I've got Malware/Adware

Question

samwhocan 0 Newbie Poster

14 Years Ago

Hello

I'm 99% sure I've got adware or malware running on my PC. I first noticed a problem when web pages took increasingly longer to load. The problem got worse when hyperlinks did not always link to the page they meant to e.g. Google search link would return Facebook or even Ask Jeeves and Yahoo pages!! This has made surfing tedious at times.

I have taken the steps suggested in the Read Me. Please find my results below. Any help would be greatly appreciated.

Sam

Steps taken:

1. COMPLETED
2. COMPLETED
3. COMPLETED
4. COMPLETED

5. Could not complete as could not run a Windows Update. Tried through Download Centre and Windows Update.

6. ATF Cleaner run. Could not do it for Firefox as greyed out.

7. COMPLETED (although AVG was running in some capacity)

8. Could not download MBA-M as server not found. Used the link and again server not found (404).

9. DDS ScanLog COMPLETED

10. GMER logs would not upload.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Sam at 9:13:44.71 on 06/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.606 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Plugins\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Plugins\Roland\VSC32\vscvol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.willrecordsradio.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOY5KNQ8OC] c:\docume~1\sam\locals~1\temp\Uh0.exe
uRun: [WEK9EMDHI9] c:\windows\Uzytaa.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [removecpl] RemoveCpl.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [vsc32cnf.exe] c:\program files\plugins\roland\vsc32\vsc32cnf.exe
mRun: [vscvol.exe] c:\program files\plugins\roland\vsc32\vscvol.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} - hxxp://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.162.179,93.188.161.62
TCP: {417CA8D1-2C11-43C2-9647-856AA61B70B0} = 93.188.162.179,93.188.161.62
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sam\applic~1\mozilla\firefox\profiles\pkhmnxws.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla\firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla\firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2008-9-6 16384]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-12 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-12 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-12 242696]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-25 390528]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 116328]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-9-6 11776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-15 779496]
R2 RVIEGVST;VSC VST Engine;c:\program files\plugins\roland\virtual sound canvas vst\RVIEg01VST.sys [2008-10-24 188276]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2008-10-24 951284]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2008-9-6 109056]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [2008-9-6 15488]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2008-9-6 15232]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2009-2-26 90408]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2009-2-26 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2009-2-26 122024]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2009-2-26 115368]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2009-2-26 25768]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2009-2-26 111784]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2009-2-26 117544]

=============== Created Last 30 ================

2010-04-05 18:01:38 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~1
2010-04-05 18:01:01 0 d-----w- c:\program files\Lavasoft
2010-04-02 16:14:00 0 d-----w- c:\program files\iPod
2010-04-02 16:13:52 0 d-----w- c:\program files\iTunes
2010-04-02 16:13:52 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-19 21:26:19 0 d-----w- c:\documents and settings\sam\Tracing
2010-03-19 21:24:48 0 d-----w- c:\program files\Microsoft
2010-03-19 21:24:28 0 d-----w- c:\program files\Windows Live SkyDrive
2010-03-19 21:21:49 0 d-----w- c:\program files\common files\Windows Live
2010-03-17 20:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-17 20:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-03-17 09:22:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 13:01:07 0 d--h--w- C:\$AVG
2010-03-12 13:00:53 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 13:00:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 13:00:35 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-12 13:00:22 0 d-----w- c:\program files\AVG
2010-03-12 13:00:21 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-10 22:54:55 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 20:31:29 293376 ------w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-03-09 03:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 12:41:08 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-12 10:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 10:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-10-15 17:00:01 690 ---h-tr- c:\program files\Backup Log
2008-08-29 12:40:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 9:14:33.34 ===============

windows-virus

Attach.txt (17.08 KB)

The attachment preview is chopped off after the first 10 KB. Please download the entire file.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 28/08/2008 11:20:40
System Uptime: 04/06/2010 09:11:30 (-1416 hours ago)

Motherboard: Dell Inc.           |  | 0JC474
Processor:               Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 70.737 GiB free.
D: is CDROM ()
I: is FIXED (NTFS) - 466 GiB total, 200.695 GiB free.

