
Malwarebytes

Fake "Security Centre" rears its head again


51 replies to this topic

#1
dutchroll

    New Member

  • Members
  • 27 posts
Well, after a partial fix to this problem achieved by running Malwarebytes with the latest updates, it has fully reared up again.

The problem(s):
1. Fake Windows Security Centre on startup, which attempts to direct you to purchase a bunch of software.
2. Navigating to websites in IE is accompanied by random popup boxes that "virus activity has been detected".
3. Webpage advertisements & banners are randomly hijacked and display ads with various messages about privacy being compromised, virus threats, etc, etc.

Problems 1 and 2 were initially solved by running the latest Malwarebytes version with updates. After a hiatus for a couple of weeks, they're back.
Problem 3 was never really solved.

HIJACK THIS log follows.
MALWAREBYTES log also follows (it apparently didn't detect anything).
PANDA ACTIVE SCAN has been attempted twice but has caused a shutdown and reboot on both occasions less than 1/4 way through. It did detect problems by that point but obviously I can't tell what they were due to the shutdown. Will try again in safe mode soon.

Norton has just detected Trojan.Vundo but seems to have locked up. I'll see what happens on reboot into safe mode. All assistance appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 3:40:11 PM, on 15/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
D:\Norton AntiVirus\navapsvc.exe
D:\Norton AntiVirus\IWP\NPFMntor.exe
D:\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
E:\Palm\Hotsync.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Opdicom\OpdiTracker\OptT3STA.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Computer\Internet Utility\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O4 - Global Startup: Start OpdiTracker.lnk = D:\Opdicom\OpdiTracker\OptT3STA.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Send to OneNote (HKLM)
O9 - Extra 'Tools' menuitem: S&end to OneNote (HKLM)
O9 - Extra button: Skype (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.cnn.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas....stauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: bwh0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: offline-8876480 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

Malwarebytes' Anti-Malware 1.12
Database version: 750

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|J:\|M:\|)
Objects scanned: 296509
Time elapsed: 2 hour(s), 37 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2
dutchroll

    New Member

  • Members
  • 27 posts
OK well the Active Scan did run in safe mode, though along the way the system threw up a "problem has been detected and windows has been shutdown........" message together with an "OK" button, which seemed a bit odd because it didn't actually stop anything running, and it was in poor English. I ignored it and everything kept running OK to the end.

Here is the Active Scan log (which threw up a couple of infections that look significant aside from the usual tracking cookies):

;*******************************************************************************
ANALYSIS: 2008-05-15 18:04:29
PROTECTIONS: 1
MALWARE: 21
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Norton AntiVirus 2005 2005 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@trafficmp[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@atdmt[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@tribalfusion[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@com[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@yadro[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@xiti[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@ad.yieldmanager[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@bs.serving-sys[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@server.iad.liveperson[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@advertising[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@overture[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Sarah\Cookies\sarah@overture[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@questionmarket[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@adultfriendfinder[1].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{82CA51DE-1CBC-4EE0-968D-B843BDD449B5}\RP5\A0001598.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{82CA51DE-1CBC-4EE0-968D-B843BDD449B5}\RP2\A0000008.sys
02915475 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\.8CFE9A0B\8CFE9A0B.CORE.DLL
;===============================================================================
SUSPECTS
Sent Location 4
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description 4
;===============================================================================
182048 HIGH MS07-069 4
;===============================================================================

#3
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,579 posts
  • Gender:Male
  • Location:US
Hello Dutchroll and Welcome to Malwarebytes

Well it looks like you "may" have followed the directions here: Pre-HJT Post Instructions, Please follow these instructions prior to posting a HJT log, but you didn't say if you've run the Spybot Search & Destroy and allowed it to remove items found.
Don't forget to update all Scanners before scanning.


Let me review your logs and information and I'll get back to you as it's quite late right now.
Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#4
dutchroll

    New Member

  • Members
  • 27 posts
Yep, done all that.

You'll note in the logs I posted that Adaware and Spybot both rate a mention. I run them frequently.

Have read and followed to the letter all the instructions in your preamble posts. If I missed anything, it wasn't for lack of trying.

#5
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,579 posts
  • Gender:Male
  • Location:US
First - disable the Spybot Search & Destroy Tea Timer if it's running as it will interfere with some fixes.

Instructions on how to disable the Spybot Search & Destroy Tea Timer
Disable Spybot Search & Destroy's TEA TIMER:
    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.
Please run the following tasks.
Follow these instructions carefully.
  • Download ATF-Cleaner from Snapfiles.com to remove unneeded temporary files from your computer that may contain malware.
  • You can also download it from Majorgeeks.com
  • When you run ATF-Cleaner, check the items as shown below for Main.
  • For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox
  • NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored
  • Then click on "Empty Selected".
(Screenshots of the ATF-Cleaner Main and FireFox tabs were attached here; they are not reproduced.)

Go into your Control Panel - Add/Remove and uninstall the following applications - you can get updates later on.
All Java versions, All Flash versions, All Shockwave versions, All QuickTime versions, Adobe Acrobat READER
Many of these programs have been recently updated to correct holes that have been found in the programs which help facilitate malware being installed onto your system. Updating to the most recent versions will help to alleviate this method of entry.
Unless you need the functionality of Adobe Reader 6, this program is now at version 8.12.

Start HiJackThis and do a Scan Only and place a check mark in the following items

  • O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
  • O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
  • O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
  • O4 - Global Startup: Start OpdiTracker.lnk = D:\Opdicom\OpdiTracker\OptT3STA.exe
  • This item, Aventail Installer, could be legit or not; it depends on whether you installed it or someone else did without your knowledge, so you decide.
  • O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas....stauthI/epi.cab
  • O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.ma...t/ultrashim.cab
  • O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/armhelper.ocx
  • O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
  • Put a check in ALL the O18 entries - this is for your Logitech updates but in my opinion you'd be better off manually checking on updates instead of using this method.
  • You can read up more about it here: What is backweb-8876480.exe
  • Then click on "Fix selected".
Reset IE to defaults
  • Start Internet Explorer - Tools, Internet Options, Advanced and select Reset... to reset all values back to their defaults
  • Then start IE and select to keep the current settings.
  • Quit and relaunch IE and make sure it goes to the default MSN page
  • Quit IE
Run an Online scan with NOD32
  • Run an online scan with ESET from Free Virus Scan: Use ESET's Online Antivirus Scanner
    • You must use Internet Explorer for this online scan. FireFox, Opera, etc will not work for this scan.

    • Accept the terms and click "Start".

    • Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".

    • Click "Start" to begin the scan.

    • When completed restart your computer

Software Updates
Here are links to get the latest versions of the software that you removed once we're all done scanning your system.
Don't reinstall them just yet.
Once the above has been completed, run Malwarebytes, go to the Update tab and update it, and do a Quick Scan.
Then do a HJT scan only and post back that log and the MB log.



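An added example, not from this thread and not part of HijackThis or Malwarebytes: a small Python triage script for the HJT log format posted above. It pulls out the kinds of entries AdvancedSetup asks to have fixed (BHOs whose file is missing, unresolved Global Startup shortcuts, O16 DPF controls from hosts outside an allow-list, and O18 protocol handlers grouped by their DLL so one component registering a run of schemes stands out). The sample log, its paths and URLs (including the EXAMPLE-PATH one) are constructed, and the allow-list of hosts is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.97 log format. The entry shapes mirror
# the ones discussed in the thread (a BHO whose file is missing, an unresolved
# Global Startup .lnk, O16 DPF controls, the Logitech/BackWeb O18 handlers), but
# paths and URLs are shortened or made up, so every value here is illustrative.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 3:40:11 PM, on 15/05/2008

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example.invalid/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/EXAMPLE-PATH/wuweb.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape/Images/armhelper.ocx
O18 - Protocol: bwh0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
"""

# Every HJT finding starts with a section code (R0, O2, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*\S)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = " (file missing)"

def parse_hjt(text):
    """Turn an HJT log into entries: section kind, raw body, CLSID (if any), the
    target path/URL (last ' - ' field) and whether HJT flagged the file as
    missing. Header lines and the running-process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        target = body.rsplit(" - ", 1)[-1].replace(MISSING, "")
        entries.append({
            "kind": m.group("kind"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "target": target,
            "file_missing": body.endswith(MISSING),
        })
    return entries

def missing_file_entries(entries):
    """Registrations (BHOs, toolbars) whose DLL is gone: dead weight, and a
    dangling CLSID that would load whatever DLL later appears at that path."""
    return [e for e in entries if e["file_missing"]]

def unresolved_startup_links(entries):
    """O4 Global Startup shortcuts HJT could not resolve ('.lnk = ?')."""
    return [e["body"] for e in entries
            if e["kind"] == "O4" and e["body"].endswith(" = ?")]

def protocol_handlers_by_dll(entries):
    """Group O18 protocol handlers by implementing DLL: one DLL registering a
    long run of schemes (the bw*0/bw*0s handlers in the thread) becomes a single
    key with many schemes instead of dozens of look-alike lines."""
    groups = defaultdict(list)
    for e in entries:
        if e["kind"] == "O18":
            scheme = e["body"].split(" - ", 1)[0].replace("Protocol: ", "", 1)
            groups[e["target"].lower()].append(scheme)
    return dict(groups)

def dpf_from_unexpected_origin(entries, trusted_hosts):
    """O16 DPF (downloaded ActiveX) controls whose origin host is not on the
    allow-list. file:// origins are always flagged: that is how a game's helper
    OCX on the local disk ended up as a DPF entry in the thread's log."""
    flagged = []
    for e in entries:
        if e["kind"] != "O16":
            continue
        url = e["target"]
        host = (urlparse(url).hostname or "").lower()
        if url.lower().startswith("file:") or host not in trusted_hosts:
            flagged.append(url)
    return flagged

def triage(text, trusted_hosts):
    """Run every check over one log and return the findings keyed by check."""
    entries = parse_hjt(text)
    return {
        "missing_file": [e["body"] for e in missing_file_entries(entries)],
        "unresolved_lnk": unresolved_startup_links(entries),
        "o18_by_dll": protocol_handlers_by_dll(entries),
        "dpf_unexpected": dpf_from_unexpected_origin(entries, trusted_hosts),
    }

if __name__ == "__main__":
    # Assumed allow-list: the update host the thread treats as expected.
    for check, result in triage(SAMPLE_LOG, {"www.update.microsoft.com"}).items():
        print(f"{check}: {result}")
```

Run it against a real HJT log by reading the file into `triage()` in place of SAMPLE_LOG; the O18 grouping is the quickest way to see whether the dozens of `bw*0` lines in the first post all point at one DLL.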

#6
dutchroll

    New Member

  • Members
  • 27 posts
OK,

Firstly: Thank you very much for your time AdvancedSetup. It really is appreciated.

Secondly: I've followed the instructions, and here's the latest info:

Extra Info which may or may not be helpful:

1. The situation on this PC has deteriorated to the point where most stuff has to be done in "Safe Mode". It is not particularly stable upon normal bootup, and the malware has slowed it down to a very slow crawl in the last 48 hrs, with continuous HD read/write activity and CPU usage. The problem I've found with "Safe Mode" of course is that there are restrictions on what I can achieve and so occasionally I've had to reboot normally and just wear the pain (to uninstall software, etc).

2. Booting into normal mode always throws up a "Trojan.Vundo" detection by Norton which cannot be fixed and remains on the screen until reboot into "Safe Mode".

3. Booting into "Safe Mode" fixes the system slowdown problem and para 2 above, but nothing else.

4. The fake "Windows Security Centre" with its display of "UltimateFixer", "SystemDefender" and "SysCleaner" always appears upon initial loading of the desktop, no matter what mode I'm in.

Info directly related to your instructions:

OK, did everything IAW the instructions except:

1. A personal mistake - I selected "All" with the ATF Cleaner. C'est la vie. I didn't need the cookies, recycle bin, etc anyway.

2. I did not uninstall Adobe Acrobat because I have the full version of Acrobat 7.0 (and no other versions of anything to do with Acrobat that I can find), which I need for work.

3. I did not check the O16 Aventail Installer entry in the hijackthis log (again as you alluded to) because this is a SecureID token I need for remote access to the Qantas Airlines server (who I work for).

4. No matter what mode, and how many times I tried, none of the O18 entries could be deleted.

5. The ESET scanner detected several infections, all related to Java, but could only fix one of them. I tried to copy the scanner results but only got the gibberish in the headers etc without the guts of the messages. Sorry, probably a copy/paste screwup on my part.

Here are the new logs (BTW, the malware problem still remains - pesky critter eh!)

Logfile of HijackThis v1.97.7
Scan saved at 6:26:45 PM, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Computer\Internet Utility\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O9 - Extra button: Send to OneNote (HKLM)
O9 - Extra 'Tools' menuitem: S&end to OneNote (HKLM)
O9 - Extra button: Skype (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - https://qvpn.qantas....stauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O18 - Protocol: bwh0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: offline-8876480 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:

Malwarebytes' Anti-Malware 1.12
Database version: 755

Scan type: Quick Scan
Objects scanned: 39305
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,579 posts
  • Gender:Male
  • Location:US
Yes, sometimes malware can be quite difficult to remove, but with patience we should be able to get you cleaned up.


Download this program and run it. RogueRemover FREE

Go into the Control Panel - Add/Remove and remove these items.
Uninstall Spybot Search & Destroy (or similar name) - this item below does not look like the correct one.
Uninstall the Logitech Desktop Messenger only, not the other Logitech items. This should remove the O18 items.

Then go download and install this version and update it (do not enable the Tea Timer)
Spybot Search and Destroy 1.5.2.20
Then run a scan with it and allow it to repair any items it finds.

Start HJT and do a Scan Only
Put a check mark on these items
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Then click on Fix selected

Then try to do an online PANDA Scan
Panda ActiveScan

I will have to check with one of the updaters to see why MB is missing one of the items.

Let me know if Spybot or MB or Panda run into any errors or what it finds.

After all scanning and reboot please run a new HJT scan and post that log.
If you're still having issues then we'll need to possibly run some other tools for cleanup.

Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
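The HJT triage AdvancedSetup does by hand above (blank R0/R1 values to fix, a long run of O18 protocol names all pointing at one DLL, a Run entry that should be disabled) is easy to automate for a first pass. The following is an added example, not code from the thread or from the HijackThis project: a small parser over the `Rn`/`On` entry lines of an HJT log, run here over a constructed sample made of lines copied from the logs in this thread (the O20 line comes from the DSS-embedded log further down). The "random-looking name" rule for O20 Winlogon Notify DLLs (eight lowercase letters) is a heuristic assumption of this example, not something the page states.

```python
import re
from collections import defaultdict

# Constructed sample input: entry lines copied from the HijackThis logs
# posted in this thread, plus the O20 line from the DSS-embedded HJT log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:26:45 PM, on 16/05/2008

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O18 - Protocol: bwh0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: sgkwdelo - C:\WINDOWS\SYSTEM32\sgkwdelo.dll
"""

# Every HJT entry line starts with a section code (R0, R1, O2, O4, O18, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
PROTOCOL_RE = re.compile(r"Protocol: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
WINLOGON_RE = re.compile(r"Winlogon Notify: (\S+) - (.+)$")
# Heuristic (assumption of this example): an 8-letter all-lowercase name looks machine-generated.
RANDOM_NAME_RE = re.compile(r"[a-z]{8}")


def parse_hjt(text):
    """Return (section, body) tuples for each entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_empty_ie_settings(entries):
    """R0/R1 lines whose value after '=' is blank (the ones ticked for 'Fix selected' above)."""
    return [body for sec, body in entries if sec in ("R0", "R1") and body.endswith("=")]


def find_shared_protocol_dlls(entries, min_names=2):
    """O18 handlers grouped by DLL: many protocol names registered to one DLL stand out."""
    groups = defaultdict(list)
    for sec, body in entries:
        if sec != "O18":
            continue
        m = PROTOCOL_RE.match(body)
        if m:
            name, _clsid, dll = m.groups()
            groups[dll].append(name)
    return {dll: names for dll, names in groups.items() if len(names) >= min_names}


def find_run_entries(entries, wanted):
    """O4 Run entries whose [name] is in `wanted`, e.g. the TeaTimer entry the helper asked to disable."""
    found = {}
    wanted_lower = {w.lower() for w in wanted}
    for sec, body in entries:
        if sec != "O4":
            continue
        m = RUN_RE.match(body)
        if m and m.group(2).lower() in wanted_lower:
            found[m.group(2)] = (m.group(1), m.group(3))
    return found


def find_winlogon_notify(entries):
    """O20 Winlogon Notify DLLs as (name, path, looks_random) tuples."""
    out = []
    for sec, body in entries:
        if sec != "O20":
            continue
        m = WINLOGON_RE.match(body)
        if m:
            name, path = m.groups()
            out.append((name, path, RANDOM_NAME_RE.fullmatch(name) is not None))
    return out


def triage(text, run_names=("SpybotSD TeaTimer",)):
    """Run all checks over one HJT log and return a dict a helper can eyeball."""
    entries = parse_hjt(text)
    return {
        "empty_ie_settings": find_empty_ie_settings(entries),
        "shared_protocol_dlls": find_shared_protocol_dlls(entries),
        "run_entries": find_run_entries(entries, run_names),
        "winlogon_notify": find_winlogon_notify(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it over the constructed sample reports the two blank R0 values, the two Logitech protocol names sharing BWPlugProtocol-8876480.dll, the TeaTimer Run entry under HKCU, and the sgkwdelo.dll Winlogon Notify entry flagged by the name heuristic; none of this replaces a human reading the log, but it turns a 100-line paste into a short list of things worth asking about.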

#8
dutchroll

    New Member

  • Members
  • 27 posts
Sorry about the obvious time zone diff here. Alrighty, here's the latest (run to your instructions):

1. RogueRemover, with the latest update just now, found nothing.

2. There were 2 Spybot S&D entries in the Add/Remove programs and I uninstalled both of them, then installed and ran the latest version, 1.5.2.20. Nothing was detected.

3. Malwarebytes detected nothing.

4. Removing the Logitech Desktop Messenger fixed all of the O18 problems in Hijackthis.

5. Panda again ended up detecting several items, but threw up a "system rebooting" (or words to that effect) screen which actually did result in an uncontrollable reboot half-way through the scan. So once again unfortunately I couldn't get any useful info from Panda.

Here's the latest Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 9:42:01 PM, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Computer\Internet Utility\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O9 - Extra button: Send to OneNote (HKLM)
O9 - Extra 'Tools' menuitem: S&end to OneNote (HKLM)
O9 - Extra button: Skype (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - https://qvpn.qantas....stauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640

#9
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,579 posts
  • Gender:Male
  • Location:US
Yes, different time zones - sorry about that.

So both PANDA and NOD32 online scans crash before they can complete?
Maybe you can try this one: Kaspersky Lab Free Virus Scan

Please notice here that Tea Timer is running and needs to be disabled for now. It can be restarted later on.
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Instructions on how to disable the Spybot Search & Destroy Tea Timer
Disable Spybot Search & Destroy's TEA TIMER:
    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.
Also, you have an old version of HJT (don't think it is a real issue, but better to remove that version and install an updated one).
Your current HJT version is 1.97.7; the latest is 2.0.2.
Please go here and get an updated version and install it AFTER removing the old version
Download TrendSecure TrendMicro HijackThis

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
Ron Lewis
Manager, Online Support


#10
dutchroll

    New Member

  • Members
  • 27 posts
OK AdvancedSetup, thanks for bearing with me - getting anything to run on this machine has been quite time-consuming!

Fixed the tea-timer issue. Forgot to uncheck it at the previous step above when I uninstalled & re-installed Spybot.

Kaspersky scan crashed like the others, causing a system shutdown. In either normal or safe mode the machine seems to invariably want to shut down and reboot at some point. On several occasions where I've left it unattended with no programs running, I've come back to find it rebooted.

I decided to try another Panda scan and this ran almost to the end before crashing. Fortunately I was in attendance throughout, and managed to quickly cancel the scan and save the logfile while the system was going through its shutdown with about 3 seconds to spare. There had been no further detections since it finished on the C drive about 20% through.

You'll notice more stuff in the hijackthis (latest version now BTW). Obviously due to running DSS in normal rather than Safe Mode (which it told me it didn't like). A lot of the other stuff I've done has been in Safe Mode where possible due to the system stability problems I'm getting. The malware is still quite active in Safe Mode, but I don't get the continuous HDD activity and severe resource-hogging which makes things much easier to do.

Here are the relevant logs:

Pandascan:
;*******************************************************************************
ANALYSIS: 2008-05-17 12:18:00
PROTECTIONS: 1
MALWARE: 9
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Norton AntiVirus 2005 2005 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
00187949 Cookie/adstat TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@adstat.4u[1].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{82CA51DE-1CBC-4EE0-968D-B843BDD449B5}\RP5\A0001598.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{82CA51DE-1CBC-4EE0-968D-B843BDD449B5}\RP2\A0000008.sys
02915475 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\.8CFE9A0B\8CFE9A0B.CORE.DLL
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
182048 HIGH MS07-069
;===============================================================================

DSS Main

Deckard's System Scanner v20071014.68
Run by Mike&Sarah on 2008-05-17 12:26:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2008-05-17 02:26:49 UTC - RP23 - Deckard's System Scanner Restore Point
22: 2008-05-16 12:29:58 UTC - RP22 - Software Distribution Service 3.0
21: 2008-05-16 10:20:42 UTC - RP21 - Configured QuickTime
20: 2008-05-16 05:28:03 UTC - RP20 - Removed J2SE Runtime Environment 5.0 Update 6
19: 2008-05-16 05:26:36 UTC - RP19 - Removed Adobe Flash Player 9 ActiveX


-- First Restore Point --
1: 2008-04-24 04:41:54 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:15 PM, on 17/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Norton AntiVirus\navapsvc.exe
D:\Norton AntiVirus\IWP\NPFMntor.exe
D:\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
D:\Computer\Mike&Sarah.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas....stauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: sgkwdelo - C:\WINDOWS\SYSTEM32\sgkwdelo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11502 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 WmBEnum (Logitech Virtual Bus Enumerator Driver) - c:\windows\system32\drivers\wmbenum.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>
R3 WmXlCore (Logitech WingMan Translation Layer Driver) - c:\windows\system32\drivers\wmxlcore.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>
R3 yukonwxp (NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller) - c:\windows\system32\drivers\yk51x86.sys <Not Verified; Marvell; Marvell Yukon Ethernet Controller>

S2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
S3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - c:\windows\system32\drivers\alcxwdm.sys (file missing)
S3 ausbmon (Advanced USB Port Monitor Filter Driver) - c:\windows\system32\ausbmon.sys (file missing)
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
S3 hap17v2k (Creative P17V HAL Driver) - c:\windows\system32\drivers\hap17v2k.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20070628.004\symidsco.sys (file missing)
S3 WmFilter (Logitech WingMan HID Filter Driver) - c:\windows\system32\drivers\wmfilter.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>
S3 WmHidLo (Logitech WingMan USB Filter Driver) - c:\windows\system32\drivers\wmhidlo.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 NTService1 (MaxSyncService) - d:\maxtor\onetouch\utils\syncservices.exe <Not Verified; ; SyncServices>

S2 MaxBackServiceInt - "d:\maxtor\maxtor backup\maxbackserviceint.exe" <Not Verified; ; MaxBackServiceInt Module>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - d:\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-17 12:25:21 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-17 00:43:28 268 --a------ C:\WINDOWS\Tasks\Windows Update.job
2008-01-18 19:01:57 522 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Mike&Sarah.job


-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-17 10:38:04 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:38:04 0 d-------- C:\Program Files\Interapple
2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 10:22:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 22:38:03 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent
2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21:52 0 d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-15 11:03:11 249856 --a------ C:\WINDOWS\system32\sgkwdelo.dll
2008-05-13 16:40:19 0 d-------- C:\Program Files\RogueRemover FREE
2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>
2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>
2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL
2008-04-29 17:19:05 0 d-------- C:\acrsk
2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media
2008-04-25 08:23:30 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-24 16:34:20 0 d-------- C:\cmdcons
2008-04-24 15:24:47 0 d-------- C:\Program Files\Windows Defender
2008-04-24 15:21:11 0 d-------- C:\Program Files\Panda Security
2008-04-24 14:49:23 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-24 14:41:36 68096 --a------ C:\WINDOWS\zip.exe
2008-04-24 14:41:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-24 14:41:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-24 14:41:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-24 14:41:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-24 14:41:36 98816 --a------ C:\WINDOWS\sed.exe
2008-04-24 14:41:36 80412 --a------ C:\WINDOWS\grep.exe
2008-04-24 14:41:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 14:11:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:52:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-05-17 12:23:53 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech
2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime
2008-05-16 15:30:13 0 d-------- C:\Program Files\Common Files
2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia
2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia
2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml
2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real
2008-04-17 10:17:02 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon
2008-04-10 12:07:31 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe
2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest
2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2
2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared
2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley
2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini
2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader
2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 11:52:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype
2008-03-31 15:48:12 278 --a------ C:\053347d72ebcd5e.dat
2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX
2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc
2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild
2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET
2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-03-21 11:49:08 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Autodesk
2008-03-02 07:34:23 0 --a------ C:\Program Files\temp01


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/01/2007 05:32 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - E:\Palm\Hotsync.exe [9/06/2004 2:27:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoUserNameInStartMenu"=01000000
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sgkwdelo]
sgkwdelo.dll 15/05/2008 11:03 AM 249856 C:\WINDOWS\system32\sgkwdelo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
AutoRun\command- H:\InstallTomTomHOME.exe




-- End of Deckard's System Scanner: finished at 2008-05-17 12:32:49 ------------

DSS Extra

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6600 @ 2.40GHz
CPU 1: Intel® Core™2 CPU 6600 @ 2.40GHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 2046.41 MiB / 1467.59 MiB
Pagefile Memory (total/avail): 3939.59 MiB / 3527.08 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1903.1 MiB

C: is Fixed (NTFS) - 16.7 GiB total, 3.47 GiB free.
D: is Fixed (NTFS) - 24.31 GiB total, 12.3 GiB free.
E: is Fixed (NTFS) - 27.35 GiB total, 20.15 GiB free.
F: is Fixed (NTFS) - 43.43 GiB total, 3.53 GiB free.
G: is CDROM (No Media)
H: is Fixed (NTFS) - 112.74 GiB total, 110.67 GiB free.
J: is Fixed (NTFS) - 107.22 GiB total, 107.16 GiB free.
M: is Fixed (NTFS) - 78.13 GiB total, 45.3 GiB free.

\\.\PHYSICALDRIVE0 - ST3120026AS - 111.79 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 16.7 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 95.09 GiB - D: - E: - F:

\\.\PHYSICALDRIVE1 - WDC WD3200JS-00PDB0 - 298.09 GiB - 3 partitions
\PARTITION0 - Installable File System - 78.13 GiB - M:
\PARTITION1 - Installable File System - 112.74 GiB - H:
\PARTITION2 - Installable File System - 107.22 GiB - J:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: Norton Internet Worm Protection v2005 (Symantec)
AV: Norton AntiVirus 2005 v2005 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"E:\\tomtom home\\TomTomHOME.exe"="E:\\tomtom home\\TomTomHOME.exe:*:Enabled:TomTomHOME"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"="F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD:*:Disabled:Age of Empires II Expansion"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"="D:\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"D:\\Microsoft Office\\Office12\\GROOVE.EXE"="D:\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"="D:\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mike&Sarah\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MIKE-SARAH
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mike&Sarah
LOGONSERVER=\\MIKE-SARAH
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp
USERDOMAIN=MIKE-SARAH
USERNAME=Mike&Sarah
USERPROFILE=C:\Documents and Settings\Mike&Sarah
windir=C:\WINDOWS
XPCDrive=G:\
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Mike&Sarah (admin)
Sarah (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type30747 / Error
Event Submitted/Written: 05/17/2008 00:26:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application CCAPP.EXE, version 103.0.9.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type30732 / Warning
Event Submitted/Written: 05/17/2008 11:02:31 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type30731 / Warning
Event Submitted/Written: 05/17/2008 11:02:31 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{5783F2D7-6001-0409-0002-0060B0CE6BBA}', feature 'MS_Core' failed during request for component '{FC3E0B6E-F62B-11D1-B144-00C04F990B2B}'

Event Record #/Type30730 / Warning
Event Submitted/Written: 05/17/2008 11:02:31 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{5783F2D7-6001-0409-0002-0060B0CE6BBA}', feature 'P', component '{3C13777B-241D-1048-3CB6-C63AF9512C47}' failed. The resource 'HKEY_CURRENT_USER\Software\Autodesk\MC3\MC3OptIn' does not exist.

Event Record #/Type30725 / Warning
Event Submitted/Written: 05/17/2008 10:49:30 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24798 / Warning
Event Submitted/Written: 05/17/2008 00:30:31 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {79061E5F-E75F-44EC-8826-85DE4A3C458F}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02

Event Record #/Type24797 / Warning
Event Submitted/Written: 05/17/2008 00:30:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {3FD07953-8462-4C97-93A5-48444B2B58EE}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02

Event Record #/Type24796 / Warning
Event Submitted/Written: 05/17/2008 00:30:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {FD952A4E-6E83-42FD-82D5-CBA36BAF45C8}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02

Event Record #/Type24795 / Warning
Event Submitted/Written: 05/17/2008 00:30:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {99124C5A-94FD-4C06-8C4A-9FF0314E9142}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02

Event Record #/Type24794 / Warning
Event Submitted/Written: 05/17/2008 00:30:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {57A32D62-64C2-495D-9706-CC2481040628}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-05-17 12:32:49 ------------

#11
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,579 posts
  • Gender:Male
  • Location:US
What version of Norton Antivirus are you running? Do you have the installation key and media to re-install it if we remove it?
If so, I was thinking of uninstalling Norton AV, downloading a demo of NOD32 locally and installing that.
Then do a scan on your system with it.

It looks like you may have something hiding from the scan tools and we may need to run some different tools to locate this infection.

Start MB and go to the MORE TOOLS tab and launch FileAssassin and browse and find this file: C:\WINDOWS\SYSTEM32\sgkwdelo.dll and remove it.

Then run HJT and put a check mark on this:
O20 - Winlogon Notify: sgkwdelo - C:\WINDOWS\SYSTEM32\sgkwdelo.dll
Then select "Fix selected" and remove the entry.

I will have to review some dedicated tools and see which one we should run on your system to try and catch this.

If you can remove Norton and download this 30-day trial to run, that would be good.
Here is a removal tool if it gives you problems removing it.
Download and run the Norton Removal Tool

NOD32 Antivirus 30 Day Trial

Delete the current ComboFix you have on your system and download a new version and run that as well.
how-to-use-combofix


Then post back the ComboFix log and a new HJT log, let me know what NOD32 finds if you can run it locally.

Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
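The O20 line above is a Winlogon Notify package: a DLL registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify is loaded into winlogon.exe at logon, so it comes back on every boot and is in use while the desktop is up, which is why a locked-file deleter such as FileAssassin is suggested before the HJT fix. As an added example (not part of the original post, and not code from HijackThis or Malwarebytes), the Python script below triages the O4 (Run key) and O20 (Winlogon Notify) lines of an HJT log: it flags any Notify package outside a stock Windows XP baseline and any Run-key entry whose executable or DLL name looks machine-generated, as sgkwdelo.dll does. The sample log, the baseline allow-list and the name heuristic are constructed for this example; the one O20 line copied from the thread is the only entry taken from the poster's log.

```python
"""Triage HijackThis O4 (Run key) and O20 (Winlogon Notify) lines.

Added example for this thread, not part of the original post or of the
HijackThis/Malwarebytes tools. The allow-list and the name heuristic are
assumptions made for the example; tune them against your own baseline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log (not the poster's full log): the sgkwdelo O20 line is
# the one quoted in the thread, the others are typical benign entries plus one
# made-up Vundo-style O4 entry so the heuristic has something to catch.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [xqmzbvgt] rundll32.exe C:\WINDOWS\system32\xqmzbvgt.dll,a
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: sgkwdelo - C:\WINDOWS\SYSTEM32\sgkwdelo.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Winlogon Notify subkeys present on a stock Windows XP SP2 install, plus
# WgaLogon (Windows Genuine Advantage). Assumption for this example: anything
# else is worth a look, because legitimate additions are rare.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
FILE_TOKEN = re.compile(r"([A-Za-z0-9_\-]+)\.(?:exe|dll)\b", re.IGNORECASE)
VOWELS = set("aeiouy")


def looks_generated(stem: str) -> bool:
    """Coarse test for Vundo-style random names (e.g. sgkwdelo): a single
    all-lowercase alphabetic token of 6-12 letters with no vowel at all, or
    with a run of five or more consonants. Ordinary names like ctfmon pass."""
    if not (6 <= len(stem) <= 12 and stem.isalpha() and stem.islower()):
        return False
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    has_vowel = any(ch in VOWELS for ch in stem)
    return longest >= 5 or not has_vowel


@dataclass
class Finding:
    kind: str    # "O20" or "O4"
    name: str    # HJT entry name
    target: str  # DLL path or full command line
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the autostart entries in an HJT log that deserve a closer look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = O20_LINE.match(line)
        if m:
            if m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding("O20", m["name"], m["path"],
                                        "Winlogon Notify package not in the XP baseline"))
            continue
        m = O4_LINE.match(line)
        if m:
            # Check every exe/dll named in the command, so a rundll32 loader is
            # judged by the DLL it loads rather than by rundll32 itself.
            for stem in FILE_TOKEN.findall(m["cmd"]):
                if looks_generated(stem):
                    findings.append(Finding("O4", m["name"], m["cmd"],
                                            f"machine-looking file name '{stem}'"))
                    break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.kind:>3}  {f.name:<14} {f.reason}\n     {f.target}")
```

The allow-list does the real work; the name heuristic is only a tie-breaker for Run-key entries, and a real triage would also compare each flagged path against the files ComboFix or catchme reports as hidden. Anything the script flags is a candidate for the FileAssassin-then-HJT sequence described above, not an automatic removal.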

#12
dutchroll

    New Member

  • Members
  • 27 posts
Norton Antivirus 2007. Re-installation is no problem - I have the CD.

So, yes I can remove Norton completely. I've done this before and I know it's a bit tedious due to the places that Symantec puts various components. I'll start working on that now along with the other suggestions. It certainly does look like this one is escaping all the conventional tools.

Combofix & HJT logs will follow when I'm done, hopefully in an hour or 2.

I'll be going away on business for 4 days tomorrow afternoon - about 20hrs from now. So if we're still stuck then, there'll be a short break before I can do anything. At least the Notebook is fine!

#13
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,579 posts
  • Gender:Male
  • Location:US
Okay, thanks for the update. I'll be going to bed soon and my wife has cleanup duties for me tomorrow B)

Will see what you post and do follow-up research for what we can do to get this detected and cleaned up.

You can also try SDFix if ComboFix does not find or correct it either.
How to use SDFix

Will check back on you in the morning if I can.
Ron Lewis
Manager, Online Support


#14
dutchroll

    New Member

  • Members
  • 27 posts
OK, we're getting somewhere now!

Deletion of the C:\WINDOWS\SYSTEM32\sgkwdelo.dll file has for the first time prevented the fake "Windows Security Centre" loading upon startup. I've just restarted into normal mode to begin the uninstallation of NAV. The system is still extremely sluggish (an understatement btw - it's almost unusable in normal mode) with lots of HDD activity, so obviously we have a way to go.

Now if I can just manage to steal some CPU cycles and HDD time from this thing, I might be able to get NAV uninstalled.

#15
dutchroll

    New Member

  • Members
  • 27 posts
Alright, we've really made substantial progress now:

As noted above, the deletion of the offending .dll file prevented the fake Windows Security Centre starting up in the system tray. This also had the effect of preventing the random virus/security popups and ads.

Upon rebooting into normal mode however, the computer was still hamstrung in CPU time and HDD activity, so I couldn't do anything much at all. The unfixable Norton detection of Trojan.Vundo was still popping up too.

I tried one more reboot into normal mode, upon which I started control panel immediately (while other stuff was still loading) and managed to start the Norton removal. This had the almost immediate effect of fixing the system resources problem and the computer was running normally. I notice that the MaxBackServiceInt.exe process is still hogging 50% of CPU time at idle. Not sure whether that means anything in particular.

NOD32 Antivirus

Downloaded and ran no problem, but didn't detect anything at all (latest update too).

Combofix

Got the latest version and ran that. It ran fine, and the log is below. Dunno whether it has actually fixed anything.

Did another reboot into normal mode and the computer at least seems to be running fine now in a normal useable state. I'm not sure whether anything has actually found the root cause yet though. I haven't yet run SDFix but will do so if you want me to after looking at the logs.

COMBOFIX LOG

ComboFix 08-05-15.3 - Mike&Sarah 2008-05-17 18:49:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1363 [GMT 10:00]
Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe
* Created a new restore point
.
Error: Cfiles.dat
Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 18:31 . 2008-05-17 18:31 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 12:21 . 2008-05-17 12:21 <DIR> d-------- C:\Deckard
2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple
2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-16 15:00 . 2008-05-17 18:48 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.dat.LOG
2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media
2008-04-24 15:24 . 2008-04-24 15:24 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-24 15:21 . 2008-04-24 15:23 <DIR> d-------- C:\Program Files\Panda Security
2008-04-24 14:11 . 2008-04-24 14:11 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 14:11 . 2008-04-24 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:52 . 2008-04-24 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 12:51 . 2008-04-24 12:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 12:04 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-24 12:04 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 08:13 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech
2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime
2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-06 00:52 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-05-06 00:52 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-16 04:18 --------- d-----w C:\Program Files\Canon
2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest
2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2
2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley
2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley
2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader
2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype
2008-03-31 05:48 278 ----a-w C:\053347d72ebcd5e.dat
2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX
2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared
2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc
2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild
2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works
2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 00:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-21 01:49 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Autodesk
2008-03-21 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 21:34 0 ----a-w C:\Program Files\temp01
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_16.40.49.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 06:21:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 08:00:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-09-06 08:03:02 4,280,176 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\WRD12CNV.DLL
+ 2007-08-28 14:07:58 24,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\WRD12EXE.EXE
+ 2007-08-28 12:38:10 500,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\MORPH9.DLL
+ 2007-08-28 12:38:46 9,584,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\MSPUB.EXE
+ 2007-08-23 16:43:28 138,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\PRTF9.DLL
+ 2007-08-28 12:39:14 625,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\PTXT9.DLL
+ 2007-08-23 16:43:36 593,296 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\PUBCONV.DLL
+ 2007-08-28 12:16:00 350,064 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WINWORD.EXE
+ 2007-09-06 07:03:02 4,280,176 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WRD12CNV.DLL
+ 2007-08-28 13:07:58 24,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WRD12EXE.EXE
+ 2007-09-06 06:56:32 17,490,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WWLIB.DLL
+ 2008-04-28 23:05:46 97,566 ----a-r C:\WINDOWS\Installer\{11F66E7E-4865-4070-B289-A0DB052979E1}\ARPPRODUCTICON.exe
+ 2008-04-28 23:05:46 139,264 ----a-r C:\WINDOWS\Installer\{11F66E7E-4865-4070-B289-A0DB052979E1}\NewShortcut1_9ED656646A58425EA489DD37B45C784C.exe
+ 2008-04-28 23:05:46 97,566 ----a-r C:\WINDOWS\Installer\{11F66E7E-4865-4070-B289-A0DB052979E1}\NewShortcut2_5DA3E6B2BEC143748E1D1FBBA4DD86C3.exe
+ 2008-05-17 08:31:14 10,134 ----a-r C:\WINDOWS\Installer\{86A6E235-C08F-4A14-B14C-793C7D8844A0}\callmsi.exe
+ 2008-05-17 08:31:14 136,448 ----a-r C:\WINDOWS\Installer\{86A6E235-C08F-4A14-B14C-793C7D8844A0}\egui.exe
- 2008-04-16 15:03:09 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-05-14 11:57:14 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-04-16 15:04:57 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-05-14 11:59:10 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-04-16 15:04:58 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-14 11:59:10 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-16 15:04:58 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-05-14 11:59:10 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-04-16 15:04:58 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-05-14 11:59:10 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-16 15:04:58 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-14 11:59:10 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-16 15:04:58 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-05-14 11:59:10 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-16 15:04:58 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-14 11:59:11 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-16 15:04:58 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-05-14 11:59:10 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-04-16 15:04:58 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-05-14 11:59:10 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-16 15:04:58 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-05-14 11:59:10 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-04-16 15:04:58 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-14 11:59:10 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-16 15:04:58 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-14 11:59:10 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-03-25 04:50:25 554,008 -c----w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:28 518,944 -c----w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:30 326,432 -c----w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:34 1,516,568 -c----w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:40 355,112 -c----w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-27 08:12:54 151,583 -c----w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-25 04:50:42 60,192 -c----w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 248,608 -c----w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:44 219,936 -c----w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:45 355,104 -c----w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:47 432,928 -c----w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:49 322,336 -c----w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:52 559,904 -c----w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:55 264,992 -c----w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:57 838,432 -c----w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:58 621,344 -c----w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 355,104 -c----w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-13 06:43:42 40,456 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
+ 2008-03-13 06:44:36 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
+ 2008-03-13 06:52:18 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
+ 2005-05-24 02:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 05:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 05:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-07-27 04:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 04:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 09:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 02:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
- 2008-04-05 12:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
- 2004-08-03 14:56:44 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-03 14:56:44 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2004-08-03 14:56:44 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-07-17 01:34:48 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-03 14:56:44 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-03 14:56:44 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-03 14:56:44 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-03 14:56:44 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2004-08-03 14:56:44 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-03 14:56:44 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-03 14:56:44 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-03 14:56:44 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2004-08-03 14:56:46 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-03 14:56:46 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-03 14:56:46 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-02-10 23:39:26 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2008-02-10 23:39:18 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2008-02-08 03:53:46 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2008-02-04 22:48:04 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2008-04-24 06:26:13 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-17 08:04:59 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-24 06:26:13 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-17 08:04:59 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 1996-07-28 18:55:00 250,880 ----a-w C:\WINDOWS\system32\TX32.DLL
+ 1996-07-22 15:21:00 64,000 ----a-w C:\WINDOWS\system32\TXTLS32.DLL
+ 1996-07-23 15:10:00 45,568 ----a-w C:\WINDOWS\system32\WNDTLS32.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - E:\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"E:\\tomtom home\\TomTomHOME.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]
R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - EAMON
*Newly Created Service* - EASDRV
*Newly Created Service* - EKRN
*Newly Created Service* - EPFWTDIR
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 08:03:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"
- C:\WINDOWS\system32\wupdmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 18:52:22
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe [508] 0x89D62440

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp\tmp16C.tmp.8cfe9a0b.tmp 249344 bytes executable
C:\WINDOWS\TEMP\tmp95.tmp.8cfe9a0b.tmp 249856 bytes executable
C:\WINDOWS\system32\.8cfe9a0b

scan completed successfully
hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b]
"ImagePath"="C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.core.dll
.
Completion time: 2008-05-17 18:53:55
ComboFix-quarantined-files.txt 2008-05-17 08:53:42
ComboFix2.txt 2008-04-24 06:42:03

Pre-Run: 3,967,873,024 bytes free
Post-Run: 4,101,378,048 bytes free

328 --- E O F --- 2008-05-16 12:31:38


HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:45 PM, on 17/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
D:\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\ESET NOD32 Antivirus\ekrn.exe
D:\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Computer\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas....stauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9312 bytes
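As an added example (not part of this thread and not a HijackThis feature), a small Python triage script that applies to O4/O9/O23 entries the kinds of checks the helpers here do by eye: "(file missing)" orphans, Run-key commands that give no full path, and services listed with no vendor. The sample entries are copied from the log above; the regexes and the flag wording are my own assumptions about the log format, and a hit means "review this", not "this is malware".

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of entries copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe
"""

# Assumed layouts: "O4 - <hive>: [<name>] <command>" and
# "O23 - Service: <name> - <vendor> - <drive>:\<path>" (vendor may be empty).
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) -\s*(?P<vendor>.*?)\s*- (?P<path>[A-Za-z]:\\.+)$")


def _executable(cmd: str) -> str:
    """Return the program part of a Run-key command, stripping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries worth a second look, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("(file missing)"):
            # Orphaned entry: the registry still points at a binary that is gone.
            findings.append(("file missing", line))
        m = RUN_RE.match(line)
        if m:
            # A bare file name is resolved through the search path, so it is
            # worth confirming which binary actually runs at logon.
            if "\\" not in _executable(m.group("cmd")):
                findings.append(("unqualified path", line))
            continue
        m = SVC_RE.match(line)
        if m and m.group("vendor").strip() in ("", "Unknown owner"):
            # Unsigned or unattributed service binary: verify it by hand.
            findings.append(("no vendor", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason:18} {entry}")
```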

#16
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,579 posts
  • Gender:Male
  • Location:US
Hello Dutchroll and thank you for the updated information.

Yes, your system is still infected (or at least has pieces of it left over). This appears to be a fairly new method of infection, so I need to review and ensure we clean it up properly. Since neither one of us has the time to do it justice today, we will tackle it when you get back.

As for the Norton 2007 - you can see why it is not recommended by too many people nowadays. It is a HUGE resource hog, and on a laptop, with its slower components, it is even worse. Try using the NOD32 for a while and see how you like it instead; hopefully it is more friendly on resources than Norton AV.

Okay, I'll check back on you in a few days. Just post back here when you get back and are ready to continue.

Please go to this site below

uploads.malwarebytes.org

Then browse and locate these files and upload them to the site for review

C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\drivers\logiflt.iad

Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#17
dutchroll

    New Member

  • Members
  • Pip
  • 27 posts
I got this message when trying to upload those files:

    The file lvuvc.hs is 0 bytes. This could be because a virus scanner is blocking it or because it doesn't exist on your PC. Please check it exists and disable any virus scanners that are active.
    The file logiflt.iad is 0 bytes. This could be because a virus scanner is blocking it or because it doesn't exist on your PC. Please check it exists and disable any virus scanners that are active.

Disabled the NOD32 but still got the same message.

Thanks for the info on Norton. I'll do some research on AV stuff while I'm away. I'll be back late Wed evening my time (Australian eastern time). Might be time to end the relationship with Norton. Kaspersky is looking favourable.

#18
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,579 posts
  • Gender:Male
  • Location:US
Okay, well then just use FileAssassin as before and browse to those files and choose to delete them.

Let me know when you're back and we'll continue.
Ron Lewis
Manager, Online Support

#19
dutchroll

    New Member

  • Members
  • Pip
  • 27 posts
OK AdvancedSetup.

Back home for a few days now. FileAssassin deleted both those files successfully.

#20
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,579 posts
  • Gender:Male
  • Location:US
Okay, good. MB has had quite a few updates, so please update MB, do another Quick Scan, post another Deckard's log and post back.
Ron Lewis
Manager, Online Support