Hi there
I got infected by a lot of trojans/hijackers/spyware last night and after a few runs of MBAM most of it is gone, however there are a few things that MBAM doesn't seem able to delete even in Safe mode and after reboot. Here are my latest logs:

Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 1

07/04/2009 07:31:09
mbam-log-2009-04-07 (07-31-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 399617
Time elapsed: 2 hour(s), 36 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Dropper) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winma23 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winma23 (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Dropper) -> Delete on reboot.
C:\Avenger\WinCtrl32.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Avenger\WinCtrl32.dll-ren-519 (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winma23.sys (Rootkit.Agent) -> Delete on reboot.



Logfile of HijackThis v1.99.0
Scan saved at 08:28:15, on 07/04/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijack this\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C1AF42A3-04F3-42BD-F634-3604832C897D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\System32\smvalid.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2994e09258ec9d...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: distributed.net client - Unknown - C:\WINDOWS\System32\iosdt\iosdt.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98638fb739e5e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor - Unknown - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) - Unknown - C:\WINDOWS\System32\UAService7.exe


Thanks in advance for any help

STEP 01

Update TrendMicro™ HijackThis™
Your version of TrendMicro™ HijackThis™ is outdated. You need to download and install the latest version 2.0.2

• Download HJTInstall.exe to your desktop.
• Doubleclick HJTInstall.exe to install HijackThis.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• It will create a HijackThis icon on your desktop.
• Once installed, it will launch HijackThis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Include this log in your next reply.
• You can delete the old version of HJT, located here: C:\hijack this\HijackThis.exe

STEP 02

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click Yes to allow ComboFix to continue scanning for malware.
• When the tool is finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Okay first I ran Hijack This and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:50, on 07/04/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C1AF42A3-04F3-42BD-F634-3604832C897D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\System32\smvalid.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2994e09258ec9d...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\WINDOWS\System32\iosdt\iosdt.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98638fb739e5e) (gupdate1c98638fb739e5e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 13244 bytes


Then ComboFix and here is the log for that:

ComboFix 09-04-04.01 - John Dobson 2009-04-07 14:50:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1535.1065 [GMT 1:00]
Running from: c:\documents and settings\John Dobson\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Elliott Dobson\Local Settings\Temporary Internet Files\search.html
c:\documents and settings\John Dobson\Application Data\wiaserva.log
c:\documents and settings\Mark Dobson\Desktop\MBS Account Manager.lnk
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\Winma23.sys
c:\windows\system32\ebrtu.dat
c:\windows\system32\uniq.tll
c:\windows\system32\wbem\grpconv.exe
c:\windows\system32\win32hlp.cnf
c:\windows\system32\WinCtrl32.dl_
c:\windows\system32\WinCtrl32.dll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINMA23
-------\Service_Winma23


((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 14:03 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-07 14:00 17,408 ----a-w c:\windows\system32\drivers\USBCRFT.SYS
2009-04-07 13:31 --------- d-----w c:\program files\Trend Micro
2009-04-06 19:26 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:15 --------- d-----w c:\program files\XoftSpySE
2009-04-06 18:19 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-02 15:00 --------- d-----w c:\documents and settings\Jo-Anne Dobson\Application Data\U3
2009-03-26 15:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 15:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-02 21:38 --------- d-----w c:\program files\MSECache
2009-02-12 23:04 --------- d-----w c:\program files\Google
2006-05-30 15:36 275 ----a-w c:\documents and settings\Incomplete\downloads.dat
2006-03-20 17:24 24,192 ----a-w c:\documents and settings\Mark Dobson\usbsermptxp.sys
2006-03-20 17:24 22,768 ----a-w c:\documents and settings\Mark Dobson\usbsermpt.sys
2003-08-27 13:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
2005-02-27 21:56 119 --sh--w c:\windows\cnerolf.dat
2005-05-13 16:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 10:13 66,560 --sha-r c:\windows\MOTA113.exe
2004-11-30 11:19 56,320 --sha-w c:\windows\sppaz.dll
2005-01-01 05:50 56,320 --sha-w c:\windows\vczww.dll
2004-11-30 13:54 56,320 --sha-w c:\windows\wgudg.dll
2005-10-13 20:27 422,400 --sha-r c:\windows\x2.64.exe
2005-10-07 18:14 308,224 --sha-r c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 --sha-r c:\windows\system32\x.264.exe
2004-12-04 04:26 56,320 --sha-w c:\windows\system32\ybudm.dll
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-04-06 1883672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-04-06 1883672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-29 180269]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 81920]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2005-07-19 221184]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"parentalcontrol"="c:\program files\parentalcontrol\parentalcontrol.exe" [2006-08-31 36544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-03-26 1277584]
"SoundMan"="SOUNDMAN.EXE" [2004-07-13 c:\windows\SOUNDMAN.EXE]
"Dit"="Dit.exe" [2004-07-20 c:\windows\Dit.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2006-09-06 2128016]

c:\documents and settings\Elliott Dobson\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-07-19 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-08-04 962661]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-03-15 884838]
Watch.lnk - c:\windows\twain_32\CIS600X\WATCH.exe [2004-10-29 356352]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-11-07 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2005-04-08 143104]
R2 SFC4;SFC4;c:\windows\system32\drivers\sfc4.sys [2004-10-29 41472]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-03-15 17149]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-03-15 362944]
S2 gupdate1c98638fb739e5e;Google Update Service (gupdate1c98638fb739e5e);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2005-04-08 17408]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2004-10-28 3968]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2008-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-04-29 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2009-04-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 20:42]

2009-02-12 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 20:52]

2005-01-02 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2006-05-09 17:23]

2009-02-03 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 15:29]

2009-02-03 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 15:29]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C1AF42A3-04F3-42BD-F634-3604832C897D} - (no file)
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
HKLM-Run-MPFTray - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
HKLM-Run-iHP-100 - c:\program files\iRiver\HSeries\iHPDetect.exe
HKLM-Run-ICcontrol - c:\windows\iccontrol.exe
HKLM-Run-adiras - adiras.exe
HKLM-Run-MISAggregator - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.freeserve.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.co.uk/
mSearch Bar = www.google.co.uk
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = ;localhost;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: GIC - hxxps://www.ib.albb.co.uk/ebs/ie/classes.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {630F2610-7654-11D1-83E3-0080C71A8794} - hxxps://www.ib.albb.co.uk/ebs/ie/gic.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.northernbank.co.uk/html/activex/e-Safekey/NB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\John Dobson\Application Data\Mozilla\Firefox\Profiles\qyab55kd.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-loader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-publisherloader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-updaterloader.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 15:00:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\setupapi.log.0.old:hjakc 56320 bytes executable
c:\windows\setuplog.txt:jfsre 29696 bytes executable
c:\windows\SIGVERIF.TXT:lekpp 10752 bytes executable
c:\windows\SM1BG.EXE.bak:efduj 29696 bytes executable
c:\windows\oeuninst.exe:bejwn 10752 bytes executable
c:\windows\oeuninst.exe:fnlsp 29696 bytes executable
c:\windows\Prairie Wind.bmp:tfbbp 29696 bytes executable
c:\windows\twain_32.dll:cjgyz 56320 bytes executable
c:\windows\control.ini:dkxdy 56320 bytes executable
c:\windows\control.ini:pzybm 10752 bytes executable
c:\windows\NOTEPAD.EXE:uliht 98816 bytes executable
c:\windows\REGLOCS.OLD:cplhf 10752 bytes executable
c:\windows\River Sumida.bmp:vpvmz 29696 bytes executable
c:\windows\vczww.dll:gyors 10752 bytes executable
c:\windows\WATCH.INI:yzhwv 29696 bytes executable
c:\windows\explorer.scf:rtega 98816 bytes executable
c:\windows\FaxSetup.log:ywpor 98816 bytes executable
c:\windows\GPMMICP.INI:ktplc 10752 bytes executable

scan completed successfully
hidden files: 18

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc22.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(800)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Spyware Doctor\sdhelp.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\UAService7.exe
c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
.
**************************************************************************
.
Completion time: 2009-04-07 15:16:55 - machine was rebooted [John Dobson]
ComboFix-quarantined-files.txt 2009-04-07 14:16:52