==== Disabled Device Manager Items =============

Class GUID: 
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_8384&DEV_7690&SUBSYS_102801C4&REV_1022\4&2434F4F0&0&0201
Manufacturer: 
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_8384&DEV_7690&SUBSYS_102801C4&REV_1022\4&2434F4F0&0&0201
Service: 

Class GUID: 
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_01C41028&REV_04\4&10BD256C&0&40F0
Manufacturer: 
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_01C41028&REV_04\4&10BD256C&0&40F0
Service: 

==== System Restore Points ===================

RP376: 20/01/2010 09:50:28 - Installed Java(TM) 6 Update 17
RP377: 20/01/2010 17:40:51 - Software Distribution Service 3.0
RP378: 21/01/2010 17:45:47 - System Checkpoint
RP379: 22/01/2010 18:45:48 - System Checkpoint
RP380: 23/01/2010 03:00:21 - Software Distribution Service 3.0
RP381: 24/01/2010 13:22:37 - System Checkpoint
RP382: 25/01/2010 14:25:52 - System Checkpoint
RP383: 26/01/2010 12:29:51 - Removed Pro Tools LE
RP384: 26/01/2010 14:03:40 - Removed Pro Tools LE
RP385: 26/01/2010 14:13:45 - Removed Pro Tools LE
RP386: 26/01/2010 15:14:07 - Removed Adobe Flash Player 9 ActiveX.
RP387: 26/01/2010 15:14:46 - Removed Pro Tools LE
RP388: 26/01/2010 17:11:37 - Removed Pro Tools LE
RP389: 27/01/2010 20:17:25 - System Checkpoint
RP390: 28/01/2010 16:56:26 - Installed Microsoft Visual C++ 2005 Redistributable
RP391: 28/01/2010 16:56:41 - Installed PHOTOfunSTUDIO
RP392: 28/01/2010 16:59:14 - Installed Software Suite
RP393: 29/01/2010 18:26:49 - System Checkpoint
RP394: 31/01/2010 11:41:16 - System Checkpoint
RP395: 01/02/2010 21:50:29 - System Checkpoint
RP396: 03/02/2010 09:22:10 - System Checkpoint
RP397: 04/02/2010 21:51:35 - System Checkpoint
RP398: 06/02/2010 10:09:43 - System Checkpoint
RP399: 07/02/2010 13:50:42 - System Checkpoint
RP400: 09/02/2010 09:13:33 - System Checkpoint
RP401: 10/02/2010 13:15:59 - System Checkpoint
RP402: 10/02/2010 23:41:18 - Software Distribution Service 3.0
RP403: 12/02/2010 09:02:22 - System Checkpoint
RP404: 14/02/2010 16:18:29 - System Checkpoint
RP405: 15/02/2010 17:55:56 - System Checkpoint
RP406: 17/02/2010 12:47:47 - System Checkpoint
RP407: 18/02/2010 22:46:02 - System Checkpoint
RP408: 20/02/2010 08:47:45 - System Checkpoint
RP409: 21/02/2010 09:23:41 - System Checkpoint
RP410: 22/02/2010 14:40:31 - System Checkpoint
RP411: 23/02/2010 15:12:36 - System Checkpoint
RP412: 24/02/2010 10:26:45 - Installed Rapport
RP413: 24/02/2010 20:06:39 - Software Distribution Service 3.0
RP414: 25/02/2010 20:10:16 - System Checkpoint
RP415: 26/02/2010 20:10:24 - System Checkpoint
RP416: 01/03/2010 10:49:16 - System Checkpoint
RP417: 02/03/2010 11:32:23 - System Checkpoint
RP418: 03/03/2010 16:50:48 - System Checkpoint
RP419: 04/03/2010 19:28:09 - System Checkpoint
RP420: 05/03/2010 20:06:38 - System Checkpoint
RP421: 06/03/2010 20:07:19 - System Checkpoint
RP422: 07/03/2010 21:05:37 - System Checkpoint
RP423: 07/03/2010 23:40:52 - Software Distribution Service 3.0
RP424: 09/03/2010 08:51:22 - System Checkpoint
RP425: 10/03/2010 12:29:08 - System Checkpoint
RP426: 10/03/2010 23:28:41 - Software Distribution Service 3.0
RP427: 12/03/2010 13:00:19 - Installed AVG Free 9.0
RP428: 12/03/2010 13:43:35 - Avg8 Update
RP429: 13/03/2010 14:20:46 - System Checkpoint
RP430: 14/03/2010 18:41:31 - System Checkpoint
RP431: 15/03/2010 20:53:33 - System Checkpoint
RP432: 16/03/2010 23:05:11 - System Checkpoint
RP433: 17/03/2010 09:18:47 - Avg8 Update
RP434: 17/03/2010 09:22:42 - Avg Update
RP435: 18/03/2010 12:36:24 - System Checkpoint
RP436: 19/03/2010 14:11:33 - System Checkpoint
RP437: 20/03/2010 16:24:31 - System Checkpoint
RP438: 21/03/2010 19:15:29 - System Checkpoint
RP439: 22/03/2010 21:39:52 - System Checkpoint
RP440: 24/03/2010 02:24:02 - System Checkpoint
RP441: 24/03/2010 10:42:29 - Installed Rapport
RP442: 25/03/2010 12:40:36 - System Checkpoint
RP443: 26/03/2010 14:32:40 - System Checkpoint
RP444: 27/03/2010 18:29:19 - System Checkpoint
RP445: 29/03/2010 11:08:29 - System Checkpoint
RP446: 30/03/2010 12:24:16 - System Checkpoint
RP447: 30/03/2010 22:06:41 - Installed Java(TM) 6 Update 19
RP448: 01/04/2010 09:09:47 - System Checkpoint
RP449: 02/04/2010 09:20:35 - System Checkpoint
RP450: 03/04/2010 09:46:03 - System Checkpoint
RP451: 04/04/2010 11:02:43 - System Checkpoint
RP452: 04/04/2010 19:13:55 - Removed 4oD.
RP453: 04/04/2010 19:17:08 - Removed Samsung PC Studio 3
RP454: 04/04/2010 19:19:52 - Removed YouSendIt Express
RP455: 04/04/2010 19:21:38 - Removed PHOTOfunSTUDIO
RP456: 04/04/2010 19:23:10 - Removed Pro Tools LE
RP457: 05/04/2010 23:11:42 - Removed Ad-Aware Email Scanner for Outlook

