Another Dr Watson Problem

Hello all,

I am hoping you can kindly give me some advice and guidance in eradicating the dreaded Dr Watson Postmortem Debugger error message from my PC.
I have dutifully carried out the steps posted by "Trogan" and below are the three report logs from HijackThis, Activescan (panda) and Kaspersky Online Scanner. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 20:42:30, on 01/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\JALS\PCMS3.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thursday, February 01, 2007 8:39:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/02/2007
Kaspersky Anti-Virus database records: 263998

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan Statistics
Total number of scanned objects 115575
Number of viruses found 2
Number of infected objects 3 / 0
Number of suspicious objects 0
Duration of the scan process 01:38:02

Infected Object Name Virus Name Last Action
C:\be16dd8f0f99b0a73fcac788c184c7\feeddisc.wav Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\hmmapi.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\html.iec Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\html.iec.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\icardie.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ie4uinit.exe.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ieakeng.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ieakmmc.chm Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ieaksie.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ieakui.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ieapfltr.dat Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\iedkcs32.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\iedw.exe.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ieeula.chm Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ieframe.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\iepeers.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\iernonce.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\iesetup.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\iesupp.chm Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ieui.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\ieunatt.exe.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\iexplore.chm Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\iexplore.exe.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\inetcorp.iem Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\inetcpl.cpl.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\inetres.adm Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\inetset.iem Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\infobar.wav Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\inseng.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\licmgr10.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\msfeedsbs.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\mshta.exe.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\mshtml.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\mshtmled.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\mshtmler.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\msrating.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\navstart.wav Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\occache.dll.mui Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\popupblk.wav Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\update\eula.rtf Object is locked skipped

C:\be16dd8f0f99b0a73fcac788c184c7\urlmon.dll.mui Object is locked skipped

Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\dgyrweiw.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\dgyrwevj.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\dgyrwevx.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\gmxjtidr.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\gmxjtioa.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\gmxjtiop.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\gmxjtqfe.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\gmxjtqfs.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\jswbqmif.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\jswbqmmf.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\jswbqmuj.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\myvsnqdp.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\myvsnqsq.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\myvsnyrq.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\pfukkdxl.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\pfukkujy.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\vrstedil.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\vrstedtq.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\aaaaaisj.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\dgyrwmdy.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\Fix\dgyrweie.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\Fix\gmxjtiog.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\Fix\myvsnyve.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\Fix\vrstediy.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\dgyrweir.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\dgyrwmdr.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\myvsnqpy.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\pfukkuhr.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\jswbqmqj.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\jswbqmuq.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\myvsnqpy.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\pfukkuhp.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\vrstediy.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\vrstedts.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\CIP\aaaaaacy.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\CIP\gmxjtioj.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\CIP\jswbqmjs.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\CIP\myvsnyvj.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\aaaaaaqs.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\myvsnqbe.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\myvsnqbk.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\pfukkdcd.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\item_templ\coach\gmxjtiox.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\item_templ\coach\jswbqqym.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\item_templ\coach\pfukkuvm.t
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\item_templ\coach\vrstelsl.t
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\ \Cookies\hamish@112.2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ \Cookies\hamish@atdmt[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\ \Cookies\hamish@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ \Cookies\hamish@doubleclick[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\ \Cookies\hamish@www.myaffiliateprogram[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\ Cookies\hamish@zedo[2].txt
Virus:W32/Nuwar.A.worm Disinfected C:\Documents and Settings\ \gmxjtmir.t
Dialer:Dialer.ABR Not disinfected C:\WINDOWS\Downloaded Program Files\startbf2.inf
Dialer:dialer.xd Not disinfected C:\WINDOWS\switchagreement.txt
Virus:Trj/Alanchum.MP Disinfected C:\WINDOWS\system32\google.png.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\vbsys.dll_old
Adware:Adware/PurityScan

Many thanks and kind regards,

MSnewby

Comments

  • Trogan London, UK
    edited February 2007
    Hi MSnewby! Welcome to Short-Media!

    I have some bad news.

    Your computer is infected by a variant of the SDBot Trojan, which has Backdoor functionality. This can give intruders complete control of your computer, logging key strokes, stealing information, etc. :(

    You are strongly advised to do the following immediately!:
    • Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
    • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
      Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

    To help you make a more informed decision, please read the following articles:

    Should you have any questions, please feel free to ask.

    Please let me know your decision and we'll get started with clean up if that's what you choose.
    • edited February 2007
      Hi Trogan,

      Thank you so much for your prompt response. I will definitely heed your advice straight away, however as I am fairly new to the computer scene, I would be very grateful if you could help me clean the PC. I will disconnect right now and notify my banks etc. I will reconnect in a couple of hours to see if you have received this message and if we can proceed with the necessary steps to rectify this problem.

      Thank you for your help once again
      Kind regards,
      MSnewby
    • Trogan London, UK
      edited February 2007
      Hi MSnewby, sorry for the delay.

      This may take several rounds to get your PC as clean as possible.

      Please do the following...

      1. Download SDFix and save it to your Desktop.

      Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Please then reboot your computer in Safe Mode by doing the following :
      • Restart your computer
      • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      • Instead of Windows loading as normal, the Advanced Options Menu should appear;
      • Select the first option, to run Windows in Safe Mode, then press Enter.
      • Choose your usual account.
      • Open the extracted SDFix folder and double click RunThis.bat to start the script.
      • Type Y to begin the cleanup process.
      • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      • Press any Key and it will restart the PC.
      • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
        (Report.txt will also be copied to Clipboard ready for posting back on the forum).
      • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log in your next reply
      2. I need to see another log from HijackThis.
      • Run Hijackthis.
      • Click on Open the Misc Tools section.
      • Next click on Open uninstall manager.
      • Press the Save list button.
      • Save the file to your desktop, with the default name of uninstall_list
      • Copy & Paste the entire contents of that file in your next post.
      3. Please post the following...
      • SDFix report.txt
      • Uninstall list
      • New HijackThis log
    • edited February 2007
      Dear Trogan,

      Thank you for your patience. Please find below the requested information in order:

      SDFix report.txt
      Uninstall list
      New HijackThis log


      SDFix: Version 1.63

      05/02/2007 - 20:00:52.68

      Microsoft Windows XP [Version 5.1.2600]

      Running From: C:\SDFix

      Safe Mode:
      Checking Services:

      Name:

      Path:


      Restoring Windows Registry Entries
      Restoring Default Hosts File


      Rebooting...

      Normal Mode:
      Checking Files:

      Below files will be copied to Backups folder then removed:

      C:\WINDOWS\system32\winsub.xml - Deleted



      ADS Check:

      C:\WINDOWS\system32
      No streams found.

      Final Check:

      Remaining Services:


      Authorized Application Key Export:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
      "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
      "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
      "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
      "C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
      "C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
      "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Disabled:Nero Home"
      "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
      "C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
      "C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


      Remaining Files:

      Backups Folder: - C:\SDFix\backups\backups.zip


      Checking For Files with Hidden Attributes :

      C:\Program Files\Makayama.com\iPod Media Studio - Demo\Setup.exe
      C:\Program Files\Makayama.com\iPod Media Studio - Demo\Setup.ini
      C:\Program Files\Makayama.com\iPod Media Studio - Demo\Setup.exe
      C:\CONFIG.SYS
      C:\hiberfil.sys
      C:\WINDOWS\system32\6C77C2FE68.sys
      C:\WINDOWS\system32\KGyGaAvL.sys
      C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
      C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
      C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
      C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
      C:\Documents and Settings\Clean\My Documents\~WRL0003.tmp
      C:\Documents and Settings\Clean\My Documents\ATPL\~WRL0005.tmp
      C:\Documents and Settings\Clean\My Documents\ATPL\~WRL3374.tmp
      C:\Documents and Settings\Clean\My Documents\House\House\~WRL0543.tmp
      C:\Documents and Settings\Clean\My Documents\House\House\~WRL3319.tmp
      C:\Documents and Settings\Clean\My Documents\House\House\~WRL3679.tmp
      C:\Documents and Settings\Clean\My Documents\House\House\~WRL3861.tmp
      C:\Documents and Settings\Clean\My Documents\Private\Book\book flie 2\~WRL0007.tmp
      C:\Documents and Settings\Clean\My Documents\Private\Book\Natio Oppidum\~WRL0007.tmp
      C:\Documents and Settings\Clean\My Documents\Private\Book\Natio Oppidum\~WRL3962.tmp
      C:\Documents and Settings\Clean\My Documents\Private\Comp 1 Book\Natio Oppidum\~WRL0007.tmp
      C:\Documents and Settings\Clean\My Documents\Private\Comp 1 Book\Natio Oppidum\~WRL3962.tmp
      C:\Documents and Settings\Clean\My Documents\Private\Comp 1 Book\Natio Oppidum\Natio Oppidum\~WRL0007.tmp
      C:\Documents and Settings\Clean\My Documents\University\Corporate Finance 572\~WRL0001.tmp
      C:\Documents and Settings\Clean\My Documents\University\Corporate Finance 572\~WRL0005.tmp
      C:\Documents and Settings\Clean\My Documents\University\Corporate Finance 572\~WRL0843.tmp
      C:\Documents and Settings\Clean\My Documents\University\Corporate Finance 572\~WRL0899.tmp
      C:\Documents and Settings\Clean\My Documents\University\Corporate Finance 572\~WRL0940.tmp
      C:\Documents and Settings\Clean\My Documents\University\Corporate Finance 572\~WRL1545.tmp
      C:\Documents and Settings\Clean\My Documents\University\Corporate Finance 572\~WRL2877.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0002.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0004.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0051.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0097.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0256.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0261.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0305.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0329.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0369.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0418.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0550.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0563.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0676.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0688.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0705.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL0835.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL1017.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL1032.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL1187.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL1411.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL1443.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL1522.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL1574.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL1907.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL1996.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2021.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2029.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2048.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2205.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2236.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2363.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2558.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2645.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2688.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL2839.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3404.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3497.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3507.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3526.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3609.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3639.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3671.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3933.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3938.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3939.tmp
      C:\Documents and Settings\Clean\My Documents\University\Finance Trading Strategies 590\~WRL3964.tmp
      C:\Documents and Settings\Clean\My Documents\University\Legal Environment 560\~WRL0005.tmp
      C:\Documents and Settings\Clean\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0001.tmp
      C:\Documents and Settings\Clean\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0005.tmp
      C:\Documents and Settings\Clean\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0843.tmp
      C:\Documents and Settings\Clean\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0899.tmp
      C:\Documents and Settings\Clean\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0940.tmp
      C:\Documents and Settings\Clean\My Documents\University\Uni Finance\Corporate Finance 572\~WRL1545.tmp
      C:\Documents and Settings\Clean\My Documents\University\Uni Finance\Corporate Finance 572\~WRL2877.tmp
      C:\Documents and Settings\Hamish\Desktop\Private\Book\book flie 2\~WRL0007.tmp
      C:\Documents and Settings\Hamish\Desktop\Private\Book\Natio Oppidum\~WRL0007.tmp
      C:\Documents and Settings\Hamish\Desktop\Private\Book\Natio Oppidum\~WRL3962.tmp
      C:\Documents and Settings\Hamish\Desktop\Private\Comp 1 Book\Natio Oppidum\~WRL0007.tmp
      C:\Documents and Settings\Hamish\Desktop\Private\Comp 1 Book\Natio Oppidum\~WRL3962.tmp
      C:\Documents and Settings\Hamish\Desktop\Private\Comp 1 Book\Natio Oppidum\Natio Oppidum\~WRL0007.tmp
      C:\Documents and Settings\Hamish\My Documents\~WRL0003.tmp
      C:\Documents and Settings\Hamish\My Documents\ATPL\~WRL0005.tmp
      C:\Documents and Settings\Hamish\My Documents\ATPL\~WRL3374.tmp
      C:\Documents and Settings\Hamish\My Documents\House\House\~WRL0543.tmp
      C:\Documents and Settings\Hamish\My Documents\House\House\~WRL3319.tmp
      C:\Documents and Settings\Hamish\My Documents\House\House\~WRL3679.tmp
      C:\Documents and Settings\Hamish\My Documents\House\House\~WRL3861.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Corporate Finance 572\~WRL0001.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Corporate Finance 572\~WRL0005.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Corporate Finance 572\~WRL0843.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Corporate Finance 572\~WRL0899.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Corporate Finance 572\~WRL0940.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Corporate Finance 572\~WRL1545.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Corporate Finance 572\~WRL2877.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0002.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0004.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0051.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0097.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0256.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0261.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0305.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0329.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0369.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0418.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0550.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0563.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0676.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0688.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0705.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL0835.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL1017.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL1032.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL1187.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL1411.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL1443.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL1522.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL1574.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL1907.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL1996.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2021.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2029.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2048.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2205.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2236.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2363.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2558.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2645.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2688.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL2839.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3404.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3497.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3507.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3526.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3609.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3639.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3671.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3933.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3938.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3939.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Finance Trading Strategies 590\~WRL3964.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Legal Environment 560\~WRL0005.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0001.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0005.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0843.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0899.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Uni Finance\Corporate Finance 572\~WRL0940.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Uni Finance\Corporate Finance 572\~WRL1545.tmp
      C:\Documents and Settings\Hamish\My Documents\University\Uni Finance\Corporate Finance 572\~WRL2877.tmp
      C:\Documents and Settings\Ritchie\My Documents\Karen School Australia\Karen school\~WRL0141.tmp
      C:\Documents and Settings\Ritchie\My Documents\Karen School Australia\Karen school\~WRL0456.tmp
      C:\Documents and Settings\Ritchie\My Documents\Karen School Australia\Karen school\~WRL1304.tmp
      C:\Documents and Settings\Ritchie\My Documents\Karen School Australia\Karen school\~WRL1672.tmp
      C:\Documents and Settings\Ritchie\My Documents\Karen School Australia\Karen school\~WRL2362.tmp
      C:\Documents and Settings\Ritchie\My Documents\Karen School Australia\Karen school\~WRL3206.tmp

      Finished

      Ad-Aware SE Personal
      Adobe Reader 8
      Air Canada A330-343
      Apple Software Update
      ATI Control Panel
      ATI Display Driver
      AviSynth 2.5
      BitTorrent 5.0.5
      blueyonder Instant Support Tool
      Cirrus SR20 V2 Six by GK
      Combined Community Codec Pack 2006-01-18 (Remove Only)
      Conexant D850 56K V.9x DFVc Modem
      Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
      Dell Driver Reset Tool
      Dell Support 5.0.0 (630)
      Digital Line Detect
      dvdXsoft DVD to iPod Converter 1.08
      EPSON Printer Software
      GROB SPn Utility Jet G180 rel. 1.3
      High Definition Audio Driver Package - KB835221
      Hijackthis 1.99.1
      HijackThis 1.99.1
      Hotfix for Windows Media Player 10 (KB903157)
      Hotfix for Windows XP (KB888795)
      Hotfix for Windows XP (KB891593)
      Hotfix for Windows XP (KB895961)
      Hotfix for Windows XP (KB899337)
      Hotfix for Windows XP (KB899510)
      Hotfix for Windows XP (KB902841)
      Hotfix for Windows XP (KB914440)
      Hotfix for Windows XP (KB915865)
      HP Extended Capabilities 5.3
      HP Imaging Device Functions 5.3
      HP Photosmart Essential
      HP PSC & OfficeJet 5.3.B
      HP Software Update
      HP Solution Center & Imaging Support Tools 5.3
      Intel Matrix Storage Manager
      Intel(R) PRO Network Connections Drivers
      Intel(R) PROSet for Wired Connections
      Internet Explorer Default Page
      iPod Media Studio - Demo 1.0
      iTunes
      JALS
      Java 2 Runtime Environment, SE v1.4.2_03
      Jet City Aircraft 717-200
      Kaspersky Online Scanner
      Macromedia Flash Player 8
      McAfee Uninstaller
      MCU
      Microsoft .NET Framework 1.0 Hotfix (KB887998)
      Microsoft .NET Framework 1.1
      Microsoft .NET Framework 1.1
      Microsoft .NET Framework 1.1 Hotfix (KB886903)
      Microsoft Flight Simulator 2004 A Century of Flight
      Microsoft Internationalized Domain Names Mitigation APIs
      Microsoft National Language Support Downlevel APIs
      Microsoft Office Standard Edition 2003
      Microsoft Works 7.0
      MSN Messenger 7.5
      MSXML 4.0 SP2 (KB925672)
      MSXML 4.0 SP2 (KB927978)
      NetWaiting
      Panda ActiveScan
      PeerGuardian 2.0
      PIAFpu
      PowerDVD 5.5
      QuickTime
      RealPlayer Basic
      Scientific-Atlanta WebSTAR 2000 series Cable Modem
      Security Update for Windows Internet Explorer 7 (KB929969)
      Security Update for Windows Media Player 10 (KB911565)
      Security Update for Windows Media Player 10 (KB917734)
      Security Update for Windows Media Player 6.4 (KB925398)
      Security Update for Windows XP (KB890046)
      Security Update for Windows XP (KB893066)
      Security Update for Windows XP (KB893756)
      Security Update for Windows XP (KB896358)
      Security Update for Windows XP (KB896424)
      Security Update for Windows XP (KB896428)
      Security Update for Windows XP (KB899587)
      Security Update for Windows XP (KB899589)
      Security Update for Windows XP (KB900725)
      Security Update for Windows XP (KB901017)
      Security Update for Windows XP (KB901190)
      Security Update for Windows XP (KB902400)
      Security Update for Windows XP (KB905414)
      Security Update for Windows XP (KB905749)
      Security Update for Windows XP (KB905915)
      Security Update for Windows XP (KB908519)
      Security Update for Windows XP (KB908531)
      Security Update for Windows XP (KB911280)
      Security Update for Windows XP (KB911562)
      Security Update for Windows XP (KB911567)
      Security Update for Windows XP (KB911927)
      Security Update for Windows XP (KB912812)
      Security Update for Windows XP (KB912919)
      Security Update for Windows XP (KB913446)
      Security Update for Windows XP (KB913580)
      Security Update for Windows XP (KB914388)
      Security Update for Windows XP (KB914389)
      Security Update for Windows XP (KB916281)
      Security Update for Windows XP (KB917159)
      Security Update for Windows XP (KB917344)
      Security Update for Windows XP (KB917422)
      Security Update for Windows XP (KB917953)
      Security Update for Windows XP (KB918439)
      Security Update for Windows XP (KB918899)
      Security Update for Windows XP (KB919007)
      Security Update for Windows XP (KB920213)
      Security Update for Windows XP (KB920214)
      Security Update for Windows XP (KB920670)
      Security Update for Windows XP (KB920683)
      Security Update for Windows XP (KB920685)
      Security Update for Windows XP (KB921398)
      Security Update for Windows XP (KB921883)
      Security Update for Windows XP (KB922616)
      Security Update for Windows XP (KB922819)
      Security Update for Windows XP (KB923191)
      Security Update for Windows XP (KB923414)
      Security Update for Windows XP (KB923689)
      Security Update for Windows XP (KB923694)
      Security Update for Windows XP (KB923980)
      Security Update for Windows XP (KB924191)
      Security Update for Windows XP (KB924270)
      Security Update for Windows XP (KB926255)
      Shockwave
      Sonic Encoders
      Spybot - Search & Destroy 1.4
      SpywareBlaster v3.5.1
      Update for Windows Media Player 10 (KB910393)
      Update for Windows Media Player 10 (KB913800)
      Update for Windows Media Player 10 (KB926251)
      Update for Windows XP (KB894391)
      Update for Windows XP (KB898461)
      Update for Windows XP (KB900485)
      Update for Windows XP (KB904942)
      Update for Windows XP (KB910437)
      Update for Windows XP (KB916595)
      Update for Windows XP (KB920872)
      Update for Windows XP (KB922582)
      Update Rollup 2 for Windows XP Media Center Edition 2005
      VideoLAN VLC media player 0.8.4a
      Visual Vision EbooksReader_g_e
      WD Backup
      WD Diagnostics
      Windows Genuine Advantage v1.3.0254.0
      Windows Installer 3.1 (KB893803)
      Windows Internet Explorer 7
      Windows Media Format Runtime
      Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
      Windows XP Hotfix - KB885836
      Windows XP Hotfix - KB886185
      Windows XP Hotfix - KB887742
      Windows XP Hotfix - KB888302
      Windows XP Hotfix - KB890859
      Windows XP Hotfix - KB890927
      Windows XP Media Center Edition 2005 KB908246
      WinRAR archiver
      XviD 1.1 final uninstall

      Logfile of HijackThis v1.99.1
      Scan saved at 20:16:04, on 05/02/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.5730.0011)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
      c:\program files\mcafee.com\agent\mcdetect.exe
      c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
      C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\ehome\ehtray.exe
      C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
      C:\WINDOWS\stsystra.exe
      C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      C:\WINDOWS\eHome\ehmsas.exe
      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
      C:\Program Files\Real\RealPlayer\RealPlay.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\Program Files\McAfee.com\VSO\oasclnt.exe
      C:\PROGRA~1\mcafee.com\agent\mcagent.exe
      C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
      C:\Program Files\McAfee.com\VSO\mcvsshld.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      c:\progra~1\mcafee.com\vso\mcvsescn.exe
      C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Dell Support\DSAgnt.exe
      C:\Program Files\PeerGuardian2\pg2.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\BitTorrent\bittorrent.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\Digital Line Detect\DLG.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      C:\Program Files\My Book\WD Backup\uBBMonitor.exe
      C:\Program Files\blueyonder IST\bin\mpbtn.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
      C:\Program Files\Hijackthis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
      O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
      O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
      O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
      O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
      O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
      O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
      O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
      O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
      O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
      O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
      O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
      O4 - Global Startup: Digital Line Detect.lnk = ?
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
      O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
      O16 - DPF: {33331111-1111-1111-1111-611111193423} -
      O16 - DPF: {33331111-1111-1111-1111-611111193429} -
      O16 - DPF: {33331111-1111-1111-1111-615111193427} -
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
      O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
      O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

      Thank you very much for your assistance again.

      Kind Regards,

      MSNewby
    • Trogan London, UK
      edited February 2007
      Hi MSnewby! Thanks for the logs.

      Please do the following...

      1. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

      Updating Java:
      • Download the latest version of Java Runtime Environment (JRE) 6.
      • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
      • Click the "Download" button to the right.
      • Check the box that says: "Accept License Agreement."
      • The page will refresh.
      • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
      • Close any programs you may have running - especially your web browser.
      • Go to Start > Control Panel, double-click on Add/Remove Programs and remove the following...
        • Java 2 Runtime Environment, SE v1.4.2_03
      • Reboot your computer once all Java components are removed.
      • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
      2. Open HijackThis
      - Click the Do a system scan only button
      - Check the following entries (below)

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway

      O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

      O16 - DPF: {33331111-1111-1111-1111-611111193423} -
      O16 - DPF: {33331111-1111-1111-1111-611111193429} -
      O16 - DPF: {33331111-1111-1111-1111-615111193427} -


      - Close ALL open windows (especially Internet Explorer!)
      - Click Fix Checked
      - Close HijackThis

      3. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
      This program is for XP and Windows 2000 only!

      Double-click ATF Cleaner.exe to open it.

      Under Main select the following:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      *The other boxes are optional*
      Then click the Empty Selected button.

      Click Exit on the Main menu to close the program.

      4. You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

      Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
      http://www.ewido.net/en/download/
      • Install AVG Anti-Spyware by double clicking the installer.
      • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
      • On the main screen under Your Computer's security:
        • Click on Change state next to Resident shield. It should now change to inactive.
        • Click on Change state next to Automatic updates. It should now change to inactive.
        • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
        • Wait until you see the Update successful message.
      • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
      • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
      If you are having problems with the updater, you can use this link to manually update ewido.
      AVG Anti-Spyware manual updates.
      Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

      Reboot your computer in Safe Mode.
      • If the computer is running, shut down Windows, and then turn off the power.
      • Wait 30 seconds, and then turn the computer on.
      • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
      • Ensure that the Safe Mode option is selected.
      • Press Enter. The computer then begins to start in Safe mode.
      • Log in on your usual account.
      Once in Safe Mode:

      Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
      • Click on Scanner on the toolbar.
      • Click on the Settings tab.
        • Under How to act?
          • Click on Recommended Action and choose Quarantine from the popup menu.
        • Under How to scan?
          • All checkboxes should be ticked.
        • Under Possibly unwanted software:
          • All checkboxes should be ticked.
        • Under Reports:
          • Select Automatically generate report after every scan and uncheck Only if threats were found.
        • Under What to scan?
          • Select Scan every file.
      • Click on the Scan tab.
      • Click on Complete System Scan to start the scan process.
      • Let the program scan the machine.
      • When the scan has finished, follow the instructions below.
        IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
        • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
        • At the bottom of the window click on the Apply all Actions button. (3)
      • When done, click the Save Scan Report button. (4)
        • Click the Save Report as button.
        • Save the report to your Desktop.
      • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
      Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.
    • edited February 2007
      Hi Trogan,

      Here is the information requested. When I ran the AVG Anti-Spyware scan only two objects were found and I was unable to Quarantine one of them as it was not given as an option. The other one I did quarantine.
      AVG Anti-Spyware - Scan Report

      + Created at: 14:17:00 06/02/2007

      + Scan result:



      C:\WINDOWS\system32\vbsys.dll_old -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\vbsys2.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hamish\Cookies\hamish@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.


      ::Report end



      Logfile of HijackThis v1.99.1
      Scan saved at 12:45:48, on 06/02/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.5730.0011)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
      c:\program files\mcafee.com\agent\mcdetect.exe
      c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
      C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
      C:\WINDOWS\system32\HPZipm12.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\ehome\ehtray.exe
      C:\WINDOWS\stsystra.exe
      C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
      C:\Program Files\Real\RealPlayer\RealPlay.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\Program Files\McAfee.com\VSO\oasclnt.exe
      C:\PROGRA~1\mcafee.com\agent\mcagent.exe
      C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
      C:\Program Files\McAfee.com\VSO\mcvsshld.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Dell Support\DSAgnt.exe
      C:\Program Files\PeerGuardian2\pg2.exe
      C:\WINDOWS\system32\ctfmon.exe
      c:\progra~1\mcafee.com\vso\mcvsescn.exe
      C:\Program Files\BitTorrent\bittorrent.exe
      C:\WINDOWS\eHome\ehmsas.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\Digital Line Detect\DLG.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\My Book\WD Backup\uBBMonitor.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
      C:\Program Files\blueyonder IST\bin\mpbtn.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
      C:\WINDOWS\system32\msiexec.exe
      C:\Program Files\Hijackthis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
      O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
      O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
      O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
      O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
      O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
      O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
      O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
      O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
      O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
      O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
      O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
      O4 - Global Startup: Digital Line Detect.lnk = ?
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
      O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
      O16 - DPF: {33331111-1111-1111-1111-611111193423} -
      O16 - DPF: {33331111-1111-1111-1111-611111193429} -
      O16 - DPF: {33331111-1111-1111-1111-615111193427} -
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
      O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
      O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

      Thank you once again for your great assistance!

      Kind regards,

      MSnewby
    • Trogan London, UK
      edited February 2007
      Hi MSnewby!

      Could you go back into Safe Mode and try removing the HijackThis entries listed in my previous post.

      Once that is done, reboot back into Normal Mode and post a new HijackThis log. Let me know how things are too.
    • edited February 2007
      Hi Trogan,

      Ok..Hijack file done as requested, please see attached below.

      The situation seems to be unchanged. After I attempt to open My Documents an error message pops up saying that windows explorer must close. If I ignore this I then get the Dr Watson Message and the computer freezes.

      Also, in safe mode I noticed that at the Windows start screen there is an extra Administrator account that is not present during a normal start (i.e. non-safe mode). I don't know whether this is significant. Maybe a total renewal of the OS is unavoidable.

      Thank you for all your help again!!

      Kind regards,

      MSnewby.


      Logfile of HijackThis v1.99.1
      Scan saved at 23:17:06, on 06/02/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.5730.0011)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Hijackthis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
      O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
      O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
      O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
      O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
      O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
      O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
      O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
      O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
      O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
      O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
      O4 - Global Startup: Digital Line Detect.lnk = ?
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
      O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
      O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
      O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    • Trogan London, UK
      edited February 2007
      Hi MSnewby!

      Your HijackThis log is clean and we have eliminated any evidence of infection. You can run a new Kaspersky online scan and post the log back here.

      I believe this is a Windows problem. The infection we removed with SDFix may have played a part in this, but there is no way to tell.

      Do you have a Windows CD? Could you post a screenshot of the errors you receive?
      Also, in safe mode I noticed that at the Windows start screen there is an extra Administrator account that is not present during a normal start (i.e. non-safe mode). I don't know whether this is significant. Maybe a total renewal of the OS is unavoidable.
      That is perfectly normal.
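The before/after comparison behind "your HijackThis log is clean" can be done mechanically. The following is an added example, not part of the thread or of HijackThis: it parses entry lines, compares two logs against the list of checked entries, and reports what was removed, what is new, and which remaining entries still point at missing files. Function names are hypothetical; the sample logs are short excerpts of the logs posted above, and paths are compared case-insensitively because the same McAfee path appears with different drive-letter case in the two logs.

```python
import re

# A HijackThis entry line: section code (R0, O2, O16, O23, ...), " - ", detail.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)?\s*$")
# An O16 entry with neither an object name nor a download URL after the CLSID.
EMPTY_DPF_RE = re.compile(r"^dpf: \{[0-9a-f-]+\} -$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Map a case-folded (section, detail) key to the entry as displayed.

    Header lines and the "Running processes" paths do not match ENTRY_RE
    and are ignored. Windows paths are case-insensitive, so keys are folded.
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            detail = " ".join((m.group(2) or "").split())
            entries[(m.group(1), detail.casefold())] = f"{m.group(1)} - {detail}"
    return entries


def is_orphaned(key):
    """True when an entry references a file or download source that is absent."""
    section, detail = key
    if section == "O16" and EMPTY_DPF_RE.match(detail):
        return True
    return detail.endswith(ORPHAN_MARKERS)


def compare_logs(before_text, after_text, fix_text):
    """Compare two logs against the list of entries that were to be fixed."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    fix = parse_entries(fix_text)
    return {
        "fixed": sorted(before[k] for k in fix if k in before and k not in after),
        "still_present": sorted(after[k] for k in fix if k in after),
        "new": sorted(after[k] for k in after if k not in before),
        # Candidates for review only, not verdicts.
        "orphaned_remaining": sorted(after[k] for k in after if is_orphaned(k)),
    }


# Entries the helper asked to be checked (copied from the post above).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
"""

# Excerpt of the log saved at 12:45:48 on 06/02/2007.
LOG_BEFORE = FIX_LIST + r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Excerpt of the log saved at 23:17:06 on 06/02/2007.
LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    for label, items in compare_logs(LOG_BEFORE, LOG_AFTER, FIX_LIST).items():
        print(f"{label} ({len(items)})")
        for item in items:
            print("   ", item)
```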
    • edited February 2007
      Hi Trogan,

      The Kaspersky scan located a problem, see below. I also am unsure as to what Windows CD you mean? (I really am computer illiterate!) I will check as this is a one year old Dell, and I got a bunch of discs with it.

      KASPERSKY ONLINE SCANNER REPORT
      Wednesday, February 07, 2007 11:39:42 PM
      Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
      Kaspersky Online Scanner version: 5.0.83.0
      Kaspersky Anti-Virus database last update: 8/02/2007
      Kaspersky Anti-Virus database records: 265910

      Scan Settings:
      Scan using the following antivirus database: extended
      Scan Archives: true
      Scan Mail Bases: true

      Scan Target - Critical Areas:
      C:\WINDOWS
      C:\DOCUME~1\Hamish\LOCALS~1\Temp\

      Scan Statistics:
      Total number of scanned objects: 24353
      Number of viruses found: 1
      Number of infected objects: 1 / 0
      Number of suspicious objects: 0
      Duration of the scan process: 00:20:09

      Infected Object Name / Virus Name / Last Action
      C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
      C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
      C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D2AC2CD4-A2A6-415D-BDBA-C7B92C7D01A4}.crmlog Object is locked skipped
      C:\WINDOWS\SchedLgU.Txt Object is locked skipped
      C:\WINDOWS\SoftwareDistribution\EventCache\{D8157928-6762-4930-83DF-A86915B6A0C9}.bin Object is locked skipped
      C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
      C:\WINDOWS\Sti_Trace.log Object is locked skipped
      C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
      C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
      C:\WINDOWS\system32\config\default.LOG Object is locked skipped
      C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
      C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
      C:\WINDOWS\system32\config\SAM Object is locked skipped
      C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
      C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
      C:\WINDOWS\system32\config\SECURITY Object is locked skipped
      C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
      C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
      C:\WINDOWS\system32\config\software.LOG Object is locked skipped
      C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
      C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
      C:\WINDOWS\system32\config\system.LOG Object is locked skipped
      C:\WINDOWS\system32\h323log.txt Object is locked skipped
      C:\WINDOWS\system32\sbrhojcg.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
      C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
      C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
      C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
      C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
      C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
      C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
      C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
      C:\WINDOWS\wiadebug.log Object is locked skipped
      C:\WINDOWS\wiaservc.log Object is locked skipped
      C:\WINDOWS\WindowsUpdate.log Object is locked skipped
      C:\DOCUME~1\Hamish\LOCALS~1\Temp\fla7EF.tmp Object is locked skipped
      C:\DOCUME~1\Hamish\LOCALS~1\Temp\hpodvd09.log Object is locked skipped
      C:\DOCUME~1\Hamish\LOCALS~1\Temp\~DF6235.tmp Object is locked skipped
      C:\DOCUME~1\Hamish\LOCALS~1\Temp\~DF6242.tmp Object is locked skipped

      Scan process completed.

      Thank you again for your patience and perseverance!

      Kind regards,

      MSnewby
    • Trogan London, UK
      edited February 2007
      Hi MSnewby,

      Kaspersky found one new problem, which we will deal with now.

      Run HijackThis and click on Open the Misc Tools section.
      Click on Delete a file on reboot...
      Copy and paste the following into the "File name:" text box and then click Open:

      C:\WINDOWS\system32\sbrhojcg.exe

      When you are asked "Do you want to restart your computer now?", click OK.

      Your PC MUST reboot to delete the file!

      Can I look at one more log, please?
      • Download this file to your Desktop - combofix.exe
      • Double click combofix.exe & follow the prompts.
      • When finished, it shall produce a log for you. Post that log in your next reply.
        • Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      Also, your McAfee software. Is it still receiving updates/got a subscription?
    • edited February 2007
      Hi Trogan,

      I deleted the file and below is the combofix report. As far as McAfee is concerned I have a current subscription to their service which ends in Oct 2007. I was also wondering if you could answer this...I backed up my hard drive to WD back up drive prior to sorting out this problem. Is it likely that the information I saved will be corrupted? If so, if I import data from the drive will it corrupt my cleaned machine???

      Thanks again
      MSnewby
      Hamish" - 07-02-08 19:59:02 Service Pack 2
      ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Hamish\Desktop"

      ((((((((((((((((((((((((((((((( Files Created from 2007-01-08 to 2007-02-08 ))))))))))))))))))))))))))))))))))


      2007-02-06 12:51 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
      2007-02-06 12:51 <DIR> d C:\Program Files\Grisoft
      2007-02-03 14:04 <DIR> d----c--- C:\SDFix
      2007-02-01 20:42 <DIR> d C:\Program Files\Hijackthis
      2007-02-01 18:21 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
      2007-02-01 17:01 <DIR> d C:\WINDOWS\system32\ActiveScan
      2007-02-01 16:58 <DIR> d C:\Program Files\SpywareBlaster
      2007-02-01 16:29 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
      2007-02-01 16:25 <DIR> d C:\Program Files\Lavasoft
      2007-02-01 16:19 <DIR> d C:\DOCUME~1\Hamish\Application Data\Lavasoft
      2007-02-01 14:05 <DIR> d C:\DOCUME~1\Clean\Application Data\McAfee.com Personal Firewall
      2007-02-01 14:05 <DIR> d C:\DOCUME~1\Clean\Application Data\ArcSoft
      2007-02-01 14:05 <DIR> d C:\DOCUME~1\Clean\Application Data\Adobe
      2007-02-01 14:04 1,310,720 --ah C:\DOCUME~1\Clean\NTUSER.DAT
      2007-02-01 14:04 <DIR> d--h C:\DOCUME~1\Clean\Application Data\Gtek
      2007-02-01 14:04 <DIR> d C:\DOCUME~1\Clean\Application Data\You've Got Pictures Screensaver
      2007-02-01 14:04 <DIR> d C:\DOCUME~1\Clean\Application Data\Sun
      2007-02-01 14:04 <DIR> d C:\DOCUME~1\Clean\Application Data\Corel
      2007-01-27 22:49 21,504 --a C:\WINDOWS\system32\hidserv.dll
      2007-01-27 14:27 <DIR> d C:\Program Files\Makayama.com
      2007-01-24 10:50 <DIR> d C:\Program Files\dvdXsoft
      2007-01-22 20:50 <DIR> d C:\Program Files\iTunes
      2007-01-22 20:50 <DIR> d C:\Program Files\iPod
      2007-01-22 13:08 <DIR> d C:\WINDOWS\ie7updates


      (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


      2007-02-06 12:44 d C:\Program Files\java
      2007-02-01 23:11 d C:\Program Files\jals
      2007-02-01 18:01 d C:\Program Files\quicktime
      2007-02-01 18:00 d C:\Program Files\peerguardian2
      2007-02-01 17:38 d C:\Program Files\digital line detect
      2007-02-01 17:38 d C:\Program Files\dell support
      2007-02-01 17:36 d C:\Program Files\bittorrent
      2007-01-23 02:35 d C:\DOCUME~1\Hamish\Application Data\bittorrent
      2007-01-22 20:47 d C:\Program Files\apple software update
      2007-01-04 23:02 d C:\Program Files\microsoft games
      2006-12-28 17:37 d C:\DOCUME~1\Hamish\Application Data\adobe
      2006-12-28 17:33 d C:\Program Files\Common Files\adobe
      2006-12-15 11:05 d C:\DOCUME~1\Hamish\Application Data\apple computer
      2006-12-13 23:52 d--h C:\Program Files\installshield installation information
      2006-12-13 16:10 d C:\DOCUME~1\Hamish\Application Data\arcsoft
      2006-12-13 16:09 d C:\Program Files\my book
      2006-12-13 16:09 d C:\Program Files\Common Files\arcsoft
      2006-12-13 16:08 d---s---- C:\DOCUME~1\Hamish\Application Data\microsoft
      2006-12-13 16:08 d C:\Program Files\western digital technologies
      2006-12-11 17:16 d C:\DOCUME~1\Hamish\Application Data\.bittorrent
      2006-12-11 17:03 d C:\Program Files\msxml 4.0
      2006-12-11 15:24 d C:\DOCUME~1\Hamish\Application Data\mcafee.com personal firewall
      2006-12-11 15:15 0 -rahsc--- C:\MSDOS.SYS
      2006-12-11 15:15 0 -rahsc--- C:\IO.SYS
      2006-12-11 14:38 d C:\Program Files\hp
      2006-12-11 14:38 d C:\Program Files\Common Files\hp
      2006-12-11 14:32 32783 --a C:\DOCUME~1\Hamish\Application Data\patchupdate_hp_counterreport_update_hpsu.log
      2006-12-11 14:32 2087 --a C:\DOCUME~1\Hamish\Application Data\hpsu_48bitscanupdate.log
      2006-12-11 14:25 96494 --a C:\DOCUME~1\Hamish\Application Data\update_hp_redboxhprblog_hpsu.log
      2006-12-11 14:25 139264 --a C:\WINDOWS\system32\hpzjrd01.dll
      2006-12-11 14:23 d C:\DOCUME~1\Hamish\Application Data\btl
      2006-12-11 14:18 d C:\Program Files\divx
      2006-12-11 14:18 d C:\DOCUME~1\Application Data\skype
      2006-12-07 04:14 2330624 --a C:\WINDOWS\system32\wmvcore.dll
      2006-11-08 05:06 679424 --a C:\WINDOWS\system32\inetcomm.dll


      (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

      *Note* empty entries & legit default entries are not shown

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
      "DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
      "PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
      "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
      "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
      "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
      "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
      "SigmatelSysTrayApp"="stsystra.exe"
      "IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
      "ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
      "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
      "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
      "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
      "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
      "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
      "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
      "MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
      "MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
      "MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
      "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
      "MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
      "NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
      "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
      "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
      "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
      "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
      "Installed"="1"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
      "Installed"="1"
      "NoChange"="1"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
      "Installed"="1"


      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
      "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
      63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
      6d,73,73,74,79,6c,65,73,00
      "InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
      73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
      "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
      HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
      LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
      NetworkService REG_MULTI_SZ DnsCache\0\0
      DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
      rpcss REG_MULTI_SZ RpcSs\0\0
      imgsvc REG_MULTI_SZ StiSvc\0\0
      termsvcs REG_MULTI_SZ TermService\0\0


      [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
      Shell\AutoRun\command D:\stub.exe

      [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
      Shell\AutoRun\command E:\setup.exe
      *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_PGFILTER


      Contents of the 'Scheduled Tasks' folder
      C:\WINDOWS\tasks\AppleSoftwareUpdate.job
      C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (D8GTJ12J-Ritchie).job


      ********************************************************************

      catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
      http://www.gmer.net

      scanning hidden processes ...

      scanning hidden services ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden processes: 0
      hidden services: 0
      hidden files: 0

      ********************************************************************

      Completion time: 07-02-08 20:00:06
      C:\ComboFix2.txt ... 07-02-08 19:40
    • Trogan London, UK
      edited February 2007
      Hi MSnewby!

      The ComboFix log is clean.

      The Dr Watson Postmortem Debugger error message is unlikely to be malware related. Have a look here to see which "Debugging" problem you have.

      I also suggest starting a thread in the Windows Forum, where you can receive help with this problem. Point back to this thread so they know what has happened, malware-wise.
      "I was also wondering if you could answer this...I backed up my hard drive to WD back up drive prior to sorting out this problem. Is it likely that the information I saved will be corrupted? If so, if I import data from the drive will it corrupt my cleaned machine???"
      You would get a better answer in the Windows Forum.

      Good luck! :)
    • Trogan London, UK
      edited February 2007
      Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

      Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, then please start a new topic in the Spyware & Virus Removal Forum.

      If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

      Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
      If you are not the user who started this thread, you must start a new Thread instead :)
    This discussion has been closed.