Pre-Run: 141,853,634,560 bytes free
Post-Run: 153,326,833,664 bytes free

246 --- E O F --- 2009-03-12 08:07:21

STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• Disconnect from the Internet.
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
• It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Download and install CCleaner
• CCleaner
• Double-click on the downloaded file "ccsetup218.exe" and install the application.
• Keep the default installation folder "C:\Program Files\CCleaner"
• Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
• Click finish when done and close ALL PROGRAMS
• Start the CCleaner program.
• Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
• Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
• Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
• Click on Run Cleaner button on the bottom right side of the program.
• Click OK to any prompts

STEP 03
Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
• When the update is complete, select the Scanner tab
• Select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

ComboFix Log:

ComboFix 09-04-04.01 - John Dobson 2009-04-08 12:25:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1535.1118 [GMT 1:00]
Running from: c:\documents and settings\John Dobson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Dobson\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\program files\Common Files\SM1updtr.dll
c:\windows\cnerolf.dat
c:\windows\meta4.exe
c:\windows\MOTA113.exe
c:\windows\sppaz.dll
c:\windows\system32\ybudm.dll
c:\windows\system32\yv12vfw.dll
c:\windows\TEMP\mc22.tmp
c:\windows\vczww.dll
c:\windows\wgudg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\SM1updtr.dll
c:\windows\cnerolf.dat
c:\windows\meta4.exe
c:\windows\MOTA113.exe
c:\windows\sppaz.dll
c:\windows\system32\ybudm.dll
c:\windows\system32\yv12vfw.dll
c:\windows\vczww.dll
c:\windows\wgudg.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 11:46 17,408 ----a-w c:\windows\system32\drivers\USBCRFT.SYS
2009-04-08 11:46 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-08 06:24 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-07 13:31 --------- d-----w c:\program files\Trend Micro
2009-04-06 19:26 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:15 --------- d-----w c:\program files\XoftSpySE
2009-04-02 15:00 --------- d-----w c:\documents and settings\Jo-Anne Dobson\Application Data\U3
2009-03-26 15:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 15:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-02 21:38 --------- d-----w c:\program files\MSECache
2009-02-12 23:04 --------- d-----w c:\program files\Google
2006-05-30 15:36 275 ----a-w c:\documents and settings\Incomplete\downloads.dat
2006-03-20 17:24 24,192 ----a-w c:\documents and settings\Mark Dobson\usbsermptxp.sys
2006-03-20 17:24 22,768 ----a-w c:\documents and settings\Mark Dobson\usbsermpt.sys
2005-10-13 20:27 422,400 --sha-r c:\windows\x2.64.exe
2005-10-07 18:14 308,224 --sha-r c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 --sha-r c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-07_15.16.01.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-07 13:59:05 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-08 11:15:44 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-07 13:59:05 16,384 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-08 11:15:44 16,384 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-07 13:59:05 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-08 11:15:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-08 11:34:01 16,384 ----atw c:\windows\temp\Perflib_Perfdata_580.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-04-06 1883672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-04-06 1883672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-29 180269]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 81920]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2005-07-19 221184]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"parentalcontrol"="c:\program files\parentalcontrol\parentalcontrol.exe" [2006-08-31 36544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-03-26 1277584]
"SoundMan"="SOUNDMAN.EXE" [2004-07-13 c:\windows\SOUNDMAN.EXE]
"Dit"="Dit.exe" [2004-07-20 c:\windows\Dit.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2006-09-06 2128016]

c:\documents and settings\Elliott Dobson\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-07-19 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-08-04 962661]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-03-15 884838]
Watch.lnk - c:\windows\twain_32\CIS600X\WATCH.exe [2004-10-29 356352]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-11-07 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2005-04-08 143104]
R2 SFC4;SFC4;c:\windows\system32\drivers\sfc4.sys [2004-10-29 41472]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-03-15 17149]
S2 gupdate1c98638fb739e5e;Google Update Service (gupdate1c98638fb739e5e);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2005-04-08 17408]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2004-10-28 3968]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-03-15 362944]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2008-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-04-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2009-04-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 20:42]

2009-04-07 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 20:52]

2005-01-02 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2006-05-09 17:23]

2009-04-07 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 15:29]

2009-04-07 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 15:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.freeserve.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.co.uk/
mSearch Bar = www.google.co.uk
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = ;localhost;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: GIC - hxxps://www.ib.albb.co.uk/ebs/ie/classes.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {630F2610-7654-11D1-83E3-0080C71A8794} - hxxps://www.ib.albb.co.uk/ebs/ie/gic.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.northernbank.co.uk/html/activex/e-Safekey/NB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\John Dobson\Application Data\Mozilla\Firefox\Profiles\qyab55kd.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-loader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-publisherloader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-updaterloader.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 12:45:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\setupapi.log.0.old:hjakc 56320 bytes executable
c:\windows\setuplog.txt:jfsre 29696 bytes executable
c:\windows\SIGVERIF.TXT:lekpp 10752 bytes executable
c:\windows\SM1BG.EXE.bak:efduj 29696 bytes executable
c:\windows\oeuninst.exe:bejwn 10752 bytes executable
c:\windows\oeuninst.exe:fnlsp 29696 bytes executable
c:\windows\Prairie Wind.bmp:tfbbp 29696 bytes executable
c:\windows\twain_32.dll:cjgyz 56320 bytes executable
c:\windows\control.ini:dkxdy 56320 bytes executable
c:\windows\control.ini:pzybm 10752 bytes executable
c:\windows\NOTEPAD.EXE:uliht 98816 bytes executable
c:\windows\REGLOCS.OLD:cplhf 10752 bytes executable
c:\windows\River Sumida.bmp:vpvmz 29696 bytes executable
c:\windows\WATCH.INI:yzhwv 29696 bytes executable
c:\windows\explorer.scf:rtega 98816 bytes executable
c:\windows\FaxSetup.log:ywpor 98816 bytes executable
c:\windows\GPMMICP.INI:ktplc 10752 bytes executable

scan completed successfully
hidden files: 17

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(604)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Spyware Doctor\sdhelp.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
.
**************************************************************************
.
Completion time: 2009-04-08 12:57:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-08 11:57:50
ComboFix2.txt 2009-04-07 14:16:56

Pre-Run: 153,282,838,528 bytes free
Post-Run: 153,266,376,704 bytes free

242 --- E O F --- 2009-03-12 08:07:21


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:55:59, on 08/04/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\WINDOWS\System32\iosdt\iosdt.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98638fb739e5e) (gupdate1c98638fb739e5e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 12711 bytes


MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 1951
Windows 5.1.2600 Service Pack 1

08/04/2009 14:36:29
mbam-log-2009-04-08 (14-36-29).txt

Scan type: Quick Scan
Objects scanned: 89617
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Did I have a rootkit infection at all? Ive read replies where people are advised to format computers to get rid of them, I hope mine is not a case like that

Yes you did have and yes many do advise formatting and rebuild the system but typically it often not an easy available option for most users.

Please run the following.

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***

• Double-click on JavaRa.exe to start the program.
• From the drop-down menu, choose English and click on Select.
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
• Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
• A logfile will pop up. Please save it to a convenient location and post it back when you reply
  
  Then look for the following Java folders and if found delete them.
  C:\Program Files\Java
  C:\Program Files\Common Files\Java
  C:\Documents and Settings\All Users\Application Data\Java
  C:\Documents and Settings\All Users\Application Data\Sun\Java
  C:\Documents and Settings\username\Application Data\Java
  C:\Documents and Settings\username\Application Data\Sun\Java

Then run this.

You may have corrupted files on your disk. Please try running the following.
First close ALL Applications as this routine will automatically restart your computer.
Click on START - RUN and copy / paste the following entry into the box and click OK





Then run the following.
Click on START - RUN and copy/paste the contents of the code box below into the run box and hit OK

Click on START - RUN and copy/paste the contents of the code box below into the run box and hit OK


Then ATTACH the files C:\DriversSigned.txt and C:\DriversGeneral.txt to your next reply please.