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 1.5
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 9.3.1
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
Torrent
Avanquest update
AVG Free 9.0
BBC iPlayer Download Manager
Bonjour
Broomstick Bass 1.0.0
Digidesign Pro Tools LE 7.3
Digidesign Shared Plug-Ins 7.3
Drive Manager
Edirol HQ Orchestral VSTi v1.03
foobar2000 v0.9.6.3
Free Bomb Factory Plug-Ins 7.3
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Graphics Media Accelerator Driver
InterLok Driver Kit
iPhone Configuration Utility
iTunes
Java Auto Updater
Java DB 10.4.1.3
Java(TM) 6 Update 19
Java(TM) SE Development Kit 6 Update 10
Korg Legacy Collection VSTi v1.0.02
LimeWire 5.5.8
Macromedia Director MX 2004
Magic ISO Maker v5.5 (build 0272)
Max 5.0.5
Melodyne 3.1
Mercury 1
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders  (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
N.I Pro-53 v3.0-OxYGeN
Native Instruments B4 Tone Wheels Bundle v1.11
Native Instruments B4 v1.11
Native Instruments Battery
Native Instruments Battery 3
Native Instruments FM7
Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS
Native Instruments Guitar Rig 3
Native Instruments Kontakt 3
Native Instruments Kontakt v1.02
Native Instruments Spektral Delay
PDF Settings
PixiePack Codec Pack
Power Tab Editor 1.7
QuickTime
Rapport
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft

6 Contributors
26 Replies
454 Views
3 Months Discussion Span
Latest Post 14 Years Ago Latest Post by arethalee

jholland1964 650 Posting Expert

14 Years Ago

Hello and welcome to daniweb,
Download HiJackThis.
Run a full scan with it and save the log. Post back here with that log.
What was the reason you gave up Avast for the much lower rated AVG9?
Where is the GMER log? We need to see that also.
Judy

jholland1964 650 Posting Expert

14 Years Ago

Shall I copy and paste the GMER logs? Attaching didn't work.

Yes. Please post them as GMER One log and then GMER two log. With the exception of the DDS Attach.txt log we prefer that ALL logs be copy/pasted.

The HiJackThis scan should take no more than a few moments. Please copy/paste that log also.

FYI, Avast and Avira are much higher rated av programs and neither one slow a computer.

Edited 14 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

14 Years Ago

Run HiJackThis again. This time place check marks next to the following entries:
O17 - HKLM\System\CCS\Services\Tcpip\..\{417CA8D1-2C11-43C2-9647-856AA61B70B0}: NameServer = 93.188.162.179,93.188.161.62
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.179,93.188.161.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.179,93.188.161.62

Once you have placed those check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer.

