Full Version: Fake "Security Centre" rears its head again
dutchroll
Well, after a partial fix to this problem achieved by running Malwarebytes with the latest updates, it has fully reared up again.

The problem(s):
1. Fake Windows Security Centre on startup, which attempts to direct you to purchase a bunch of software.
2. Navigating to websites in IE is accompanied by random popup boxes that "virus activity has been detected".
3. Webpage advertisements & banners are randomly hijacked and display ads with various messages about privacy being compromised, virus threats, etc, etc.

Problems 1 and 2 were initially solved by running the latest Malwarebytes version with updates. After a hiatus of a couple of weeks, they're back.
Problem 3 was never really solved.

HIJACK THIS log follows.
MALWAREBYTES log also follows (it apparently didn't detect anything).
PANDA ACTIVE SCAN has been attempted twice but has caused a shutdown and reboot on both occasions less than 1/4 way through. It did detect problems by that point but obviously I can't tell what they were due to the shutdown. Will try again in safe mode soon.

Norton has just detected Trojan.Vundo but seems to have locked up. I'll see what happens on reboot into safe mode. All assistance appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 3:40:11 PM, on 15/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
D:\Norton AntiVirus\navapsvc.exe
D:\Norton AntiVirus\IWP\NPFMntor.exe
D:\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
E:\Palm\Hotsync.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Opdicom\OpdiTracker\OptT3STA.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Computer\Internet Utility\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O4 - Global Startup: Start OpdiTracker.lnk = D:\Opdicom\OpdiTracker\OptT3STA.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Send to OneNote (HKLM)
O9 - Extra 'Tools' menuitem: S&end to OneNote (HKLM)
O9 - Extra button: Skype (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.cnn.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: bwh0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: offline-8876480 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

Malwarebytes' Anti-Malware 1.12
Database version: 750

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|J:\|M:\|)
Objects scanned: 296509
Time elapsed: 2 hour(s), 37 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
dutchroll
OK, well, the Active Scan did run in safe mode, though along the way the system threw up a "problem has been detected and windows has been shutdown........" message together with an "OK" button, which seemed a bit odd because it didn't actually stop anything running, and it was in poor English. I ignored it and everything kept running OK to the end.

Here is the Active Scan log (which threw up a couple of infections that look significant aside from the usual tracking cookies):

;*******************************************************************************
ANALYSIS: 2008-05-15 18:04:29
PROTECTIONS: 1
MALWARE: 21
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Norton AntiVirus 2005 2005 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@trafficmp[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@atdmt[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@tribalfusion[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@com[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@yadro[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@xiti[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@ad.yieldmanager[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@bs.serving-sys[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@server.iad.liveperson[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@advertising[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@overture[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Sarah\Cookies\sarah@overture[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@questionmarket[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Mike&Sarah\Cookies\mike&sarah@adultfriendfinder[1].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{82CA51DE-1CBC-4EE0-968D-B843BDD449B5}\RP5\A0001598.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{82CA51DE-1CBC-4EE0-968D-B843BDD449B5}\RP2\A0000008.sys
02915475 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\.8CFE9A0B\8CFE9A0B.CORE.DLL
;===============================================================================
SUSPECTS
Sent Location 4
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description 4
;===============================================================================
182048 HIGH MS07-069 4
;===============================================================================
AdvancedSetup
Hello Dutchroll and Welcome to Malwarebytes

Well, it looks like you "may" have followed the directions here: Pre-HJT Post Instructions, Please follow these instructions prior to posting a HJT log, but you didn't say if you've run Spybot Search & Destroy and allowed it to remove the items found.
Don't forget to update all Scanners before scanning.


Let me review your logs and information and I'll get back to you as it's quite late right now.
dutchroll
Yep, done all that.

You'll note in the logs I posted that Adaware and Spybot both rate a mention. I run them frequently.

Have read and followed to the letter all the instructions in your pre-amble posts. If I missed anything, it wasn't for lack of trying.
AdvancedSetup
First - disable the Spybot Search & Destroy Tea Timer if it's running as it will interfere with some fixes.

Instructions on how to disable the Spybot Search & Destroy Tea Timer
Disable Spybot Search & Destroy's TEA TIMER:
    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

Please run the following tasks.
Follow these instructions carefully.
  • Download ATF-Cleaner from Snapfiles.com to remove unneeded temporary files from your computer that may contain malware.
  • You can also download it from Majorgeeks.com.
  • When you run ATF-Cleaner, check the items as shown below for Main.
  • For Firefox, be sure to click on the Firefox tab on top and check the items as shown below for Firefox.
  • NOTE: If you don't have Firefox or Opera installed then they will be grayed out and can be ignored.
  • Then click on "Empty Selected".



Go into your Control Panel - Add/Remove and uninstall the following applications - you can get updates later on:
All Java versions, All Flash versions, All Shockwave versions, All QuickTime versions, Adobe Acrobat READER
Many of these programs have been recently updated to correct holes that have been found in them which help facilitate malware being installed onto your system. Updating to the most recent versions will help to alleviate this method of entry.
Unless you need the functionality of Adobe Reader 6, this program is now at version 8.12.

Start HiJackThis and do a Scan Only and place a check mark in the following items
  • O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
  • O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
  • O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
  • O4 - Global Startup: Start OpdiTracker.lnk = D:\Opdicom\OpdiTracker\OptT3STA.exe
  • This item, Aventail Installer, could be legit or not; it depends on whether you installed it or someone else did without your knowledge, so you decide.
  • O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab
  • O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
  • O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/armhelper.ocx
  • O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
  • Put a check in ALL the O18 entries - this is for your Logitech updates, but in my opinion you'd be better off manually checking for updates instead of using this method.
  • You can read up more about it here: What is backweb-8876480.exe
  • Then click on "Fix selected".

Reset IE to defaults
  • Start Internet Explorer - Tools, Internet Options, Advanced and select Reset... to reset all values back to their defaults
  • Then start IE and select to keep the current settings.
  • Quit and relaunch IE and make sure it goes to the default MSN page
  • Quit IE

Run an Online scan with NOD32
  • Run an online scan with ESET from Free Virus Scan: Use ESET's Online Antivirus Scanner
    • You must use Internet Explorer for this online scan. Firefox, Opera, etc. will not work for this scan.
    • Accept the terms and click "Start".
    • Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".
    • Click "Start" to begin the scan.
    • When completed restart your computer


Software Updates
Here are links to get the latest versions of the software that you removed once we're all done scanning your system.
Don't reinstall them just yet.

Once the above has been completed, run Malwarebytes, go to the Update tab and update it, and do a Quick Scan.
Then do a HJT scan only and post back that log and the MB log.




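The post above picks review candidates out of the HijackThis log section by section: O2 BHOs, O4 startup items, O16 Downloaded Program Files and O18 protocol handlers. As an added example that is not part of this thread and is not code from HijackThis, Malwarebytes or the forum helper, the Python below parses those four line formats and applies a handful of heuristic checks chosen for this illustration: a BHO registration whose DLL is marked "(file missing)", a Run value that names a bare executable without a directory, a startup shortcut whose target HijackThis could not resolve, a DPF control sourced from a file:// URL, and many URL schemes registered to a single DLL (the BackWeb pattern in the log above). Flags are prompts for a human to look at an entry, not verdicts; the sample input is trimmed from the logs posted in this thread.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis logs posted in this thread,
# trimmed to a couple of entries per section type.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: bwh0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
"""

# {8-4-4-4-12} hex CLSID as HijackThis prints it (letter case varies in real logs).
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One pattern per line format we triage; anything else (R0, O9, ...) is skipped.
PATTERNS = [
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID
                      + r") - (?P<path>.*?)(?P<missing> \(file missing\))?$")),
    ("O4", re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")),
    ("O4", re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<shortcut>.*?) = (?P<target>.*)$")),
    ("O16", re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>.*?)\))? - (?P<url>\S+)$")),
    ("O18", re.compile(r"^O18 - Protocol: (?P<scheme>\S+) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")),
]


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O2"
    raw: str      # the original log line
    fields: dict  # named groups captured from the line


def parse(log_text):
    """Turn recognised HijackThis lines into Entry records; unknown lines are dropped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                entries.append(Entry(section, line, m.groupdict()))
                break
    return entries


def program_of(cmd):
    """Return the program part of a Run value: the quoted path, or the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else cmd


def review(entries):
    """Apply the heuristic checks; returns (kind, detail) pairs for a human to look at."""
    findings = []
    handlers = defaultdict(list)  # DLL path -> URL schemes registered to it
    for e in entries:
        g = e.fields
        if e.section == "O2" and g.get("missing"):
            # Registration survived but the DLL is gone: an orphan worth cleaning up.
            findings.append(("dead-bho", e.raw))
        elif e.section == "O4" and "cmd" in g and "\\" not in program_of(g["cmd"]):
            # No directory given, so Windows resolves the name via its search path;
            # the log alone cannot say which file actually runs.
            findings.append(("bare-exe-run", e.raw))
        elif e.section == "O4" and g.get("target") == "?":
            # HijackThis could not resolve where the startup shortcut points.
            findings.append(("unresolved-shortcut", e.raw))
        elif e.section == "O16" and g["url"].lower().startswith("file:"):
            # A Downloaded Program File sourced from local disk rather than a vendor URL.
            findings.append(("local-dpf", e.raw))
        elif e.section == "O18":
            handlers[g["path"].lower()].append(g["scheme"])
    for path, schemes in handlers.items():
        if len(schemes) >= 3:
            # Many pluggable-protocol schemes routed into one DLL.
            findings.append(("shared-protocol-handler", f"{len(schemes)} schemes -> {path}"))
    return findings


def summarize(log_text):
    """Count findings by kind for a whole log."""
    return dict(Counter(kind for kind, _ in review(parse(log_text))))


if __name__ == "__main__":
    for kind, detail in review(parse(SAMPLE_LOG)):
        print(f"[{kind}] {detail}")
```

Run against the sample, the script flags the orphaned AcroIEHelper BHO, the two bare-name Run values, the unresolved Adobe shortcut, the file:// ArmHelper control and the shared BackWeb handler, and stays silent on the NAV Helper, ccApp, Shockwave and ms-help lines. The thresholds (three schemes per DLL, any file: URL) are deliberately loose so that the output is a short reading list rather than an automated verdict.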
dutchroll
OK,

Firstly: Thank you very much for your time, AdvancedSetup. It really is appreciated.

Secondly: I've followed the instructions, and here's the latest info:

Extra Info which may or may not be helpful:

1. The situation on this PC has deteriorated to the point where most stuff has to be done in "Safe Mode". It is not particularly stable upon normal bootup, and the malware has slowed it down to a very slow crawl in the last 48 hrs, with continuous HD read/write activity and CPU usage. The problem I've found with "Safe Mode" of course is that there are restrictions on what I can achieve and so occasionally I've had to reboot normally and just wear the pain (to uninstall software, etc).

2. Booting into normal mode always throws up a "Trojan.Vundo" detection by Norton which cannot be fixed and remains on the screen until reboot into "Safe Mode".

3. Booting into "Safe Mode" fixes the system slowdown problem and para 2 above, but nothing else.

4. The fake "Windows Security Centre" with its display of "UltimateFixer", "SystemDefender" and "SysCleaner" always appears upon initial loading of the desktop, no matter what mode I'm in.

Info directly related to your instructions:

OK, did everything IAW the instructions except:

1. A personal mistake - I selected "All" with the ATF Cleaner. C'est la vie. I didn't need the cookies, recycle bin, etc. anyway.

2. I did not uninstall Adobe Acrobat because I have the full version of Acrobat 7.0 (and no other versions of anything to do with Acrobat that I can find), which I need for work.

3. I did not check the O16 Aventail Installer entry in the HijackThis log (again as you alluded to) because this is a SecurID token I need for remote access to the Qantas Airlines server (who I work for).

4. No matter what mode, and how many times I tried, none of the O18 entries could be deleted.

5. The ESET scanner detected several infections, all related to Java, but could only fix one of them. I tried to copy the scanner results but only got the gibberish in the headers etc. without the guts of the messages. Sorry, probably a copy/paste screwup on my part.

Here are the new logs (BTW, the malware problem still remains - pesky critter eh!)

Logfile of HijackThis v1.97.7
Scan saved at 6:26:45 PM, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Computer\Internet Utility\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O9 - Extra button: Send to OneNote (HKLM)
O9 - Extra 'Tools' menuitem: S&end to OneNote (HKLM)
O9 - Extra button: Skype (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O18 - Protocol: bwh0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: offline-8876480 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:

Malwarebytes' Anti-Malware 1.12
Database version: 755

Scan type: Quick Scan
Objects scanned: 39305
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
AdvancedSetup
Yes, sometimes malware can be quite difficult to remove, but with patience we should be able to get you cleaned up.


Download this program and run it. RogueRemover FREE

Go into the Control Panel - Add/Remove and remove these items.
Uninstall Spybot Search & Destroy (or similar name) - this item below does not look like the correct one.
Uninstall the Logitech Desktop Messenger only. Not the other Logitech items. This should remove the O18 items.

Then go download and install this version and update it (do not enable the Tea Timer)
Spybot Search and Destroy 1.5.2.20
Then run a scan with it and allow it to repair any items it finds.

Start HJT and do a Scan Only
Put a check mark on these items
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Then click on Fix selected

Then try to do an online PANDA Scan
PandaActive Scan

I will have to check with one of the updaters to see why MB is missing one of the items.

Let me know if Spybot or MB or Panda run into any errors or what it finds.

After all scanning and reboot please run a new HJT scan and post that log.
If you're still having issues then we'll need to possibly run some other tools for cleanup.

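As an added example (not code from this thread or from HijackThis itself), a small Python reader for the HijackThis log format that pulls out the kinds of lines the reply above points at: R0/R1 entries with blank values, O18 protocol handlers grouped by the DLL that implements them (all the Logitech ones share one DLL, which is why removing that product clears them together), O4 Run entries that give no full path, and O20 Winlogon Notify DLLs. The sample log is constructed from entry lines posted in this thread.

```python
"""Summarise a HijackThis-style log the way a forum helper reads it.

Added example: not code from this thread or from HijackThis itself.
SAMPLE_LOG is constructed from entry lines posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample log: header lines plus a few entries of each kind discussed.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: bwh0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {EE688E9E-3A22-4570-B537-AE904ECAE937} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: sgkwdelo - C:\WINDOWS\SYSTEM32\sgkwdelo.dll
"""

# Every HijackThis entry starts with a section code such as R0, O2, O4, O18, O20.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O4 body shape: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_entries(text):
    """Return (section, body) for every R/O entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def empty_registry_values(entries):
    """R0/R1 entries whose value is blank (IE start/search settings left empty)."""
    return [body for sec, body in entries
            if sec in ("R0", "R1") and body.rstrip().endswith("=")]


def split_clsid_entry(body):
    """Split 'Label: name - {CLSID} - path' into (name, clsid, path), or None."""
    parts = [p.strip() for p in body.split(" - ")]
    if len(parts) < 3 or ":" not in parts[0]:
        return None
    name = parts[0].split(":", 1)[1].strip()
    return name, parts[1], " - ".join(parts[2:])


def protocol_handlers_by_dll(entries):
    """Group O18 protocol handler names by implementing DLL.

    Many names sharing one CLSID and DLL belong to a single product, so they
    appear and disappear together with that product.
    """
    groups = defaultdict(list)
    for sec, body in entries:
        if sec == "O18":
            parsed = split_clsid_entry(body)
            if parsed:
                name, _clsid, dll = parsed
                groups[dll].append(name)
    return dict(groups)


def winlogon_notify_dlls(entries):
    """O20 Winlogon Notify handlers as (subkey name, DLL path).

    These DLLs load into winlogon at logon, so each one deserves a look-up;
    an unfamiliar name in System32 is the first thing to check.
    """
    found = []
    for sec, body in entries:
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            name, _, dll = body[len("Winlogon Notify:"):].partition(" - ")
            found.append((name.strip(), dll.strip()))
    return found


def run_entries_without_path(entries):
    """O4 Run entries whose command is a bare executable with no directory.

    Such commands resolve through the PATH search, so the log alone does not
    show which file actually runs; these are the ones to resolve by hand.
    """
    bare = []
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if not m:
            continue
        cmd = m.group("cmd").strip()
        exe = cmd.lstrip('"').split()[0] if cmd else ""
        if exe and "\\" not in exe and ":" not in exe:
            bare.append((m.group("hive"), m.group("name"), cmd))
    return bare


def review(text):
    """One-shot summary of the lines worth a second look."""
    entries = parse_entries(text)
    return {
        "empty_values": empty_registry_values(entries),
        "protocol_handlers": protocol_handlers_by_dll(entries),
        "winlogon_notify": winlogon_notify_dlls(entries),
        "bare_run_commands": run_entries_without_path(entries),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}:")
        items = value.items() if isinstance(value, dict) else value
        for item in items:
            print(f"  {item}")
```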
dutchroll
Sorry about the obvious time zone diff here. Alrighty, here's the latest (run to your instructions):

1. RogueRemover, with the latest update just now, found nothing.

2. There were 2 Spybot S&D entries in the Add/Remove programs and I uninstalled both of them, then installed and ran the latest version, 1.5.2.20. Nothing was detected.

3. Malwarebytes detected nothing.

4. Removing the Logitech Desktop Messenger fixed all of the O18 problems in Hijackthis.

5. Panda again ended up detecting several items, but threw up a "system rebooting" (or words to that effect) screen which actually did result in an uncontrollable reboot half-way through the scan. So once again unfortunately I couldn't get any useful info from Panda.

Here's the latest Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 9:42:01 PM, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Computer\Internet Utility\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O9 - Extra button: Send to OneNote (HKLM)
O9 - Extra 'Tools' menuitem: S&end to OneNote (HKLM)
O9 - Extra button: Skype (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
AdvancedSetup
Yes, different time zones - sorry about that.

So both PANDA and NOD32 online scans crash before they can complete?
Maybe you can try this one: Kaspersky Lab Free Virus Scan

Please notice here that Tea Timer is running and needs to be disabled for now. It can be restarted later on.
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Instructions on how to disable the Spybot Search & Destroy Tea Timer
Disable Spybot Search & Destroy's TEA TIMER:
    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left-hand side, click on Tools.
    4. Then click on the Resident icon in the list.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

Also - you have an old version of HJT (don't think it is a real issue but better to remove that version and install an updated one)
Your current HJT version is 1.97.7; the latest is 2.0.2.
Please go here and get an updated version and install it AFTER removing the old version
Download TrendSecure TrendMicro HijackThis

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.


dutchroll
OK AdvancedSetup, thanks for bearing with me - getting anything to run on this machine has been quite time-consuming!

Fixed the tea-timer issue. Forgot to uncheck it at the previous step above when I uninstalled & re-installed Spybot.

Kaspersky scan crashed like the others, causing a system shutdown. In either normal or safe mode the machine seems to invariably want to shut down and reboot at some point. On several occasions where I've left it unattended with no programs running, I've come back to find it rebooted.

I decided to try another Panda scan and this ran almost to the end before crashing. Fortunately I was in attendance throughout, and managed to quickly cancel the scan and save the logfile while the system was going through its shutdown with about 3 seconds to spare. There had been no further detections since it finished on the C drive about 20% through.

You'll notice more stuff in the HijackThis log (latest version now BTW). Obviously due to running DSS in normal rather than Safe Mode (which it told me it didn't like). A lot of the other stuff I've done has been in Safe Mode where possible due to the system stability problems I'm getting. The malware is still quite active in Safe Mode, but I don't get the continuous HDD activity and severe resource-hogging, which makes things much easier to do.

Here are the relevant logs:

Pandascan:
;*******************************************************************************
ANALYSIS: 2008-05-17 12:18:00
PROTECTIONS: 1
MALWARE: 9
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Norton AntiVirus 2005 2005 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
00187949 Cookie/adstat TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@adstat.4u[1].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{82CA51DE-1CBC-4EE0-968D-B843BDD449B5}\RP5\A0001598.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{82CA51DE-1CBC-4EE0-968D-B843BDD449B5}\RP2\A0000008.sys
02915475 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\.8CFE9A0B\8CFE9A0B.CORE.DLL
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
182048 HIGH MS07-069
;===============================================================================

DSS Main

Deckard's System Scanner v20071014.68
Run by Mike&Sarah on 2008-05-17 12:26:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2008-05-17 02:26:49 UTC - RP23 - Deckard's System Scanner Restore Point
22: 2008-05-16 12:29:58 UTC - RP22 - Software Distribution Service 3.0
21: 2008-05-16 10:20:42 UTC - RP21 - Configured QuickTime
20: 2008-05-16 05:28:03 UTC - RP20 - Removed J2SE Runtime Environment 5.0 Update 6
19: 2008-05-16 05:26:36 UTC - RP19 - Removed Adobe Flash Player 9 ActiveX


-- First Restore Point --
1: 2008-04-24 04:41:54 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:15 PM, on 17/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Norton AntiVirus\navapsvc.exe
D:\Norton AntiVirus\IWP\NPFMntor.exe
D:\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
D:\Computer\Mike&Sarah.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: sgkwdelo - C:\WINDOWS\SYSTEM32\sgkwdelo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11502 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 WmBEnum (Logitech Virtual Bus Enumerator Driver) - c:\windows\system32\drivers\wmbenum.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>
R3 WmXlCore (Logitech WingMan Translation Layer Driver) - c:\windows\system32\drivers\wmxlcore.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>
R3 yukonwxp (NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller) - c:\windows\system32\drivers\yk51x86.sys <Not Verified; Marvell; Marvell Yukon Ethernet Controller>

S2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
S3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - c:\windows\system32\drivers\alcxwdm.sys (file missing)
S3 ausbmon (Advanced USB Port Monitor Filter Driver) - c:\windows\system32\ausbmon.sys (file missing)
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
S3 hap17v2k (Creative P17V HAL Driver) - c:\windows\system32\drivers\hap17v2k.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20070628.004\symidsco.sys (file missing)
S3 WmFilter (Logitech WingMan HID Filter Driver) - c:\windows\system32\drivers\wmfilter.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>
S3 WmHidLo (Logitech WingMan USB Filter Driver) - c:\windows\system32\drivers\wmhidlo.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 NTService1 (MaxSyncService) - d:\maxtor\onetouch\utils\syncservices.exe <Not Verified; ; SyncServices>

S2 MaxBackServiceInt - "d:\maxtor\maxtor backup\maxbackserviceint.exe" <Not Verified; ; MaxBackServiceInt Module>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - d:\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-17 12:25:21 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-17 00:43:28 268 --a------ C:\WINDOWS\Tasks\Windows Update.job
2008-01-18 19:01:57 522 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Mike&Sarah.job


-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-17 10:38:04 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:38:04 0 d-------- C:\Program Files\Interapple
2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 10:22:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 22:38:03 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent
2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21:52 0 d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-15 11:03:11 249856 --a------ C:\WINDOWS\system32\sgkwdelo.dll
2008-05-13 16:40:19 0 d-------- C:\Program Files\RogueRemover FREE
2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>
2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>
2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL
2008-04-29 17:19:05 0 d-------- C:\acrsk
2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media
2008-04-25 08:23:30 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-24 16:34:20 0 d-------- C:\cmdcons
2008-04-24 15:24:47 0 d-------- C:\Program Files\Windows Defender
2008-04-24 15:21:11 0 d-------- C:\Program Files\Panda Security
2008-04-24 14:49:23 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-24 14:41:36 68096 --a------ C:\WINDOWS\zip.exe
2008-04-24 14:41:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-24 14:41:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-24 14:41:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-24 14:41:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-24 14:41:36 98816 --a------ C:\WINDOWS\sed.exe
2008-04-24 14:41:36 80412 --a------ C:\WINDOWS\grep.exe
2008-04-24 14:41:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 14:11:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:52:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-05-17 12:23:53 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech
2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime
2008-05-16 15:30:13 0 d-------- C:\Program Files\Common Files
2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia
2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia
2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml
2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real
2008-04-17 10:17:02 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon
2008-04-10 12:07:31 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe
2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest
2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2
2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared
2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley
2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini
2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader
2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 11:52:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype
2008-03-31 15:48:12 278 --a------ C:\053347d72ebcd5e.dat
2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX
2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc
2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild
2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET
2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-03-21 11:49:08 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Autodesk
2008-03-02 07:34:23 0 --a------ C:\Program Files\temp01


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/01/2007 05:32 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - E:\Palm\Hotsync.exe [9/06/2004 2:27:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoUserNameInStartMenu"=01000000
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sgkwdelo]
sgkwdelo.dll 15/05/2008 11:03 AM 249856 C:\WINDOWS\system32\sgkwdelo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
AutoRun\command- H:\InstallTomTomHOME.exe




-- End of Deckard's System Scanner: finished at 2008-05-17 12:32:49 ------------

DSS Extra

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6600 @ 2.40GHz
CPU 1: Intel® Core™2 CPU 6600 @ 2.40GHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 2046.41 MiB / 1467.59 MiB
Pagefile Memory (total/avail): 3939.59 MiB / 3527.08 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1903.1 MiB

C: is Fixed (NTFS) - 16.7 GiB total, 3.47 GiB free.
D: is Fixed (NTFS) - 24.31 GiB total, 12.3 GiB free.
E: is Fixed (NTFS) - 27.35 GiB total, 20.15 GiB free.
F: is Fixed (NTFS) - 43.43 GiB total, 3.53 GiB free.
G: is CDROM (No Media)
H: is Fixed (NTFS) - 112.74 GiB total, 110.67 GiB free.
J: is Fixed (NTFS) - 107.22 GiB total, 107.16 GiB free.
M: is Fixed (NTFS) - 78.13 GiB total, 45.3 GiB free.

\\.\PHYSICALDRIVE0 - ST3120026AS - 111.79 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 16.7 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 95.09 GiB - D: - E: - F:

\\.\PHYSICALDRIVE1 - WDC WD3200JS-00PDB0 - 298.09 GiB - 3 partitions
\PARTITION0 - Installable File System - 78.13 GiB - M:
\PARTITION1 - Installable File System - 112.74 GiB - H:
\PARTITION2 - Installable File System - 107.22 GiB - J:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: Norton Internet Worm Protection v2005 (Symantec)
AV: Norton AntiVirus 2005 v2005 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"E:\\tomtom home\\TomTomHOME.exe"="E:\\tomtom home\\TomTomHOME.exe:*:Enabled:TomTomHOME"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"="F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD:*:Disabled:Age of Empires II Expansion"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"="D:\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"D:\\Microsoft Office\\Office12\\GROOVE.EXE"="D:\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"="D:\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mike&Sarah\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MIKE-SARAH
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mike&Sarah
LOGONSERVER=\\MIKE-SARAH
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp
USERDOMAIN=MIKE-SARAH
USERNAME=Mike&Sarah
USERPROFILE=C:\Documents and Settings\Mike&Sarah
windir=C:\WINDOWS
XPCDrive=G:\
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Mike&Sarah (admin)
Sarah (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type30747 / Error
Event Submitted/Written: 05/17/2008 00:26:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application CCAPP.EXE, version 103.0.9.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type30732 / Warning
Event Submitted/Written: 05/17/2008 11:02:31 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type30731 / Warning
Event Submitted/Written: 05/17/2008 11:02:31 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{5783F2D7-6001-0409-0002-0060B0CE6BBA}', feature 'MS_Core' failed during request for component '{FC3E0B6E-F62B-11D1-B144-00C04F990B2B}'

Event Record #/Type30730 / Warning
Event Submitted/Written: 05/17/2008 11:02:31 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{5783F2D7-6001-0409-0002-0060B0CE6BBA}', feature 'P', component '{3C13777B-241D-1048-3CB6-C63AF9512C47}' failed. The resource 'HKEY_CURRENT_USER\Software\Autodesk\MC3\MC3OptIn' does not exist.

Event Record #/Type30725 / Warning
Event Submitted/Written: 05/17/2008 10:49:30 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24798 / Warning
Event Submitted/Written: 05/17/2008 00:30:31 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {79061E5F-E75F-44EC-8826-85DE4A3C458F}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02

Event Record #/Type24797 / Warning
Event Submitted/Written: 05/17/2008 00:30:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {3FD07953-8462-4C97-93A5-48444B2B58EE}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02

Event Record #/Type24796 / Warning
Event Submitted/Written: 05/17/2008 00:30:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {FD952A4E-6E83-42FD-82D5-CBA36BAF45C8}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02

Event Record #/Type24795 / Warning
Event Submitted/Written: 05/17/2008 00:30:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {99124C5A-94FD-4C06-8C4A-9FF0314E9142}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02

Event Record #/Type24794 / Warning
Event Submitted/Written: 05/17/2008 00:30:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE-SARAH27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE-SARAH27 can't undo changes that you allow.

For more information please see the following:
%MIKE-SARAH275

Scan ID: {57A32D62-64C2-495D-9706-CC2481040628}

User: MIKE-SARAH\Mike&Sarah

Name: %MIKE-SARAH271

ID: %MIKE-SARAH272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE-SARAH276

Alert Type: %MIKE-SARAH278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-05-17 12:32:49 ------------
AdvancedSetup
What version of Norton Antivirus are you running? Do you have the installation key and media to re-install it if we remove it?
If so, I was thinking of uninstalling Norton AV and downloading a demo of NOD32 locally and installing that.
Then do a scan on your system with it.

It looks like you may have something hiding from the scan tools and we may need to run some different tools to locate this infection.

Start MB and go to the MORE TOOLS tab and launch FileAssassin and browse and find this file: C:\WINDOWS\SYSTEM32\sgkwdelo.dll and remove it.

Then run HJT and put a check mark on this:
O20 - Winlogon Notify: sgkwdelo - C:\WINDOWS\SYSTEM32\sgkwdelo.dll
Then select "Fix selected" and remove the entry.

I will have to review some dedicated tools and see which one we should run on your system to try and catch this.

If you can remove Norton and download this 30-day trial to run, that would be good.
Here is a removal tool if it gives you problems removing it.
Download and run the Norton Removal Tool

NOD32 Antivirus 30 Day Trial

Delete the current ComboFix you have on your system and download a new version and run that as well.
how-to-use-combofix


Then post back the ComboFix log and a new HJT log, let me know what NOD32 finds if you can run it locally.

.
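An added example, not from the thread or from HijackThis or DSS: a small Python triage script that automates the cross-check behind the advice above, matching O20 Winlogon Notify entries from an HJT log against the DSS "Files created" list. The XP default Notify baseline and the eight-letter-name heuristic are assumptions, and the sample log lines are constructed from the thread's own entries.

```python
"""Triage HijackThis O20 'Winlogon Notify' entries against a DSS file-creation list.

Added example, not part of the forum thread or of HijackThis/DSS. Assumptions are
marked below; the sample log lines are constructed, copying the thread's own entry.
"""
import re
from dataclasses import dataclass, field

# Assumed baseline: Winlogon Notify subkeys present on a stock XP SP2 install.
# Verify it against a known-clean machine of the same build before relying on it.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# DSS "Files created" line: date time size attributes path [<version info>]
DSS_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S+) (?P<path>.+?)(?: <.*>)?$"
)
# Heuristic only (assumed): eight lowercase letters with no vendor meaning.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o20(hjt_lines):
    """Return (name, path) for every O20 Winlogon Notify line in an HJT log."""
    entries = []
    for line in hjt_lines:
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("path").strip()))
    return entries


def parse_dss_created(dss_lines):
    """Map lower-cased path -> creation date from a DSS 'Files created' section."""
    created = {}
    for line in dss_lines:
        m = DSS_FILE_RE.match(line.strip())
        # attributes starting with 'd' are directories; keep files only
        if m and m.group("attrs").startswith("-"):
            created[m.group("path").lower()] = m.group("date")
    return created


def triage(hjt_lines, dss_lines):
    """Flag Notify DLLs that are off-baseline, recently created, or randomly named."""
    created = parse_dss_created(dss_lines)
    findings = []
    for name, path in parse_o20(hjt_lines):
        f = Finding(name, path)
        if name.lower() not in XP_DEFAULT_NOTIFY:
            f.reasons.append("not a default XP Winlogon Notify package")
        when = created.get(path.lower())
        if when:
            f.reasons.append(f"DLL created inside the DSS window ({when})")
        dll = path.rsplit("\\", 1)[-1].lower()
        stem = dll[:-4] if dll.endswith(".dll") else dll
        if RANDOM_STEM_RE.match(stem):
            f.reasons.append("eight-letter lowercase DLL name (heuristic)")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample: the thread's own O20 entry plus a benign baseline entry.
SAMPLE_HJT = [
    "O20 - Winlogon Notify: crypt32chain - C:\\WINDOWS\\system32\\crypt32.dll",
    "O20 - Winlogon Notify: sgkwdelo - C:\\WINDOWS\\SYSTEM32\\sgkwdelo.dll",
    "O23 - Service: NBService - Nero AG - D:\\Nero\\Nero 7\\Nero BackItUp\\NBService.exe",
]
SAMPLE_DSS = [
    "2008-05-15 11:03:11 249856 --a------ C:\\WINDOWS\\system32\\sgkwdelo.dll",
    "2008-05-13 16:40:19 0 d-------- C:\\Program Files\\RogueRemover FREE",
    "2008-04-29 17:19:08 45568 --a------ C:\\WINDOWS\\system32\\WNDTLS32.DLL "
    "<Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_DSS):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print("  -", r)
```

Entries with reasons are candidates to examine, not verdicts: confirm the file's signature and publisher before removing anything.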
dutchroll
Norton Antivirus 2007. Re-installation is no problem - I have the CD.

So, yes I can remove Norton completely. I've done this before and I know it's a bit tedious due to the places that Symantec puts various components. I'll start working on that now along with the other suggestions. It certainly does look like this one is escaping all the conventional tools.

Combofix & HJT logs will follow when I'm done, hopefully in an hour or 2.

I'll be going away on business for 4 days tomorrow afternoon - about 20hrs from now. So if we're still stuck then, there'll be a short break before I can do anything. At least the Notebook is fine!
AdvancedSetup
Okay thanks for the update. I'll be going to bed soon and wife has cleanup duties for me tomorrow

Will see what you post and do follow-up research for what we can do to get this detected and cleaned up.

You can also try SDFix if ComboFix does not find or correct it either.
How to use SDFix

Will check back on you in the morning if I can.
dutchroll
OK, we're getting somewhere now!

Deletion of the C:\WINDOWS\SYSTEM32\sgkwdelo.dll file has for the first time prevented the fake "Windows Security Centre" loading upon startup. I've just restarted into normal mode to begin the uninstallation of NAV. The system is still extremely sluggish (an understatement btw - it's almost unusable in normal mode) with lots of HDD activity, so obviously we have a way to go.

Now if I can just manage to steal some CPU cycles and HDD time from this thing, I might be able to get NAV uninstalled.
dutchroll
Alright we've really made substantial progress now:

As noted above, the deletion of the offending .dll file prevented the fake Windows Security Centre starting up in the system tray. This also had the effect of preventing the random virus/security popups and ads.

Upon rebooting into normal mode however, the computer was still hamstrung in CPU time and HDD activity, so I couldn't do anything much at all. The unfixable Norton detection of Trojan.Vundo was still popping up too.

I tried one more reboot into normal mode, upon which I started control panel immediately (while other stuff was still loading) and managed to start the Norton removal. This had the almost immediate effect of fixing the system resources problem and the computer was running normally. I notice that the MaxBackServiceInt.exe process is still hogging 50% of CPU time at idle. Not sure whether that means anything in particular.

NOD32 Antivirus

Downloaded and ran no problem, but didn't detect anything at all (latest update too).

Combofix

Got the latest version and ran that. It ran fine, and the log is below. Dunno whether it has actually fixed anything.

Did another reboot into normal mode and the computer at least seems to be running fine now in a normal usable state. I'm not sure whether anything has actually found the root cause yet though. I haven't yet run SDFix but will do so if you want me to after looking at the logs.

COMBOFIX LOG

ComboFix 08-05-15.3 - Mike&Sarah 2008-05-17 18:49:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1363 [GMT 10:00]
Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe
* Created a new restore point
.
Error: Cfiles.dat
Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 18:31 . 2008-05-17 18:31 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 12:21 . 2008-05-17 12:21 <DIR> d-------- C:\Deckard
2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple
2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-16 15:00 . 2008-05-17 18:48 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.dat.LOG
2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media
2008-04-24 15:24 . 2008-04-24 15:24 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-24 15:21 . 2008-04-24 15:23 <DIR> d-------- C:\Program Files\Panda Security
2008-04-24 14:11 . 2008-04-24 14:11 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 14:11 . 2008-04-24 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:52 . 2008-04-24 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 12:51 . 2008-04-24 12:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 12:04 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-24 12:04 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 08:13 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech
2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime
2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-06 00:52 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-05-06 00:52 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-16 04:18 --------- d-----w C:\Program Files\Canon
2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest
2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2
2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley
2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley
2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader
2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype
2008-03-31 05:48 278 ----a-w C:\053347d72ebcd5e.dat
2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX
2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared
2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc
2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild
2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works
2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 00:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-21 01:49 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Autodesk
2008-03-21 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 21:34 0 ----a-w C:\Program Files\temp01
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_16.40.49.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 06:21:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 08:00:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-09-06 08:03:02 4,280,176 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\WRD12CNV.DLL
+ 2007-08-28 14:07:58 24,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\WRD12EXE.EXE
+ 2007-08-28 12:38:10 500,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\MORPH9.DLL
+ 2007-08-28 12:38:46 9,584,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\MSPUB.EXE
+ 2007-08-23 16:43:28 138,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\PRTF9.DLL
+ 2007-08-28 12:39:14 625,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\PTXT9.DLL
+ 2007-08-23 16:43:36 593,296 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\PUBCONV.DLL
+ 2007-08-28 12:16:00 350,064 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WINWORD.EXE
+ 2007-09-06 07:03:02 4,280,176 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WRD12CNV.DLL
+ 2007-08-28 13:07:58 24,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WRD12EXE.EXE
+ 2007-09-06 06:56:32 17,490,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WWLIB.DLL
+ 2008-04-28 23:05:46 97,566 ----a-r C:\WINDOWS\Installer\{11F66E7E-4865-4070-B289-A0DB052979E1}\ARPPRODUCTICON.exe
+ 2008-04-28 23:05:46 139,264 ----a-r C:\WINDOWS\Installer\{11F66E7E-4865-4070-B289-A0DB052979E1}\NewShortcut1_9ED656646A58425EA489DD37B45C784C.exe
+ 2008-04-28 23:05:46 97,566 ----a-r C:\WINDOWS\Installer\{11F66E7E-4865-4070-B289-A0DB052979E1}\NewShortcut2_5DA3E6B2BEC143748E1D1FBBA4DD86C3.exe
+ 2008-05-17 08:31:14 10,134 ----a-r C:\WINDOWS\Installer\{86A6E235-C08F-4A14-B14C-793C7D8844A0}\callmsi.exe
+ 2008-05-17 08:31:14 136,448 ----a-r C:\WINDOWS\Installer\{86A6E235-C08F-4A14-B14C-793C7D8844A0}\egui.exe
- 2008-04-16 15:03:09 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-05-14 11:57:14 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-04-16 15:04:57 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-05-14 11:59:10 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-04-16 15:04:58 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-14 11:59:10 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-16 15:04:58 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-05-14 11:59:10 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-04-16 15:04:58 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-05-14 11:59:10 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-16 15:04:58 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-14 11:59:10 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-16 15:04:58 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-05-14 11:59:10 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-16 15:04:58 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-14 11:59:11 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-16 15:04:58 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-05-14 11:59:10 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-04-16 15:04:58 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-05-14 11:59:10 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-16 15:04:58 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-05-14 11:59:10 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-04-16 15:04:58 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-14 11:59:10 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-16 15:04:58 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-14 11:59:10 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-03-25 04:50:25 554,008 -c----w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:28 518,944 -c----w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:30 326,432 -c----w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:34 1,516,568 -c----w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:40 355,112 -c----w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-27 08:12:54 151,583 -c----w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-25 04:50:42 60,192 -c----w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 248,608 -c----w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:44 219,936 -c----w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:45 355,104 -c----w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:47 432,928 -c----w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:49 322,336 -c----w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:52 559,904 -c----w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:55 264,992 -c----w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:57 838,432 -c----w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:58 621,344 -c----w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 355,104 -c----w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-13 06:43:42 40,456 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
+ 2008-03-13 06:44:36 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
+ 2008-03-13 06:52:18 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
+ 2005-05-24 02:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 05:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 05:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-07-27 04:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 04:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 09:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 02:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
- 2008-04-05 12:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
- 2004-08-03 14:56:44 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-03 14:56:44 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2004-08-03 14:56:44 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-07-17 01:34:48 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-03 14:56:44 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-03 14:56:44 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-03 14:56:44 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-03 14:56:44 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2004-08-03 14:56:44 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-03 14:56:44 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-03 14:56:44 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-03 14:56:44 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2004-08-03 14:56:46 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-03 14:56:46 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-03 14:56:46 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-02-10 23:39:26 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2008-02-10 23:39:18 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2008-02-08 03:53:46 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2008-02-04 22:48:04 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2008-04-24 06:26:13 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-17 08:04:59 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-24 06:26:13 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-17 08:04:59 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 1996-07-28 18:55:00 250,880 ----a-w C:\WINDOWS\system32\TX32.DLL
+ 1996-07-22 15:21:00 64,000 ----a-w C:\WINDOWS\system32\TXTLS32.DLL
+ 1996-07-23 15:10:00 45,568 ----a-w C:\WINDOWS\system32\WNDTLS32.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - E:\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"E:\\tomtom home\\TomTomHOME.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]
R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - EAMON
*Newly Created Service* - EASDRV
*Newly Created Service* - EKRN
*Newly Created Service* - EPFWTDIR
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 08:03:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"
- C:\WINDOWS\system32\wupdmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 18:52:22
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe [508] 0x89D62440

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp\tmp16C.tmp.8cfe9a0b.tmp 249344 bytes executable
C:\WINDOWS\TEMP\tmp95.tmp.8cfe9a0b.tmp 249856 bytes executable
C:\WINDOWS\system32\.8cfe9a0b

scan completed successfully
hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b]
"ImagePath"="C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.core.dll
.
Completion time: 2008-05-17 18:53:55
ComboFix-quarantined-files.txt 2008-05-17 08:53:42
ComboFix2.txt 2008-04-24 06:42:03

Pre-Run: 3,967,873,024 bytes free
Post-Run: 4,101,378,048 bytes free

328 --- E O F --- 2008-05-16 12:31:38


HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:45 PM, on 17/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
D:\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\ESET NOD32 Antivirus\ekrn.exe
D:\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Computer\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = E:\Palm\Hotsync.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9312 bytes
AdvancedSetup
Hello Dutchroll and thank you for the updated information.

Yes, your system is still infected (or at least has pieces of it left over). This appears to be a fairly new method of infection, so I need to review it and ensure we clean it up properly. Since neither one of us has the time to do it justice today, we will tackle it when you get back.

As for Norton 2007 - you can see why it is not recommended by too many people nowadays. It is a HUGE resource hog, and a laptop, with its slower components, makes it even worse. Try using NOD32 for a while and see how you like it instead; hopefully it is friendlier on resources than Norton AV.

Okay I'll check back on you in a few days. Just post back here when you get back and are ready to continue.

Please go to this site below

uploads.malwarebytes.org

Then browse and locate these files and upload them to the site for review:

C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\drivers\logiflt.iad
dutchroll
I got this message when trying to upload those files:

The file lvuvc.hs is 0 bytes. This could be because a virus scanner is blocking it or because it doesn't exist on your PC. Please check it exists and disable any virus scanners that are active.
The file logiflt.iad is 0 bytes. This could be because a virus scanner is blocking it or because it doesn't exist on your PC. Please check it exists and disable any virus scanners that are active.


Disabled the NOD32 but still got the same message.

Thanks for the info on Norton. I'll do some research on AV stuff while I'm away. I'll be back late Wed evening my time (Australian eastern time). Might be time to end the relationship with Norton. Kaspersky is looking favourable.
AdvancedSetup
Okay, well then just use FileAssassin as before and browse to those files and choose to delete them.

Let me know when you're back and we'll continue.
dutchroll
OK AdvancedSetup.

Back home for a few days now. FileAssassin deleted both those files successfully.
AdvancedSetup
Okay, good. MB has had quite a few updates, so please update MB and do another Quick Scan, then post another Deckard's log and post back.
dutchroll
Alright, done that.

There's nothing new to report in the Malwarebytes run, though weirdly, upon clicking the program icon it prompted me to insert my AutoCAD setup CDs. I cancelled out and tried again, and the same thing came up. So I figured, what the heck, inserted CD 1 then CD 2 as requested and it ran them very briefly, and the machine seems happy now. Weird.

Here's the Deckard's log (it only gave me the "main.txt" rather than the two logs like the first time. I assume that's correct?)

Deckard's System Scanner v20071014.68
Run by Mike&Sarah on 2008-05-22 08:15:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:06 AM, on 22/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
D:\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Mike&Sarah\Desktop\dss.exe
D:\Computer\MIKE&S~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9345 bytes

-- Files created between 2008-04-22 and 2008-05-22 -----------------------------

2008-05-22 00:56:42 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent
2008-05-17 19:51:53 6528 -r-h----t C:\Documents and Settings\Mike&Sarah\Backup Status
2008-05-17 18:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 17:31:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-05-17 10:38:04 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:38:04 0 d-------- C:\Program Files\Interapple
2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 10:22:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21:52 0 d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>
2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>
2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL
2008-04-29 17:19:05 0 d-------- C:\acrsk
2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media
2008-04-25 08:23:30 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-24 16:34:20 0 d-------- C:\cmdcons
2008-04-24 15:24:47 0 d-------- C:\Program Files\Windows Defender
2008-04-24 15:21:11 0 d-------- C:\Program Files\Panda Security
2008-04-24 14:49:23 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-24 14:41:36 68096 --a------ C:\WINDOWS\zip.exe
2008-04-24 14:41:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-24 14:41:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-24 14:41:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-24 14:41:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-24 14:41:36 98816 --a------ C:\WINDOWS\sed.exe
2008-04-24 14:41:36 80412 --a------ C:\WINDOWS\grep.exe
2008-04-24 14:41:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 14:11:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:52:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-05-22 08:14:21 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-22 00:37:41 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-18 09:00:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe
2008-05-17 18:00:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-17 17:39:14 0 d-------- C:\Program Files\Common Files
2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech
2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime
2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia
2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia
2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml
2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real
2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon
2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest
2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2
2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared
2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley
2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini
2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader
2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 11:52:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype
2008-03-31 15:48:12 278 --a------ C:\053347d72ebcd5e.dat
2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX
2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc
2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild
2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET
2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-03-02 07:34:23 0 --a------ C:\Program Files\temp01


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [13/03/2008 04:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoUserNameInStartMenu"=01000000
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
AutoRun\command- H:\InstallTomTomHOME.exe




-- End of Deckard's System Scanner: finished at 2008-05-22 08:15:56 ------------
AdvancedSetup
The insert CD dialog box is actually common. The Microsoft installer gets confused and brings that up. There are articles on how to correct that, but for this post it's not required.

What is in this folder: C:\acrsk ?

Please upload these files for review:
C:\053347d72ebcd5e.dat
C:\WINDOWS\fdsv.exe
http://uploads.malwarebytes.org

This folder is probably not needed: C:\Program Files\temp01
Please look in this folder and if it's not something you've created or stored data in it then delete it.

Not sure if this is a work computer or if you've set these policies on purpose, but all the recent documents and lists are using a policy to not display them, which is okay as long as you're aware of the setting.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoUserNameInStartMenu"=01000000
"ClearRecentDocsOnExit"=01000000
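The registry locations this post is going through (the HKLM and HKCU Run keys from the Deckard's registry dump above, and the HKCU Policies\Explorer values quoted here) can be audited on a live machine without Deckard's or HijackThis. The PowerShell below is an added example, not part of the thread and not code from Deckard's System Scanner, Malwarebytes or HijackThis; it goes one step beyond the post by also listing the Winlogon\Notify packages, the autostart location that the Malwarebytes log later in this thread flags for Trojan.FakeAlert. It assumes Windows PowerShell 5.1 or later; the function names and output layout are my own.

```powershell
# Added example: re-create the "Registry Dump" view from Deckard's log in PowerShell and
# add file existence, last-write time and Authenticode status for each autostart entry.
# Assumptions: Windows PowerShell 5.1+; reading these keys needs no elevation.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$PolicyKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
# Properties that the registry provider adds to every Get-ItemProperty result.
$ProviderMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable from a Run value: a quoted path, or the first token of an
# unquoted command line ("RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup" gives RUNDLL32.EXE).
function Get-CommandPath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')      { return $Matches[1] }
    return $null
}

# Bare names such as RTHDCPL.EXE resolve through PATH, as Deckard's shows in brackets;
# Winlogon Notify DllName values without a path live in System32.
function Resolve-AutostartFile {
    param([string]$Path, [string]$DefaultDir = '')
    if (-not $Path) { return $null }
    if ([IO.Path]::IsPathRooted($Path)) { return $Path }
    if ($DefaultDir) { return Join-Path $DefaultDir $Path }
    $cmd = Get-Command $Path -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cmd) { return $cmd.Source } else { return $Path }
}

# Describe one file the way an analyst wants to see it next to the registry value.
function Get-FileFacts {
    param([string]$Location, [string]$Name, [string]$Value, [string]$File)
    $exists = [bool]($File -and (Test-Path -LiteralPath $File))
    [pscustomobject]@{
        Location  = $Location
        Name      = $Name
        Value     = $Value
        File      = $File
        Exists    = $exists
        LastWrite = if ($exists) { (Get-Item -LiteralPath $File).LastWriteTime } else { $null }
        Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $File).Status } else { 'n/a' }
    }
}

function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderMeta) { continue }
            $file = Resolve-AutostartFile (Get-CommandPath ([string]$p.Value))
            Get-FileFacts -Location ($key.Split(':')[0]) -Name $p.Name -Value ([string]$p.Value) -File $file
        }
    }
}

# Winlogon\Notify packages are DLLs loaded into winlogon.exe at logon; the Malwarebytes
# log later in this thread shows Trojan.FakeAlert persisting from exactly this key.
function Get-WinlogonNotify {
    if (-not (Test-Path $NotifyKey)) { return }
    foreach ($sub in Get-ChildItem -Path $NotifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        $file = Resolve-AutostartFile -Path $dll -DefaultDir (Join-Path $env:SystemRoot 'System32')
        Get-FileFacts -Location 'WinlogonNotify' -Name $sub.PSChildName -Value $dll -File $file
    }
}

# The Explorer policies in the dump are REG_BINARY (01000000), so render them as hex.
function Get-ExplorerPolicies {
    if (-not (Test-Path $PolicyKey)) { return }
    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $ProviderMeta) { continue }
        $shown = if ($p.Value -is [byte[]]) { ($p.Value | ForEach-Object { $_.ToString('x2') }) -join '' } else { $p.Value }
        [pscustomobject]@{ Name = $p.Name; Value = $shown }
    }
}

'== Run keys (HKLM, HKCU) =='
Get-RunEntries | Format-Table Location, Name, Exists, Signature, LastWrite, File -AutoSize
'== Winlogon\Notify packages =='
Get-WinlogonNotify | Format-Table Name, Exists, Signature, LastWrite, File -AutoSize
'== HKCU Policies\Explorer =='
Get-ExplorerPolicies | Format-Table -AutoSize
```

Entries to look at first are the ones a helper looks at in a HijackThis log: a file that does not exist (the "(file missing)" cases), a DLL under Winlogon\Notify with a random-looking name and no valid signature, and a last-write time that matches the day the symptoms started. The policy listing simply confirms whether values such as NoRecentDocsMenu were set deliberately, as the poster says here they were.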
dutchroll
OK, no probs with the installer issue. It wasn't really a hassle. I just didn't realise it was prone to doing that until it happened today.

c:\acrsk is the startup directory for a program which runs from cdrom, called "ACR Skeletal" by the American College of Radiology. My wife recently installed it for some work study. Normally I install stuff for her on a separate partition with all her work stuff but she would've just installed it to its default. It's a learning program essentially, with xray images, descriptions, etc. But it only runs from CD. She's finished with it now so she's happy to delete it/uninstall it. It contains a .dll file, a couple of .dat files, several icon files, and the executable.

Those 2 other files have been uploaded as requested.

The file temp01 had a 0 byte size. I have no idea what it was related to. It has been deleted.

Yeah, I've set those policies. This is a home computer and I usually try to set up Windows to run at home without keeping lists, documents, etc. in the start menus and so on. I found they just irritated me more than anything. Like a lot of things about Windows. (I've always hated the default storage locations and folders for Windows.)
AdvancedSetup
Thanks. Hopefully the programmers can check on those files soon and get back to me and we can finish up.

In the meantime, you can check and verify whether Windows XP Service Pack 3 is available for your system language, if it's not English.
Don't install it yet, just check to see if it's available for now. You would want to do a full backup before installing it, just in case there are issues with it. There should not be, and it can be uninstalled if it were to be an issue.
dutchroll
My system language is English, so that's not an issue (though I can speak a few phrases in French and German). I had been holding off SP3 because I'm seriously thinking of migrating this system across to Vista now that SP1 is out (and because I've had issues getting my Vista laptop to communicate with this XP workstation). I don't know how it compares for "malware-resistance" with XP Pro.

If we need to install it to fix this however, no problem. Just say the word.

What I neglected to say though, was that apart from SP3, XP is fully updated on this machine.
dutchroll
UH OH!

IIIIIIIT'S BAAAAAACK!!!!!

I kid you not.......................

From having the pc very much behaving itself over the last couple of days (since deletion of that offending .dll file), and from a couple of hours ago when I left it alone to go outside and do some work around the house, I have just switched it back on and ........lo and behold.......it booted up with the fake "windows security centre" again!!!

The NOD32 antivirus is still working. Everything else is still working. The only new software installed apart from what has been instructed was the very latest version of Flashplayer from the recommended website (that was a day or 2 ago because I needed it). System resources are fine at the moment and it is running things at normal speed.

My web access today has been no different to any other day. Trusted websites (if there is such a thing) I've been using for quite a while now. Nothing unusual has downloaded or happened. In fact, most web access has been on my uninfected laptop and it's still fine.

This is getting very, very weird. It is similar to what happened when I first posted, except that instead of the malware remnants apparently fixing themselves after a couple of weeks, it has managed to repair itself after a couple of days!

There it is, "Windows Security Centre", sitting down in the system tray, laughing its head off at me, sending its "virus activity detected" popups whenever I switch web pages. I'm also back to the popup threats that the system will be shut down while the virus scan is running, etc, etc, etc. I'm not particularly amused. I'm going to go out on a limb here and try a Panda scan again, while the system is still running OK.
AdvancedSetup
Well now - isn't that a joy.

Please update MB and do a Quick Scan. Then run the Deckard's scan again and post both logs, and we'll see what we can find.

You should also install this product to help prevent future infections. SpywareBlaster 4.0 Download
Get all the updates and apply ALL the protection settings.
dutchroll
OK I'll install the SpywareBlaster.

An interesting turn of events happened while I was following the above instructions:

1. A Panda scan was running.

2. When I saw your reply, I immediately updated Malwarebytes and ran it, and saved the log. It detected new malware, as you'll see in the log, which required a reboot to fix. I selected not to do the reboot, because I wanted to run the Deckard's straight away.

3. While the Deckard's was running, the system went into its uncontrollable "shutdown" mode, as was happening before with this malware and a Panda scan running. This prevented the Deckard's from completing.

4. Upon rebooting, the "Windows Security Centre" did not start, presumably because the reboot ran the fix determined by Malwarebytes. So the system seems to be running normally again! (but for how long??)

Here are the Malwarebytes (pre-reboot) and Deckard's (post-reboot) logs:

Malwarebytes' Anti-Malware 1.12
Database version: 779

Scan type: Quick Scan
Objects scanned: 42030
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xfxwjdol.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xfxwjdol (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xfxwjdol.dll (Trojan.FakeAlert) -> No action taken.


Deckard's System Scanner v20071014.68
Run by Mike&Sarah on 2008-05-23 18:21:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:11 PM, on 23/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
D:\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Mike&Sarah\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Computer\MIKE&S~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9405 bytes

-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-23 18:19:31 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent
2008-05-17 19:51:53 6528 -r-h----t C:\Documents and Settings\Mike&Sarah\Backup Status
2008-05-17 18:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 17:31:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-05-17 10:38:04 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:38:04 0 d-------- C:\Program Files\Interapple
2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 10:22:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21:52 0 d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>
2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>
2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL
2008-04-29 17:19:05 0 d-------- C:\acrsk
2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media
2008-04-25 08:23:30 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-24 16:34:20 0 d-------- C:\cmdcons
2008-04-24 15:24:47 0 d-------- C:\Program Files\Windows Defender
2008-04-24 15:21:11 0 d-------- C:\Program Files\Panda Security
2008-04-24 14:49:23 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-24 14:41:36 68096 --a------ C:\WINDOWS\zip.exe
2008-04-24 14:41:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-24 14:41:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-24 14:41:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-24 14:41:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-24 14:41:36 98816 --a------ C:\WINDOWS\sed.exe
2008-04-24 14:41:36 80412 --a------ C:\WINDOWS\grep.exe
2008-04-24 14:41:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 14:11:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:52:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-05-23 18:21:41 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-22 11:17:21 278 --a------ C:\053347d72ebcd5e.dat
2008-05-22 00:37:41 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-18 09:00:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe
2008-05-17 18:00:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-17 17:39:14 0 d-------- C:\Program Files\Common Files
2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech
2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime
2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia
2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia
2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml
2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real
2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon
2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest
2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2
2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared
2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley
2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini
2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader
2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 11:52:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype
2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX
2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc
2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild
2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET
2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [13/03/2008 04:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoUserNameInStartMenu"=01000000
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
AutoRun\command- H:\InstallTomTomHOME.exe




-- End of Deckard's System Scanner: finished at 2008-05-23 18:23:10 ------------
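The Malwarebytes log above is the interesting part of this post: the same DLL shows up as a loaded memory module, as a file, and as a key under Winlogon\Notify. A DLL registered there is loaded by winlogon.exe at boot, before anyone logs on, which is why the scanner could not delete it while Windows was running and why the reboot was needed. The script below is an added example (my own, not code from Malwarebytes or from anyone in this thread) that parses that log format, classifies each registry persistence location, and says whether a reboot is required. The sample log is copied from the detection lines posted above; the "eight random lowercase letters in system32" heuristic and the persistence descriptions are this example's own assumptions, not anything the scanner reports.

```python
import re

# Constructed from the Malwarebytes log posted above (detection lines copied verbatim).
MBAM_LOG = r"""Memory Modules Infected:
C:\WINDOWS\system32\xfxwjdol.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xfxwjdol (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xfxwjdol.dll (Trojan.FakeAlert) -> No action taken.
"""

# One detection line: "<item> (<family>) -> <action>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Persistence locations and what they mean for cleanup (descriptions are this example's own).
PERSISTENCE = (
    ("winlogon_notify", re.compile(r"\\Winlogon\\Notify\\", re.I),
     "loaded into winlogon.exe at boot, before logon; file stays locked, so a reboot is needed to delete it"),
    ("run_key", re.compile(r"\\CurrentVersion\\Run\\", re.I),
     "started at user logon by Explorer"),
    ("bho", re.compile(r"\\Browser Helper Objects\\", re.I),
     "loaded into every Internet Explorer process"),
)


def parse_mbam(text):
    """Return one dict per detected item: section, item, family, action."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank, or "(No malicious items detected)"
            continue
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            found.append({"section": section, **m.groupdict()})
    return found


def classify_persistence(reg_key):
    """Map a registry key path to one of the PERSISTENCE kinds, or 'other'."""
    for name, pattern, _ in PERSISTENCE:
        if pattern.search(reg_key):
            return name
    return "other"


def describe(kind):
    """Human-readable note for a persistence kind."""
    for name, _, note in PERSISTENCE:
        if name == kind:
            return note
    return "unclassified location; inspect manually"


def looks_like_random_system32_dll(path):
    """Heuristic (this example's own): eight lowercase letters + .dll in system32.
    xfxwjdol.dll from the posted log matches; vendor DLLs such as NvCpl.dll do not."""
    folder, _, name = path.rpartition("\\")
    return (folder.lower().endswith("\\windows\\system32")
            and re.fullmatch(r"[a-z]{8}\.dll", name) is not None)


def triage(text):
    """Summarise items left in place, where they persist, and whether a reboot is required."""
    items = parse_mbam(text)
    pending = [d for d in items if d["action"].startswith("No action taken")]
    report = {"total": len(items), "pending": len(pending), "reboot_required": False,
              "persistence": {}, "suspicious_files": []}
    for d in pending:
        if d["section"].startswith("Memory Modules"):
            report["reboot_required"] = True          # DLL is mapped into a running process
        elif d["section"].startswith("Registry Keys"):
            kind = classify_persistence(d["item"])
            report["persistence"][d["item"]] = kind
            if kind == "winlogon_notify":
                report["reboot_required"] = True      # removed only when winlogon.exe is not running
        elif d["section"].startswith("Files") and looks_like_random_system32_dll(d["item"]):
            report["suspicious_files"].append(d["item"])
    return report


if __name__ == "__main__":
    r = triage(MBAM_LOG)
    print(f"{r['total']} detections, {r['pending']} not yet fixed, reboot required: {r['reboot_required']}")
    for key, kind in r["persistence"].items():
        print(f"  {key}\n    -> {kind}: {describe(kind)}")
    for f in r["suspicious_files"]:
        print(f"  random-looking system32 DLL: {f}")
```

The reboot logic is the point: a "No action taken" entry in the Memory Modules section, or any Winlogon\Notify key, means the on-disk copy will still be there until winlogon.exe stops loading it, which is exactly what happened between the two scans in this post.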
AdvancedSetup
Please check for updates again for MB and run it again and fix selected if found.
That log from MB says you did not allow it to fix an item. So we want to make sure you select and fix it.

Please copy / paste this entry into notepad and do a Save As and for file type select "All Files" and save
it to your desktop as MBSCAN.bat
CODE
@ECHO OFF
REM Quarantine the unexplained root-level .dat file rather than deleting it, so it can still be inspected
MD C:\MBHOLDING
MOVE C:\053347d72ebcd5e.dat C:\MBHOLDING
REM Dump attribute listings (read-only/hidden/system flags) for system32, the drive root and the current folder
ATTRIB %windir%\system32\*.* > "%USERPROFILE%\Desktop\MBFiles.txt"
DIR /o:e C:\ >> "%USERPROFILE%\Desktop\MBFiles.txt"
ATTRIB C:\*.* >> "%USERPROFILE%\Desktop\MBFiles.txt"
ATTRIB *.* >> "%USERPROFILE%\Desktop\MBFiles.txt"
REM Confirm the quarantined file actually landed in the holding folder
DIR C:\MBHOLDING >> "%USERPROFILE%\Desktop\MBFiles.txt"

Please run that batch file by double clicking it and it will create a new text file named MBFiles.txt and put it on your desktop.
Then reply back and attach that file here via the upload button - don't post it directly, just upload it.

Also download and install WinPatrol and it will watch for changes to your system as well. WinPatrol
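The batch file above produces a long ATTRIB listing that someone then has to read by eye for anything that "stands out". As an added example (mine, not part of AdvancedSetup's instructions or of any tool named in the thread), here is a small parser for that MBFiles.txt output that flags the things a reviewer would look for: hidden or system files in the drive root that are not the usual XP boot files, hex-named files in the root like the one the batch file quarantines, and hidden DLLs in system32. The sample lines are constructed in the XP ATTRIB output format (the attribute flags and the qwertyui.dll name are invented for the sample); the allow-list of root files and the naming heuristics are this example's own assumptions.

```python
import re

# Constructed sample in ATTRIB's "<flags>   <path>" layout; flags and the qwertyui.dll entry are invented.
SAMPLE_ATTRIB = r"""A  SH        C:\pagefile.sys
A  SHR       C:\boot.ini
A  SHR       C:\ntldr
A  SHR       C:\NTDETECT.COM
A            C:\053347d72ebcd5e.dat
A  SH        C:\WINDOWS\system32\qwertyui.dll
A            C:\WINDOWS\system32\NvCpl.dll
"""

# Files that are normally hidden+system in an XP drive root (assumed allow-list for this example).
EXPECTED_ROOT_HIDDEN = {
    "pagefile.sys", "hiberfil.sys", "boot.ini", "ntldr", "ntdetect.com",
    "io.sys", "msdos.sys", "autoexec.bat", "config.sys", "bootfont.bin",
}
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")                 # the path part of an ATTRIB line
HEX_NAME = re.compile(r"^[0-9a-f]{12,}\.[a-z]{3}$")     # e.g. 053347d72ebcd5e.dat


def parse_attrib(text):
    """Return (flags, path) per ATTRIB line, flags as a compact string such as 'ASH'."""
    rows = []
    for line in text.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        flags = line[:m.start()].replace(" ", "").upper()
        rows.append((flags, m.group()))
    return rows


def suspicious(rows):
    """Apply the review heuristics; returns (path, reason) pairs in listing order."""
    hits = []
    for flags, path in rows:
        folder, _, name = path.rpartition("\\")
        low = name.lower()
        hidden = "H" in flags or "S" in flags
        in_root = len(folder) == 2                      # folder is just "C:"
        if in_root and hidden and low not in EXPECTED_ROOT_HIDDEN:
            hits.append((path, "hidden/system file in drive root"))
        elif in_root and HEX_NAME.match(low):
            hits.append((path, "hex-named file in drive root"))
        elif folder.lower().endswith("\\windows\\system32") and hidden and low.endswith(".dll"):
            hits.append((path, "hidden/system DLL in system32"))
    return hits


def review(text):
    """Parse an MBFiles.txt-style listing and return the flagged entries."""
    return suspicious(parse_attrib(text))


if __name__ == "__main__":
    for path, reason in review(SAMPLE_ATTRIB):
        print(f"{reason:36} {path}")
```

To use it on a real listing, read MBFiles.txt and pass its contents to review(); the DIR section of that file has no drive-letter paths, so the parser skips it automatically. The heuristics are deliberately narrow: a legitimate hidden DLL in system32 would also be flagged, so treat the output as a shortlist to check, not a verdict.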
dutchroll
OK no probs.

Malwarebytes has been run again and nothing was detected. Could it be that upon the reboot it fixed those items? This was what it suggested when it first discovered them (ie, that a reboot was necessary).

The file upload is done with this reply.

I've installed SpywareBlaster and WinPatrol and they are running. I'll switch the PC off now and check back in the morning for any updates. Cheers.
AdvancedSetup
Yes the reboot removed them. You simply copied the log before it had actually cleaned up so that's fine.
Curious how or why you got reinfected so fast again though. I was hoping to find something obvious in the files listed but nothing stands out.

Please update Spybot Search & Destroy and run another scan with it and let me know if it finds anything.
Then after a reboot, run one more Deckard's scan and post that please.

I would hold off on any Vista upgrade plans for at least a few days.
dutchroll
Yes that makes at least two of us who are curious as to why this is happening!

I'm a bit confused about the turn of events yesterday prior to having this infection rear up again:

This PC is normally turned off at night. It was running (without the infection showing in any obvious way) fine yesterday afternoon with no apparent problems. Most of what I was doing on it involved monitoring this forum and some minor browsing, with most of my other internet access (and any downloads) being done through the uninfected laptop. I left it on & went outside. My wife got home from work and said that she just did her normal checking Outlook, hotmail, and a regular trusted website (a work discussion forum), and then left the computer running and went off to do other stuff. However when I got back from outside, it was shutdown. She says she may have inadvertently shut it down, though she wouldn't normally do this and doesn't remember doing it (she was very tired). It was upon turning it back on that the virus popped back up again and started the Security Centre, fake popups, etc.

I wonder about this because the infection certainly appears to have caused or led to random shutdowns/reboots when the PC was unattended in the past.

That last Malwarebytes run I did upon discovering the reinfection detected the fake warning alerts - interestingly this was the first time Malwarebytes had detected anything so I assume there was a relevant update sometime in the last 48hrs or so. BTW, the computer has been behaving again since Malwarebytes removed those items it detected.

Spybot run just now found only 5 tracking cookies, which were fixed.

Here is the Deckard's log after the subsequent reboot:

Deckard's System Scanner v20071014.68
Run by Mike&Sarah on 2008-05-24 10:36:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:49 AM, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
D:\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\ESET NOD32 Antivirus\egui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Documents and Settings\Mike&Sarah\Desktop\dss.exe
D:\Computer\MIKE&S~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9757 bytes

-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 10:33:44 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent
2008-05-23 21:52:54 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol
2008-05-23 21:52:48 0 d-------- C:\Program Files\BillP Studios
2008-05-23 21:52:31 0 d-------- C:\Program Files\SpywareBlaster
2008-05-23 21:46:00 0 d-------- C:\MBHOLDING
2008-05-17 19:51:53 6528 -r-h----t C:\Documents and Settings\Mike&Sarah\Backup Status
2008-05-17 18:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 17:31:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-05-17 10:38:04 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:38:04 0 d-------- C:\Program Files\Interapple
2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 10:22:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21:52 0 d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>
2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>
2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL
2008-04-29 17:19:05 0 d-------- C:\acrsk
2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media
2008-04-25 08:23:30 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-24 16:34:20 0 d-------- C:\cmdcons
2008-04-24 15:24:47 0 d-------- C:\Program Files\Windows Defender
2008-04-24 15:21:11 0 d-------- C:\Program Files\Panda Security
2008-04-24 14:49:23 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-24 14:41:36 68096 --a------ C:\WINDOWS\zip.exe
2008-04-24 14:41:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-24 14:41:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-24 14:41:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-24 14:41:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-24 14:41:36 98816 --a------ C:\WINDOWS\sed.exe
2008-04-24 14:41:36 80412 --a------ C:\WINDOWS\grep.exe
2008-04-24 14:41:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 14:11:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:52:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-05-24 09:51:20 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-22 00:37:41 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-18 09:00:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe
2008-05-17 18:00:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-17 17:39:14 0 d-------- C:\Program Files\Common Files
2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech
2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime
2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia
2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia
2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml
2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real
2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon
2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest
2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2
2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared
2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley
2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini
2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader
2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 11:52:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype
2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX
2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc
2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild
2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET
2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [13/03/2008 04:48 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [26/04/2008 03:31 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoUserNameInStartMenu"=01000000
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
AutoRun\command- H:\InstallTomTomHOME.exe




-- End of Deckard's System Scanner: finished at 2008-05-24 10:37:45 ------------
AdvancedSetup
Okay, let me do some more research. I should have a fix for the System Restore being broken, but I want to do some further research before having you continue with the repair.

Will try to get back later tonight if possible.
AdvancedSetup
Sorry, but I didn't have time last night, and I have to cut trees today, so hopefully later tonight.

Please delete your current ComboFix and download a new one and run it again and reply back with the log.
dutchroll
That's OK. I had to cut the horse paddocks on the tractor yesterday. Still need to finish them off today. Seems there's never enough time for everything!

The PC is still behaving itself, so far, since the last Malwarebytes run.

Here's the Combofix log, latest version.

ComboFix 08-05-21.3 - Mike&Sarah 2008-05-25 7:27:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1472 [GMT 10:00]
Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe
* Created a new restore point
.
Error: Cfiles.dat
Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol
2008-05-23 21:46 . 2008-05-23 21:46 <DIR> d-------- C:\MBHOLDING
2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 12:21 . 2008-05-17 12:21 <DIR> d-------- C:\Deckard
2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple
2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media
2008-04-24 15:24 . 2008-04-24 15:24 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-24 15:21 . 2008-04-24 15:23 <DIR> d-------- C:\Program Files\Panda Security
2008-04-24 14:11 . 2008-04-24 14:11 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 14:11 . 2008-04-24 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:52 . 2008-04-24 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 12:51 . 2008-04-24 12:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 12:04 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-24 12:04 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 21:25 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-21 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech
2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime
2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-16 04:18 --------- d-----w C:\Program Files\Canon
2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest
2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2
2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley
2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley
2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader
2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype
2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX
2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared
2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc
2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild
2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works
2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-17_18.53.04.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 08:00:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 21:17:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 08:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2008-03-24 09:33:02 1,527,056 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\FP_AX_CAB_INSTALLER.exe
+ 2008-03-24 09:33:02 1,527,056 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2007-02-12 06:24:56 114,792 ----a-w C:\WINDOWS\Downloaded Program Files\IDropENU.dll
+ 2007-07-18 03:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2008-01-18 00:53:20 73,728 ----a-r C:\WINDOWS\Installer\{5783F2D7-6001-0409-0002-0060B0CE6BBA}\Acad162_icon.exe
+ 2008-05-21 21:56:09 73,728 ----a-r C:\WINDOWS\Installer\{5783F2D7-6001-0409-0002-0060B0CE6BBA}\Acad162_icon.exe
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-05-17 23:00:16 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-05-17 08:04:59 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-24 21:22:04 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-17 08:04:59 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-24 21:22:04 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-26 03:31 333120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"E:\\tomtom home\\TomTomHOME.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]
R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 21:20:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"
- C:\WINDOWS\system32\wupdmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 07:30:10
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe [788] 0x8A46A7A8

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp\tmp16C.tmp.8cfe9a0b.tmp 249344 bytes executable
C:\WINDOWS\TEMP\tmp95.tmp.8cfe9a0b.tmp 249856 bytes executable
C:\WINDOWS\TEMP\tmp15C.tmp.8cfe9a0b.tmp 249856 bytes executable
C:\WINDOWS\system32\.8cfe9a0b

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b]
"ImagePath"="C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.core.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
.
Completion time: 2008-05-25 7:31:36
ComboFix-quarantined-files.txt 2008-05-24 21:31:24
ComboFix2.txt 2008-04-24 06:42:03

Pre-Run: 3,950,338,048 bytes free
Post-Run: 4,039,208,960 bytes free

219 --- E O F --- 2008-05-21 14:37:43
AdvancedSetup
Please remove ComboFix and the backup files it created by running this.
Click START then RUN
Now type Combofix /u in the runbox and click OK
When shown the disclaimer, Select "2"

Then reboot your computer and run the ATF Temporary file cleaner you downloaded and ran before.

Then reboot your computer again and browse with Explorer to this location and see if you can find this folder and file.
C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.core.dll
If it is not found, then try to locate it in a DOS prompt.
Click START then RUN and type in CMD
Then type the following - followed by the ENTER key after each line.
CD\
CD WINDOWS
CD SYSTEM32
DIR /AD /P

Do you see the folder .8cfe9a0b?
CD .8cfe9a0b
DIR

Do you see the file 8cfe9a0b.core.dll
If not then try this
attrib *.dll
Do you see the file now?


Please post back your findings.

.
dutchroll
No, nothing even resembling that file was found in c:\windows\system32 using either technique.

However winpatrol is picking up a change to the ".REG" file type associations. This just popped up apparently randomly on the screen a few secs ago (I'm writing this on the laptop - the PC is on, but not being used apart from following your requests above).

It is wanting to reassociate "regedit.exe %1 %*" to "regedit.exe %1" whatever that means. I'll select NO unless you advise that this is OK. PC going off for a while anyway, as we're going out.
AdvancedSetup
Yes you can accept the change. That is the correct entry. Not sure where the old one came from.

Okay delete any versions of ComboFix you have and download a new version once again and run it and post back the logs.
ComboFix.exe download.

I want to see if that file is showing up again with ComboFix still.
dutchroll
I got the error message "COMSPEC environment variable was found to be corrupt" on initially running the new download of combofix but it appeared to repair itself and then ran OK.

Here's the log (that entry seems to still be there).

ComboFix 08-05-24.1 - Mike&Sarah 2008-05-25 20:34:44.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1465 [GMT 10:00]
Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe
* Created a new restore point
.
Error: Cfiles.dat
Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol
2008-05-23 21:46 . 2008-05-23 21:46 <DIR> d-------- C:\MBHOLDING
2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple
2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 10:31 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-21 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech
2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime
2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-24 05:24 --------- d-----w C:\Program Files\Windows Defender
2008-04-24 05:23 --------- d-----w C:\Program Files\Panda Security
2008-04-24 04:11 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 02:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-16 04:18 --------- d-----w C:\Program Files\Canon
2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest
2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2
2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley
2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley
2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader
2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype
2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX
2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared
2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc
2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild
2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works
2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-26 03:31 333120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"E:\\tomtom home\\TomTomHOME.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]
R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d077a16-2a04-11dd-94a4-101111111111}]
\Shell\AutoRun\command - K:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 04:53:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"
- C:\WINDOWS\system32\wupdmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 20:37:33
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe [816] 0x8A2A4DA0

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp\tmp16C.tmp.8cfe9a0b.tmp 249344 bytes executable
C:\WINDOWS\TEMP\tmp95.tmp.8cfe9a0b.tmp 249856 bytes executable
C:\WINDOWS\TEMP\tmp15C.tmp.8cfe9a0b.tmp 249856 bytes executable
C:\WINDOWS\system32\.8cfe9a0b

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b]
"ImagePath"="C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.core.dll
.
Completion time: 2008-05-25 20:38:53
ComboFix-quarantined-files.txt 2008-05-25 10:38:41
ComboFix2.txt 2008-05-24 21:31:38

Pre-Run: 5,088,317,440 bytes free
Post-Run: 5,076,852,736 bytes free

196 --- E O F --- 2008-05-21 14:37:43
AdvancedSetup
Okay that confirms that you do have a hidden RootKit on your system.
Please follow the instructions below carefully as we will have to use another tool for removal.
This is a very powerful tool that can fix this but can also do great harm if used incorrectly.

Step 1
  • Download IceSword English Version 1.22
  • Extract the files - C:\is_en would be the default but it can be extracted where you want as long as you know where it's at.
  • Launch the program - on the left side are 3 panels Functions, Registry, and File
  • Click on the File panel and browse to this location C:\WINDOWS\system32\.8cfe9a0b
  • Right click all files in that folder and force delete them as well as the directory .8cfe9a0b
  • Now click on the Registry panel and browse to this location HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b
  • Then right click on the 8cfe9a0b key and delete it.
  • Look for the entry in each of the following as well and if found delete them as well
  • HKEY_LOCAL_MACHINE\system\ControlSet\Services\8cfe9a0b , HKEY_LOCAL_MACHINE\system\ControlSet002\Services\8cfe9a0b , HKEY_LOCAL_MACHINE\system\ControlSet003\Services\8cfe9a0b , HKEY_LOCAL_MACHINE\system\ControlSet004\Services\8cfe9a0b
  • Quit IceSword - do not reboot

Step 2
  • Run ComboFix again and scan your system.
  • Now reboot your system and run ComboFix once again

Step 3
  • Run Deckard's System Scanner again as well and post back both those logs
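As an added example (not code from this thread, from ComboFix or from catchme), the Python script below parses the catchme section and the registry lines of a ComboFix log like the two posted above and ties the hidden process to the service ImagePath, the SafeBoot key and the DLL loaded into explorer.exe. The log excerpt is constructed from lines posted in this thread; the dataclass, the function names and the rootkit rule of thumb in is_rootkit are my own assumptions.

```python
"""Parse the catchme section of a ComboFix log and tie it to the persistence points it lists."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed excerpt, condensed from the ComboFix logs posted in this thread
# (section order as in the real log: registry points, catchme, service key, DLLs).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]
@="Service"

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe [816] 0x8A2A4DA0

scanning hidden autostart entries ...
scanning hidden files ...

C:\WINDOWS\TEMP\tmp95.tmp.8cfe9a0b.tmp 249856 bytes executable
C:\WINDOWS\system32\.8cfe9a0b

scan completed successfully
hidden files: 2

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b]
"ImagePath"="C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe"

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.core.dll
-> ?:\WINDOWS\system32\MLANG.dll
"""

@dataclass
class CatchmeReport:
    ntdll_hooks: list = field(default_factory=list)       # hooked Zw* exports
    hidden_processes: list = field(default_factory=list)  # (path, pid, kernel address)
    hidden_files: list = field(default_factory=list)      # (path, size or None for a directory)
    services: dict = field(default_factory=dict)          # service name -> ImagePath
    safeboot: list = field(default_factory=list)          # service names allowed in Safe Mode
    loaded_dlls: dict = field(default_factory=dict)       # process -> [dll paths]

def _section(text, start, end):
    """Non-blank lines between two catchme markers (first occurrence)."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(end), text, re.S)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []

def parse_combofix(text):
    rep = CatchmeReport()
    m = re.search(r"detected NTDLL code modification:\s*\n(.+)", text)
    if m:
        rep.ntdll_hooks = [h.strip() for h in m.group(1).split(",")]
    for ln in _section(text, "scanning hidden processes ...", "scanning hidden autostart entries ..."):
        pm = re.match(r"(.+?) \[(\d+)\] (0x[0-9A-Fa-f]+)$", ln)
        if pm:
            rep.hidden_processes.append((pm.group(1), int(pm.group(2)), pm.group(3)))
    for ln in _section(text, "scanning hidden files ...", "scan completed successfully"):
        fm = re.match(r"(.*?)(?:\s+(\d+)\s+bytes(?:\s+\w+)?)?$", ln)  # no size on a directory
        rep.hidden_files.append((fm.group(1), int(fm.group(2)) if fm.group(2) else None))
    svc = r'\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\([^\]]+)\]\s*\n"ImagePath"="([^"]+)"'
    for name, image in re.findall(svc, text, re.I):
        rep.services[name] = image
    boot = r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(?:Minimal|Network)\\([^\]]+)\]"
    rep.safeboot = re.findall(boot, text, re.I)
    for proc, dlls in re.findall(r"PROCESS: (.+)\n((?:-> .+\n)+)", text):
        rep.loaded_dlls[proc] = [d[3:].strip() for d in dlls.splitlines()]
    return rep

def assess(rep):
    """Findings that tie the hidden process to the places that keep it alive."""
    findings = []
    for path, pid, _ in rep.hidden_processes:
        findings.append(f"hidden process {path} (pid {pid})")
        for name, image in rep.services.items():
            if image.lower() == path.lower():
                findings.append(f"service '{name}' starts the hidden process at boot")
                if name.lower() in (s.lower() for s in rep.safeboot):
                    findings.append(f"service '{name}' is listed under SafeBoot, so it loads in Safe Mode too")
        hidden_dir = ntpath.dirname(path).lower()
        for proc, dlls in rep.loaded_dlls.items():
            for dll in dlls:
                if ntpath.dirname(dll).lower() == hidden_dir:
                    findings.append(f"{dll} is loaded inside {proc}")
    return findings

def is_rootkit(rep):
    """Conservative rule: hooked ntdll exports plus something that is actually hidden."""
    return bool(rep.ntdll_hooks) and bool(rep.hidden_processes or rep.hidden_files)

if __name__ == "__main__":
    report = parse_combofix(SAMPLE_LOG)
    print("rootkit indicators present:", is_rootkit(report))
    for line in assess(report):
        print(" -", line)
```

Run against the post-removal log further down (no hooks, hidden files: 0) the same functions return no findings, which is the "after" state the helper is checking for.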
dutchroll
Right, we seem to have some success there, though I did have difficulty deleting the 8cfe9a0b directory. The .exe and .core.dll files within the hidden directory had to be force deleted whereas the others were easy. Trying to force delete the directory itself kept resulting in a "failed delete" message. So I went onto the registry entries (of which there were only two - in the .....ControlSet001\..... key and the .....ControlSet003\.... key). When I returned to have another go at the directory it was gone.

I notice that directory still gets a mention in the log in the "....currentcontrolset....safeboot......" key, which I didn't realise until just now when I was browsing the logs. Would it be correct to assume that this key should be deleted too?

I'm assuming this malware has escaped detection by AV software by being hidden in the rootkit?

Here are the post-reboot combofix and Deckards logs (I have the pre-reboot combofix one as well if you want it).

ComboFix 08-05-24.1 - Mike&Sarah 2008-05-26 8:47:57.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1493 [GMT 10:00]
Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe
.
Error: Cfiles.dat
Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol
2008-05-23 21:46 . 2008-05-23 21:46 <DIR> d-------- C:\MBHOLDING
2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple
2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 22:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-21 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech
2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime
2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-24 05:24 --------- d-----w C:\Program Files\Windows Defender
2008-04-24 05:23 --------- d-----w C:\Program Files\Panda Security
2008-04-24 04:11 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 02:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-16 04:18 --------- d-----w C:\Program Files\Canon
2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest
2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2
2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley
2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley
2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader
2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype
2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX
2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared
2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc
2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild
2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works
2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_20.38.08.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 04:50:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 22:46:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-25 04:55:12 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-25 22:23:02 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-25 04:55:12 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-25 22:23:02 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-26 03:31 333120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"E:\\tomtom home\\TomTomHOME.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]
R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d077a16-2a04-11dd-94a4-101111111111}]
\Shell\AutoRun\command - K:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 22:49:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"
- C:\WINDOWS\system32\wupdmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 08:50:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-26 8:51:53
ComboFix-quarantined-files.txt 2008-05-25 22:51:41
ComboFix2.txt 2008-05-25 22:42:57
ComboFix3.txt 2008-05-25 10:38:55
ComboFix4.txt 2008-05-24 21:31:38

Pre-Run: 5,094,744,064 bytes free
Post-Run: 5,079,425,024 bytes free

195 --- E O F --- 2008-05-21 14:37:43


Deckard's System Scanner v20071014.68
Run by Mike&Sarah on 2008-05-26 08:52:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:41 AM, on 26/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
D:\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mike&Sarah\Desktop\dss.exe
D:\Computer\MIKE&S~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9365 bytes

-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 08:45:11 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent
2008-05-25 20:33:58 68096 --a------ C:\WINDOWS\zip.exe
2008-05-25 20:33:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-25 20:33:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-25 20:33:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-25 20:33:58 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-25 20:33:58 98816 --a------ C:\WINDOWS\sed.exe
2008-05-25 20:33:58 80412 --a------ C:\WINDOWS\grep.exe
2008-05-25 20:33:58 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-23 21:52:54 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol
2008-05-23 21:52:48 0 d-------- C:\Program Files\BillP Studios
2008-05-23 21:52:31 0 d-------- C:\Program Files\SpywareBlaster
2008-05-23 21:46:00 0 d-------- C:\MBHOLDING
2008-05-17 19:51:53 6528 -r-h----t C:\Documents and Settings\Mike&Sarah\Backup Status
2008-05-17 18:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 17:31:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-05-17 10:38:04 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:38:04 0 d-------- C:\Program Files\Interapple
2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 10:22:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21:52 0 d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>
2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>
2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL
2008-04-29 17:19:05 0 d-------- C:\acrsk
2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media


-- Find3M Report ---------------------------------------------------------------

2008-05-26 08:47:16 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-22 00:37:41 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-18 09:00:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe
2008-05-17 18:00:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-17 17:39:14 0 d-------- C:\Program Files\Common Files
2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech
2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime
2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia
2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia
2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml
2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-24 15:24:48 0 d-------- C:\Program Files\Windows Defender
2008-04-24 15:23:14 0 d-------- C:\Program Files\Panda Security
2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real
2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon
2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest
2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2
2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared
2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley
2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini
2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader
2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 11:52:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype
2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX
2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc
2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild
2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET
2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [13/03/2008 04:48 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [26/04/2008 03:31 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoUserNameInStartMenu"=01000000
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d077a16-2a04-11dd-94a4-101111111111}]
AutoRun\command- K:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
AutoRun\command- H:\InstallTomTomHOME.exe




-- End of Deckard's System Scanner: finished at 2008-05-26 08:53:21 ------------
AdvancedSetup
Download ERUNT The Emergency Recovery Utility NT
Run the program and create a backup of your Registry

Use IceSword and remove this entry, then quit IceSword
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]
@="Service"


Download and run this file to repair the Safe Boot Option SafeBootKeyRepair.exe

Download and run SDFIX from here: How to use SDFix

Let me know if you run into any issues with the above procedures.

Then after getting back into Normal mode run the ComboFix once again and post back the logs from both programs.

.
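One way to triage the SafeBoot entries that the instructions above single out, as an added example that is not code from the thread or from any of the tools it mentions: a small Python parser that reads the Registry Dump section of a DSS log in the format posted earlier and flags SafeBoot\Minimal subkeys whose names are random-looking hex, like the 8cfe9a0b entry the helper asks to have removed. The sample dump is constructed from the entries posted in the thread; the allowlist and the hex-name heuristic are assumptions for triage, not a definitive verdict on any key.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of the DSS "Registry Dump" section posted
# in the thread (single-backslash key paths, default value on the next line).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
"""

# Key header lines under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal or \Network.
SAFEBOOT_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\]]+)\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE = re.compile(r'^@="([^"]*)"$')

# Assumed baseline of SafeBoot subkeys expected on this box: the Ad-Aware
# service seen in the dump plus the Windows default "vds". An example
# allowlist for illustration, not an authoritative list.
KNOWN_SUBKEYS = {"aawservice", "vds"}

# Heuristic (assumption): a subkey name made only of hex digits is not a name
# any legitimate installer would pick for a service or driver.
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)


def classify(name: str) -> str:
    """Assign a triage verdict to one SafeBoot subkey name."""
    if name.startswith("{") and name.endswith("}"):
        return "class-guid"          # device class GUIDs are normal here
    if name.lower() in KNOWN_SUBKEYS:
        return "known"
    if HEX_NAME.match(name):
        return "suspicious-hex-name"
    return "unknown"                 # neither baseline nor obviously random: review by hand


def parse_safeboot_entries(dump: str) -> List[Tuple[str, str, str, str]]:
    """Return (profile, subkey, default value, verdict) for every SafeBoot key in the dump."""
    entries = []
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        m = SAFEBOOT_KEY.match(line.strip())
        if not m:
            continue
        profile, subkey = m.group(1), m.group(2)
        value = ""
        if i + 1 < len(lines):
            v = DEFAULT_VALUE.match(lines[i + 1].strip())
            if v:
                value = v.group(1)
        entries.append((profile, subkey, value, classify(subkey)))
    return entries


def suspicious_subkeys(dump: str) -> List[str]:
    """Names of SafeBoot subkeys that the hex-name heuristic flags."""
    return [e[1] for e in parse_safeboot_entries(dump) if e[3] == "suspicious-hex-name"]


if __name__ == "__main__":
    for profile, subkey, value, verdict in parse_safeboot_entries(SAMPLE_DUMP):
        print(f'{verdict:20} SafeBoot\\{profile}\\{subkey}  (@="{value}")')
```

Run against the constructed dump, only 8cfe9a0b comes back as suspicious; aawservice and vds match the baseline and the GUID subkey is treated as a normal class entry. Anything the script reports as "unknown" still needs a human look, which is why the verdict is printed rather than acted on.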
AdvancedSetup
Make sure you have Data backups as well.

Please note that ESET NOD32 has had a recent False Positive that could potentially delete data files and/or single archive mail files.
Please read more about it below.

Directions on how to update the NOD32 program.
Help: My PC is freezing during startup
NOD32 3.0 messing up Adobe CS3 applications (false positives)

From another forum:
QUOTE
Son of a...

I'd never heard of ESET before so decided to check it out via their online scanning tool. It found 56 threats, all email attachments in my "Eudora 2004" attachments directory. (Yes, I have most of my emails -- since 1996!).

Then the freakin' thing found Phishing.gen in my 2007 inbox archive file and PROCEEDED TO DELETE ALL MY 2007 INBOX!!! Granted, the entire archive is a single .mbx file, but STILL! Hopefully I have a backup somewhere.

Edit: Nope! No backup :/


I know you were asked to use NOD32 as a scanner for this malware so I don't want you to accidentally become one of these unhappy users.
dutchroll
Alright, thanks very much AdvancedSetup. I'm away overseas for a couple of days for work at the moment but I'll be back early this Thurs morning my local time (which I think is Wed afternoon/evening your time). I'll do all that stuff and post the results & log as soon as I get back.

Thanks for the warning about the NOD32 incident. That's a rather unfortunate bug. I'll do another email & data backup to the Maxtor when I get home, as I haven't done one for a month or 2. The wife has had a bit of important work correspondence over the last 2 weeks (he says, staring at ceiling trying to think of a reason why he hasn't already backed it up). I'm getting a creepy, uncomfortable feeling trying to imagine her reaction if it was wiped with no backup.
dutchroll
Just got back this morning. The link for SafeBootKeyRepair is not working (it's just giving me a "page not found"). In the meantime I'll run the other stuff.

EDIT:

Just tried the safebootkeyrepair link one more time and it downloaded. Running now........
dutchroll
OK all done except the safeboot repair as mentioned above.

The SDFix Log:

SDFix: Version 1.186
Run by Administrator on Thu 29/05/2008 at 10:05 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\.exe - Deleted
C:\.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 10:08:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"E:\\tomtom home\\TomTomHOME.exe"="E:\\tomtom home\\TomTomHOME.exe:*:Enabled:TomTomHOME"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"="F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD:*:Disabled:Age of Empires II Expansion"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"="D:\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"D:\\Microsoft Office\\Office12\\GROOVE.EXE"="D:\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"="D:\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 23 May 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Fri 10 Nov 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT7D.tmp"
Wed 28 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd52934c80a35f08ed61683a6bd658a4\BITA.tmp"
Fri 12 Jan 2007 15,505,200 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0df81499cac89a98c5419c9cf752b89e\BIT13.tmp"

Finished!

The Combofix Log:

ComboFix 08-05-24.1 - Mike&Sarah 2008-05-29 10:21:45.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1476 [GMT 10:00]
Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe
.
Error: Cfiles.dat
Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 10:04 . 2008-05-29 10:04 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-29 09:54 . 2008-05-29 10:13 <DIR> d-------- C:\SDFix
2008-05-29 09:46 . 2008-05-29 09:46 <DIR> d-------- C:\Program Files\ERUNT
2008-05-26 08:52 . 2008-05-26 08:52 <DIR> d-------- C:\Deckard
2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol
2008-05-23 21:46 . 2008-05-23 21:46 <DIR> d-------- C:\MBHOLDING
2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple
2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 00:15 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-21 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech
2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime
2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-24 05:24 --------- d-----w C:\Program Files\Windows Defender
2008-04-24 05:23 --------- d-----w C:\Program Files\Panda Security
2008-04-24 04:11 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-24 02:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-16 04:18 --------- d-----w C:\Program Files\Canon
2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest
2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2
2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley
2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley
2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader
2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype
2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX
2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared
2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc
2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild
2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works
2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_20.38.08.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 04:50:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 00:07:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 17:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-29 00:04:07 950,272 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-29 00:04:07 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-26 17:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-29 00:04:05 950,272 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-29 00:04:05 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-03 14:56:44 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
- 2008-05-25 04:55:12 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-29 00:12:05 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-25 04:55:12 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-29 00:12:05 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]
"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-26 03:31 333120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"E:\\tomtom home\\TomTomHOME.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]
R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d077a16-2a04-11dd-94a4-101111111111}]
\Shell\AutoRun\command - K:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 00:10:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"
- C:\WINDOWS\system32\wupdmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 10:24:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-29 10:26:48
ComboFix-quarantined-files.txt 2008-05-29 00:26:40
ComboFix2.txt 2008-05-29 00:20:27
ComboFix3.txt 2008-05-25 22:51:54
ComboFix4.txt 2008-05-25 22:42:57
ComboFix5.txt 2008-05-25 10:38:55

Pre-Run: 4,832,190,464 bytes free
Post-Run: 4,815,482,880 bytes free

205 --- E O F --- 2008-05-28 11:33:52
AdvancedSetup
Okay it looks like we're just about done. Just want to run a few more things first before we call it a day.

I updated the URL for the SafeBootKeyRepair.exe repair file. Download and run this file. (link above)

Start a DOS prompt by clicking START - RUN and type in CMD and press the ENTER KEY
Then type each command below followed by the ENTER KEY
proxycfg -d
net stop wuauserv
Then start Windows Explorer or My Computer and browse and find this folder C:\WINDOWS\SoftwareDistribution and delete the folder SoftwareDistribution
Then in the DOS prompt type this
net start wuauserv
CHKDSK C: /F /V
The chkdsk will alert and ask to run on reboot. Press the Y key and then the ENTER KEY
You can now quit this DOS prompt.
Then launch Internet Explorer and check for and install all CRITICAL UPDATES as found. Windows Update
Then reboot the system [the Disk Check should run]. Once back in normal Windows, run the Deckard's System Scan
Deckard's System Scanner (DSS)
Then update MB and run a Quick Scan and post back both logs.

dutchroll
Excellent - done all that list. Checkdisk was OK.

I tried that safeboot link again and posted an edit to say it worked OK, but I think we "crossed posts" on the thread just after you fixed it. Anyway it ran fine.

Sorry, I accidentally ran the MB before the Deckard's (i.e., in the reverse order to what you asked for) - hope that's not an issue. MB picked up more "trojan.fakealert" items, which I selected to fix. Also this morning I installed Kaspersky AV full version, so that's up and running now (though I disabled it for the MB and Deckard's scans), and did a bit of a cleanout (uninstall) of Adobe and a few other programs unrelated to any malware tools. I've been on a shopping spree so the latest versions of some of that stuff will go on when this system is clean, and the rest, well it can go into the dustbin.

Here are the logs:

Malwarebytes' Anti-Malware 1.12
Database version: 796

Scan type: Quick Scan
Objects scanned: 41407
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuAdminTools (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuFavorites (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Deckard's System Scanner v20071014.68
Run by Mike&Sarah on 2008-05-29 12:23:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:50 PM, on 29/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Mike&Sarah\Desktop\dss.exe
D:\Computer\MIKE&S~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8688 bytes

-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 12:06:59 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent
2008-05-29 11:44:27 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-05-29 11:39:51 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-29 11:39:51 88262 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-29 11:39:51 331552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-29 11:39:19 6688 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-29 11:39:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 11:38:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-29 10:04:03 0 d-------- C:\WINDOWS\ERUNT
2008-05-25 20:33:58 68096 --a------ C:\WINDOWS\zip.exe
2008-05-25 20:33:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-25 20:33:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-25 20:33:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-25 20:33:58 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-25 20:33:58 98816 --a------ C:\WINDOWS\sed.exe
2008-05-25 20:33:58 80412 --a------ C:\WINDOWS\grep.exe
2008-05-25 20:33:58 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-23 21:52:54 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol
2008-05-23 21:52:48 0 d-------- C:\Program Files\BillP Studios
2008-05-23 21:52:31 0 d-------- C:\Program Files\SpywareBlaster
2008-05-23 21:46:00 0 d-------- C:\MBHOLDING
2008-05-17 19:51:53 6528 -r-h----t C:\Documents and Settings\Mike&Sarah\Backup Status
2008-05-17 18:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-17 17:31:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>
2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>
2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL
2008-04-29 17:19:05 0 d-------- C:\acrsk
2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media
2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media


-- Find3M Report ---------------------------------------------------------------

2008-05-29 12:08:51 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype
2008-05-29 11:31:16 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe
2008-05-29 11:18:02 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-29 11:09:50 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-22 00:37:41 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-17 18:00:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-17 17:39:14 0 d-------- C:\Program Files\Common Files
2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech
2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit
2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime
2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia
2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia
2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml
2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson
2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-24 15:24:48 0 d-------- C:\Program Files\Windows Defender
2008-04-24 15:23:14 0 d-------- C:\Program Files\Panda Security
2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes
2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft
2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real
2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon
2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley
2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest
2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2
2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared
2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared
2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley
2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini
2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader
2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder
2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype
2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX
2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11
2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc
2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild
2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET
2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [26/04/2008 03:31 AM]
"AVP"="D:\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [28/06/2007 12:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
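The O4, O9 and O23 lines in the HijackThis log above are what the helper reads to decide which autostarts need a closer look. As an added example that is not part of this thread, the Python script below parses lines in that format and flags the ones worth verifying first: targets reported as missing, bare filenames resolved via the search path, 8.3 short names, autostarts from user-writable folders, and services with no publisher. The "sysupd" Run entry in the sample is constructed for the demo; the other lines are copied from the log.

```python
"""Triage helper for HijackThis v2 log lines: flags the entries a helper
would check first (added example, not part of the original thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log above plus one
# invented HKCU Run entry ("sysupd", CONSTRUCTED for the demo) so the
# user-writable-path check has something to flag. Not a real detection.
SAMPLE_LOG = r"""
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\Mike&Sarah\Local Settings\Temp\sysupd.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.+)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First Windows path ending in a loadable module; [^"] keeps it inside quotes.
PATH_RE = re.compile(r'(?i)[A-Z]:\\[^"]*?\.(?:exe|dll|sys|ocx|cpl)')
USER_WRITABLE = re.compile(r"(?i)\\(?:Documents and Settings|Users|Temp|Local Settings|Application Data)\\")
SHORT_NAME = re.compile(r"~\d")


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one HijackThis line into (section, name, target, owner, missing)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    missing = rest.endswith("(file missing)")
    owner = None
    if section == "O4" and O4_RE.match(rest):
        m4 = O4_RE.match(rest)
        name, text = f"{m4['hive']} Run [{m4['name']}]", m4["cmd"]
    elif section == "O23" and O23_RE.match(rest):
        m23 = O23_RE.match(rest)
        name, text, owner = m23["name"], m23["path"], m23["owner"]
    else:
        name, text = rest.split(" - ")[0], rest
    pm = PATH_RE.search(text)
    if pm:
        target = pm.group(0)
    elif section == "O4":
        target = text.split()[0]  # bare filename, no directory given
    else:
        target = ""
    return section, name, target, owner, missing


def assess(section, target, owner, missing):
    """Defender-side heuristics: what to verify, not a verdict of malice."""
    reasons = []
    if missing:
        reasons.append("target no longer exists (orphaned entry, safe cleanup candidate)")
    if section == "O4" and target and "\\" not in target:
        reasons.append("bare filename resolved via search path; confirm which file actually runs")
    if target and USER_WRITABLE.search(target):
        reasons.append("autostart from a user-writable location")
    if SHORT_NAME.search(target):
        reasons.append("8.3 short name; expand it before checking the file")
    if owner == "Unknown owner":
        reasons.append("service carries no publisher information; verify the binary's signature")
    return reasons


def triage(log_text):
    """Return only the entries with at least one reason to look closer."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, name, target, owner, missing = parsed
        reasons = assess(section, target, owner, missing)
        if reasons:
            findings.append(Finding(section, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.name}\n     {f.target}")
        for r in f.reasons:
            print(f"     - {r}")
```

Entries that parse cleanly to a full path under Program Files or WINDOWS with a named publisher produce no finding, which is why the NVIDIA, WinPatrol and quoted Skype lines stay silent.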
AdvancedSetup
Looks good. You can delete this folder and contents C:\MBHOLDING
Click on START - RUN and type in ComboFix /u and remove this application and its settings.
I would also delete the other tools, as they could be dangerous if not properly used and also become out of date quickly: IceSword, SDFIX, and HiJackThis. If you ever do need them again they're easily downloaded with up to date versions.

At this time I no longer see anything to indicate that your system is infected.

I believe you're already running a hosts file application but if not then please take a look at the following: hpHosts
QUOTE
What is hpHosts?
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites.

  • Keep all your Security applications up to date and do scans at least once a week
  • There is no single application out there that can scan and locate everything as I think you've seen, so use at least a couple of anti-malware scanners as well as your anti-virus product to ensure your system is clean.

  Look at using the following software, which will help to protect you:
  • WinPatrol
  • FireFox
  • NoScript
  • Adblock Plus
  • Enable Microsoft Automatic Updates to perform the critical updates for Microsoft products for you.
  • As you've already been doing, review your Add/Remove programs and remove any applications that you no longer use or want and look for updates to any programs that might require an update due to security issues such as plugins for Internet Explorer.

Best of luck and let me know if you have any questions, and don't forget to tell your friends. Also, don't forget we offer Free PC support in the PC Help forum.
dutchroll
Well, I don't think there is any real way to thank you enough for the inordinate amount of time you've spent helping me clean this very insidious and difficult piece of malware. Suffice to say that you are a bloody legend in my opinion, AdvancedSetup, and I would buy you a beer (or several) any day.

I'll go through and delete all the tools apart from the ones you recommended. Despite considering myself relatively computer-literate, some of them are downright frightening in their power & I'd hate to accidentally have them do something bad to my system. I'll get some serious system house-keeping done too. Kaspersky seems to be working well and gets very complimentary reviews at the moment.

Thanks again.
Invision Power Board © 2001-2010 Invision Power Services, Inc.