Okay here is the JavaRa log:

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Apr 09 11:55:52 2009

Found and removed: C:\Windows\System32\jupdate-1.5.0_01-b08.log

Found and removed: Software\JavaSoft\Java2D\1.5.0_01

Found and removed: Software\JavaSoft\Java2D\1.5.0_04

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_04\

------------------------------------

Finished reporting.



The other two codes when i put them into run just gave me blank text files, I'm also unsure as to whether the system ran a CHKDSK. Do I have to do these another way now or is there something wrong with the codes?

Thanks again

I'm sorry, my fault. The tool driverquery.exe does not appear to be installed with Windows XP Home Edition, only on the Pro version.

Please update MBAM and do another Quick Scan and post back the log.

Then run this

Please create a BOOTLOG
• Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
• Select "Enable Boot Logging" option and press enter.
• Windows prompts you to select a Windows Installation (even if there is only one windows installation)
• This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
   
  If you're already running inside Windows you can enable it the following way.
   
• Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
• Click on OK and you will be prompted to RESTART Windows. Please do restart now.
• After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
• From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
• NOTE: If the file is over about 150 lines or so then DELETE the C:\Windows\ntbtlog.txt file and restart the computer and post the NEW one it creates.
• NOTE: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Adminsitrator
• The tab is called BOOT on Vista. Then choose Boot log

RootRepeal - Rootkit Detector

• Please download the following tool: RootRepeal - Rootkit Detector
• Direct download link is here: RootRepeal.rar
• If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
• Extract the program file to a new folder such as C:\RootRepeal
• Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
• When done, click on Save Report
• Save it to the same location where you ran it from, such as C:\RootRepeal
• Save it as your_name_rootrepeal.txt - where your_name is your forum name
• This makes it more easy to track who the log belongs to.
• Then open that log and select all and copy/paste it back on your next reply please.
• Quit the RootRepeal program.

Okay here is the Bootlog

Service Pack 1 4 10 2009 17:06:23.359
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver aliide.sys
Loaded driver cmdide.sys
Loaded driver toside.sys
Loaded driver viaide.sys
Loaded driver intelide.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver cpqarray.sys
Loaded driver \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Loaded driver atapi.sys
Loaded driver aha154x.sys
Loaded driver sparrow.sys
Loaded driver symc810.sys
Loaded driver aic78xx.sys
Loaded driver dac960nt.sys
Loaded driver ql10wnt.sys
Loaded driver amsint.sys
Loaded driver asc.sys
Loaded driver asc3550.sys
Loaded driver mraid35x.sys
Loaded driver i2omp.sys
Loaded driver ini910u.sys
Loaded driver ql1240.sys
Loaded driver aic78u2.sys
Loaded driver symc8xx.sys
Loaded driver sym_hi.sys
Loaded driver sym_u3.sys
Loaded driver ABP480N5.SYS
Loaded driver asc3350p.sys
Loaded driver cd20xrnt.sys
Loaded driver ultra.sys
Loaded driver adpu160m.sys
Loaded driver dpti2o.sys
Loaded driver ql1080.sys
Loaded driver ql1280.sys
Loaded driver ql12160.sys
Loaded driver perc2.sys
Loaded driver perc2hib.sys
Loaded driver hpn.sys
Loaded driver cbidf2k.sys
Loaded driver dac2w2k.sys
Loaded driver tffsport.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver viaagp.sys
Loaded driver sisagp.sys
Loaded driver sbp2port.sys
Loaded driver RecAgent.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver Mup.sys
Loaded driver alim1541.sys
Loaded driver amdagp.sys
Loaded driver agp440.sys
Loaded driver agpCPQ.sys
Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\System32\DRIVERS\processr.sys
Loaded driver \SystemRoot\System32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\SlWdmSup.sys
Loaded driver \SystemRoot\System32\DRIVERS\slntamr.sys
Loaded driver \SystemRoot\System32\DRIVERS\Mtlmnt5.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\DRIVERS\Rtlnic51.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\System32\Drivers\Cdr4_xp.SYS
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\Drivers\Cdralw2k.SYS
Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\ALCXWDM.SYS
Loaded driver \SystemRoot\system32\drivers\ALCXSENS.SYS
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\System32\Drivers\RootMdm.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\System32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\amdk7.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\system32\drivers\ikhlayer.sys
Loaded driver \SystemRoot\system32\drivers\ikhfile.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\BANTExt.sys
Loaded driver \SystemRoot\System32\DRIVERS\USBSTOR.SYS
Loaded driver \SystemRoot\System32\DRIVERS\WPN111.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\System32\Drivers\BrScnUsb.sys
Did not load driver \SystemRoot\System32\Drivers\adildr.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\AegisP.sys
Loaded driver \??\C:\WINDOWS\System32\DNINDIS5.SYS
Loaded driver \SystemRoot\System32\drivers\ws2ifsl.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\drivers\afd.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys
Loaded driver \SystemRoot\System32\drivers\SFC4.sys
Loaded driver \??\C:\WINDOWS\TEMP\mc22.tmp
Loaded driver \??\C:\WINDOWS\System32\drivers\tmcomm.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \??\C:\WINDOWS\System32\drivers\rootrepeal.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys

And the log from RootRepeal

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/10 17:12
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP1
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA671F000 Size: 90112 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79E1000 Size: 8192 File Visible: No
Status: -