Next attempt to download Malwarebytes again but do it this way using instructions from the Malwarebytes' Anti-Malware Forum:
Please try this version of malwarebytes: Click the link here
Save it on your desktop. You'll see it will have a random name.
Doubleclick on it, so it will extract the files and will start Malwarebytes automatically.
In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.
In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and doubleclick the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a Full scan and let it remove what it found. Reboot afterwards (important).
After reboot, post the malwarebytes log together with a new HijackThislog.

Edited 14 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

14 Years Ago

And did you reboot the computer after clicking the Fix Checked boxes? This was to be done before attempting the MBA-M steps.
It doesn't appear that those were followed as the log looks the same.

Edited 14 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

14 Years Ago

Have to ask, have you been using the computer these past two weeks?

Yes I have.

Then you are going to have to begin at the beginning. As the MBA-M log shows you are STILL infected and very likely MORE infected.
In your very first post in this thread you said the following:

I have taken the steps suggested in the Read Me

Since you did go to the Read Me sticky, didn't you also read the following?

Please endeavor to reply to your thread promptly and to follow all cleaning steps in a timely manner. The reason for this request is twofold:
• Our volunteers can only address a limited number of threads at a time. If you wait too long to reply, they may move on to helping others and no longer have the free time to devote to your issues.
• Malware tends to reconstitute itself if not addressed quickly and completely.

You have not done this. You posted the Combofix log, did not wait for or comment to my reply and then returned 16 days later, admitting that you used this infected computer throughout the 16 days you failed to return. You obviously are not bothered enough by these serious infections because you to continued to use the computer so I will advise you to look elsewhere for assistance.
The only thing I will tell you to do is Uninstall Combofix using these steps as this copy of the program cannot be used again.
* Click START then RUN
* Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
When shown the disclaimer, Select "2"

Salem commented: Well said! +20

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

mabpest 0 Newbie Poster · Answer 1 · 2010-04-06T20:44:52+00:00

mabpest 0 Newbie Poster

14 Years Ago

Hello.........

Try norton 360 or download spybot it is free

Edited 14 Years Ago by PhilliePhan because: Removed long unnecessary quotation

samwhocan 0 Newbie Poster · Answer 2 · 2010-04-06T20:59:40+00:00

Try norton 360 or download spybot it is free

Thanks for your reply.

I should have said that I've recently changed from Avast to AVG and I tried to install Spybot but it wouldn't let me. The same problem occurred when I tried to update or scan with Ad-Aware.

samwhocan 0 Newbie Poster · Answer 3 · 2010-04-07T00:00:27+00:00

Hello and welcome to daniweb,
Download HiJackThis.
Run a full scan with it and save the log. Post back here with that log.
What was the reason you gave up Avast for the much lower rated AVG9?
Where is the GMER log? We need to see that also.
Judy

Hello. I shall get and run Hijack-This now. To answer your questions, I changed from Avast to AVG because I originally thought that was the reason for my PC's slow performance.

Shall I copy and paste the GMER logs? Attaching didn't work.

samwhocan 0 Newbie Poster · Answer 4 · 2010-04-07T00:08:40+00:00

Hello and welcome to daniweb,
Download HiJackThis.
Run a full scan with it and save the log. Post back here with that log.
What was the reason you gave up Avast for the much lower rated AVG9?
Where is the GMER log? We need to see that also.
Judy

Please find below:
1. Hijack This log
2. GMER One
3.GMER Two

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03:30, on 06/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Plugins\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Plugins\Roland\VSC32\vscvol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.willrecordsradio.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Plugins\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Plugins\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\Sam\LOCALS~1\Temp\Uh0.exe
O4 - HKCU\..\Run: [WEK9EMDHI9] C:\WINDOWS\Uzytaa.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{417CA8D1-2C11-43C2-9647-856AA61B70B0}: NameServer = 93.188.162.179,93.188.161.62
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.179,93.188.161.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.179,93.188.161.62
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 9588 bytes

