  #11  
Old 21-09-10, 22:32
bricat bricat is offline
Global Moderator
 
Join Date: Jun 2003
Location: belfast
Posts: 35,867
Default Re: Big problems for someone who ought to know better

Don't try a system restore; it may not work, and might make things worse.

rerun HJT and put a check mark next to these :-

O4 - HKCU\..\Run: [{53CA19EC-130C-D451-FFD0-EDF302D09732}] "C:\Documents and Settings\Clayton Family\Application Data\Iwex\yvto.exe"
O4 - HKCU\..\Run: [{CE05C686-7259-07A8-E676-C8561C3AD9BF}] "C:\Documents and Settings\Clayton Family\Application Data\Leonr\okwyp.exe"

now close all windows (including this one) and click on FIX CHECKED


click START >> MY COMPUTER >> C:\DRIVE and the log should be there called ComboFix.txt
__________________
PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Accept that some days you are the pigeon and some days the statue.
  #12  
Old 21-09-10, 22:43
skampydog skampydog is offline
Enthusiastic contributor
 
Join Date: Oct 2003
Location: Yorkshire
Posts: 656
Default Re: Big problems for someone who ought to know better

Bricat

easy when you know how

====================================================================

ComboFix 10-09-20.07 - Clayton Family 21/09/2010 20:16:28.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.959.517 [GMT 1:00]
Running from: c:\documents and settings\Clayton Family\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\Clayton Family\.COMMgr
c:\documents and settings\Clayton Family\Application Data\974F63B7E4EDF9AC14C0A6ED735FD952
c:\documents and settings\Clayton Family\Application Data\974F63B7E4EDF9AC14C0A6ED735FD952\enemies-names.txt
c:\documents and settings\Clayton Family\Application Data\974F63B7E4EDF9AC14C0A6ED735FD952\local.ini
c:\documents and settings\Clayton Family\Application Data\974F63B7E4EDF9AC14C0A6ED735FD952\lsrslt.ini
c:\documents and settings\Clayton Family\Application Data\Iwex\yvto.exe
c:\documents and settings\Clayton Family\Application Data\Leonr\okwyp.exe
c:\documents and settings\Clayton Family\Application Data\Microsoft\svchost.exe
c:\documents and settings\Clayton Family\Local Settings\Application Data\{E7497E96-DC17-4F30-96EA-80DE4D2E4F66}
c:\documents and settings\Clayton Family\Local Settings\Application Data\{E7497E96-DC17-4F30-96EA-80DE4D2E4F66}\chrome.manifest
c:\documents and settings\Clayton Family\Local Settings\Application Data\{E7497E96-DC17-4F30-96EA-80DE4D2E4F66}\chrome\content\_cfg.js
c:\documents and settings\Clayton Family\Local Settings\Application Data\{E7497E96-DC17-4F30-96EA-80DE4D2E4F66}\chrome\content\overlay.xul
c:\documents and settings\Clayton Family\Local Settings\Application Data\{E7497E96-DC17-4F30-96EA-80DE4D2E4F66}\install.rdf
c:\program files\Alex Feinman\ISO Recorder\ImapiHelper.exe
c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
c:\program files\Brother\ControlCenter3\brctrcen.exe
c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
c:\program files\sys5\sol.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\install.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\system.dat
c:\windows\system32\Thumbs.db

Code:
c:\documents and settings\Clayton Family\Application Data\Iwex\yvto .exe ---^> c:\documents and settings\Clayton Family\Application Data\Iwex\yvto.exe
c:\documents and settings\Clayton Family\Application Data\Leonr\okwyp .exe ---^> c:\documents and settings\Clayton Family\Application Data\Leonr\okwyp.exe
c:\program files\sys5\sol .exe ---^> c:\program files\sys5\sol.exe
c:\windows\system32\rundll32 .exe ---^> c:\windows\system32\rundll32.exe
.
Infected copy of c:\windows\system32\drivers\viaide.sys was found and disinfected
Restored copy from - Kitty had a snack
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FLEXnet_Licensing_Service
-------\Legacy_Imapi_Helper
-------\Service_FLEXnet Licensing Service
-------\Service_Imapi Helper


((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))
.

2010-09-20 11:23 . 2010-09-21 19:44 -------- d-----w- c:\program files\sys5
2010-09-20 11:23 . 2010-09-21 11:25 -------- d-----w- c:\program files\sys4
2010-09-20 11:23 . 2010-09-21 14:33 -------- d-----w- c:\program files\sys1
2010-09-20 11:21 . 2010-09-21 11:22 -------- d-----w- c:\program files\sys2
2010-09-19 19:22 . 2010-09-19 19:22 -------- d-----w- c:\program files\Trend Micro
2010-09-19 19:18 . 2010-09-19 19:18 -------- d-----w- c:\documents and settings\Clayton Family\Local Settings\Application Data\AVG Security Toolbar
2010-09-19 11:30 . 2010-09-19 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-19 09:11 . 2010-09-18 18:06 35332 ----a-w- c:\windows\login.exe
2010-09-18 20:10 . 2010-09-20 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-09-18 18:11 . 2010-09-18 18:11 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-09-18 14:25 . 2010-09-18 16:50 120 ----a-w- c:\windows\Phozum.dat
2010-09-18 14:25 . 2010-09-18 14:25 0 ----a-w- c:\windows\Ysakeyeguwiviy.bin
2010-09-18 11:56 . 2010-09-18 11:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-18 11:47 . 2010-09-18 11:46 178176 ----a-w- c:\windows\Ppivya.exe
2010-09-12 11:24 . 2010-09-19 00:10 -------- d-----w- c:\program files\FVD Suite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-21 19:47 . 2008-09-12 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-09-21 19:44 . 2006-09-23 02:41 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\Leonr
2010-09-21 19:44 . 2006-07-03 21:33 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\Iwex
2010-09-21 19:34 . 2009-09-25 21:18 -------- d-----w- c:\program files\Microsoft
2010-09-21 19:30 . 2007-07-08 22:20 -------- d-----w- c:\program files\BitTorrent
2010-09-21 18:55 . 2010-03-14 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-21 18:43 . 2010-09-18 18:06 112 ----a-w- c:\documents and settings\All Users\Application Data\ThtUMbh.dat
2010-09-21 15:26 . 2009-08-27 23:41 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\Keumez
2010-09-21 13:33 . 2008-12-19 22:59 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\Otipsi
2010-09-21 00:48 . 2008-10-04 19:25 -------- d-----w- c:\program files\LogMeIn
2010-09-20 21:03 . 2009-11-28 03:28 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\Osxe
2010-09-20 12:43 . 2005-10-31 15:56 745472 ----a-w- C:\StubInstaller.exe
2010-09-20 11:28 . 2005-06-04 20:18 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\Suod
2010-09-19 21:50 . 2009-12-31 09:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-19 14:48 . 2010-09-19 13:22 2096 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-19 14:40 . 2005-09-07 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-19 01:27 . 2005-09-07 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-19 01:15 . 2008-04-17 10:15 -------- d-----w- c:\program files\Picasa2
2010-09-19 00:55 . 2005-05-08 18:04 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-09-18 20:51 . 2009-12-29 18:27 -------- d-----w- c:\program files\QuickTime
2010-09-18 20:51 . 2006-08-02 21:18 -------- d-----w- c:\program files\ActivBoard
2010-09-12 11:24 . 2010-05-17 21:17 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\FVDToolbar
2010-09-09 18:39 . 2009-09-05 21:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 23:15 . 2007-07-08 22:21 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\BitTorrent
2010-08-17 13:17 . 2004-08-10 15:38 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-06 20:04 . 2010-08-06 20:04 -------- d-----w- c:\program files\AviSynth 2.5
2010-08-06 20:04 . 2010-08-06 20:04 -------- d-----w- c:\program files\eRightSoft
2010-08-06 16:07 . 2009-08-02 16:07 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\LimeWire
2010-08-03 19:25 . 2009-05-24 15:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-22 15:49 . 2004-08-10 15:38 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 06:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 08:45 . 2010-03-14 13:06 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-17 08:45 . 2010-07-17 08:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 08:44 . 2008-08-03 10:40 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2004-08-10 15:38 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-10 15:38 916480 ----a-w- c:\windows\system32\wininet.dll
2005-05-21 21:44 . 2005-05-21 21:33 56 --sh--r- c:\windows\system32\163988363A.sys
2006-05-03 09:06 . 2010-08-06 20:04 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2010-08-06 20:04 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2010-08-06 20:04 216064 --sh--r- c:\windows\system32\nbDX.dll
.
Code:
c:\program files\ActivBoard\ABoard .exe
c:\program files\Ahead\InCD\InCD .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\BitTorrent\bittorrent .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\FVD Suite\fvdbox .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft ActiveSync\WCESCOMM .exe
c:\program files\Musicmatch\Musicmatch Jukebox\mimboot .exe
c:\program files\Picasa2\PicasaMediaDetector .exe
c:\program files\QuickTime\qttask .exe
c:\program files\ScanSoft\PaperPort\Ereg\Ereg .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{53CA19EC-130C-D451-FFD0-EDF302D09732}"="c:\documents and settings\Clayton Family\Application Data\Iwex\yvto.exe" [2006-07-03 166912]
"{CE05C686-7259-07A8-E676-C8561C3AD9BF}"="c:\documents and settings\Clayton Family\Application Data\Leonr\okwyp.exe" [2006-09-23 145408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 67072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-09-18 2065760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]

c:\documents and settings\LogMeInRemoteUser.FAMILY_PC\Start Menu\Programs\Startup\
dyic.exe [2010-9-21 145408]

c:\documents and settings\Clayton Family\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-5-23 95232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
etmex.exe [2010-9-21 145408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 08:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 10:04 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRpYecd.com/dw/dw.php?id=%s&ver=d01]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
2008-02-27 16:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASH24SXZ9S]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\Pwp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
c:\program files\BitTorrent\bittorrent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockChecker]
c:\program files\Block Checker\block-checker.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
c:\program files\Brother\ControlCenter3\brctrcen.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dlovopologocel]
2008-04-14 00:12 202240 ----a-w- c:\windows\ocadomigivajiy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\handlerfix70700en00.exe]
c:\documents and settings\Clayton Family\Application Data\974F63B7E4EDF9AC14C0A6ED735FD952\handlerfix70700en00.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRme]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRme0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRmSc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp32.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRnoc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\debug.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRnsc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\drweb.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRnyc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\csrss.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRnZ]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\cmd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRoMc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\gdi32.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRota]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\install.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRotc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\hexdump.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRouqc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\iexplarer.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRprc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\login.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRpuc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\lsass.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRpw+]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\nvsvc32.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRpyA]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\mwthu69.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRpYec]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRpZ]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\mdm.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRqOzd]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\r34jirtsui.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRre]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\user.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRrrb]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\taskmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRrta]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\services.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRrtc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\sysedit.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRruf]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\spoolsv.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRrvc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\setup.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRrxe]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\system.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRsa]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRsPc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win16.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRspe]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\winamp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRsre]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\wininst.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRssc]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\winlogon.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-01-29 21:10 46632 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 16:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 17:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKasc]
c:\windows\drweb.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Olitapim]
2008-04-14 00:12 79360 ----a-w- c:\windows\msauenf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-01-29 21:12 30248 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pnbjotuu]
c:\documents and settings\Clayton Family\Local Settings\Application Data\ssktxkcxl\liaekcwtssd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ppmate]
2006-10-27 09:43 1495111 ----a-w- c:\program files\PPMate\PPMate\ppmate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 09:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tesco Insert Detect]
2003-02-17 11:45 262144 ----a-w- c:\program files\Tesco\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 15:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\system32\\ccapp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\PPMate\\PPMate\\ppmate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\Zattoo\\Zattoo2.exe"=
"c:\\Program Files\\Zattoo\\Zattoo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Clayton Family\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29566:TCP"= 29566:TCP:limewire

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [31/12/2009 10:23 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/08/2008 11:40 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/03/2010 14:06 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 09:45 308136]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 09:22 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [18/09/2010 21:10 431432]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [11/09/2005 21:36 6400]
.
Contents of the 'Scheduled Tasks' folder

2010-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:22]

2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: FVDToolbar Add Page - c:\program files\FVD Suite\addons\IE\FVDToolbar.dll/IECONTEXT.DLL.HTM
Trusted Zone: musicmatch.com\online
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} - hxxp://img.funtigo.com/images/uploader/ssiPictureUploader.cab
FF - ProfilePath - c:\documents and settings\Clayton Family\Application Data\Mozilla\Firefox\Profiles\g3jdtdiv.default\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}\defaults\preferences\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-21 20:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,67,2e,46,9f,49,c3,48,b4,71,64,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,67,2e,46,9f,49,c3,48,b4,71,64,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(628)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\apps\HIDSERVICE\HIDSERVICE.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-09-21 20:57:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-21 19:57

Pre-Run: 69,663,817,728 bytes free
Post-Run: 69,820,981,248 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 50A810EEE50D855F13698A704C7D4A08


thanks for your help so far
__________________
XP Home
Office Pro + FrontPage, IE6
AVG, Zone Alarm
  #13  
Old 22-09-10, 01:38
bricat bricat is offline
Global Moderator
 
Join Date: Jun 2003
Location: belfast
Posts: 35,867
Default Re: Big problems for someone who ought to know better

BOY !!!! when you get infected you really get infected


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:


Killall::

Folder::
c:\program files\sys5
c:\program files\sys4
c:\program files\sys1
c:\program files\sys2
c:\documents and settings\Clayton Family\Application Data\Keumez
c:\documents and settings\Clayton Family\Application Data\Otipsi
c:\documents and settings\Clayton Family\Application Data\Osxe
c:\documents and settings\Clayton Family\Application Data\Suod
c:\program files\Block Checker
c:\documents and settings\Clayton Family\Application Data\974F63B7E4EDF9AC14C0A6ED735FD952
c:\documents and settings\Clayton Family\Local Settings\Application Data\ssktxkcxl

File::
c:\windows\login.exe
c:\windows\Phozum.dat
c:\windows\Ysakeyeguwiviy.bin
c:\windows\Ppivya.exe
c:\windows\system32\163988363A.sys
c:\documents and settings\LogMeInRemoteUser.FAMILY_PC\Start Menu\Programs\Startup\dyic.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\etmex.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\Pwp.exe
c:\windows\ocadomigivajiy.dll
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp.exe
c:\windows\msauenf2.dll
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp32.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\gdi32.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\iexplarer.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\login.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\mwthu69.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\r34jirtsui.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win.exe
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win16.exe


Renv::
c:\program files\ActivBoard\ABoard .exe
c:\program files\Ahead\InCD\InCD .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\BitTorrent\bittorrent .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\FVD Suite\fvdbox .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft ActiveSync\WCESCOMM .exe
c:\program files\Musicmatch\Musicmatch Jukebox\mimboot .exe
c:\program files\Picasa2\PicasaMediaDetector .exe
c:\program files\QuickTime\qttask .exe
c:\program files\ScanSoft\PaperPort\Ereg\Ereg .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{53CA19EC-130C-D451-FFD0-EDF302D09732}"=-
"{CE05C686-7259-07A8-E676-C8561C3AD9BF}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"HNUKUOXRpYecd.com/dw/dw.php?id=%s&ver=d01"=-
"ASH24SXZ9S"=-
"BlockChecker"=-
"Dlovopologocel"=-
"handlerfix70700en00.exe"=-
"HNUKUOXRme"=-
"HNUKUOXRme0"=-
"HNUKUOXRmSc"=-
"HNUKUOXRnoc"=-
"HNUKUOXRnsc"=-
"HNUKUOXRnyc"=-
"HNUKUOXRnZ"=-
"HNUKUOXRoMc"=-
"HNUKUOXRota"=-
"HNUKUOXRotc"=-
"HNUKUOXRouqc"=-
"HNUKUOXRprc"=-
"HNUKUOXRpuc"=-
"HNUKUOXRpw+"=-
"HNUKUOXRpyA"=-
"HNUKUOXRpYec"=-
"HNUKUOXRpZ"=-
"HNUKUOXRqOzd"=-
"HNUKUOXRre"=-
"HNUKUOXRrrb"=-
"HNUKUOXRrta"=-
"HNUKUOXRrtc"=-
"HNUKUOXRruf"=-
"HNUKUOXRrvc"=-
"HNUKUOXRrxe"=-
"HNUKUOXRsa"=-
"HNUKUOXRsPc"=-
"HNUKUOXRspe"=-
"HNUKUOXRsre"=-
"HNUKUOXRssc"=-
"Olitapim"=-
"pnbjotuu"=-

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This will start ComboFix again (it may ask you to reboot your computer).

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply and
let me know how it is running.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*
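The CFScript above targets three kinds of artefact: renamed look-alike copies with a space before the extension (the Renv:: list), executables in the user's Temp folder named after Windows system binaries (the File:: list), and GUID-named HKCU Run values plus their msconfig startup leftovers (the Registry:: list). The Python script below is an added example, not code from this thread or from the HijackThis or ComboFix tools: it runs those same checks, together with the extra UserInit entry and localhost ProxyServer setting that show up in the HijackThis log posted later in the thread, over pasted log lines, so a helper can pick the candidates out of a long log before writing a script. Every regular expression and function name is the example's own; the sample lines are constructed from paths quoted in the posts.

```python
"""Flag the autostart patterns dealt with in this thread in HijackThis /
ComboFix log lines.  Added example: not part of the thread and not code from
the HijackThis or ComboFix tools; the regexes, names and sample lines are the
example's own (sample paths are taken from the posts)."""
import re

# Windows binaries whose names the dropped Temp-folder copies borrowed.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe", "spoolsv.exe",
    "svchost.exe", "gdi32.exe", "win.exe", "win16.exe", "login.exe",
    "cmd.exe", "taskmgr.exe", "user.exe", "system.exe", "mdm.exe",
}

# A Windows path up to its first .exe/.dll/.sys extension (spaces allowed).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys)\b', re.I)
# Per-user Temp folder, in 8.3 or long form.
TEMP_DIR_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.I)
# "avgtray .exe": a space before the extension marks a look-alike copy (Renv::).
SPACE_BEFORE_EXT_RE = re.compile(r"\S \.exe$", re.I)
# HijackThis O4 value names that are bare GUIDs, as in the HKCU Run entries here.
GUID_RUN_NAME_RE = re.compile(
    r"\[\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\]", re.I)
# Browser proxy pointed at a listener on the machine itself.
LOCALHOST_PROXY_RE = re.compile(r"ProxyServer\s*=\s*http=127\.0\.0\.1:\d+", re.I)
USERINIT_RE = re.compile(r"UserInit=(.*)$", re.I)


def check_line(line):
    """Return the reasons one log line is suspicious (empty list if none)."""
    reasons = []
    s = line.strip()
    if not s:
        return reasons
    m = USERINIT_RE.search(s)
    if m:
        # Anything beyond userinit.exe in the UserInit value runs at every logon.
        entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
        extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
        if extra:
            reasons.append("extra UserInit executable: " + ", ".join(extra))
    if LOCALHOST_PROXY_RE.search(s):
        reasons.append("browser traffic proxied through a localhost listener")
    if GUID_RUN_NAME_RE.search(s) and "application data" in s.lower():
        reasons.append("GUID-named Run value launching from Application Data")
    for path in PATH_RE.findall(s):
        name = path.rsplit("\\", 1)[-1].lower()
        if SPACE_BEFORE_EXT_RE.search(name):
            reasons.append("look-alike copy with a space before the extension: " + path)
        if name in SYSTEM_BINARY_NAMES and TEMP_DIR_RE.search(path):
            reasons.append("system binary name running from a Temp folder: " + path)
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every flagged line of a pasted log."""
    flagged = []
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


# Constructed sample: a few lines in the shape of the logs posted in this
# thread, with two benign entries mixed in so the filter has something to pass.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [{53CA19EC-130C-D451-FFD0-EDF302D09732}] "C:\Documents and Settings\Clayton Family\Application Data\Ubid\wamow.exe"
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\lsass.exe
c:\program files\AVG\AVG9\avgtray .exe
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The output is a list of pointers, not verdicts: legitimate installers also use GUID-named Run values, so each flagged line still needs the file itself checked (publisher, location, date) before it goes into a CFScript. Adding the other borrowed names from the log's ORPHANS REMOVED section to SYSTEM_BINARY_NAMES is the obvious tuning knob.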
#14
22-09-10, 05:56
skampydog
Re: Big problems for someone who ought to know better

Bricat

will do but it'll be tonight now due to work commitments

thanks for your help so far - report back soon

kind regards

David
__________________
XP Home
Office Pro + FrontPage, IE6
AVG, Zone Alarm
#15
23-09-10, 20:55
skampydog
Re: Big problems for someone who ought to know better

Bricat

sorry for the delay but work prevailed last night

did as you suggested

New Combofix Log =

ComboFix 10-09-23.01 - Clayton Family 23/09/2010 19:30:23.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.959.525 [GMT 1:00]
Running from: c:\documents and settings\Clayton Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Clayton Family\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp32.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\gdi32.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\iexplarer.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\login.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\mwthu69.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\Pwp.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\r34jirtsui.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win16.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\etmex.exe"
"c:\documents and settings\LogMeInRemoteUser.FAMILY_PC\Start Menu\Programs\Startup\dyic.exe"
"c:\windows\login.exe"
"c:\windows\msauenf2.dll"
"c:\windows\ocadomigivajiy.dll"
"c:\windows\Phozum.dat"
"c:\windows\Ppivya.exe"
"c:\windows\system32\163988363A.sys"
"c:\windows\Ysakeyeguwiviy.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Clayton Family\Application Data\Exbiz
c:\documents and settings\Clayton Family\Application Data\Exbiz\yxen.exe
c:\documents and settings\Clayton Family\Application Data\Iwex
c:\documents and settings\Clayton Family\Application Data\Iwex\yvto.exe
c:\documents and settings\Clayton Family\Application Data\Keumez
c:\documents and settings\Clayton Family\Application Data\Keumez\baer.ebo
c:\documents and settings\Clayton Family\Application Data\Leonr
c:\documents and settings\Clayton Family\Application Data\Leonr\okwyp.exe
c:\documents and settings\Clayton Family\Application Data\Microsoft\svchost .exe
c:\documents and settings\Clayton Family\Application Data\Osxe
c:\documents and settings\Clayton Family\Application Data\Otipsi
c:\documents and settings\Clayton Family\Application Data\Suod
c:\documents and settings\Clayton Family\Application Data\Suod\gaif .exe
c:\documents and settings\Clayton Family\Application Data\Suod\gaif.exe
c:\documents and settings\Clayton Family\Local Settings\Application Data\ssktxkcxl
c:\documents and settings\Default User\Start Menu\Programs\Startup\etmex.exe
c:\documents and settings\LogMeInRemoteUser.FAMILY_PC\Start Menu\Programs\Startup\dyic.exe
c:\program files\sys1
c:\program files\sys1\se.exe
c:\program files\sys2
c:\program files\sys2\sol.exe
c:\program files\sys4
c:\program files\sys5
c:\program files\sys5\sol.exe
c:\windows\login.exe
c:\windows\msauenf2.dll
c:\windows\ocadomigivajiy.dll
c:\windows\Phozum.dat
c:\windows\Ppivya.exe
c:\windows\system32\163988363A.sys
c:\windows\Ysakeyeguwiviy.bin

.
((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))
.

2010-09-21 22:31 . 2010-09-21 22:31 -------- d-----w- c:\program files\ieSpell
2010-09-19 19:22 . 2010-09-19 19:22 -------- d-----w- c:\program files\Trend Micro
2010-09-19 19:18 . 2010-09-19 19:18 -------- d-----w- c:\documents and settings\Clayton Family\Local Settings\Application Data\AVG Security Toolbar
2010-09-19 11:30 . 2010-09-19 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-18 20:10 . 2010-09-20 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-09-18 18:11 . 2010-09-18 18:11 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-09-18 11:56 . 2010-09-18 11:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-12 11:24 . 2010-09-23 18:30 -------- d-----w- c:\program files\FVD Suite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 19:57 . 2008-09-12 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-09-23 18:30 . 2005-09-07 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-23 18:30 . 2009-12-29 18:27 -------- d-----w- c:\program files\QuickTime
2010-09-23 18:30 . 2008-04-17 10:15 -------- d-----w- c:\program files\Picasa2
2010-09-23 18:30 . 2005-05-08 18:04 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-09-23 18:30 . 2009-12-31 09:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-23 18:30 . 2007-07-08 22:20 -------- d-----w- c:\program files\BitTorrent
2010-09-23 18:30 . 2006-08-02 21:18 -------- d-----w- c:\program files\ActivBoard
2010-09-23 18:22 . 2008-10-04 19:25 -------- d-----w- c:\program files\LogMeIn
2010-09-21 19:34 . 2009-09-25 21:18 -------- d-----w- c:\program files\Microsoft
2010-09-21 18:55 . 2010-03-14 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-21 18:43 . 2010-09-18 18:06 112 ----a-w- c:\documents and settings\All Users\Application Data\ThtUMbh.dat
2010-09-20 12:43 . 2005-10-31 15:56 745472 ----a-w- C:\StubInstaller.exe
2010-09-19 14:48 . 2010-09-19 13:22 2096 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-19 14:40 . 2005-09-07 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-12 11:24 . 2010-05-17 21:17 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\FVDToolbar
2010-09-09 18:39 . 2009-09-05 21:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 23:15 . 2007-07-08 22:21 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\BitTorrent
2010-08-17 13:17 . 2004-08-10 15:38 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-06 20:04 . 2010-08-06 20:04 -------- d-----w- c:\program files\AviSynth 2.5
2010-08-06 20:04 . 2010-08-06 20:04 -------- d-----w- c:\program files\eRightSoft
2010-08-06 16:07 . 2009-08-02 16:07 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\LimeWire
2010-08-03 19:25 . 2009-05-24 15:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-22 15:49 . 2004-08-10 15:38 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 06:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 08:45 . 2010-03-14 13:06 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-17 08:45 . 2010-07-17 08:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 08:44 . 2008-08-03 10:40 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2004-08-10 15:38 149504 ----a-w- c:\windows\system32\schannel.dll
2006-05-03 09:06 . 2010-08-06 20:04 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2010-08-06 20:04 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2010-08-06 20:04 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 67072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Clayton Family\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-5-23 95232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 08:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 10:04 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRpYecd.com/dw/dw.php?id=%s&ver=d01]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
2008-02-27 16:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2010-09-20 11:57 87552 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-01-29 21:10 46632 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 16:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 17:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-01-29 21:12 30248 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ppmate]
2006-10-27 09:43 1495111 ----a-w- c:\program files\PPMate\PPMate\ppmate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 09:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tesco Insert Detect]
2003-02-17 11:45 262144 ----a-w- c:\program files\Tesco\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 15:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\system32\\ccapp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\PPMate\\PPMate\\ppmate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\Zattoo\\Zattoo2.exe"=
"c:\\Program Files\\Zattoo\\Zattoo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Clayton Family\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29566:TCP"= 29566:TCP:limewire

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [31/12/2009 10:23 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/08/2008 11:40 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/03/2010 14:06 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 09:45 308136]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 09:22 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [18/09/2010 21:10 431432]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [11/09/2005 21:36 6400]
.
Contents of the 'Scheduled Tasks' folder

2010-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:22]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: FVDToolbar Add Page - c:\program files\FVD Suite\addons\IE\FVDToolbar.dll/IECONTEXT.DLL.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: musicmatch.com\online
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} - hxxp://img.funtigo.com/images/uploader/ssiPictureUploader.cab
FF - ProfilePath - c:\documents and settings\Clayton Family\Application Data\Mozilla\Firefox\Profiles\g3jdtdiv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - component: c:\documents and settings\Clayton Family\Application Data\Mozilla\Firefox\Profiles\g3jdtdiv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\FVD Suite\addons\Firefox\components\fvd_connector.dll
FF - plugin: c:\documents and settings\Clayton Family\Application Data\Mozilla\Firefox\Profiles\g3jdtdiv.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{53CA19EC-130C-D451-FFD0-EDF302D09732} - c:\documents and settings\Clayton Family\Application Data\Iwex\yvto.exe
HKCU-Run-{CE05C686-7259-07A8-E676-C8561C3AD9BF} - c:\documents and settings\Clayton Family\Application Data\Leonr\okwyp.exe
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-ASH24SXZ9S - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\Pwp.exe
MSConfigStartUp-BlockChecker - c:\program files\Block Checker\block-checker.exe
MSConfigStartUp-BrMfcWnd - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
MSConfigStartUp-ControlCenter3 - c:\program files\Brother\ControlCenter3\brctrcen.exe
MSConfigStartUp-Dlovopologocel - c:\windows\ocadomigivajiy.dll
MSConfigStartUp-handlerfix70700en00 - c:\documents and settings\Clayton Family\Application Data\974F63B7E4EDF9AC14C0A6ED735FD952\handlerfix70700en00.exe
MSConfigStartUp-HNUKUOXRme - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp.exe
MSConfigStartUp-534 - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp.exe
MSConfigStartUp-HNUKUOXRmSc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp32.exe
MSConfigStartUp-HNUKUOXRnoc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\debug.exe
MSConfigStartUp-HNUKUOXRnsc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\drweb.exe
MSConfigStartUp-HNUKUOXRnyc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\csrss.exe
MSConfigStartUp-HNUKUOXRnZ - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\cmd.exe
MSConfigStartUp-HNUKUOXRoMc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\gdi32.exe
MSConfigStartUp-HNUKUOXRota - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\install.exe
MSConfigStartUp-HNUKUOXRotc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\hexdump.exe
MSConfigStartUp-HNUKUOXRouqc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\iexplarer.exe
MSConfigStartUp-HNUKUOXRprc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\login.exe
MSConfigStartUp-HNUKUOXRpuc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\lsass.exe
MSConfigStartUp-HNUKUOXRpw+ - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\nvsvc32.exe
MSConfigStartUp-HNUKUOXRpyA - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\mwthu69.exe
MSConfigStartUp-HNUKUOXRpYec - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7.exe
MSConfigStartUp-HNUKUOXRpZ - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\mdm.exe
MSConfigStartUp-HNUKUOXRqOzd - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\r34jirtsui.exe
MSConfigStartUp-HNUKUOXRre - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\user.exe
MSConfigStartUp-HNUKUOXRrrb - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\taskmgr.exe
MSConfigStartUp-HNUKUOXRrta - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\services.exe
MSConfigStartUp-HNUKUOXRrtc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\sysedit.exe
MSConfigStartUp-HNUKUOXRruf - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\spoolsv.exe
MSConfigStartUp-HNUKUOXRrvc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\setup.exe
MSConfigStartUp-HNUKUOXRrxe - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\system.exe
MSConfigStartUp-HNUKUOXRsa - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win.exe
MSConfigStartUp-HNUKUOXRsPc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win16.exe
MSConfigStartUp-HNUKUOXRspe - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\winamp.exe
MSConfigStartUp-HNUKUOXRsre - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\wininst.exe
MSConfigStartUp-HNUKUOXRssc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\winlogon.exe
MSConfigStartUp-MKasc - c:\windows\drweb.exe
MSConfigStartUp-Olitapim - c:\windows\msauenf2.dll
MSConfigStartUp-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
MSConfigStartUp-pnbjotuu - c:\documents and settings\Clayton Family\Local Settings\Application Data\ssktxkcxl\liaekcwtssd.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-23 20:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,67,2e,46,9f,49,c3,48,b4,71,64,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,67,2e,46,9f,49,c3,48,b4,71,64,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\apps\HIDSERVICE\HIDSERVICE.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-09-23 21:07:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-23 20:07
ComboFix2.txt 2010-09-21 19:57

Pre-Run: 69,702,684,672 bytes free
Post-Run: 69,736,173,568 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 22D7D8225C72E8DC5BDE7C90EE705740



New HJT log =
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:13:23, on 23/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Clayton Family\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: FVD Suite Toolbar - {2B171655-A69C-5c18-B693-6CB5DC269D41} - C:\Program Files\FVD Suite\addons\IE\FVDToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nonep] C:\Program Files\sys5\sol.exe
O4 - HKCU\..\Run: [{53CA19EC-130C-D451-FFD0-EDF302D09732}] "C:\Documents and Settings\Clayton Family\Application Data\Ubid\wamow.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: FVDToolbar Add Page - res://C:\Program Files\FVD Suite\addons\IE\FVDToolbar.dll/IECONTEXT.DLL.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Open FVD Suite Toolbar - {2B171655-A69C-5c18-B693-6CB5DC269D43} - C:\Program Files\FVD Suite\addons\IE\FVDToolbar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Open FVD Suite Toolbar - {2B171655-A69C-5c18-B693-6CB5DC269D43} - C:\Program Files\FVD Suite\addons\IE\FVDToolbar.dll (HKCU)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/upload...reUploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Clayton Family\My Documents\lucinda\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 11764 bytes


I'm still getting the resident shield coming up screaming at me

IE is working faster and more reliably on search result clicks (no more shopping sites)

Simply can't get Firefox to load at all - but I can deinstall/reinstall later I guess

Thanks for your much appreciated help so far

regards

David
__________________
XP Home
Office Pro + FrontPage, IE6
AVG, Zone Alarm
  #16  
Old 23-09-10, 21:12
bricat
Global Moderator
Join Date: Jun 2003
Location: belfast
Posts: 35,867
Re: Big problems for someone who ought to know better

we're getting there
run this scan and see what it finds :-

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
  #17  
Old 23-09-10, 21:16
skampydog
Enthusiastic contributor
Join Date: Oct 2003
Location: Yorkshire
Posts: 656
Re: Big problems for someone who ought to know better

Bricat - sorry for the delay

Combofix log =

ComboFix 10-09-23.01 - Clayton Family 23/09/2010 19:30:23.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.959.525 [GMT 1:00]
Running from: c:\documents and settings\Clayton Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Clayton Family\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp32.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\gdi32.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\iexplarer. exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\login.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\mwthu69.ex e"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7. exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\Pwp.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\r34jirtsui.exe "
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win.exe"
"c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win16.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\etmex.exe"
"c:\documents and settings\LogMeInRemoteUser.FAMILY_PC\Start Menu\Programs\Startup\dyic.exe"
"c:\windows\login.exe"
"c:\windows\msauenf2.dll"
"c:\windows\ocadomigivajiy.dll"
"c:\windows\Phozum.dat"
"c:\windows\Ppivya.exe"
"c:\windows\system32\163988363A.sys"
"c:\windows\Ysakeyeguwiviy.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Clayton Family\Application Data\Exbiz
c:\documents and settings\Clayton Family\Application Data\Exbiz\yxen.exe
c:\documents and settings\Clayton Family\Application Data\Iwex
c:\documents and settings\Clayton Family\Application Data\Iwex\yvto.exe
c:\documents and settings\Clayton Family\Application Data\Keumez
c:\documents and settings\Clayton Family\Application Data\Keumez\baer.ebo
c:\documents and settings\Clayton Family\Application Data\Leonr
c:\documents and settings\Clayton Family\Application Data\Leonr\okwyp.exe
c:\documents and settings\Clayton Family\Application Data\Microsoft\svchost .exe
c:\documents and settings\Clayton Family\Application Data\Osxe
c:\documents and settings\Clayton Family\Application Data\Otipsi
c:\documents and settings\Clayton Family\Application Data\Suod
c:\documents and settings\Clayton Family\Application Data\Suod\gaif .exe
c:\documents and settings\Clayton Family\Application Data\Suod\gaif.exe
c:\documents and settings\Clayton Family\Local Settings\Application Data\ssktxkcxl
c:\documents and settings\Default User\Start Menu\Programs\Startup\etmex.exe
c:\documents and settings\LogMeInRemoteUser.FAMILY_PC\Start Menu\Programs\Startup\dyic.exe
c:\program files\sys1
c:\program files\sys1\se.exe
c:\program files\sys2
c:\program files\sys2\sol.exe
c:\program files\sys4
c:\program files\sys5
c:\program files\sys5\sol.exe
c:\windows\login.exe
c:\windows\msauenf2.dll
c:\windows\ocadomigivajiy.dll
c:\windows\Phozum.dat
c:\windows\Ppivya.exe
c:\windows\system32\163988363A.sys
c:\windows\Ysakeyeguwiviy.bin

.
((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))
.

2010-09-21 22:31 . 2010-09-21 22:31 -------- d-----w- c:\program files\ieSpell
2010-09-19 19:22 . 2010-09-19 19:22 -------- d-----w- c:\program files\Trend Micro
2010-09-19 19:18 . 2010-09-19 19:18 -------- d-----w- c:\documents and settings\Clayton Family\Local Settings\Application Data\AVG Security Toolbar
2010-09-19 11:30 . 2010-09-19 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-18 20:10 . 2010-09-20 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-09-18 18:11 . 2010-09-18 18:11 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-09-18 11:56 . 2010-09-18 11:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-12 11:24 . 2010-09-23 18:30 -------- d-----w- c:\program files\FVD Suite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 19:57 . 2008-09-12 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-09-23 18:30 . 2005-09-07 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-23 18:30 . 2009-12-29 18:27 -------- d-----w- c:\program files\QuickTime
2010-09-23 18:30 . 2008-04-17 10:15 -------- d-----w- c:\program files\Picasa2
2010-09-23 18:30 . 2005-05-08 18:04 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-09-23 18:30 . 2009-12-31 09:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-23 18:30 . 2007-07-08 22:20 -------- d-----w- c:\program files\BitTorrent
2010-09-23 18:30 . 2006-08-02 21:18 -------- d-----w- c:\program files\ActivBoard
2010-09-23 18:22 . 2008-10-04 19:25 -------- d-----w- c:\program files\LogMeIn
2010-09-21 19:34 . 2009-09-25 21:18 -------- d-----w- c:\program files\Microsoft
2010-09-21 18:55 . 2010-03-14 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-21 18:43 . 2010-09-18 18:06 112 ----a-w- c:\documents and settings\All Users\Application Data\ThtUMbh.dat
2010-09-20 12:43 . 2005-10-31 15:56 745472 ----a-w- C:\StubInstaller.exe
2010-09-19 14:48 . 2010-09-19 13:22 2096 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-19 14:40 . 2005-09-07 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-12 11:24 . 2010-05-17 21:17 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\FVDToolbar
2010-09-09 18:39 . 2009-09-05 21:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 23:15 . 2007-07-08 22:21 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\BitTorrent
2010-08-17 13:17 . 2004-08-10 15:38 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-06 20:04 . 2010-08-06 20:04 -------- d-----w- c:\program files\AviSynth 2.5
2010-08-06 20:04 . 2010-08-06 20:04 -------- d-----w- c:\program files\eRightSoft
2010-08-06 16:07 . 2009-08-02 16:07 -------- d-----w- c:\documents and settings\Clayton Family\Application Data\LimeWire
2010-08-03 19:25 . 2009-05-24 15:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-22 15:49 . 2004-08-10 15:38 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 06:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 08:45 . 2010-03-14 13:06 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-17 08:45 . 2010-07-17 08:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 08:44 . 2008-08-03 10:40 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2004-08-10 15:38 149504 ----a-w- c:\windows\system32\schannel.dll
2006-05-03 09:06 . 2010-08-06 20:04 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2010-08-06 20:04 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2010-08-06 20:04 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 67072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Clayton Family\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-5-23 95232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 08:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 10:04 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKUOXRpYecd.com/dw/dw.php?id=%s&ver=d01]
c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
2008-02-27 16:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2010-09-20 11:57 87552 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-01-29 21:10 46632 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 16:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 17:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-01-29 21:12 30248 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ppmate]
2006-10-27 09:43 1495111 ----a-w- c:\program files\PPMate\PPMate\ppmate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 09:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tesco Insert Detect]
2003-02-17 11:45 262144 ----a-w- c:\program files\Tesco\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 15:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\system32\\ccapp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\PPMate\\PPMate\\ppmate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\Zattoo\\Zattoo2.exe"=
"c:\\Program Files\\Zattoo\\Zattoo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Clayton Family\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29566:TCP"= 29566:TCP:limewire

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [31/12/2009 10:23 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/08/2008 11:40 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/03/2010 14:06 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 09:45 308136]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 09:22 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [18/09/2010 21:10 431432]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [11/09/2005 21:36 6400]
.
Contents of the 'Scheduled Tasks' folder

2010-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:22]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: FVDToolbar Add Page - c:\program files\FVD Suite\addons\IE\FVDToolbar.dll/IECONTEXT.DLL.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: musicmatch.com\online
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} - hxxp://img.funtigo.com/images/uploader/ssiPictureUploader.cab
FF - ProfilePath - c:\documents and settings\Clayton Family\Application Data\Mozilla\Firefox\Profiles\g3jdtdiv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - component: c:\documents and settings\Clayton Family\Application Data\Mozilla\Firefox\Profiles\g3jdtdiv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\FVD Suite\addons\Firefox\components\fvd_connector.dll
FF - plugin: c:\documents and settings\Clayton Family\Application Data\Mozilla\Firefox\Profiles\g3jdtdiv.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{53CA19EC-130C-D451-FFD0-EDF302D09732} - c:\documents and settings\Clayton Family\Application Data\Iwex\yvto.exe
HKCU-Run-{CE05C686-7259-07A8-E676-C8561C3AD9BF} - c:\documents and settings\Clayton Family\Application Data\Leonr\okwyp.exe
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-ASH24SXZ9S - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\Pwp.exe
MSConfigStartUp-BlockChecker - c:\program files\Block Checker\block-checker.exe
MSConfigStartUp-BrMfcWnd - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
MSConfigStartUp-ControlCenter3 - c:\program files\Brother\ControlCenter3\brctrcen.exe
MSConfigStartUp-Dlovopologocel - c:\windows\ocadomigivajiy.dll
MSConfigStartUp-handlerfix70700en00 - c:\documents and settings\Clayton Family\Application Data\974F63B7E4EDF9AC14C0A6ED735FD952\handlerfix70700en00.exe
MSConfigStartUp-HNUKUOXRme - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp.exe
MSConfigStartUp-534 - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp.exe
MSConfigStartUp-HNUKUOXRmSc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\avp32.exe
MSConfigStartUp-HNUKUOXRnoc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\debug.exe
MSConfigStartUp-HNUKUOXRnsc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\drweb.exe
MSConfigStartUp-HNUKUOXRnyc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\csrss.exe
MSConfigStartUp-HNUKUOXRnZ - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\cmd.exe
MSConfigStartUp-HNUKUOXRoMc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\gdi32.exe
MSConfigStartUp-HNUKUOXRota - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\install.exe
MSConfigStartUp-HNUKUOXRotc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\hexdump.exe
MSConfigStartUp-HNUKUOXRouqc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\iexplarer.exe
MSConfigStartUp-HNUKUOXRprc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\login.exe
MSConfigStartUp-HNUKUOXRpuc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\lsass.exe
MSConfigStartUp-HNUKUOXRpw+ - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\nvsvc32.exe
MSConfigStartUp-HNUKUOXRpyA - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\mwthu69.exe
MSConfigStartUp-HNUKUOXRpYec - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\n0bletlb7.exe
MSConfigStartUp-HNUKUOXRpZ - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\mdm.exe
MSConfigStartUp-HNUKUOXRqOzd - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\r34jirtsui.exe
MSConfigStartUp-HNUKUOXRre - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\user.exe
MSConfigStartUp-HNUKUOXRrrb - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\taskmgr.exe
MSConfigStartUp-HNUKUOXRrta - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\services.exe
MSConfigStartUp-HNUKUOXRrtc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\sysedit.exe
MSConfigStartUp-HNUKUOXRruf - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\spoolsv.exe
MSConfigStartUp-HNUKUOXRrvc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\setup.exe
MSConfigStartUp-HNUKUOXRrxe - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\system.exe
MSConfigStartUp-HNUKUOXRsa - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win.exe
MSConfigStartUp-HNUKUOXRsPc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\win16.exe
MSConfigStartUp-HNUKUOXRspe - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\winamp.exe
MSConfigStartUp-HNUKUOXRsre - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\wininst.exe
MSConfigStartUp-HNUKUOXRssc - c:\docume~1\CLAYTO~1\LOCALS~1\Temp\winlogon.exe
MSConfigStartUp-MKasc - c:\windows\drweb.exe
MSConfigStartUp-Olitapim - c:\windows\msauenf2.dll
MSConfigStartUp-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
MSConfigStartUp-pnbjotuu - c:\documents and settings\Clayton Family\Local Settings\Application Data\ssktxkcxl\liaekcwtssd.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-23 20:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,67,2e,46,9f,49,c3,48,b4,71,64,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,67,2e,46,9f,49,c3,48,b4,71,64,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\apps\HIDSERVICE\HIDSERVICE.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-09-23 21:07:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-23 20:07
ComboFix2.txt 2010-09-21 19:57

Pre-Run: 69,702,684,672 bytes free
Post-Run: 69,736,173,568 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 22D7D8225C72E8DC5BDE7C90EE705740


HJT log =
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:13:23, on 23/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Clayton Family\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: FVD Suite Toolbar - {2B171655-A69C-5c18-B693-6CB5DC269D41} - C:\Program Files\FVD Suite\addons\IE\FVDToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nonep] C:\Program Files\sys5\sol.exe
O4 - HKCU\..\Run: [{53CA19EC-130C-D451-FFD0-EDF302D09732}] "C:\Documents and Settings\Clayton Family\Application Data\Ubid\wamow.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: FVDToolbar Add Page - res://C:\Program Files\FVD Suite\addons\IE\FVDToolbar.dll/IECONTEXT.DLL.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Open FVD Suite Toolbar - {2B171655-A69C-5c18-B693-6CB5DC269D43} - C:\Program Files\FVD Suite\addons\IE\FVDToolbar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Open FVD Suite Toolbar - {2B171655-A69C-5c18-B693-6CB5DC269D43} - C:\Program Files\FVD Suite\addons\IE\FVDToolbar.dll (HKCU)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/upload...reUploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Clayton Family\My Documents\lucinda\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 11764 bytes


====================================================================


still getting the resident shield errors and Windows is still blocking Explorer

can't get Firefox to start at all but can live with that at the mo

================================================================

thanks for your fantastic help so far

regards

David
__________________
XP Home
Office Pro + FrontPage, IE6
AVG, Zone Alarm
  #18  
Old 26-09-10, 09:40
skampydog skampydog is offline
Enthusiastic contributor
 
Join Date: Oct 2003
Location: Yorkshire
Posts: 656
Default Re: Big problems for someone who ought to know better

Bricat

really sorry - didn't see your ESET online scanner post

that seemed to find another load of problems

here's the log

====================================================================

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=44769cdbd58e0047949a187564e095d5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-26 02:59:45
# local_time=2010-09-26 03:59:45 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 517087 517087 0 0
# compatibility_mode=1024 16777175 100 0 16872823 16872823 0 0
# compatibility_mode=8192 67108863 100 0 579 579 0 0
# scanned=256818
# found=84
# cleaned=84
# scan_time=28774
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DropperMaximus.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Clayton Family\Application Data\Mozilla\Firefox\Profiles\g3jdtdiv.default\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}\defaults\preferences\prefs.js Win32/Agent.RQD.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\My Shared Folder\06 Track 6 (unfortunate).wma WMA/TrojanDownloader.Wimad.K trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Content\Reference\ASP\RequestObject.html Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\about.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_AB.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_confirm.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_general.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_IDV.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_IDV1.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_IDV2.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_protection.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_search.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_SPupdate.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_update.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\deletehistory_processing.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\emailchecker_config.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\emailchecker_notifier.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_config.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_error.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_notifier.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_status.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\rssreader_advanced.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\rssreader_config.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\rssreader_simple.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\settings_askdialog.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\settings_checkboxdialog.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\settings_closedialog.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\settings_main.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_dangerous.html Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_questionable.html Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_risky.html Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_safe.html Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_unknown.html Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_waiting.html Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\tabswelcome_ie7footer.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\toolbarprotector_window.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\updater_processing.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\chrome\content\html\weather_error.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_23\chrome\content\html\bubble_confirm.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_23\chrome\content\html\bubble_update.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_23\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_23\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_39\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_39\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_40\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_40\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_48\chrome\content\html\bubble_confirm.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_48\chrome\content\html\bubble_update.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_48\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_48\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_57\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\ch_57\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Macromedia\Dreamweaver 8\Configuration\Content\Reference\ASP\RequestObject.html Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Clayton Family\Application Data\Exbiz\yxen.exe.vir Win32/Spy.Zbot.ZR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Clayton Family\Application Data\Iwex\yvto.exe.vir Win32/Spy.Zbot.ZR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Clayton Family\Application Data\Leonr\okwyp.exe.vir a variant of Win32/Kryptik.GUM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Clayton Family\Application Data\Microsoft\svchost .exe.vir Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Clayton Family\Application Data\Microsoft\svchost.exe.vir a variant of Win32/Kryptik.GYB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Clayton Family\Application Data\Suod\gaif .exe.vir Win32/Spy.Zbot.ZR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Clayton Family\Application Data\Suod\gaif.exe.vir Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe.vir Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Brother\Brmfcmon\BrMfcWnd.exe.vir Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Brother\ControlCenter3\BrCtrCen.exe.vir Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe.vir Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe.vir Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Microsoft\DesktopLayer.exe.vir a variant of Win32/Kryptik.GXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe.vir Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\sys1\se.exe.vir a variant of Win32/Kryptik.GWV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\sys2\sol.exe.vir a variant of Win32/Agent.RQD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Windows Media Player\wmpnetwk.exe.vir Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\rundll32.exe.vir Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\viaide.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0025349.rbf Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0025361.rbf Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0025367.rbf Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0025368.rbf Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0025369.rbf Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0025371.rbf Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0025385.rbf Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0025404.rbf Win32/Ramnit.B virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Program Files\Common Files\Real\Toolbar\RealBar.dll probably a variant of Win32/Adware.Toolbar.Visicom.AB application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
===================================================================

regards

David
__________________
XP Home
Office Pro + FrontPage, IE6
AVG, Zone Alarm
  #19  
Old 26-09-10, 10:40
bricat bricat is offline
Global Moderator
 
Join Date: Jun 2003
Location: belfast
Posts: 35,867
Default Re: Big problems for someone who ought to know better

that certainly removed a lot, how is the computer running now ?
__________________
PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Accept that some days you are the pigeon and some days the statue.
  #20  
Old 26-09-10, 11:39
skampydog skampydog is offline
Enthusiastic contributor
 
Join Date: Oct 2003
Location: Yorkshire
Posts: 656
Default Re: Big problems for someone who ought to know better

Bricat

the machine is certainly a thousand times better than it was, but I'm still getting AVG resident shield popping up and the errors always seem to report around anything I open. e.g. if I start Firefox all the errors report that Firefox is littered with viruses; open Acrobat Reader and the errors report Reader being littered with them

what I'm going to do is what you suggested in #4 and turn off/turn back on again system restore, create a system restore point, tidy the PC up with CCleaner and Defraggler and report back

thanks again

David
__________________
XP Home
Office Pro + FrontPage, IE6
AVG, Zone Alarm
© Dennis Publishing Limited Licensed by Felden
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Copyright Dennis Publishing 2010, All rights reserved