Name: mc22.tmp
Image Path: C:\WINDOWS\TEMP\mc22.tmp
Address: 0xF7A78000 Size: 2560 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\System32\drivers\rootrepeal.sys
Address: 0xA5687000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Shared\PSSAIR~1.ZIP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\John Dobson\Local Settings\temp\etilqs_kDsNLh86MnW7lkfzwOhE
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\cally48@msn.com\DFSR\Staging\CS{D075D489-F858-9356-5E59-53FB9589F3A7}\01\15-{D075D489-F858-9356-5E59-53FB9589F3A7}-v1-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v15-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\chrissy_chat@hotmail.com\DFSR\Staging\CS{A76B8944-24BD-B0DD-7C15-6E6662420961}\01\16-{A76B8944-24BD-B0DD-7C15-6E6662420961}-v1-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v16-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\chrissy_chat@hotmail.com\DFSR\Staging\CS{A76B8944-24BD-B0DD-7C15-6E6662420961}\11\18-{AD33AC6C-9511-4B94-9FCD-292D881F0444}-v11-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v18-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\chrissy_chat@hotmail.com\DFSR\Staging\CS{A76B8944-24BD-B0DD-7C15-6E6662420961}\12\12-{AD33AC6C-9511-4B94-9FCD-292D881F0444}-v12-{AD33AC6C-9511-4B94-9FCD-292D881F0444}-v12-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\chrissy_chat@hotmail.com\DFSR\Staging\CS{A76B8944-24BD-B0DD-7C15-6E6662420961}\17\17-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v17-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v17-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\hillman875@hotmail.co.uk\DFSR\Staging\CS{B2AF2DD6-6E04-8492-8046-7631556D53D6}\01\50-{B2AF2DD6-6E04-8492-8046-7631556D53D6}-v1-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v50-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\hillman875@hotmail.co.uk\DFSR\Staging\CS{B2AF2DD6-6E04-8492-8046-7631556D53D6}\51\51-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v51-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v51-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\hillman875@hotmail.co.uk\DFSR\Staging\CS{B2AF2DD6-6E04-8492-8046-7631556D53D6}\52\52-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v52-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v52-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\hillman875@hotmail.co.uk\DFSR\Staging\CS{B2AF2DD6-6E04-8492-8046-7631556D53D6}\60\35-{FC4BF147-8564-469A-AAF4-446285619EFC}-v160-{ED389A28-3C62-488C-81F0-CA06AC21665F}-v35-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\01\27-{54221109-9D8D-42EB-CAB1-E923EBD19E27}-v1-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v27-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\12\12-{91EBFEB4-4EBA-4BE9-AEEA-AEF0267137B2}-v12-{91EBFEB4-4EBA-4BE9-AEEA-AEF0267137B2}-v12-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\28\28-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v28-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v28-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\29\29-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v29-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v29-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\30\30-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v30-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v30-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\31\31-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v31-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v31-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\32\32-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v32-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v32-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\33\33-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v33-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v33-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\34\34-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v34-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v34-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\35\35-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v35-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v35-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\joshuaneilly@hotmail.com\DFSR\Staging\CS{54221109-9D8D-42EB-CAB1-E923EBD19E27}\36\36-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v36-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v36-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\01\10-{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}-v1-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\19\19-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v19-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v19-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\20\20-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v20-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v20-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\21\21-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v21-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v21-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\22\22-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v22-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v22-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\22\22-{ED389A28-3C62-488C-81F0-CA06AC21665F}-v22-{ED389A28-3C62-488C-81F0-CA06AC21665F}-v22-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\23\23-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v23-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v23-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\24\24-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v24-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v24-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\25\25-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v25-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v25-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\magicman207@hotmail.com\DFSR\Staging\CS{21FA7657-A9C0-8D9F-9DA6-64544AD4629C}\26\26-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v26-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v26-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\michaeljardis@aol.com\DFSR\Staging\CS{6AC0476C-2441-2320-7173-0C149D7ED5C1}\01\11-{6AC0476C-2441-2320-7173-0C149D7ED5C1}-v1-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v11-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\non_existant_alias@hotmail.com\DFSR\Staging\CS{736641EB-00DC-02C0-66CD-5A690869639C}\01\37-{736641EB-00DC-02C0-66CD-5A690869639C}-v1-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v37-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\non_existant_alias@hotmail.com\DFSR\Staging\CS{736641EB-00DC-02C0-66CD-5A690869639C}\13\38-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v13-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v38-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\non_existant_alias@hotmail.com\DFSR\Staging\CS{736641EB-00DC-02C0-66CD-5A690869639C}\14\39-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v14-{DCB5ACB0-4384-4750-BECF-3C0622512890}-v39-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Elliott Dobson\Local Settings\Application Data\Microsoft\Messenger\edobson20@hotmail.com\SharingMetadata\non_existant_alias@hotmail.com\DFSR\Staging\CS{736641EB-00DC-02C0-66CD-5A690869639C}\19\136-{ED389A28-3C62-488C-81F0-CA06AC21665F}-v19-{52C0C62B-4A7F-4898-A6A0-6419AFD61A7B}-v136-Partial.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jo-Anne Dobson\Application Data\Macromedia\Flash Player\#SharedObjects\VQLGH68M\bbc.co.uk\news\sol\shared\spl\hi\rugby_union:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Mark Dobson\Local Settings\Application Data\Microsoft\Messenger\dobson20@hotmail.co.uk\SharingMetadata\ladykiller_100168@hotmail.co.uk\DFSR\Staging\CS{A75E0533-8F2E-B63D-0B0D-F311CD41A3D8}\01\14-{A75E0533-8F2E-B63D-0B0D-F311CD41A3D8}-v1-{C046930D-533E-4BB5-B2E8-43956730D1E0}-v14-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Mark Dobson\Local Settings\Application Data\Microsoft\Messenger\dobson40@hotmail.co.uk\SharingMetadata\jim_12guage@hotmail.co.uk\DFSR\Staging\CS{F67406A4-E169-7EAD-A0E0-9058DF8878A0}\01\11-{F67406A4-E169-7EAD-A0E0-9058DF8878A0}-v1-{A1C6D3CD-EB12-4CC2-9899-266F2C67890A}-v11-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Mark Dobson\Local Settings\Application Data\Microsoft\Messenger\dobson40@hotmail.co.uk\SharingMetadata\jim_12guage@hotmail.co.uk\DFSR\Staging\CS{F67406A4-E169-7EAD-A0E0-9058DF8878A0}\11\11-{495125C1-D66D-4745-834C-714E118DC716}-v11-{495125C1-D66D-4745-834C-714E118DC716}-v11-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Mark Dobson\Local Settings\Application Data\Microsoft\Messenger\dobson40@hotmail.co.uk\SharingMetadata\jim_12guage@hotmail.co.uk\DFSR\Staging\CS{F67406A4-E169-7EAD-A0E0-9058DF8878A0}\12\12-{495125C1-D66D-4745-834C-714E118DC716}-v12-{495125C1-D66D-4745-834C-714E118DC716}-v12-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\

Sorry for being a pain but am I nearly in the clear yet?

Many thanks in advance!

Please edit the CFScript.txt file on your desktop and remove all the current data and copy/paste this into the file.
Then download a NEW fresh copy of Combofix and drag and drop the script file as before.
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe



Then run the following when that is done.

Please download to your Desktop: Dr.Web CureIt

• After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
• Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click on the Complete scan radio button.
• Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
• Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
• On the File types tab ensure you select All files
• Click on the Actions tab and set the following:
  
  • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
  • Infected packages Archive = Move, E-mails = Report, Containers = Move
  • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
  • Do not change the Rename extension - default is: #??
  • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
  • Leave prompt on Action checked
• On the Log file tab leave the Log to file checked.
• Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
• Log mode = Append
• Encoding = ANSI
• Details Leave Names of file packers and Statistics checked.
• Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
• On the General tab leave the Scan Priority on High
• Click the Apply button at the bottom, and then the OK button.
• On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
• In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
• The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
• When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
• Click 'Yes to all' if it asks if you want to cure/move the files.
• This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
• Save the report to your Desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.
  

  

Okay, here is the Combofix log incase you need it:

ComboFix 09-04-14.08 - John Dobson 14/04/2009 14:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.1535.919 [GMT 1:00]
Running from: c:\documents and settings\John Dobson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Dobson\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\TEMP\mc22.tmp
.

((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-10 16:11 . 2009-04-10 16:11 -------- d-----w C:\RootRepeal
2009-04-08 13:05 . 2009-04-08 13:05 -------- d-----w c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 13:24 . 2008-11-09 19:51 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-14 13:06 . 2005-04-08 20:24 17408 ----a-w c:\windows\system32\drivers\USBCRFT.SYS
2009-04-14 13:01 . 2009-02-03 19:42 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-09 11:15 . 2009-04-09 11:05 0 ----a-w C:\DriversGeneral.txt
2009-04-09 10:55 . 2009-04-09 10:55 522 ----a-w C:\JavaRa.log
2009-04-09 10:54 . 2005-05-09 18:55 -------- d-----w c:\program files\AAV Fleet Manager
2009-04-08 13:32 . 2008-11-23 11:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-08 13:16 . 2005-02-14 20:58 -------- d-----w c:\program files\GetRight
2009-04-07 13:31 . 2005-10-31 20:14 -------- d-----w c:\program files\Trend Micro
2009-04-06 19:15 . 2009-02-03 19:52 -------- d-----w c:\program files\XoftSpySE
2009-04-06 14:32 . 2008-11-23 11:59 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-11-23 11:59 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 15:00 . 2008-05-11 13:20 -------- d-----w c:\documents and settings\Jo-Anne Dobson\Application Data\U3
2009-03-29 14:58 . 2008-06-18 16:48 103512 ----a-w c:\documents and settings\Jo-Anne Dobson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 21:38 . 2009-03-02 21:38 -------- d-----w c:\program files\MSECache
2008-10-19 20:59 . 2004-11-28 17:18 99624 ----a-w c:\documents and settings\Mark Dobson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 17:37 . 2004-10-31 20:01 99624 ----a-w c:\documents and settings\Elliott Dobson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-25 22:44 . 2004-12-22 18:53 99624 ----a-w c:\documents and settings\John Dobson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-10 13:12 . 2006-09-10 13:12 13824 ----a-w c:\documents and settings\Elliott Dobson\Local Settings\Application Data\faf58af6.exe
2006-09-10 11:15 . 2006-09-10 11:15 13824 ----a-w c:\documents and settings\Mark Dobson\Local Settings\Application Data\0e2adaf6.exe
2006-05-30 15:36 . 2006-05-30 15:35 275 ----a-w c:\documents and settings\Incomplete\downloads.dat
2006-03-20 17:24 . 2006-03-20 17:24 24192 ----a-w c:\documents and settings\Mark Dobson\usbsermptxp.sys
2006-03-20 17:24 . 2006-03-20 17:24 22768 ----a-w c:\documents and settings\Mark Dobson\usbsermpt.sys
2004-10-31 20:01 . 2004-10-31 20:01 137 ----a-w c:\documents and settings\Elliott Dobson\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-04-06 1883672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-04-06 1883672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-29 180269]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 81920]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2005-07-19 221184]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"parentalcontrol"="c:\program files\parentalcontrol\parentalcontrol.exe" [2006-08-31 36544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-04-06 1277584]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-13 65024]
"Dit"="Dit.exe" - c:\windows\Dit.exe [2004-07-20 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2006-09-06 2128016]

c:\documents and settings\Elliott Dobson\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-7-19 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-8-4 962661]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-3-15 884838]
Watch.lnk - c:\windows\twain_32\CIS600X\WATCH.exe [2004-10-29 356352]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-11-7 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