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-06 00:14:06
Windows 5.1.2600 Service Pack 3
Running: e2y7oymc.exe; Driver: C:\DOCUME~1\Sam\LOCALS~1\Temp\axliypog.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-06 09:00:14
Windows 5.1.2600 Service Pack 3
Running: e2y7oymc.exe; Driver: C:\DOCUME~1\Sam\LOCALS~1\Temp\axliypog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xAAE43D82]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xAAE4448E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xAAE445DA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xAAE47D54]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xAAE47D86]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xAAE4453E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xAAE43EC6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xAAE440B8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xAAE441EA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xAAE47E5E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xAAE47DC8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xAAE47DFA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xAAE47E2C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xAAE43D30]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xAAE4463A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xAAE47CEC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xAAE43CD4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xAAE43C30]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xAAE43C78]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F745DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F745DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F745DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [F745DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F745DB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A9181D20

AttachedDevice \FileSystem\Fastfat \Fat DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\IdePort2\imntsspv\imntsspv\z00clicker.dll (*** hidden *** ) @ C:\Program Files\Mozilla\Firefox\firefox.exe [3336] 0x00E60000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 52

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

samwhocan 0 Newbie Poster · Answer 5 · 2010-04-07T02:00:40+00:00

Run HiJackThis again. This time place check marks next to the following entries:
O17 - HKLM\System\CCS\Services\Tcpip\..\{417CA8D1-2C11-43C2-9647-856AA61B70B0}: NameServer = 93.188.162.179,93.188.161.62
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.179,93.188.161.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.179,93.188.161.62
Once you have placed those check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer.
Next attempt to download Malwarebytes again but do it this way using instructions from the Malwarebytes' Anti-Malware Forum:
Please try this version of malwarebytes: Click the link here
Save it on your desktop. You'll see it will have a random name.
Doubleclick on it, so it will extract the files and will start Malwarebytes automatically.
In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.
When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.
In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and doubleclick the file winlogon.exe which will be present in there. This should launch Malwarebytes.
Then perform a Full scan and let it remove what it found. Reboot afterwards (important).
After reboot, post the malwarebytes log together with a new HijackThislog.

I've tried all the suggested steps to install MBA-M but get the following errors:
MBAM_ERROR_UPDATING(0, 0, SHRegGetPath)
MBAM_ERROR_LOAD_DATABASE (2, 0)

I did the HJT scan with said checked boxes. Here are the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:16:58, on 06/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Plugins\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Plugins\Roland\VSC32\vscvol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.willrecordsradio.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Plugins\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Plugins\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\Sam\LOCALS~1\Temp\Uh0.exe
O4 - HKCU\..\Run: [WEK9EMDHI9] C:\WINDOWS\Uzytaa.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{417CA8D1-2C11-43C2-9647-856AA61B70B0}: NameServer = 93.188.162.179,93.188.161.62
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.179,93.188.161.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.179,93.188.161.62
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 9588 bytes

samwhocan 0 Newbie Poster · Answer 6 · 2010-04-07T02:18:48+00:00

And did you reboot the computer after clicking the Fix Checked boxes? This was to be done before attempting the MBA-M steps.
It doesn't appear that those were followed as the log looks the same.

I did, yes.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 7 · 2010-04-07T02:19:58+00:00

Well the entries weren't repaired. Let me check with other Mods and myself or one of them will get back with you.

samwhocan 0 Newbie Poster · Answer 8 · 2010-04-07T02:24:05+00:00

I did, yes.

Here it is again, just in case.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:23:13, on 06/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Plugins\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Plugins\Roland\VSC32\vscvol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.willrecordsradio.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Plugins\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Plugins\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\Sam\LOCALS~1\Temp\Uh0.exe
O4 - HKCU\..\Run: [WEK9EMDHI9] C:\WINDOWS\Uzytaa.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 9278 bytes

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 9 · 2010-04-07T02:40:25+00:00

jholland1964 650 Posting Expert

14 Years Ago

Ok, NOW the entries are gone. Try the Malwarebytes' again.

samwhocan 0 Newbie Poster · Answer 10 · 2010-04-07T02:45:09+00:00

Ok, NOW the entries are gone. Try the Malwarebytes' again.

The earlier errors are still occuring thus preventing me from running the updates and program.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 11 · 2010-04-07T02:53:51+00:00

# Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
# Restart your computer (very important).
# Download and run this utility. mbam-clean.exe
# It will ask to restart your computer (please allow it to).
# After the computer restarts, Temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here to your desktop.
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

samwhocan 0 Newbie Poster · Answer 12 · 2010-04-07T03:09:03+00:00

# Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
# Restart your computer (very important).
# Download and run this utility. mbam-clean.exe
# It will ask to restart your computer (please allow it to).
# After the computer restarts, Temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here to your desktop.
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Thanks for your help.