R2 gupdate1c98638fb739e5e;Google Update Service (gupdate1c98638fb739e5e);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
R3 CardReaderFilter;Card Reader Filter;c:\windows\System32\Drivers\USBCRFT.SYS [2009-04-14 17408]
R3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\DRIVERS\SWUSBFLT.sys [2001-08-17 3968]
S0 tffsport;M-Systems DiskOnChip 2000;c:\windows\System32\DRIVERS\tffsport.sys [2002-08-29 143104]
S2 SFC4;SFC4;c:\windows\system32\drivers\SFC4.sys [1998-09-16 41472]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\System32\DNINDIS5.SYS [2003-07-24 17149]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2005-09-26 362944]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2008-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-04-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-04-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 19:42]

2009-04-08 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 19:52]

2005-01-02 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2006-05-09 16:23]

2009-04-07 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 14:29]

2009-04-07 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 14:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.freeserve.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.co.uk/
mSearch Bar = www.google.co.uk
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = ;localhost;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: GIC - hxxps://www.ib.albb.co.uk/ebs/ie/classes.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {630F2610-7654-11D1-83E3-0080C71A8794} - hxxps://www.ib.albb.co.uk/ebs/ie/gic.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.northernbank.co.uk/html/activex/e-Safekey/NB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\John Dobson\Application Data\Mozilla\Firefox\Profiles\qyab55kd.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-loader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-publisherloader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-updaterloader.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 14:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\setupapi.log.0.old:hjakc 56320 bytes executable
c:\windows\setuplog.txt:jfsre 29696 bytes executable
c:\windows\SIGVERIF.TXT:lekpp 10752 bytes executable
c:\windows\SM1BG.EXE.bak:efduj 29696 bytes executable
c:\windows\oeuninst.exe:bejwn 10752 bytes executable
c:\windows\oeuninst.exe:fnlsp 29696 bytes executable
c:\windows\Prairie Wind.bmp:tfbbp 29696 bytes executable
c:\windows\twain_32.dll:cjgyz 56320 bytes executable
c:\windows\control.ini:dkxdy 56320 bytes executable
c:\windows\control.ini:pzybm 10752 bytes executable
c:\windows\NOTEPAD.EXE:uliht 98816 bytes executable
c:\windows\REGLOCS.OLD:cplhf 10752 bytes executable
c:\windows\River Sumida.bmp:vpvmz 29696 bytes executable
c:\windows\WATCH.INI:yzhwv 29696 bytes executable
c:\windows\explorer.scf:rtega 98816 bytes executable
c:\windows\FaxSetup.log:ywpor 98816 bytes executable
c:\windows\GPMMICP.INI:ktplc 10752 bytes executable

scan completed successfully
hidden files: 17

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc22.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(616)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(16092)
c:\windows\System32\msi.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 13:28
ComboFix2.txt 2009-04-08 11:57
ComboFix3.txt 2009-04-07 14:16

Pre-Run: 153,385,680,896 bytes free
Post-Run: 153,371,885,568 bytes free

192 --- E O F --- 2009-03-12 08:07








Here is the log for Dr.Web CureIt

Few things on this are definitely false positives such as the stuff in the Flight Simulator 9 folder

AdwareAway.exe\data006;C:\Documents and Settings\Elliott Dobson\My Documents\other downloads\AdwareAway.exe;Probably STPAGE.Trojan;;
AdwareAway.exe\data011;C:\Documents and Settings\Elliott Dobson\My Documents\other downloads\AdwareAway.exe;Trojan.StartPage.335;;
AdwareAway.exe;C:\Documents and Settings\Elliott Dobson\My Documents\other downloads;Archive contains infected objects;Moved.;
amij.dll;C:\Documents and Settings\Elliott Dobson\My Documents\unknown things;Trojan.StartPage.380;Deleted.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\John Dobson\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\John Dobson\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\John Dobson\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\John Dobson\Desktop;Container contains infected objects;Moved.;
6D952C06d01/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\John Dobson\Local Settings\Application Data\Mozilla\Firefox\Profiles\qyab55kd.default\Cache\6D952C06d;Probably BATCH.Virus;;
6D952C06d01/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\John Dobson\Local Settings\Application Data\Mozilla\Firefox\Profiles\qyab55kd.default\Cache\6D952C06d;Program.PsExec.171;;
data002;C:\Documents and Settings\John Dobson\Local Settings\Application Data\Mozilla\Firefox\Profiles\qyab55kd.default\Cache;Archive contains infected objects;;
6D952C06d01;C:\Documents and Settings\John Dobson\Local Settings\Application Data\Mozilla\Firefox\Profiles\qyab55kd.default\Cache;Container contains infected objects;Moved.;
4EBE0140d01;C:\Documents and Settings\Mark Dobson\Application Data\Mozilla\Firefox\Profiles\raph40n6.default\Cache;Dialer.Premium;Moved.;
MeeWinks13.exe;C:\Documents and Settings\Mark Dobson\Desktop;Adware.Zango;Moved.;
Setup(2).exe;C:\Documents and Settings\Mark Dobson\Desktop;Adware.Zango;Moved.;
Setup(5).exe\data001;C:\Documents and Settings\Mark Dobson\Desktop\Setup(5).exe;Adware.Zango;;
Setup(5).exe\data003;C:\Documents and Settings\Mark Dobson\Desktop\Setup(5).exe;Trojan.PWS.Mailspy.96;;
Setup(5).exe;C:\Documents and Settings\Mark Dobson\Desktop;Container contains infected objects;Moved.;
Setup(6).exe\data001;C:\Documents and Settings\Mark Dobson\Desktop\Setup(6).exe;Adware.Zango;;
Setup(6).exe\data003;C:\Documents and Settings\Mark Dobson\Desktop\Setup(6).exe;Trojan.PWS.Mailspy.96;;
Setup(6).exe;C:\Documents and Settings\Mark Dobson\Desktop;Container contains infected objects;Moved.;
Setup(7).exe\data001;C:\Documents and Settings\Mark Dobson\Desktop\Setup(7).exe;Adware.Zango;;
Setup(7).exe\data003;C:\Documents and Settings\Mark Dobson\Desktop\Setup(7).exe;Trojan.PWS.Mailspy.96;;
Setup(7).exe;C:\Documents and Settings\Mark Dobson\Desktop;Container contains infected objects;Moved.;
setup.exe\data007;C:\Documents and Settings\Mark Dobson\Desktop\setup.exe;Trojan.Popuper;;
setup.exe;C:\Documents and Settings\Mark Dobson\Desktop;Archive contains infected objects;Moved.;
setup1_10035.exe;C:\Documents and Settings\Mark Dobson\Desktop;Trojan.Xpass;Deleted.;
setup1_10043.exe;C:\Documents and Settings\Mark Dobson\Desktop;Trojan.Xpass;Deleted.;
0e2adaf6.exe;C:\Documents and Settings\Mark Dobson\Local Settings\Application Data;Dialer.Member;Deleted.;
backup-20061008-230544-129.dll;C:\hijack this\backups;Trojan.DownLoader.based;Deleted.;
707_Template.exe;C:\Program Files\Microsoft Games\Flight Simulator 9\Captain_Sim\707\manual\files;Trojan.StartPage.21076;Deleted.;
707_Updates.exe;C:\Program Files\Microsoft Games\Flight Simulator 9\Captain_Sim\707\manual\files;Trojan.StartPage.21076;Deleted.;
TCE_707.exe;C:\Program Files\Microsoft Games\Flight Simulator 9\Captain_Sim\707\tce;Trojan.StartPage.21076;Deleted.;
Traffic_AsianaAirlines_Wi2006.bgl;C:\Program Files\Microsoft Games\Flight Simulator 9\Scenery\World\scenery;Modification of Trojan.DelSys.191;Moved.;
MRAISetup.exe;C:\Program Files\MRAI Install Wizard v1.23;Modification of BackDoor.Generic.1210;Moved.;
Airport inc trainer.exe;C:\Program Files\Take2\Airport Inc;Tool.Hatkeys;Moved.;
airus2.exe;C:\Program Files\Take2\Airport Inc;Trojan.MulDrop.16870;Deleted.;
vczww.dll.vir:gyors;C:\Qoobox\Quarantine\C\WINDOWS;BackDoor.Sip;Deleted.;
WinCtrl32.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoad.3503;Deleted.;
WinCtrl32.dl_.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoad.3503;Deleted.;
grpconv.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem;Trojan.DownLoad.33445;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP1\snapshot;Trojan.DownLoad.3503;Deleted.;
A0000003.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.based;Deleted.;
A0000004.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.based;Deleted.;
A0000011.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.Xpass;Deleted.;
A0000014.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.Xpass;Deleted.;
A0000016.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.55574;Deleted.;
A0000017.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.55574;Deleted.;
A0000018.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.55574;Deleted.;
A0000019.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.55574;Deleted.;
A0000022.dll;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoad.3503;Deleted.;
A0000041.bat;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Probably BATCH.Virus;;
A0000102.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoad.33445;Deleted.;
A0000103.dll;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoad.3503;Deleted.;
A0000121.bat;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Probably BATCH.Virus;;
A0000123.EXE;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Program.PsExec.170;Moved.;
A0000128.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.based;Deleted.;
A0000129.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.based;Deleted.;
A0000131.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.Xpass;Deleted.;
A0000202.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.Xpass;Deleted.;
A0000204.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.Xpass;Deleted.;
A0000610.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.based;Deleted.;
A0000611.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.based;Deleted.;
A0000713.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.based;Deleted.;
A0000714.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.based;Deleted.;
A0000715.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2;Trojan.DownLoader.based;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP2\snapshot;Trojan.DownLoad.3503;Deleted.;
A0000829.dll:gyors;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP3;BackDoor.Sip;Deleted.;
A0000844.bat;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP3;Probably BATCH.Virus;;
A0000846.EXE;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP3;Program.PsExec.170;Moved.;
A0001728.bat;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Probably BATCH.Virus;;
A0001777.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Dialer.Member;Deleted.;
A0001779.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Adware.Zango;Moved.;
A0001780.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Adware.Zango;Moved.;
A0001781.exe\data001;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7\A0001781.exe;Adware.Zango;;
A0001781.exe\data003;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7\A0001781.exe;Trojan.PWS.Mailspy.96;;
A0001781.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Container contains infected objects;Moved.;
A0001782.exe\data001;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7\A0001782.exe;Adware.Zango;;
A0001782.exe\data003;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7\A0001782.exe;Trojan.PWS.Mailspy.96;;
A0001782.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Container contains infected objects;Moved.;
A0001783.exe\data001;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7\A0001783.exe;Adware.Zango;;
A0001783.exe\data003;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7\A0001783.exe;Trojan.PWS.Mailspy.96;;
A0001783.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Container contains infected objects;Moved.;
A0001784.exe\data007;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7\A0001784.exe;Trojan.Popuper;;
A0001784.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Archive contains infected objects;Moved.;
A0001785.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Trojan.Xpass;Deleted.;
A0001786.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Trojan.Xpass;Deleted.;
A0001787.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Dialer.Member;Deleted.;
A0001788.dll;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Trojan.DownLoader.based;Deleted.;
A0001789.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Trojan.StartPage.21076;Deleted.;
A0001790.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Trojan.StartPage.21076;Deleted.;
A0001791.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Trojan.StartPage.21076;Deleted.;
A0001792.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Modification of BackDoor.Generic.1210;Moved.;
A0001793.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Tool.Hatkeys;Moved.;
A0001794.exe;C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP7;Trojan.MulDrop.16870;Deleted.;
control.ini:pzybm;C:\WINDOWS;BackDoor.Sip;Deleted.;
explorer.scf:rtega;C:\WINDOWS;Trojan.DownLoader.1101;Deleted.;
FaxSetup.log:ywpor;C:\WINDOWS;Trojan.DownLoader.1101;Deleted.;
GPMMICP.INI:ktplc;C:\WINDOWS;BackDoor.Sip;Deleted.;
NOTEPAD.EXE:uliht;C:\WINDOWS;Trojan.DownLoader.1101;Deleted.;
oeuninst.exe:bejwn;C:\WINDOWS;BackDoor.Sip;Deleted.;
Prairie Wind.bmp:tfbbp;C:\WINDOWS;Trojan.DownLoader.1077;Deleted.;
REGLOCS.OLD:cplhf;C:\WINDOWS;BackDoor.Sip;Deleted.;
River Sumida.bmp:vpvmz;C:\WINDOWS;Trojan.DownLoader.1077;Deleted.;
setuplog.txt:jfsre;C:\WINDOWS;Trojan.DownLoader.1077;Deleted.;
SIGVERIF.TXT:lekpp;C:\WINDOWS;BackDoor.Sip;Deleted.;
SM1BG.EXE.bak:efduj;C:\WINDOWS;Trojan.DownLoader.1077;Deleted.;
WATCH.INI:yzhwv;C:\WINDOWS;Trojan.DownLoader.1077;Deleted.;
axaccessctrl.ocx\data001;C:\WINDOWS\system32\axaccessctrl.ocx;Trojan.Xpass;;
axaccessctrl.ocx\data002;C:\WINDOWS\system32\axaccessctrl.ocx;Trojan.Xpass;;
axaccessctrl.ocx;C:\WINDOWS\system32;Container contains infected objects;Moved.;
axaccessctrl1.ocx\data001;C:\WINDOWS\system32\axaccessctrl1.ocx;Trojan.Xpass;;
axaccessctrl1.ocx\data002;C:\WINDOWS\system32\axaccessctrl1.ocx;Trojan.Xpass;;
axaccessctrl1.ocx;C:\WINDOWS\system32;Container contains infected objects;Moved.;
gcodac.dll;C:\WINDOWS\system32;Trojan.StartPage.391;Deleted.;
gyvxgxe.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
MatAdown.dll;C:\WINDOWS\system32;Trojan.DownLoader.1057;Deleted.;
sqllnpn.dll;C:\WINDOWS\system32;Trojan.DownLoader.245;Deleted.;


And finally a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:42:32, on 14/04/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\WINDOWS\System32\iosdt\iosdt.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98638fb739e5e) (gupdate1c98638fb739e5e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 12491 bytes



Thanks again!

Okay please go edit the CFscript.txt and remove it's current contents and add this.



Then get a NEW fresh copy of Combofix.exe as Dr Web damaged the current version. Download and overwrite the current version if it's still there.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

Then drag the new modified CFscript.txt file onto combofix.exe and run it.

Then run the following MBAM scan.

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
• When the update is complete, select the Scanner tab
• Select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.



Let me know how the computer is running now and if there are still any signs of infection or not.