I cannot find MBA-M or any related name in the Add/Remove Programs list. So maybe it did not even install?? Shall I delete the MBA-M installer files on my desktop and reboot or just skip that step and download from the links in your post?

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 13 · 2010-04-07T03:51:56+00:00

Instead of Malwarebytes' do this and follow the instructions EXACTLY:

Please download ComboFix by sUBs from HERE or HERE
· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
· Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

samwhocan 0 Newbie Poster · Answer 14 · 2010-04-07T06:02:20+00:00

Instead of Malwarebytes' do this and follow the instructions EXACTLY:
Please download ComboFix by sUBs from HERE or HERE
· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
· Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Run Combofix ONCE only!!

Ok I've done all you said. Please find CF log followed by HJT log:

ComboFix 10-04-05.06 - Sam 07/04/2010 0:40.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.636 [GMT 1:00]
Running from: c:\documents and settings\Sam\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lsprst7.dll
c:\windows\system32\spool\prtprocs\w32x86\00007d70.tmp
c:\windows\system32\ssprs.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
I:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-06 22:41 . 2010-04-06 22:41 -------- d-----w- c:\documents and settings\Sam\Application Data\AVG9
2010-04-06 19:31 . 2010-04-06 19:31 -------- d-----w- c:\documents and settings\Sam\Application Data\Malwarebytes
2010-04-06 19:31 . 2010-04-06 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-06 19:31 . 2010-03-29 16:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 18:02 . 2010-04-06 18:02 -------- d-----w- c:\program files\Trend Micro
2010-04-05 18:01 . 2010-04-05 21:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~1
2010-04-05 18:01 . 2010-04-05 22:11 -------- d-----w- c:\program files\Lavasoft
2010-04-02 16:14 . 2010-04-02 16:14 -------- d-----w- c:\program files\iPod
2010-04-02 16:13 . 2010-04-02 16:14 -------- d-----w- c:\program files\iTunes
2010-04-02 16:13 . 2010-04-02 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-30 21:08 . 2010-03-30 21:08 -------- d-----w- c:\program files\Common Files\Java
2010-03-24 10:42 . 2010-03-24 10:42 -------- d-----w- c:\documents and settings\Default User\Application Data\Trusteer
2010-03-21 00:51 . 2010-03-21 00:51 -------- d-----w- c:\documents and settings\Sam Wooldridge
2010-03-19 21:26 . 2010-03-19 21:26 -------- d-----w- c:\documents and settings\Sam\Tracing
2010-03-19 21:24 . 2010-03-19 21:24 -------- d-----w- c:\program files\Microsoft
2010-03-19 21:24 . 2010-03-19 21:24 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-19 21:21 . 2010-03-19 21:21 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-17 15:02 . 2010-04-06 20:34 0 ----a-w- c:\documents and settings\Sam\Local Settings\Application Data\prvlcl.dat
2010-03-17 09:22 . 2010-03-17 09:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 13:01 . 2010-03-17 09:34 -------- d-----w- C:\$AVG
2010-03-12 13:00 . 2010-03-17 09:22 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 13:00 . 2010-03-17 09:21 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 13:00 . 2010-03-17 09:22 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-12 13:00 . 2010-04-06 22:56 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-12 13:00 . 2010-03-12 13:00 -------- d-----w- c:\program files\AVG
2010-03-12 13:00 . 2010-04-06 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-10 22:54 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 23:51 . 2008-08-28 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-04-05 21:55 . 2008-08-28 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-05 13:38 . 2009-09-10 22:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-04-05 08:02 . 2008-08-28 21:20 -------- d-----w- c:\program files\Kontiki
2010-04-04 19:48 . 2008-08-28 21:43 -------- d-----w- c:\documents and settings\Sam\Application Data\uTorrent
2010-04-04 18:21 . 2008-08-28 12:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-04 18:21 . 2010-02-06 09:46 -------- d-----w- c:\documents and settings\Sam\Application Data\Panasonic
2010-04-04 18:17 . 2008-09-07 12:53 -------- d-----w- c:\documents and settings\Sam\Application Data\Samsung
2010-04-04 18:15 . 2010-03-05 22:56 -------- d-----w- c:\program files\Flock
2010-04-04 18:15 . 2010-03-05 22:56 -------- d-----w- c:\documents and settings\Sam\Application Data\Flock
2010-04-02 16:17 . 2008-08-28 17:33 -------- d-----w- c:\documents and settings\Sam\Application Data\Apple Computer
2010-04-02 16:13 . 2008-08-28 17:31 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 16:10 . 2008-09-16 14:20 -------- d-----w- c:\program files\QuickTime
2010-04-02 16:06 . 2008-09-16 14:21 -------- d-----w- c:\program files\Bonjour
2010-04-02 15:49 . 2010-04-02 15:49 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 22:36 . 2008-08-29 14:07 -------- d-----w- c:\documents and settings\Sam\Application Data\LimeWire
2010-03-30 21:09 . 2010-03-30 21:09 503808 ----a-w- c:\documents and settings\Sam\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-317d3347-n\msvcp71.dll
2010-03-30 21:09 . 2010-03-30 21:09 499712 ----a-w- c:\documents and settings\Sam\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-317d3347-n\jmc.dll
2010-03-30 21:09 . 2010-03-30 21:09 348160 ----a-w- c:\documents and settings\Sam\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-317d3347-n\msvcr71.dll
2010-03-30 21:07 . 2010-03-30 21:07 61440 ----a-w- c:\documents and settings\Sam\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-570cf919-n\decora-sse.dll
2010-03-30 21:07 . 2010-03-30 21:07 12800 ----a-w- c:\documents and settings\Sam\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-570cf919-n\decora-d3d.dll
2010-03-30 21:07 . 2009-03-06 14:22 -------- d-----w- c:\program files\Java
2010-03-25 15:09 . 2008-08-29 14:03 -------- d-----w- c:\program files\LimeWire
2010-03-19 21:24 . 2008-09-20 21:31 -------- d-----w- c:\program files\Windows Live
2010-03-17 15:21 . 2009-03-16 21:55 -------- d-----w- c:\documents and settings\Sam\Application Data\foobar2000
2010-03-17 09:22 . 2010-03-17 09:22 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-17 09:22 . 2010-03-17 09:22 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-17 09:22 . 2010-03-17 09:22 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-12 13:00 . 2010-03-12 13:43 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-03-12 13:00 . 2010-03-12 13:43 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-03-12 13:00 . 2010-03-17 09:18 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-03-12 13:00 . 2010-03-17 09:18 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-03-12 13:00 . 2010-03-17 09:18 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-12 13:00 . 2010-03-17 09:18 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-03-12 08:47 . 2008-08-28 21:43 -------- d-----w- c:\program files\uTorrent
2010-03-10 23:31 . 2008-08-28 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 03:28 . 2008-10-17 12:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 12:41 . 2010-02-25 12:41 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-25 12:41 . 2010-02-25 12:41 390528 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys
2010-02-25 12:41 . 2010-02-25 12:41 249856 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
2010-02-25 06:24 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:09 . 2008-08-28 12:46 74448 ----a-w- c:\documents and settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 11:03 . 2010-02-24 11:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-02-24 10:26 . 2010-02-24 10:26 -------- d-----w- c:\documents and settings\Sam\Application Data\Trusteer
2010-02-24 10:26 . 2010-02-24 10:26 -------- d-----w- c:\program files\Trusteer
2010-02-24 10:25 . 2010-02-24 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-02-12 10:46 . 2010-02-12 10:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 10:46 . 2010-02-12 10:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 10:03 . 2010-03-07 20:31 293376 ------w- c:\windows\system32\browserchoice.exe
2010-01-20 09:42 . 2010-01-20 09:42 152576 ----a-w- c:\documents and settings\Sam\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-20 09:42 . 2010-01-20 09:42 79488 ----a-w- c:\documents and settings\Sam\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2008-10-15 17:00 . 2008-10-16 09:34 690 ---h-tr- c:\program files\Backup Log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2006-11-13 61440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"vsc32cnf.exe"="c:\program files\Plugins\Roland\VSC32\vsc32cnf.exe" [2000-02-07 36864]
"vscvol.exe"="c:\program files\Plugins\Roland\VSC32\vscvol.exe" [2000-02-08 36864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-10-11 31232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-17 09:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI5"=diomidi.dll
"MIDI6"=vscapi.dll
"WAVE4"=vscapi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
2008-02-27 16:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [06/09/2008 09:53 16384]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/03/2010 14:00 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/03/2010 14:00 242696]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [25/02/2010 13:41 390528]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 14:47 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 116328]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/03/2010 10:22 308064]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [06/09/2008 09:50 11776]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 779496]
R2 RVIEGVST;VSC VST Engine;c:\program files\Plugins\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [24/10/2008 11:54 188276]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [24/10/2008 11:52 951284]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [06/09/2008 09:50 109056]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [06/09/2008 09:43 15488]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [06/09/2008 09:48 15232]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [26/02/2009 14:10 90408]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [26/02/2009 14:10 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [26/02/2009 14:10 122024]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [26/02/2009 14:10 115368]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [26/02/2009 14:10 25768]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [26/02/2009 14:10 111784]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [26/02/2009 14:10 117544]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 14:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.willrecordsradio.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\pkhmnxws.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla\Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla\Firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla\Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla\Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla\Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla\Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla\Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla\Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla\Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla\Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla\Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WEK9EMDHI9 - c:\windows\Uzytaa.exe
HKLM-Run-removecpl - RemoveCpl.exe
AddRemove-C1 - c:\progra~1\Plugins\Waves\Plug-Ins\Unwise32