Thanks

Okay here goes:

ComboFix log just incase:

ComboFix 09-04-15.08 - John Dobson 15/04/2009 14:31.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.1535.1110 [GMT 1:00]
Running from: c:\documents and settings\John Dobson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Dobson\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-14 13:37 . 2009-04-14 16:35 -------- d-----w c:\documents and settings\John Dobson\DoctorWeb
2009-04-10 16:11 . 2009-04-10 16:11 -------- d-----w C:\RootRepeal
2009-04-08 13:05 . 2009-04-08 13:05 -------- d-----w c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 13:38 . 2008-11-09 19:51 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-14 20:38 . 2005-04-08 20:24 17408 ----a-w c:\windows\system32\drivers\USBCRFT.SYS
2009-04-14 19:22 . 2004-12-26 19:53 33792 ----a-w c:\windows\oeuninst.exe
2009-04-14 19:22 . 2004-12-26 19:53 66048 ----a-w c:\windows\NOTEPAD.EXE
2009-04-14 19:09 . 2004-11-02 18:53 -------- d-----w c:\program files\MRAI Install Wizard v1.23
2009-04-14 13:01 . 2009-02-03 19:42 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-09 11:15 . 2009-04-09 11:05 0 ----a-w C:\DriversGeneral.txt
2009-04-09 10:55 . 2009-04-09 10:55 522 ----a-w C:\JavaRa.log
2009-04-09 10:54 . 2005-05-09 18:55 -------- d-----w c:\program files\AAV Fleet Manager
2009-04-08 13:32 . 2008-11-23 11:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-08 13:16 . 2005-02-14 20:58 -------- d-----w c:\program files\GetRight
2009-04-07 13:31 . 2005-10-31 20:14 -------- d-----w c:\program files\Trend Micro
2009-04-06 19:15 . 2009-02-03 19:52 -------- d-----w c:\program files\XoftSpySE
2009-04-06 14:32 . 2008-11-23 11:59 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-11-23 11:59 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 15:00 . 2008-05-11 13:20 -------- d-----w c:\documents and settings\Jo-Anne Dobson\Application Data\U3
2009-03-29 14:58 . 2008-06-18 16:48 103512 ----a-w c:\documents and settings\Jo-Anne Dobson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 21:38 . 2009-03-02 21:38 -------- d-----w c:\program files\MSECache
2008-10-19 20:59 . 2004-11-28 17:18 99624 ----a-w c:\documents and settings\Mark Dobson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 17:37 . 2004-10-31 20:01 99624 ----a-w c:\documents and settings\Elliott Dobson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-25 22:44 . 2004-12-22 18:53 99624 ----a-w c:\documents and settings\John Dobson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-30 15:36 . 2006-05-30 15:35 275 ----a-w c:\documents and settings\Incomplete\downloads.dat
2006-03-20 17:24 . 2006-03-20 17:24 24192 ----a-w c:\documents and settings\Mark Dobson\usbsermptxp.sys
2006-03-20 17:24 . 2006-03-20 17:24 22768 ----a-w c:\documents and settings\Mark Dobson\usbsermpt.sys
2004-10-31 20:01 . 2004-10-31 20:01 137 ----a-w c:\documents and settings\Elliott Dobson\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-14_13.24.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 11:16 . 2009-04-15 11:16 16384 c:\windows\temp\Perflib_Perfdata_77c.dat
+ 2005-04-08 20:24 . 2009-04-14 20:38 17408 c:\windows\system32\drivers\USBCRFT.SYS
- 2005-04-08 20:24 . 2009-04-14 13:06 17408 c:\windows\system32\drivers\USBCRFT.SYS
+ 2004-12-26 19:53 . 2009-04-14 19:22 66048 c:\windows\system32\dllcache\notepad.exe
- 2004-12-26 19:53 . 2004-12-26 19:53 66048 c:\windows\system32\dllcache\notepad.exe
- 2009-04-08 13:31 . 2009-04-14 13:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-08 13:31 . 2009-04-15 11:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-03-27 07:43 . 2009-04-15 11:16 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-03-27 07:43 . 2009-04-14 13:00 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-03-27 07:43 . 2009-04-14 13:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-03-27 07:43 . 2009-04-15 11:16 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-12-26 19:53 . 2009-04-14 19:22 33792 c:\windows\oeuninst.exe
- 2004-12-26 19:53 . 2004-12-26 19:53 33792 c:\windows\oeuninst.exe
- 2004-12-26 19:53 . 2004-12-26 19:53 66048 c:\windows\NOTEPAD.EXE
+ 2004-12-26 19:53 . 2009-04-14 19:22 66048 c:\windows\NOTEPAD.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-04-06 1883672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-04-06 1883672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-29 180269]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 81920]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2005-07-19 221184]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"parentalcontrol"="c:\program files\parentalcontrol\parentalcontrol.exe" [2006-08-31 36544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-04-06 1277584]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-13 65024]
"Dit"="Dit.exe" - c:\windows\Dit.exe [2004-07-20 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2006-09-06 2128016]

c:\documents and settings\Elliott Dobson\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-7-19 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-8-4 962661]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-3-15 884838]
Watch.lnk - c:\windows\twain_32\CIS600X\WATCH.exe [2004-10-29 356352]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-11-7 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

R2 gupdate1c98638fb739e5e;Google Update Service (gupdate1c98638fb739e5e);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
R3 CardReaderFilter;Card Reader Filter;c:\windows\System32\Drivers\USBCRFT.SYS [2009-04-14 17408]
R3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\DRIVERS\SWUSBFLT.sys [2001-08-17 3968]
S0 tffsport;M-Systems DiskOnChip 2000;c:\windows\System32\DRIVERS\tffsport.sys [2002-08-29 143104]
S2 SFC4;SFC4;c:\windows\system32\drivers\SFC4.sys [1998-09-16 41472]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\System32\DNINDIS5.SYS [2003-07-24 17149]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2005-09-26 362944]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2008-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-04-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-04-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 19:42]

2009-04-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 19:52]

2005-01-02 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2006-05-09 16:23]

2009-04-14 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 14:29]

2009-04-07 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 14:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.freeserve.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.co.uk/
mSearch Bar = www.google.co.uk
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = ;localhost;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: GIC - hxxps://www.ib.albb.co.uk/ebs/ie/classes.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {630F2610-7654-11D1-83E3-0080C71A8794} - hxxps://www.ib.albb.co.uk/ebs/ie/gic.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.northernbank.co.uk/html/activex/e-Safekey/NB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\John Dobson\Application Data\Mozilla\Firefox\Profiles\qyab55kd.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-loader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-publisherloader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvideoegg-updaterloader.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 14:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\setupapi.log.0.old:hjakc 56320 bytes executable
c:\windows\oeuninst.exe:fnlsp 29696 bytes executable
c:\windows\twain_32.dll:cjgyz 56320 bytes executable
c:\windows\control.ini:dkxdy 56320 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(616)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(14412)
c:\windows\System32\msi.dll
.
Completion time: 2009-04-15 14:46
ComboFix-quarantined-files.txt 2009-04-15 13:46
ComboFix2.txt 2009-04-14 13:28
ComboFix3.txt 2009-04-08 11:57
ComboFix4.txt 2009-04-07 14:16

Pre-Run: 153,809,244,160 bytes free
Post-Run: 153,792,933,888 bytes free

196 --- E O F --- 2009-03-12 08:07





MBAM log


Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 1

15/04/2009 16:28:44
mbam-log-2009-04-15 (16-28-44).txt

Scan type: Quick Scan
Objects scanned: 90814
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



And Finally a Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:28:55, on 15/04/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\WINDOWS\System32\iosdt\iosdt.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98638fb739e5e) (gupdate1c98638fb739e5e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 12291 bytes



Computer has been running fine for a while now with no signs of infection, didnt realise there could be so much underlying stuff left over from an infection, I'm planning to give my other computer the same rigorous check now.

Thanks!

Please go ahead now and install the latest Java and then do an Online Anti-Virus scan with Kaspersky. The scan will take a long time but will help verify the system is clean.

Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 13.