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 00:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ôw*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6504)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-04-07 00:55:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 23:54

Pre-Run: 75,560,009,728 bytes free
Post-Run: 75,594,358,784 bytes free

- - End Of File - - 576F43DF8D608177355C2320493216DB

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:55:58, on 07/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Plugins\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Plugins\Roland\VSC32\vscvol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.willrecordsradio.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Plugins\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Plugins\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 8762 bytes

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 15 · 2010-04-07T06:18:56+00:00

Fantastic. Now try the MBA-M again. Go ahead and delete the installer from the desktop and begin again by downloading, etc. Run the full scan, remove items found, reboot and post the log...I am keeping my fingers crossed!

samwhocan 0 Newbie Poster · Answer 16 · 2010-04-23T04:57:15+00:00

Fantastic. Now try the MBA-M again. Go ahead and delete the installer from the desktop and begin again by downloading, etc. Run the full scan, remove items found, reboot and post the log...I am keeping my fingers crossed!

Hi again. Been really busy these last 2 weeks. Would appreciate if you could still help. I've now managed to download and run the MBA-M. I removed 5 items and rebooted. Here is the log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4023

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/04/2010 23:49:44
mbam-log-2010-04-22 (23-49-44).txt

Scan type: Full scan (C:\|D:\|I:\|)
Objects scanned: 255244
Time elapsed: 2 hour(s), 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Plugins\Waves\DiamondUninstall\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
C:\Program Files\Plugins\Waves\UninstalIL3\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
C:\Program Files\Steinberg\Cubase SX\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
C:\Program Files\Waves\DiamondUninstall\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
C:\Program Files\Waves\UninstalIL3\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 17 · 2010-04-23T06:03:08+00:00

Have to ask, have you been using the computer these past two weeks?

samwhocan 0 Newbie Poster · Answer 18 · 2010-04-23T13:17:52+00:00

Have to ask, have you been using the computer these past two weeks?

Yes I have.

birellar 0 Light Poster · Answer 19 · 2010-04-23T13:30:26+00:00

If still you getting the problem then last option you need to recover your OS (operating System) to get back you virus attack data.

ghostsinmachine 0 Newbie Poster · Answer 20 · 2010-07-21T16:34:55+00:00

I have discovered something that i can not find anything of the web about...

Uh0.exe and Uzyqua.exe.

They work together and are malware/adware. They run in processes but i have found them in my WINDOWS/Prefetch file. They must be erased manually. These end up coming back with each start up but once they are removed the problem seemed solved...at least for me it did. On yours it is Uh0 and Uzytaa (which im guessing is another name for the same program).

If anyone knows any info about these programs please post them.

arethalee 0 Newbie Poster · Answer 21 · 2010-07-28T14:31:32+00:00

Hii,
I think you shud block the pop-ups in ur IE but this also will not solve the problem completely

as it may not block all the pop-ups.And yes pop-ups
can also make u install spywares accidentally. so u need some gud antispyware along with

blocking the pop-ups.I have 1 good application installed on my system
Advanced System Protector , it not only blocks the spyware b4 it can enter your system,and will

also clean the infections if any and it gives routine updates of the latest definitions and is

very easy to use..
The On Execution Scanner & Alert Shields make it more efficient in the case of internet access.
For me the Advanced System Protector is the Best Antispyware...U can also give a try...
free version of ASP is also available at cnet