• Go to http://java.sun.com/javase/downloads/index.jsp
• Go to Java Runtime Environment (JRE) 6 Update 13 about half way down the page and click on the Download button.
• In Platform box choose Windows.
• Check the box to Accept License Agreement and click Continue.
• Click on Windows Offline Installation, click on the link under it which says jre-6u13-windows-i586-p.exe and save the downloaded file to your desktop.
• Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
• Uncheck the Toolbar button (unless you want the toolbar)
• Reboot your computer

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
• Click on My Computer under Scan and then put the kettle on!
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

Here we go, HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:50:37, on 17/04/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\John Dobson\Local Settings\temp\jkos-John Dobson\binaries\ScanningProcess.exe
C:\Documents and Settings\John Dobson\Local Settings\temp\jkos-John Dobson\binaries\ScanningProcess.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?0717c59d2cc5443a9af1f742c931e1b3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?0717c59d2cc5443a9af1f742c931e1b3
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Elliott Dobson\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\WINDOWS\System32\iosdt\iosdt.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98638fb739e5e) (gupdate1c98638fb739e5e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 13374 bytes




and the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, April 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, April 17, 2009 10:10:12
Records in database: 2053377
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\
L:\

Scan statistics:
Files scanned: 245067
Threat name: 14
Infected objects: 136
Suspicious objects: 0
Duration of the scan: 04:10:19


File name / Threat name / Threats count
csrss.exe\swpg.dat/csrss.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
C:\Program Files\Spyware Doctor\tools\swpg.dat/C:\Program Files\Spyware Doctor\tools\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 53
winlogon.exe\swpg.dat/winlogon.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
services.exe\swpg.dat/services.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
lsass.exe\swpg.dat/lsass.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
ati2evxx.exe\swpg.dat/ati2evxx.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 2
svchost.exe\swpg.dat/svchost.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 5
brsvc01a.exe\swpg.dat/brsvc01a.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
brss01a.exe\swpg.dat/brss01a.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
spoolsv.exe\swpg.dat/spoolsv.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
alg.exe\swpg.dat/alg.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
GoogleUpdate.exe\swpg.dat/GoogleUpdate.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
jqs.exe\swpg.dat/jqs.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
KService.exe\swpg.dat/KService.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
MDM.EXE\swpg.dat/MDM.EXE\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
sdhelp.exe\swpg.dat/sdhelp.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
slserv.exe\swpg.dat/slserv.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
wdfmgr.exe\swpg.dat/wdfmgr.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
UAService7.exe\swpg.dat/UAService7.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
explorer.exe\swpg.dat/explorer.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
wuauclt.exe\swpg.dat/wuauclt.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
SOUNDMAN.EXE\swpg.dat/SOUNDMAN.EXE\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
atiptaxx.exe\swpg.dat/atiptaxx.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
realsched.exe\swpg.dat/realsched.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
Dit.exe\swpg.dat/Dit.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
SSAAD.exe\swpg.dat/SSAAD.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
LVCOMSX.EXE\swpg.dat/LVCOMSX.EXE\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
pptd40nt.exe\swpg.dat/pptd40nt.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
dragdiag.exe\swpg.dat/dragdiag.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
qttask.exe\swpg.dat/qttask.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
iTunesHelper.exe\swpg.dat/iTunesHelper.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
apdproxy.exe\swpg.dat/apdproxy.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
parentalcontrol.exe\swpg.dat/parentalcontrol.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
BrMfcWnd.exe\swpg.dat/BrMfcWnd.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
SSScsiSV.exe\swpg.dat/SSScsiSV.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
jusched.exe\swpg.dat/jusched.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
ctfmon.exe\swpg.dat/ctfmon.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
iPodService.exe\swpg.dat/iPodService.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
BrccMCtl.exe\swpg.dat/BrccMCtl.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
GoogleToolbarNotifier.exe\swpg.dat/GoogleToolbarNotifier.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
KHost.exe\swpg.dat/KHost.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
dslmon.exe\swpg.dat/dslmon.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
WPN111.exe\swpg.dat/WPN111.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
BrMfcMon.exe\swpg.dat/BrMfcMon.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
WATCH.exe\swpg.dat/WATCH.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
WZQKPICK.EXE\swpg.dat/WZQKPICK.EXE\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
firefox.exe\swpg.dat/firefox.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
java.exe\swpg.dat/java.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
ScanningProcess.exe\swpg.dat/ScanningProcess.exe\swpg.dat Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\4EBE0140d01 Infected: not-a-virus:Dialer.Win32.Small.gen 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\A0001779.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\A0001780.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ax 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\A0001781.exe Infected: not-a-virus:WebToolbar.Win32.Zango.b 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\A0001782.exe Infected: not-a-virus:WebToolbar.Win32.Zango.b 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\A0001783.exe Infected: not-a-virus:WebToolbar.Win32.Zango.b 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\A0001784.exe Infected: Trojan-Downloader.Win32.Zlob.bug 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\axaccessctrl.ocx Infected: Trojan.Win32.Agent.rnw 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\axaccessctrl1.ocx Infected: Trojan.Win32.Agent.rqv 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\MeeWinks13.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\Setup(2).exe Infected: not-a-virus:AdWare.Win32.180Solutions.ax 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\Setup(5).exe Infected: not-a-virus:WebToolbar.Win32.Zango.b 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\Setup(6).exe Infected: not-a-virus:WebToolbar.Win32.Zango.b 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\Setup(7).exe Infected: not-a-virus:WebToolbar.Win32.Zango.b 1
C:\Documents and Settings\John Dobson\DoctorWeb\Quarantine\setup.exe Infected: Trojan-Downloader.Win32.Zlob.bug 1
C:\Program Files\Microsoft Games\Flight Simulator 9\Aircraft\zips\sdsetup.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
C:\Program Files\Spyware Doctor\tools\swpg.DAT Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
C:\Qoobox\Quarantine\C\WINDOWS\sppaz.dll.vir Infected: Trojan-Downloader.Win32.WinShow.ak 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\Winma23.sys.vir Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_Winma23_.sys.zip Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Dropper.Win32.Agent.amcb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ybudm.dll.vir Infected: Trojan-Downloader.Win32.WinShow.ak 1
C:\Qoobox\Quarantine\C\WINDOWS\vczww.dll.vir Infected: Trojan-Downloader.Win32.WinShow.ak 1
C:\Qoobox\Quarantine\C\WINDOWS\wgudg.dll.vir Infected: Trojan-Downloader.Win32.WinShow.ak 1
C:\WINDOWS\control.ini Infected: Trojan-Downloader.Win32.WinShow.ak 1
C:\WINDOWS\istremas.dll Infected: Trojan.Win32.Agent.cack 1
C:\WINDOWS\oeuninst.exe Infected: Trojan-Downloader.Win32.Agent.ap 1
C:\WINDOWS\setupapi.log.0.old Infected: Trojan-Downloader.Win32.WinShow.ak 1
C:\WINDOWS\system32\oyzocyc.dll Infected: Trojan.Win32.Obfuscated.ev 1
C:\WINDOWS\twain_32.dll Infected: Trojan-Downloader.Win32.WinShow.ak 1

The selected area was scanned.


Quite a few false positives there I think, computer is acting fine, havent had any trouble in a while now

Yes, very odd that Kaspersky would do that. Oh well I don't see anything that should be causing an issue either.

Please empty the Quarantine for DoctorWeb and you can remove Kaspersky


I HIGHLY suggest you update to SP3 for Windows XP but first install IE7 as it is more secure than IE6






Please run the following to remove any tools that might have been used during the scaning and cleaning of your system.

STEP A

Uninstall ComboFix.exe

• Click START then RUN
• Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  This will reset your time, create a new System Restore point, reset your files and folders back to hidden.

• 

• When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe AND check your system time and reset if needed

STEP B

Uninstall GMER
Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP C

Uninstall other tools
Please Download OTMoveIt3 by Old Timer and save it to your Desktop.

• Double-click OTMoveIt3.exe to run it.
• While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
• It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  NOW please reboot your computer to finish the cleanup process

Great, all looks good now.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
• Give the new Restore Point a name, then click "Create".
• The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use the Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr.exe
• Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.
• On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
• These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org