I have been Jacked

collcoll Ireland
edited April 2008 in Spyware & Virus Removal
Hi All,

I hope someone can help. After using the internet, I found my desktop was acting funny, i.e. blinking on and off. So I ran all the scans and still it was acting up. It's so bad I can't open any programs. I'm sending this log from my work laptop, because I can't get onto the net. Here is my log. PS: I uninstalled my COMODO Firewall Pro for a few hours and then this all happened. Also, when I tried to use System Restore, it was reset and I could not go backwards.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 11:05:47, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Hjack This\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bitcomet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serial99.com/?a
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NavigationEnhancer - {391C0909-C026-3B63-FFDB-93FFF4E81675} - C:\Program Files\NavigationEnhancer\NavigationEnhancer-2.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8BE84D8E-9577-493B-B270-A6A2B062A211} - C:\WINDOWS\system32\khfFYPIy.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\cbXRhFxy.dll
O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - (no file)
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0A5EC01-1625-4F65-8CB7-7FD9F101995C}: NameServer = 192.168.10.1
O20 - Winlogon Notify: cbXRhFxy - C:\WINDOWS\SYSTEM32\cbXRhFxy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
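
The log above registers the same unsigned DLL names in more than one autostart location: an O2 BHO reported as "(no name)" and an O20 Winlogon Notify entry both point at cbXRhFxy.dll in system32, and a second unnamed system32 BHO (khfFYPIy.dll) sits beside it. As an added example that is not part of this thread and not a HijackThis feature, the Python below parses lines in the HijackThis format and applies two defender-side triage checks: a BHO with no name loading from the Windows system directory, and one file registered under more than one autostart section. The sample input is a subset of the log lines posted above; the section-code mapping and the two heuristics are this example's own assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BE84D8E-9577-493B-B270-A6A2B062A211} - C:\WINDOWS\system32\khfFYPIy.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\cbXRhFxy.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: cbXRhFxy - C:\WINDOWS\SYSTEM32\cbXRhFxy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

# Section codes that load code at logon or browser start. Assumption: this
# mapping is the example's own shorthand, not a table taken from HijackThis.
AUTOSTART_CODES = {
    "O2": "Browser Helper Object",
    "O4": "Run key",
    "O20": "Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad",
}

ENTRY_RE = re.compile(r"^(?P<code>[ROF]\d+) - (?P<rest>.+)$")
# First Windows path ending in an executable/library extension; quotes excluded
# so a quoted Run-key command line yields just the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|sys|ocx)', re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def parse_hjt(text):
    """Split HijackThis lines into {code, label, path} records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        label = rest.split(" - ")[0].strip()   # e.g. "BHO: (no name)"
        pm = PATH_RE.search(rest)
        entries.append({
            "code": m.group("code"),
            "label": label,
            "path": pm.group(0) if pm else None,
        })
    return entries


def file_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Return {lower-case file name: set(reasons)} for entries worth a closer look."""
    sections_by_file = defaultdict(set)
    for e in entries:
        if e["path"] and e["code"] in AUTOSTART_CODES:
            sections_by_file[file_name(e["path"])].add(e["code"])

    findings = {}
    for e in entries:
        if not e["path"]:
            continue
        name = file_name(e["path"])
        reasons = set()
        # Heuristic 1: a BHO that reports no name yet loads from the system directory.
        if e["code"] == "O2" and "(no name)" in e["label"] and SYSTEM_DIR_RE.search(e["path"]):
            reasons.add("unnamed BHO loading from system32")
        # Heuristic 2: one file registered under several autostart sections.
        if len(sections_by_file[name]) >= 2:
            reasons.add("same DLL registered in " + ", ".join(sorted(sections_by_file[name])))
        if reasons:
            findings.setdefault(name, set()).update(reasons)
    return findings


def report(findings):
    """One line per flagged file, reasons joined with semicolons."""
    return "\n".join(
        f"{name}: " + "; ".join(sorted(findings[name])) for name in sorted(findings)
    )


if __name__ == "__main__":
    # Pass a saved HijackThis log as the first argument to triage a real log.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print(report(triage(parse_hjt(text))))
```

Against the embedded sample the two unnamed system32 BHOs are flagged and cbXRhFxy.dll additionally shows as registered under both O2 and O20, while the Spybot SDHelper.dll (also "(no name)", but under Program Files) and WgaLogon.dll (one section only) are left alone. The point of the second heuristic is that it needs no signature: it only correlates names the log already contains.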

Comments

  • edited April 2008
    Hello coll,

    There is some serious infection showing here, but the security software you have there is going to be as tough to work around as the infection will be to remove. You will need to do your very best in making sure eTrust and Comodo and its BOClean are all completely disabled when doing any of the repair steps coming up.

    As for Iolo's System Mechanic Professional, undo whatever changes you have allowed it to make as far as blocking or security issues, and then also shut it down completely. Please leave it disabled until all repairs are completed. As is, I am not sure this software, with all you have there, will prove to be beneficial in the long run, and it may make the wrong changes to the wrong items if it hasn't already.


    Once you have gotten all that disabled/changed let's get a more detailed look and then make repairs from that.


    Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Options, place a check next to the following:

    Backup Registry Hives

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)

    You can use extra posts here if needed for that.
  • collcoll Ireland
    edited April 2008
    Thanks Thomas, for responding promptly. You were not joking when you said that it's going to be as tough to work around. Each time I move the mouse over an icon the desktop goes blank. I fully uninstalled Iolo's System Mechanic Professional & BOClean; it was easier. I will reinstall them later if that is OK?

    OK, here are the two logs you asked for.

    Deckard's System Scanner v20071014.68
    Run by Colm Sharkey on 2008-04-28 19:38:36
    Computer is in Normal Mode.

    Backed up registry hives.



    -- HijackThis (run as Colm Sharkey.exe)

    Unable to find log (file not found); running clone.
    -- HijackThis Clone


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-04-28 19:39:41
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\cavrid.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Works\WkDStore.exe
    C:\Documents and Settings\Colm Sharkey\Desktop\dss.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\WINDOWS\system32\imapi.exe
    C:\WINDOWS\explorer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bitcomet.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serial99.com/?a
    F0 - win.ini: run=
    F3 - REG:win.ini: Run=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NavigationEnhancer - {391C0909-C026-3B63-FFDB-93FFF4E81675} - C:\Program Files\NavigationEnhancer\NavigationEnhancer-2.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {73F2C5D2-09BC-486A-822F-9A82502E7019} - C:\WINDOWS\system32\khfFYPIy.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\cbXRhFxy.dll
    O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - (no file)
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &Search - ?p=ZKfox000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/fhg.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{F0A5EC01-1625-4F65-8CB7-7FD9F101995C}: NameServer = 192.168.10.1
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O20 - Winlogon Notify: cbXRhFxy - C:\WINDOWS\system32\cbXRhFxy.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
    O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe


    --
    End of file - 9044 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\HJACKT~1\backups\)

    backup-20070502-165833-420 O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    backup-20070704-201700-773 O2 - BHO: (no name) - {E6280729-9251-41D7-BC1C-572C9548C962} - C:\WINDOWS\system32\HPI4.dll (file missing)
    backup-20070705-202844-728 O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\iehelper3.dll

    -- File Associations

    .js - JSFile - shell\open\command - NOTEPAD.EXE %1
    .scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"
    .txt - txtfile - shell\open\command - C:\WINDOWS\NOTEPAD.EXE %1
    .vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 PzWDM - c:\windows\system32\drivers\pzwdm.sys <Not Verified; Prassi Technology; PzWDM>
    R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
    R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
    R3 Cap7134 (Philips Cap7134 Capture) - c:\windows\system32\drivers\cap7134.sys <Not Verified; Philips Semiconductors; Philips cap7134>
    R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
    R3 PhTVTune (Philips WDM TVTuner) - c:\windows\system32\drivers\phtvtune.sys <Not Verified; Philips Semiconductors; Philips TVTuner WDM Driver>

    S3 BOCDRIVE (BOClean Kernel Monitor.) - c:\program files\comodo\cboclean\bocdrive.sys (file missing)
    S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>
    S3 usbsermptxp (Motorola USB Modem Driver for MPT XP) - c:\windows\system32\drivers\usbsermptxp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S2 KService - "c:\program files\kservice\kservice.exe" <Not Verified; Kontiki Inc.; Delivery Manager>
    S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
    S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\A54B99E01800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\A54B99E01800
    Service: NIC1394


    -- Scheduled Tasks

    2008-04-28 19:29:17 330 --ah C:\WINDOWS\Tasks\MP Scheduled Scan.job


    -- Files created between 2008-03-28 and 2008-04-28

    2008-04-27 01:04:03 0 d--hs---- C:\INCINERATE
    2008-04-25 22:03:48 202501 --ahs---- C:\WINDOWS\system32\yIPYFfhk.ini2
    2008-04-25 22:03:20 281088 --a C:\WINDOWS\system32\khfFYPIy.dll
    2008-04-25 09:42:00 0 d C:\Program Files\PFConfig
    2008-04-24 19:02:56 97024 --a C:\WINDOWS\system32\xxyaaaya.dll
    2008-04-24 18:58:15 0 d C:\WINDOWS\vbSkinner
    2008-04-24 18:57:49 39936 --a C:\WINDOWS\system32\cbXRhFxy.dll
    2008-04-18 18:11:08 7864320 --a C:\Documents and Settings\Colm Sharkey\ntuser.dat
    2008-04-12 16:50:27 2048 n--- C:\WINDOWS\system32\drivers\rt73.bin
    2008-04-05 01:00:07 0 d C:\Documents and Settings\Colm Sharkey\Application Data\Mp3tag
    2008-04-05 00:59:44 0 d C:\Program Files\Mp3tag
    2008-04-05 00:52:49 0 d C:\Documents and Settings\Colm Sharkey\Application Data\gtk-2.0
    2008-04-04 18:19:39 0 d C:\GTK
    2008-04-04 14:17:07 2560 --a C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
    2008-04-04 00:04:34 0 d-a C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-03 21:13:04 0 d C:\Program Files\FBrowsingAdvisor
    2008-04-03 21:13:02 0 d C:\Program Files\FBrowserAdvisor
    2008-04-03 21:12:57 0 d C:\Program Files\NavigationEnhancer
    2008-04-03 21:12:43 0 d C:\Program Files\PlayMP3z
    2008-04-02 22:18:17 0 d C:\Program Files\VirtualDJ
    2008-03-31 22:25:48 823296 --a C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 22:25:48 823296 --a C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 22:25:46 802816 --a C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 22:25:46 831488 --a C:\WINDOWS\system32\divx_xx0a.dll
    2008-03-31 22:25:46 682496 --a C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 21:47:47 0 d C:\Program Files\AtomixMP3


    -- Find3M Report

    2008-04-28 19:39:40 0 d C:\Program Files\Hjack This
    2008-04-28 19:36:22 39464 --a C:\Documents and Settings\Colm Sharkey\Application Data\wklnhst.dat
    2008-04-28 19:26:30 8405015 --a C:\WINDOWS\TempFile
    2008-04-28 10:51:58 0 d C:\Program Files\iolo
    2008-04-27 12:30:01 0 d C:\Program Files\SpywareBlaster
    2008-04-27 01:16:10 0 d C:\Program Files\Comodo
    2008-04-23 21:50:24 0 d C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-23 21:47:07 0 d C:\Program Files\ALDI Photo Service
    2008-04-23 21:45:23 0 d C:\Program Files\Investintech.com Inc
    2008-04-23 20:08:25 0 d C:\Program Files\Mozilla Thunderbird
    2008-04-23 20:08:25 0 d C:\Program Files\COED11
    2008-04-23 03:00:45 0 d C:\Program Files\BitComet
    2008-04-20 13:07:45 0 d C:\Program Files\DivX
    2008-04-15 16:08:14 3154 --a C:\Documents and Settings\Colm Sharkey\Application Data\SAS7_000.DAT
    2008-04-12 16:51:35 0 d--h C:\Program Files\InstallShield Installation Information
    2008-04-02 22:17:07 0 d C:\Program Files\AviSynth 2.5
    2008-04-02 22:15:24 0 d C:\Program Files\Gabest
    2008-04-02 21:08:16 0 d C:\Documents and Settings\Colm Sharkey\Application Data\iolo
    2008-04-02 21:07:04 0 d C:\Program Files\Avery Wizard 3.1
    2008-04-02 21:01:43 540 --a C:\Documents and Settings\Colm Sharkey\Application Data\AutoGK.ini
    2008-03-21 21:30:08 3596288 --a C:\WINDOWS\system32\qt-dx331.dll
    2008-03-21 21:28:54 196608 --a C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2008-03-21 21:28:54 81920 --a C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2008-03-21 21:28:20 12288 --a C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-03-15 21:06:39 0 d C:\Program Files\MediaMonkey
    2008-03-15 21:06:29 0 d C:\Program Files\Ares Destiny
    2008-03-13 16:44:04 0 d C:\Documents and Settings\Colm Sharkey\Application Data\U3
    2008-02-29 20:57:36 43698 --a C:\WINDOWS\system32\xvid-uninstall.exe
    2008-02-29 20:44:47 0 d C:\Program Files\Intertech DVD Converter
    2008-02-06 12:56:08 1080 --a C:\WINDOWS\AUTOLNCH.REG


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{391C0909-C026-3B63-FFDB-93FFF4E81675}]
    30/12/2007 21:48 1019904 --a C:\Program Files\NavigationEnhancer\NavigationEnhancer-2.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73F2C5D2-09BC-486A-822F-9A82502E7019}]
    25/04/2008 22:03 281088 --a C:\WINDOWS\system32\khfFYPIy.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}]
    24/04/2008 18:57 39936 --a C:\WINDOWS\system32\cbXRhFxy.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [30/04/2007 10:36]
    "AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 09:06 C:\WINDOWS\AGRSMMSG.exe]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [10/06/2003 00:11]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
    "cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [31/08/2007 19:15]
    "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [16/10/2006 21:12]
    "AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [16/10/2006 21:17]
    "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [16/10/2006 21:13]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [16/02/2005 16:15]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [16/02/2005 16:15]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [27/04/2008 01:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{F50B3F5E-856E-4757-9BB1-B35D46CA7719}"= C:\WINDOWS\system32\cbXRhFxy.dll [24/04/2008 18:57 39936]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRhFxy]
    cbXRhFxy.dll 24/04/2008 18:57 39936 C:\WINDOWS\system32\cbXRhFxy.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\khfFYPIy

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TV Remote Control.lnk]
    backup=C:\WINDOWS\pss\TV Remote Control.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Colm Sharkey^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Colm Sharkey\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Colm Sharkey^Start Menu^Programs^Startup^palmOne Registration.lnk]
    backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Photo Service]
    "C:\Program Files\ALDI Photo Service\ALDI_Photo_Service\FotoSuite.exe" /autorun

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
    "C:\Program Files\BitComet\BitComet.exe" /tray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
    C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR Agent]
    C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
    "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "AlcxMonitor"=ALCXMNTR.EXE
    "BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    "EPSON Stylus Photo R240 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63f361f4-ac90-11db-919b-00112fa6711c}]
    AutoRun\command- D:\LaunchU3.exe




    -- End of Deckard's System Scanner: finished at 2008-04-28 19:41:02

    EXTRA TEXT

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: AMD Athlon(tm) 64 Processor 3200+
    Percentage of Memory in Use: 53%
    Physical Memory (total/avail): 511.48 MiB / 238.77 MiB
    Pagefile Memory (total/avail): 1247.13 MiB / 951.79 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1932.48 MiB

    C: is Fixed (NTFS) - 49.68 GiB total, 32.62 GiB free.
    D: is Removable (FAT)
    E: is Fixed (NTFS) - 99.37 GiB total, 68.89 GiB free.
    I: is Removable (No Media)
    J: is Removable (No Media)
    K: is Removable (No Media)
    L: is Removable (No Media)
    M: is Removable (No Media)
    N: is CDROM (No Media)
    O: is CDROM (No Media)
    P: is Fixed (NTFS) - 465.76 GiB total, 122.95 GiB free.

    \\.\PHYSICALDRIVE0 - WDC WD1600BB-22GUA0 - 149.05 GiB - 2 partitions
    \PARTITION0 (bootable) - Installable File System - 49.68 GiB - C:
    \PARTITION1 - Extended w/Extended Int 13 - 99.37 GiB - E:

    \\.\PHYSICALDRIVE6 - EPSON Stylus Storage USB Device

    \\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

    \\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

    \\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

    \\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

    \\.\PHYSICALDRIVE5 - SAMSUNG HD501LJ USB Device - 465.76 GiB - 1 partition
    \PARTITION0 - Installable File System - 465.76 GiB - P:

    \\.\PHYSICALDRIVE7 - Ut163 USB2FlashStorage USB Device - 478.5 MiB - 1 partition
    \PARTITION0 (bootable) - MS-DOS V4 Huge - 481.98 MiB - D:



    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.

    FW: COMODO Firewall Pro v2.3.035 (COMODO) Disabled
    AV: CA Anti-Virus v8.4.0.24 (CA, Inc.)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Colm Sharkey\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=COLM
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Colm Sharkey
    LOGONSERVER=\\COLM
    MIGO_DRIVE=Q
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0c00
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\COLMSH~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\COLMSH~1\LOCALS~1\Temp
    USERDOMAIN=COLM
    USERNAME=Colm Sharkey
    USERPROFILE=C:\Documents and Settings\Colm Sharkey
    windir=C:\WINDOWS


    -- User Profiles

    Colm Sharkey (admin)
    Hilary (admin)


    -- Add/Remove Programs

    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
    --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
    --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
    --> C:\WINDOWS\UNRecode.exe /UNINSTALL
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Able2Extract v4.0 --> C:\Program Files\Investintech.com Inc\Able2Extract 4.0\Uninstal.exe
    Acronis*True*Image*Home --> MsiExec.exe /X{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}
    Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
    Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
    Adobe Digital Editions --> C:\Documents and Settings\Colm Sharkey\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions2x0\digitaleditions2x0.exe -uninstall
    Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
    Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
    Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
    Adobe Reader for Palm OS, 3.05 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu" -c"C:\Program Files\Adobe\Adobe Reader for Palm OS\unpdf.dll"
    Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
    Agere Systems PCI Soft Modem --> agrsmdel
    ALDI Photo Manager (free) 4.1.1.200 (UK) --> C:\Program Files\ALDI Photo Service\ALDI_Photo_Manager_Free\instslct.exe /p
    AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
    Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
    AutoCAD 2005 - English --> MsiExec.exe /I{5783F2D7-0301-0409-0002-0060B0CE6BBA}
    Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
    Avanquest update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
    Avery Wizard 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{EB7A2041-6A16-4BAC-8079-43B985673C2C}
    AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    AVI & MPEG Splitter 1.48 --> "C:\Program Files\AVI MPEG Splitter\unins000.exe"
    AVI/MPEG/RM/WMV Joiner 4.11 --> "C:\Program Files\AVI MPEG RM WMV Joiner\unins000.exe"
    Bink and Smacker --> C:\PROGRA~1\RADVideo\UNWISE.EXE C:\PROGRA~1\RADVideo\INSTALL.LOG
    BitComet 1.00 --> C:\Program Files\BitComet\uninst.exe
    Blaze Media Pro --> "C:\Documents and Settings\Colm Sharkey\Application Data\{FBDA53F5-763E-4114-A576-612E9769C133}\setup_blazemp.exe" REMOVE=TRUE MODIFY=FALSE
    CA Anti-Virus --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u /product=av
    Canon Utilities PhotoStitch 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F11A403B-0DE9-4953-B790-7A2F014FBB2B}
    Canon Utilities RemoteCapture 2.7 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{AB3AC39D-9915-435D-ACC4-9881E75326BC}
    CloneCD --> "C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
    CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
    COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
    Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
    Concise Oxford English Dictionary (Eleventh Edition) --> C:\Program Files\COED11\Uninstal.exe
    DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    Documents To Go --> MsiExec.exe /X{BDFE199D-E889-4BB6-BECB-C4BDF5700849}
    Dragon NaturallySpeaking 9 --> MsiExec.exe /I{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}
    DustBuster XP --> MsiExec.exe /I{7BEF8E43-094D-4C07-9684-EAEBE79BFA04}
    DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
    Easy Video Joiner 5.21 --> "C:\Program Files\Easy Video Joiner\unins000.exe"
    EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
    EssentialPIM --> C:\Program Files\EssentialPIM\uninstall.exe
    FBrowsingAdvisor --> "C:\Program Files\FBrowsingAdvisor\unins000.exe"
    GetDataBack for NTFS --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Runtime Software\GetDataBack for NTFS\DeIsL1.isu" -c"C:\Program Files\Runtime Software\GetDataBack for NTFS\_ISREG32.DLL"
    getPlus(R)_dll --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSd.INF, DefaultUninstall
    HijackThis 1.99.1 --> C:\Program Files\Hjack This\HijackThis.exe /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    HP PrecisionScan LTX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\HPUninstallIs.dll"
    ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
    Intertech DVD Converter v2.1 - Trial Version --> "C:\Program Files\Intertech DVD Converter\unins000.exe"
    InterVideo MP3 XPack --> "C:\Program Files\InstallShield Installation Information\{99755640-9633-11D5-AB3C-0050DAB311CC}\setup.exe" REMOVEALL
    iTunes --> MsiExec.exe /I{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}
    Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
    K-Lite Mega Codec Pack 1.53 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
    LimeWire PRO 4.9.20 --> "C:\Program Files\LimeWire\uninstall.exe"
    Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
    Magic Video Converter Trial Version (English) 8.0.2.18 --> "C:\Program Files\Magic Video Converter\unins000.exe"
    MediaFACE 4.01 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{41979C2F-34B8-4F92-8111-B13C5864682D} /l1033
    MediaFACE 4.01 Image Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{82AF77BC-423D-42DA-BE5B-FFCA04752181} /l1033
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
    Microsoft Picture It! Photo Standard 9 --> C:\WINDOWS\system32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0903}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Works --> MsiExec.exe /I{B9966F27-9678-4620-9579-925E3084647E}
    Microsoft Works 2004 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2004\Setup\Launcher.exe /ARP N:\
    Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{33BEE6F3-9987-4F98-A069-97A64EC8321A}
    Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
    Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
    Mozilla Thunderbird (2.0.0.9) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
    Mp3tag v2.40 --> C:\Program Files\Mp3tag\Mp3tagUninstall.EXE
    MpcStar 2.2 --> C:\Program Files\MpcStar\uninst.exe
    NavigationEnhancer --> C:\Program Files\NavigationEnhancer\uninstall.exe
    Nero 6 Ultra Edition --> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
    Nero 7 Ultra Edition --> MsiExec.exe /I{FC98FBE9-E931-494C-8717-497185371033}
    Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
    palmOne --> MsiExec.exe /X{FF8157AA-F640-45BD-B7C2-BAA1016B267A}
    PConPoint v3.5 --> "C:\Program Files\PConPoint\unins000.exe"
    PFConfig 1.0.193 --> C:\Program Files\PFConfig\uninst.exe
    Philips TeleText --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{70FDCCEE-E169-47DB-9D2A-2EF70377910E}\Setup.exe" -l0x9 -uninst
    Philips TV713X WDM Drivers --> C:\WINDOWS\p3xunist.exe
    Photo Viewer 2.3 --> "C:\Program Files\Photo Viewer\uninstall.exe"
    PlayMP3z --> C:\Program Files\PlayMP3z\uninstall.exe
    PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
    PowerQuest PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
    PVR Plus --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B893587-00A8-4A4E-83F0-8AFA7BFC7C1A}\setup.exe" -l0x9
    QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    Tevion TV713X Utilities --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{477AB148-138C-46D2-820B-0DBFA744CEE8}\Setup.exe" -l0x9 -uninst
    Virtual DJ - Atomix Productions --> C:\PROGRA~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\VIRTUA~1\INSTALL.LOG
    Win2PDF 3.10 --> "C:\WINDOWS\system32\spool\drivers\w32x86\3\Win2PDF\unins000.exe"
    WinAVI VideoConverter --> "C:\Program Files\WinAVI VideoConverter\unins000.exe"
    Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    XviD MPEG4 Video Codec (remove only) --> "C:\WINDOWS\system32\xvid-uninstall.exe"


    -- Application Event Log

    Event Record #/Type3664 / Error
    Event Submitted/Written: 04/27/2008 02:30:36 AM
    Event ID/Source: 5000 / MPSampleSubmission
    Event Description:
    EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

    Event Record #/Type3645 / Error
    Event Submitted/Written: 04/27/2008 01:23:35 AM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Faulting application cpfupdat.exe, version 2.4.0.5, faulting module unknown, version 0.0.0.0, fault address 0x00d36a83.
    Processing media-specific event for [cpfupdat.exe!ws!]

    Event Record #/Type3617 / Error
    Event Submitted/Written: 04/25/2008 10:10:18 PM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Faulting application firefox.exe, version 1.8.20080.40413, faulting module khffypiy.dll, version 0.0.0.0, fault address 0x00054ebd.
    Processing media-specific event for [firefox.exe!ws!]

    Event Record #/Type3616 / Error
    Event Submitted/Written: 04/25/2008 10:07:43 PM
    Event ID/Source: 1001 / Application Error
    Event Description:
    Fault bucket 738208514.
    The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

    Event Record #/Type3615 / Error
    Event Submitted/Written: 04/25/2008 10:07:24 PM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Faulting application firefox.exe, version 1.8.20080.40413, faulting module khffypiy.dll, version 0.0.0.0, fault address 0x00054ebd.
    Processing media-specific event for [firefox.exe!ws!]



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type4457 / Error
    Event Submitted/Written: 04/28/2008 07:26:49 PM
    Event ID/Source: 7023 / Service Control Manager
    Event Description:
    The KService service terminated with the following error:
    %%2147500037

    Event Record #/Type4445 / Error
    Event Submitted/Written: 04/28/2008 11:12:51 AM
    Event ID/Source: 7023 / Service Control Manager
    Event Description:
    The KService service terminated with the following error:
    %%2147500037

    Event Record #/Type4428 / Error
    Event Submitted/Written: 04/28/2008 10:52:36 AM
    Event ID/Source: 7023 / Service Control Manager
    Event Description:
    The KService service terminated with the following error:
    %%2147500037

    Event Record #/Type4424 / Error
    Event Submitted/Written: 04/28/2008 10:51:18 AM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
    in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Event Record #/Type4423 / Error
    Event Submitted/Written: 04/28/2008 10:48:51 AM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
    in order to run the server:
    {E60687F7-01A1-40AA-86AC-DB1CBF673334}



    -- End of Deckard's System Scanner: finished at 2008-04-28 19:41:02
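The three autostart locations in the log above (ShellExecuteHooks, Winlogon\Notify and the LSA "Authentication Packages" list) are the hook points this infection uses to load its DLLs into Explorer, winlogon and lsass, and the Application log shows one of the same DLLs (khffypiy.dll) crashing Firefox. The script below is an added example for triaging a pasted DSS-style dump; it is not part of the thread and not code from DSS, HijackThis or SDFix. Its sample input is an excerpt of the lines already posted above, and its allowlists (shell32.dll as the only stock ShellExecuteHooks handler, msv1_0 as the only stock authentication package) and its random-name heuristic are assumptions tuned to what this particular log shows.

```python
"""Added triage example for the DSS autostart dump above (not part of the
thread, DSS, HijackThis or SDFix).  It parses the registry-style sections,
flags the three persistence points abused here (ShellExecuteHooks,
Winlogon\\Notify, LSA "Authentication Packages") and ties Application-log
crash events back to the flagged DLLs."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the log lines posted above.
SAMPLE_LOG = r"""
Faulting application firefox.exe, version 1.8.20080.40413, faulting module khffypiy.dll, version 0.0.0.0, fault address 0x00054ebd.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F50B3F5E-856E-4757-9BB1-B35D46CA7719}"= C:\WINDOWS\system32\cbXRhFxy.dll [24/04/2008 18:57 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRhFxy]
cbXRhFxy.dll 24/04/2008 18:57 39936 C:\WINDOWS\system32\cbXRhFxy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\khfFYPIy

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DLL_RE = re.compile(r"[A-Za-z0-9_~-]+\.dll", re.IGNORECASE)
FAULT_RE = re.compile(r"faulting module ([^,]+),", re.IGNORECASE)

# Assumed allowlists: a stock XP install carries one ShellExecuteHooks handler
# (shell32's URL exec hook) and one authentication package (msv1_0).  Anything
# else is reviewed; a full path in the LSA list is never legitimate.
KNOWN_SHELLEXEC_DLLS = {"shell32.dll"}
KNOWN_AUTH_PACKAGES = {"msv1_0"}


def stem(name):
    """File name without directory or .dll suffix, case preserved."""
    return re.sub(r"\.dll$", "", name.rsplit("\\", 1)[-1], flags=re.IGNORECASE)


def looks_random(name):
    """Heuristic for the naming seen in this log: exactly 8 letters, jumbled case."""
    s = stem(name)
    if len(s) != 8 or not s.isalpha():
        return False
    flips = sum(1 for a, b in zip(s, s[1:]) if a.isupper() != b.isupper())
    return flips >= 2


def parse_sections(log):
    """Map each lower-cased registry key header to the non-empty lines under it."""
    sections, current = defaultdict(list), None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(log):
    """Return (severity, location, name) findings for the three hook points."""
    findings = []
    for key, lines in parse_sections(log).items():
        if key.endswith("\\explorer\\shellexecutehooks"):
            for line in lines:
                m = DLL_RE.search(line)
                if m and m.group(0).lower() not in KNOWN_SHELLEXEC_DLLS:
                    findings.append(("high", "ShellExecuteHooks", m.group(0)))
        elif "\\winlogon\\notify\\" in key:
            for line in lines:
                m = DLL_RE.search(line)
                if m and looks_random(m.group(0)):
                    findings.append(("high", "Winlogon\\Notify", m.group(0)))
        elif key.endswith("\\control\\lsa"):
            for line in lines:
                if not line.lower().startswith('"authentication packages"'):
                    continue
                for pkg in line.split("=", 1)[1].split():
                    if pkg.lower() in KNOWN_AUTH_PACKAGES:
                        continue
                    sev = "high" if "\\" in pkg or looks_random(pkg) else "review"
                    findings.append((sev, "LSA Authentication Packages", pkg))
    return findings


def crash_links(log, findings):
    """Stems of flagged files that also appear as the faulting module of a crash event."""
    flagged = {stem(name).lower() for _, _, name in findings}
    return {stem(m.group(1).strip()).lower() for m in FAULT_RE.finditer(log)} & flagged


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for sev, where, name in found:
        print(f"[{sev:6}] {where}: {name}")
    print("crashing modules among findings:", sorted(crash_links(SAMPLE_LOG, found)))
```

Run it over a whole pasted log rather than the excerpt. A "review" entry such as relog_ap is not a verdict, only something to look up; the pattern worth acting on is a full path under system32 in the LSA list, or one randomly named DLL registered in both ShellExecuteHooks and Winlogon\Notify, which is exactly what the MBAM log further down identifies as Trojan.Vundo.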
  • edited April 2008
Uninstalling will likely be helpful for overall repair success now, but be very sure that the CA software is disabled as well. As for reinstalling afterwards, that is surely your choice; since Iolo gives access to change areas of the registry without truly informing the user what the changes might do, it can be considered more like a registry mulcher than a method to make things better.


    Though the infection is still active we will let some tools that target some of what shows here clean now.

    Download SDFix.exe and save it to your desktop.

    Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.

    ===================================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

    =============================

    After the reboot reconnect to net access and Download Malwarebytes' Anti-Malware from Here or Here.

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

    ============================

    Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the MBAM log and the SDFix report.txt log please.
  • collcoll Ireland
    edited April 2008
    Thomas,

My CA was due to be renewed next week, so I uninstalled that too. I would also be very grateful if you could suggest a good security software, or will I just renew my CA?

    =========


    SDFix: Version 1.176
    Run by Colm Sharkey on 29/04/2008 at 09:46

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-29 09:52:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    IPC error: 2 The system cannot find the file specified.
    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd500551]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0009dd500551]

    scanning hidden registry entries ...

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{365B5D85-F7C6-8C36-44F9-D3AD2962D3DD}]
    "abpdckmdlbccoeelgjdliocklfnjbdkmod"=hex:68,62,63,62,64,6a,6f,65,67,6a,6f,64,64,67,65,6f,63,65,6b,67,61,..
    "bbpdckmdlbccoeelgjmlhmmmllcknanpmbdi"=hex:61,62,69,61,6a,63,69,6b,67,6b,6a,66,69,6a,69,63,6d,67,67,67,61,..

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Mon 20 Oct 2003 73,688 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"

    Finished!

    =========

    Malwarebytes' Anti-Malware 1.11
    Database version: 692

    Scan type: Quick Scan
    Objects scanned: 32602
    Time elapsed: 4 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 37
    Registry Values Infected: 3
    Registry Data Items Infected: 2
    Folders Infected: 14
    Files Infected: 21

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\khfFYPIy.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\cbXRhFxy.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3001f22d-c768-44ed-9ae3-570e7aecc237} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{3001f22d-c768-44ed-9ae3-570e7aecc237} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxrhfxy (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\iehelper3.iehelperop (Spyware-Logger.Unknown) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hpi3.hpi2 (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hpi4.hpi2 (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\playmp3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khffypiy -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khffypiy -> Delete on reboot.

    Folders Infected:
    C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Program Files\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Program Files\ShoppingReport\Bin\2.0.26 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    C:\Program Files\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Start Menu\Programs\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\khfFYPIy.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\yIPYFfhk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yIPYFfhk.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cbXRhFxy.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xxyaaaya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temporary Internet Files\Content.IE5\58SCOAA4\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
    C:\Program Files\PlayMP3z\uninstall.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Colm Sharkey\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

    ===============

    Deckard's System Scanner v20071014.68
    Run by Colm Sharkey on 2008-04-29 10:16:50
    Computer is in Normal Mode.



    -- HijackThis (run as Colm Sharkey.exe)

    Logfile of HijackThis v1.99.1
    Scan saved at 10:16:54, on 29/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Colm Sharkey\desktop\dss.exe
    C:\PROGRA~1\HJACKT~1\COLMSH~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bitcomet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serial99.com/?a
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NavigationEnhancer - {391C0909-C026-3B63-FFDB-93FFF4E81675} - C:\Program Files\NavigationEnhancer\NavigationEnhancer-2.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - (no file)
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &Search - ?p=ZKfox000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0A5EC01-1625-4F65-8CB7-7FD9F101995C}: NameServer = 192.168.10.1
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    -- HijackThis Fixed Entries (C:\PROGRA~1\HJACKT~1\backups\)

    backup-20070502-165833-420 O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    backup-20070704-201700-773 O2 - BHO: (no name) - {E6280729-9251-41D7-BC1C-572C9548C962} - C:\WINDOWS\system32\HPI4.dll (file missing)
    backup-20070705-202844-728 O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\iehelper3.dll

    -- File Associations

    .js - JSFile - shell\open\command - NOTEPAD.EXE %1
    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"
    .vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 PzWDM - c:\windows\system32\drivers\pzwdm.sys <Not Verified; Prassi Technology; PzWDM>
    R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
    R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
    R3 Cap7134 (Philips Cap7134 Capture) - c:\windows\system32\drivers\cap7134.sys <Not Verified; Philips Semiconductors; Philips cap7134>
    R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
    R3 PhTVTune (Philips WDM TVTuner) - c:\windows\system32\drivers\phtvtune.sys <Not Verified; Philips Semiconductors; Philips TVTuner WDM Driver>

    S3 BOCDRIVE (BOClean Kernel Monitor.) - c:\program files\comodo\cboclean\bocdrive.sys (file missing)
    S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>
    S3 catchme - c:\docume~1\colmsh~1\locals~1\temp\catchme.sys (file missing)
    S3 usbsermptxp (Motorola USB Modem Driver for MPT XP) - c:\windows\system32\drivers\usbsermptxp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S2 KService - "c:\program files\kservice\kservice.exe" <Not Verified; Kontiki Inc.; Delivery Manager>
    S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
    S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\A54B99E01800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\A54B99E01800
    Service: NIC1394


    -- Scheduled Tasks

    2008-04-29 10:05:44 330 --ah
    C:\WINDOWS\Tasks\MP Scheduled Scan.job


    -- Files created between 2008-03-29 and 2008-04-29

    2008-04-29 10:05:58 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\Malwarebytes
    2008-04-29 10:05:43 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-29 10:05:43 0 d
    C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-29 09:41:32 0 d
    C:\WINDOWS\ERUNT
    2008-04-27 01:04:03 0 d--hs---- C:\INCINERATE
    2008-04-25 22:03:20 281088
    n--- C:\WINDOWS\system32\khfFYPIy.dll
    2008-04-25 09:42:00 0 d
    C:\Program Files\PFConfig
    2008-04-24 18:58:15 0 d
    C:\WINDOWS\vbSkinner
    2008-04-24 18:57:49 39936
    n--- C:\WINDOWS\system32\cbXRhFxy.dll
    2008-04-18 18:11:08 7864320 --a
    C:\Documents and Settings\Colm Sharkey\ntuser.dat
    2008-04-12 16:50:27 2048
    n--- C:\WINDOWS\system32\drivers\rt73.bin
    2008-04-05 01:00:07 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\Mp3tag
    2008-04-05 00:59:44 0 d
    C:\Program Files\Mp3tag
    2008-04-05 00:52:49 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\gtk-2.0
    2008-04-04 18:19:39 0 d
    C:\GTK
    2008-04-04 14:17:07 2560 --a
    C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
    2008-04-04 00:04:34 0 d-a
    C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-03 21:12:57 0 d
    C:\Program Files\NavigationEnhancer
    2008-04-02 22:18:17 0 d
    C:\Program Files\VirtualDJ
    2008-03-31 22:25:48 823296 --a
    C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 22:25:48 823296 --a
    C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 22:25:46 802816 --a
    C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
    2008-03-31 22:25:46 831488 --a
    C:\WINDOWS\system32\divx_xx0a.dll
    2008-03-31 22:25:46 682496 --a
    C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 21:47:47 0 d
    C:\Program Files\AtomixMP3


    -- Find3M Report

    2008-04-29 10:16:54 0 d
    C:\Program Files\Hjack This
    2008-04-29 10:15:31 39464 --a
    C:\Documents and Settings\Colm Sharkey\Application Data\wklnhst.dat
    2008-04-29 10:14:29 8405015 --a
    C:\WINDOWS\TempFile
    2008-04-29 10:05:23 0 d
    C:\Program Files\Common Files\Download Manager
    2008-04-28 10:51:58 0 d
    C:\Program Files\iolo
    2008-04-27 12:30:01 0 d
    C:\Program Files\SpywareBlaster
    2008-04-27 01:16:10 0 d
    C:\Program Files\Comodo
    2008-04-23 21:50:24 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-23 21:47:07 0 d
    C:\Program Files\ALDI Photo Service
    2008-04-23 21:45:23 0 d
    C:\Program Files\Investintech.com Inc
    2008-04-23 20:08:25 0 d
    C:\Program Files\Mozilla Thunderbird
    2008-04-23 20:08:25 0 d
    C:\Program Files\COED11
    2008-04-23 03:00:45 0 d
    C:\Program Files\BitComet
    2008-04-20 13:07:45 0 d
    C:\Program Files\DivX
    2008-04-15 16:08:14 3154 --a
    C:\Documents and Settings\Colm Sharkey\Application Data\SAS7_000.DAT
    2008-04-12 16:51:35 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-04-02 22:17:07 0 d
    C:\Program Files\AviSynth 2.5
    2008-04-02 22:15:24 0 d
    C:\Program Files\Gabest
    2008-04-02 21:08:16 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo
    2008-04-02 21:07:04 0 d
    C:\Program Files\Avery Wizard 3.1
    2008-04-02 21:01:43 540 --a
    C:\Documents and Settings\Colm Sharkey\Application Data\AutoGK.ini
    2008-03-21 21:30:08 3596288 --a
    C:\WINDOWS\system32\qt-dx331.dll
    2008-03-21 21:28:54 196608 --a
    C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2008-03-21 21:28:54 81920 --a
    C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2008-03-21 21:28:20 12288 --a
    C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-03-15 21:06:39 0 d
    C:\Program Files\MediaMonkey
    2008-03-15 21:06:29 0 d
    C:\Program Files\Ares Destiny
    2008-03-13 16:44:04 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\U3
    2008-02-29 20:57:36 43698 --a
    C:\WINDOWS\system32\xvid-uninstall.exe
    2008-02-29 20:44:47 0 d
    C:\Program Files\Intertech DVD Converter
    2008-02-06 12:56:08 1080 --a
    C:\WINDOWS\AUTOLNCH.REG


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{391C0909-C026-3B63-FFDB-93FFF4E81675}]
    30/12/2007 21:48 1019904 --a
    C:\Program Files\NavigationEnhancer\NavigationEnhancer-2.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 09:06 C:\WINDOWS\AGRSMMSG.exe]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [10/06/2003 00:11]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
    "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [16/10/2006 21:12]
    "AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [16/10/2006 21:17]
    "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [16/10/2006 21:13]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [16/02/2005 16:15]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [16/02/2005 16:15]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [27/04/2008 01:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TV Remote Control.lnk]
    backup=C:\WINDOWS\pss\TV Remote Control.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Colm Sharkey^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Colm Sharkey\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Colm Sharkey^Start Menu^Programs^Startup^palmOne Registration.lnk]
    backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Photo Service]
    "C:\Program Files\ALDI Photo Service\ALDI_Photo_Service\FotoSuite.exe" /autorun

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
    "C:\Program Files\BitComet\BitComet.exe" /tray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
    C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR Agent]
    C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
    "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "AlcxMonitor"=ALCXMNTR.EXE
    "BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    "EPSON Stylus Photo R240 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63f361f4-ac90-11db-919b-00112fa6711c}]
    AutoRun\command- D:\LaunchU3.exe




    -- End of Deckard's System Scanner: finished at 2008-04-29 10:17:14


    Thanks

    Coll
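The Malwarebytes log above lists the Vundo DLL name (khffypiy) in the LSA "Authentication Packages" value and marks it "Delete on reboot". LSA loads every name in that value as system32\<name>.dll inside lsass.exe at boot, so the file is in use for as long as Windows is running and can only be removed after a restart. The script below is an added example, not code from this thread or from any of the tools named in it: it decodes the REG_MULTI_SZ (hex(7)) values from a `reg export` of the Lsa key and reports any package outside a baseline, which is how you would confirm from an offline registry dump that this persistence entry is gone. The sample .reg text is constructed (it mirrors what the log reports, not a real export), and the baseline (msv1_0 for Authentication Packages, scecli for Notification Packages, as on a default XP workstation) and all function names are assumptions for the example.

```python
import re

# Constructed sample, not a real export: what
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg
# would produce with the Authentication Packages value as the Malwarebytes log
# reported it (msv1_0 followed by the Vundo DLL name).  hex(7) is REG_MULTI_SZ:
# UTF-16LE strings, each NUL-terminated, with one extra NUL at the end.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,6b,00,\
  68,00,66,00,66,00,79,00,70,00,69,00,79,00,00,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumed baseline for a default Windows XP workstation; extend it for servers or
# third-party credential providers before trusting a "clean" result.
BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<hex>[0-9a-fA-F,]*)$')


def _join_continuations(text):
    """Undo the trailing ',\\' line wrapping reg.exe uses for long hex values."""
    lines, pending = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith(",\\"):
            pending += piece[:-1]
            continue
        lines.append(pending + piece)
        pending = ""
    return lines


def parse_multi_sz_values(text):
    """Map lower-cased key path -> {value name: [strings]} for every hex(7) value."""
    result, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry paths are case-insensitive
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            raw = bytes(int(b, 16) for b in m.group("hex").split(",") if b)
            strings = [s for s in raw.decode("utf-16-le").split("\x00") if s]
            result[current][m.group("name")] = strings
    return result


def audit_lsa_packages(text, baseline=BASELINE):
    """Return (value name, package) pairs under the Lsa key not in the baseline.

    LSA loads each listed name as %SystemRoot%\\system32\\<name>.dll inside
    lsass.exe at boot, which is why such a DLL stays locked while Windows runs
    and why a scanner can only schedule it for deletion on reboot.
    """
    values = parse_multi_sz_values(text).get(LSA_KEY.lower(), {})
    return [
        (value_name, pkg)
        for value_name, expected in baseline.items()
        for pkg in values.get(value_name, [])
        if pkg.lower() not in expected
    ]


if __name__ == "__main__":
    for value_name, pkg in audit_lsa_packages(SAMPLE_REG):
        print(f"{value_name}: unexpected package {pkg!r} -> check system32\\{pkg}.dll")
```

Run it against a real export taken after the reboot: an empty result for Authentication Packages means the name is gone from the value, which is the check that matters, since the DLL itself may already have been moved or quarantined while the registry reference lingers and makes lsass.exe try to load it at every boot.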
  • edited April 2008
    Improved, and some more to go, then we'll check after.


    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serial99.com/?a
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: NavigationEnhancer - {391C0909-C026-3B63-FFDB-93FFF4E81675} - C:\Program Files\NavigationEnhancer\NavigationEnhancer-2.dll
    O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present



    Download OTMoveIt2 by OldTimer to your desktop.

    Then click OTMoveIt2.exe to run it (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator").

    Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or right-click and choose Copy):
    C:\WINDOWS\system32\khfFYPIy.dll
    C:\WINDOWS\system32\cbXRhFxy.dll
    C:\Program Files\NavigationEnhancer
    

    Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".


    Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".


    Then, still making sure dss.exe is directly on your desktop, go to Start - Run and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens, click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed, a textbox will appear; copy/paste its contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder.)

    Post that along with the OTMoveIt log and the Kaspersky log please.
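The reply above picks seven HijackThis lines to fix: a non-default start page, two emptied Local Page values, a BHO nobody recognises, a toolbar entry whose file is gone, and two IE policy keys. That selection can be approximated mechanically with a triage pass over the log. The script below is an added example, not part of this thread or of HijackThis; its sample lines are copied from the log earlier in the thread, and the allowlists (TRUSTED_PAGE_HOSTS, KNOWN_GOOD_CLSIDS, KNOWN_GOOD_NOTIFY_DLLS) are assumptions an analyst would maintain, not anything the page supplies. It also covers O20 Winlogon Notify entries, a persistence point Vundo uses, of which this log shows only a legitimate instance (WgaLogon).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bitcomet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serial99.com/?a
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NavigationEnhancer - {391C0909-C026-3B63-FFDB-93FFF4E81675} - C:\Program Files\NavigationEnhancer\NavigationEnhancer-2.dll
O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Assumptions, not from the page: what this analyst treats as known-good.
TRUSTED_PAGE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.google.com"}
KNOWN_GOOD_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe PDF Reader Link Helper
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper
    "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}",  # Sun Java SSVHelper
}
KNOWN_GOOD_NOTIFY_DLLS = {"wgalogon.dll"}
PAGE_VALUES = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL", "SearchURL"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def _check_r(body):
    """R0/R1 lines: IE start/search pages and the Local Page value."""
    m = R_RE.match(body)
    if not m:
        return None
    name, value = m.group("name"), m.group("value").strip()
    if name == "Local Page" and not value:
        return "Local Page value emptied; reset to the IE default"
    if name in PAGE_VALUES:
        host = urlsplit(value).hostname or ""
        if host not in TRUSTED_PAGE_HOSTS:
            return f"IE {name} points at untrusted host {host!r}"
    return None


def triage(log_text):
    """Return [(line, reason)] for HijackThis entries an analyst should review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1"):
            reason = _check_r(body)
        elif code in ("O2", "O3", "O9"):
            if "(no file)" in body or "(file missing)" in body:
                reason = "entry points at a missing file (orphaned registration)"
            elif code == "O2":
                clsid = CLSID_RE.search(body)
                if clsid is None or clsid.group(0).upper() not in KNOWN_GOOD_CLSIDS:
                    reason = "BHO not on allowlist; verify publisher and file"
        elif code == "O6":
            reason = "IE policy restriction present; usually set by hijackers"
        elif code == "O20":
            dll = body.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_GOOD_NOTIFY_DLLS:
                reason = "Winlogon Notify DLL not on allowlist (Vundo-style persistence point)"
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_HJT):
        print(f"{reason}\n    {line}")
```

The output is a review list, not a fix list: the HKCU start page set to google.bitcomet.com is reported too, because the host is not on the allowlist, while the reply above left it alone since it came with BitComet. Tuning the allowlists, and deciding what actually goes under "Fix Checked", stays with the analyst.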
  • collcoll Ireland
    edited April 2008
    Thomas,

    Here are the logs you asked for

    LoadLibrary failed for C:\WINDOWS\system32\khfFYPIy.dll
    C:\WINDOWS\system32\khfFYPIy.dll NOT unregistered.
    C:\WINDOWS\system32\khfFYPIy.dll moved successfully.
    LoadLibrary failed for C:\WINDOWS\system32\cbXRhFxy.dll
    C:\WINDOWS\system32\cbXRhFxy.dll NOT unregistered.
    C:\WINDOWS\system32\cbXRhFxy.dll moved successfully.
    C:\Program Files\NavigationEnhancer moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04292008_172416

    ====================

    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, April 29, 2008 7:30:18 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 28/04/2008
    Kaspersky Anti-Virus database records: 729027

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    I:\
    J:\
    K:\
    L:\
    M:\
    N:\
    O:\
    P:\

    Scan Statistics:
    Total number of scanned objects: 78437
    Number of viruses found: 22
    Number of infected objects: 87
    Number of suspicious objects: 0
    Duration of the scan process: 01:28:45

    Infected Object Name / Virus Name / Last Action
    C:\D2\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\12eb7ad9fa32b65e65afa36b23e411b4_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1dfc3ab224b53f6aed64c5428d703ace_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2b4de064124d264dc2f45db124933848_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2f2d56e85b320e653cd490d59534e2a2_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\348a34b31822cc68afbb0af3ade1f806_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\36f922a045d8f27c80e803e006b7a26b_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\37d685697359925adf40f2924392f0b5_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3cf0d53722df2b78e3bca153a236d71c_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\464a0e7233b77d10fb8b5390cc549677_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\46bc100066384d2527482e157d9607be_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\566214c40f9d1abe070d4898386373f8_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\57ce3c0e4d817dc55c6211f01163b270_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\59cd672f0ae1d7ff67b0d44f91657bfb_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5dcaf1aae8d36016579fab19839c2641_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5ddc77b2eb18e1143f6c54b1bf56e852_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f6e29493e06a7706cc82e43d1b20013_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\71e698e3000e0c16b1f667d1a0659506_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7fc1e4dadae2288bf4908ed74301fc19_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b21b2dae7e62d121cda842eb0133cfca_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b2617c3f3473febaa06df89a92a7a11f_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b6ceb26a6e29d8753e026bb1caa86ffc_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c305656cfa8dcda9d03f266ead4d14c1_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d9e20d7e58fc71a43707a0b2c26b40c6_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f17b5162db2952ba4b07abd9280867ad_c45aee67-82f2-49af-831d-e17e050dc968 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03042007-122116.log Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{1EF34E6D-22B7-470A-B641-C5136C3D7C81}/{1EF34E6D-22B7-470A-B641-C5136C3D7C81} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{1EF34E6D-22B7-470A-B641-C5136C3D7C81} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{4B93427D-5E37-4CB5-8B27-725AC4EB037B}/{4B93427D-5E37-4CB5-8B27-725AC4EB037B} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{4B93427D-5E37-4CB5-8B27-725AC4EB037B} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{4CB16144-3EB3-4770-A5FB-5838A5537969}/{4CB16144-3EB3-4770-A5FB-5838A5537969} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{4CB16144-3EB3-4770-A5FB-5838A5537969} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{4FDC98EE-0500-4DF1-85E2-FB082251F32C}/{4FDC98EE-0500-4DF1-85E2-FB082251F32C} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{4FDC98EE-0500-4DF1-85E2-FB082251F32C} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{5DB31357-D925-4E0A-8FB6-EFFDC93F0EF1}/{5DB31357-D925-4E0A-8FB6-EFFDC93F0EF1} Infected: Packed.Win32.Monder.gen skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{5DB31357-D925-4E0A-8FB6-EFFDC93F0EF1} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{7B12D55B-A034-4EB5-8E0D-0DDA6A943373}/{7B12D55B-A034-4EB5-8E0D-0DDA6A943373} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{7B12D55B-A034-4EB5-8E0D-0DDA6A943373} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{7B9CFB5D-0084-48E6-A24B-B827E4368740}/{7B9CFB5D-0084-48E6-A24B-B827E4368740} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{7B9CFB5D-0084-48E6-A24B-B827E4368740} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{8480C6C4-5926-4272-A82B-3EB317FD8E38}/{8480C6C4-5926-4272-A82B-3EB317FD8E38} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{8480C6C4-5926-4272-A82B-3EB317FD8E38} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{8BAB829F-FF5C-4DDA-A4B3-42CD4C4F44FE}/{8BAB829F-FF5C-4DDA-A4B3-42CD4C4F44FE} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{8BAB829F-FF5C-4DDA-A4B3-42CD4C4F44FE} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{8F17713E-E298-44D3-B188-A22CC621678F}/{8F17713E-E298-44D3-B188-A22CC621678F} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{8F17713E-E298-44D3-B188-A22CC621678F} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{9FB1934A-E5AC-432C-B0EC-A6D7F15F8322}/{9FB1934A-E5AC-432C-B0EC-A6D7F15F8322} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{9FB1934A-E5AC-432C-B0EC-A6D7F15F8322} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{BC69FB8F-8A50-40A9-B1C4-C43B3B03417C}/{BC69FB8F-8A50-40A9-B1C4-C43B3B03417C} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{BC69FB8F-8A50-40A9-B1C4-C43B3B03417C} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{CA3CB0A0-BFBF-4369-8C93-4080D6041B17}/{CA3CB0A0-BFBF-4369-8C93-4080D6041B17} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{CA3CB0A0-BFBF-4369-8C93-4080D6041B17} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{CB4AD3C4-BD94-42C4-88AE-5B2EDCB483DE}/{CB4AD3C4-BD94-42C4-88AE-5B2EDCB483DE} Infected: not-a-virus:AdWare.Win32.Virtumonde.qrd skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{CB4AD3C4-BD94-42C4-88AE-5B2EDCB483DE} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{E86B0D34-0C34-45EE-98DD-93889FCE1F3E}/{E86B0D34-0C34-45EE-98DD-93889FCE1F3E} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{E86B0D34-0C34-45EE-98DD-93889FCE1F3E} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{FE4C6114-379C-4DCC-8706-BC7127CE9023}/{FE4C6114-379C-4DCC-8706-BC7127CE9023} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{FE4C6114-379C-4DCC-8706-BC7127CE9023} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{FF533B74-1B3B-44C0-B2C7-E7303C11FC52}/{FF533B74-1B3B-44C0-B2C7-E7303C11FC52} Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo\SafetyNet\Manual\{347BD4D7-16CF-4AE6-8879-904DA47EF83E}\{FF533B74-1B3B-44C0-B2C7-E7303C11FC52} ZIP: infected - 1 skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\Microsoft\Word\AutoRecovery save of Document1.asd Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$ Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temp\~DF253C.tmp Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temp\~DF4C0F.tmp Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temp\~DF5B67.tmp Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temp\~DFDF14.tmp Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temp\~DFE030.tmp Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temp\~WRD0003.doc Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temporary Internet Files\Content.Word\~WRF0002.tmp Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Local Settings\Temporary Internet Files\Content.Word\~WRS0001.tmp Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Colm Sharkey\Shared\insomia.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Downloads\Nero 7 Premium Reloaded 7.7.5.1 (full) + Portable Nero 7.5.9.0\Nero-7.7.5.1_eng\Nero-7.7.5.1_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    C:\Downloads\Nero 7 Premium Reloaded 7.7.5.1 (full) + Portable Nero 7.5.9.0\Nero-7.7.5.1_eng\Nero-7.7.5.1_eng.exe RAR: infected - 1 skipped
    C:\Program Files\Microsoft Office\OFFICE11\STARTUP\azwzrd10.dot Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018901.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018902.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018904.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018906.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018907.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018908.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018909.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018910.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018911.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018912.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018913.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018914.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018915.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018916.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018917.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018919.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018920.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018921.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018922.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018923.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018924.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018925.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018926.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018927.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018928.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018929.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018930.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018931.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018933.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018934.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018936.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018938.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018939.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018940.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018942.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018943.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018944.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018945.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP214\A0018946.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP218\A0019092.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP218\A0019093.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP218\A0019094.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP230\A0021565.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP230\A0021565.exe CAB: infected - 1 skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP264\A0028718.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
    C:\System Volume Information\_restore{83767DCC-0C7A-4321-808C-10CE6692115E}\RP268\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ngenrootstorelock.dat Object is locked skipped
    C:\WINDOWS\Microsoft.NET\ngenservice_pri3_lock.dat Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{713E3099-53D9-4456-B113-28C8049756C3}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\TempFile Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    P:\RECYCLER\S-1-5-21-73586283-725345543-839522115-1003\Dp1.rar/PFConfig v1.0.163 working serial/PFCSetup1.0.163.exe/data0000.cab/is151840.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
    P:\RECYCLER\S-1-5-21-73586283-725345543-839522115-1003\Dp1.rar/PFConfig v1.0.163 working serial/PFCSetup1.0.163.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
    P:\RECYCLER\S-1-5-21-73586283-725345543-839522115-1003\Dp1.rar/PFConfig v1.0.163 working serial/PFCSetup1.0.163.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
    P:\RECYCLER\S-1-5-21-73586283-725345543-839522115-1003\Dp1.rar RAR: infected - 3 skipped
    P:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.

    ===================================

    Deckard's System Scanner v20071014.68
    Run by Colm Sharkey on 2008-04-29 19:31:55
    Computer is in Normal Mode.

    Performed disk cleanup.



    -- HijackThis (run as Colm Sharkey.exe)

    Logfile of HijackThis v1.99.1
    Scan saved at 19:32:06, on 29/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Microsoft Works\WkDStore.exe
    C:\Documents and Settings\Colm Sharkey\desktop\dss.exe
    C:\PROGRA~1\HJACKT~1\COLMSH~1.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bitcomet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &Search - ?p=ZKfox000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0A5EC01-1625-4F65-8CB7-7FD9F101995C}: NameServer = 192.168.10.1
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    -- HijackThis Fixed Entries (C:\PROGRA~1\HJACKT~1\backups\)

    backup-20070502-165833-420 O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    backup-20070704-201700-773 O2 - BHO: (no name) - {E6280729-9251-41D7-BC1C-572C9548C962} - C:\WINDOWS\system32\HPI4.dll (file missing)
    backup-20070705-202844-728 O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\iehelper3.dll
    backup-20080429-172116-132 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serial99.com/?a
    backup-20080429-172116-225 O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - (no file)
    backup-20080429-172116-236 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    backup-20080429-172116-314 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    backup-20080429-172116-411 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    backup-20080429-172116-516 O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    -- File Associations

    .js - JSFile - shell\open\command - NOTEPAD.EXE %1
    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"
    .vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 PzWDM - c:\windows\system32\drivers\pzwdm.sys <Not Verified; Prassi Technology; PzWDM>
    R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
    R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
    R3 Cap7134 (Philips Cap7134 Capture) - c:\windows\system32\drivers\cap7134.sys <Not Verified; Philips Semiconductors; Philips cap7134>
    R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
    R3 PhTVTune (Philips WDM TVTuner) - c:\windows\system32\drivers\phtvtune.sys <Not Verified; Philips Semiconductors; Philips TVTuner WDM Driver>

    S3 BOCDRIVE (BOClean Kernel Monitor.) - c:\program files\comodo\cboclean\bocdrive.sys (file missing)
    S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>
    S3 catchme - c:\docume~1\colmsh~1\locals~1\temp\catchme.sys (file missing)
    S3 usbsermptxp (Motorola USB Modem Driver for MPT XP) - c:\windows\system32\drivers\usbsermptxp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S2 KService - "c:\program files\kservice\kservice.exe" <Not Verified; Kontiki Inc.; Delivery Manager>
    S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
    S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\A54B99E01800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\A54B99E01800
    Service: NIC1394


    -- Scheduled Tasks

    2008-04-29 10:34:53 330 --ah
    C:\WINDOWS\Tasks\MP Scheduled Scan.job


    -- Files created between 2008-03-29 and 2008-04-29

    2008-04-29 17:31:58 0 d
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-29 17:31:57 0 d
    C:\WINDOWS\system32\Kaspersky Lab
    2008-04-29 17:31:56 0 d
    C:\WINDOWS\LastGood
    2008-04-29 10:05:58 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\Malwarebytes
    2008-04-29 10:05:43 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-29 10:05:43 0 d
    C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-29 09:41:32 0 d
    C:\WINDOWS\ERUNT
    2008-04-27 01:04:03 0 d--hs---- C:\INCINERATE
    2008-04-25 09:42:00 0 d
    C:\Program Files\PFConfig
    2008-04-24 18:58:15 0 d
    C:\WINDOWS\vbSkinner
    2008-04-18 18:11:08 7864320 --a
    C:\Documents and Settings\Colm Sharkey\ntuser.dat
    2008-04-12 16:50:27 2048
    n--- C:\WINDOWS\system32\drivers\rt73.bin
    2008-04-05 01:00:07 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\Mp3tag
    2008-04-05 00:59:44 0 d
    C:\Program Files\Mp3tag
    2008-04-05 00:52:49 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\gtk-2.0
    2008-04-04 18:19:39 0 d
    C:\GTK
    2008-04-04 14:17:07 2560 --a
    C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
    2008-04-04 00:04:34 0 d-a
    C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-02 22:18:17 0 d
    C:\Program Files\VirtualDJ
    2008-03-31 22:25:48 823296 --a
    C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 22:25:48 823296 --a
    C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 22:25:46 802816 --a
    C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 22:25:46 831488 --a
    C:\WINDOWS\system32\divx_xx0a.dll
    2008-03-31 22:25:46 682496 --a
    C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2008-03-31 21:47:47 0 d
    C:\Program Files\AtomixMP3


    -- Find3M Report

    2008-04-29 19:32:06 0 d
    C:\Program Files\Hjack This
    2008-04-29 17:46:00 39464 --a
    C:\Documents and Settings\Colm Sharkey\Application Data\wklnhst.dat
    2008-04-29 10:14:29 8405015 --a
    C:\WINDOWS\TempFile
    2008-04-29 10:05:23 0 d
    C:\Program Files\Common Files\Download Manager
    2008-04-28 10:51:58 0 d
    C:\Program Files\iolo
    2008-04-27 12:30:01 0 d
    C:\Program Files\SpywareBlaster
    2008-04-27 01:16:10 0 d
    C:\Program Files\Comodo
    2008-04-23 21:50:24 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-23 21:47:07 0 d
    C:\Program Files\ALDI Photo Service
    2008-04-23 21:45:23 0 d
    C:\Program Files\Investintech.com Inc
    2008-04-23 20:08:25 0 d
    C:\Program Files\Mozilla Thunderbird
    2008-04-23 20:08:25 0 d
    C:\Program Files\COED11
    2008-04-23 03:00:45 0 d
    C:\Program Files\BitComet
    2008-04-20 13:07:45 0 d
    C:\Program Files\DivX
    2008-04-15 16:08:14 3154 --a
    C:\Documents and Settings\Colm Sharkey\Application Data\SAS7_000.DAT
    2008-04-12 16:51:35 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-04-02 22:17:07 0 d
    C:\Program Files\AviSynth 2.5
    2008-04-02 22:15:24 0 d
    C:\Program Files\Gabest
    2008-04-02 21:08:16 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\iolo
    2008-04-02 21:07:04 0 d
    C:\Program Files\Avery Wizard 3.1
    2008-04-02 21:01:43 540 --a
    C:\Documents and Settings\Colm Sharkey\Application Data\AutoGK.ini
    2008-03-21 21:30:08 3596288 --a
    C:\WINDOWS\system32\qt-dx331.dll
    2008-03-21 21:28:54 196608 --a
    C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2008-03-21 21:28:54 81920 --a
    C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2008-03-21 21:28:20 12288 --a
    C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-03-15 21:06:39 0 d
    C:\Program Files\MediaMonkey
    2008-03-15 21:06:29 0 d
    C:\Program Files\Ares Destiny
    2008-03-13 16:44:04 0 d
    C:\Documents and Settings\Colm Sharkey\Application Data\U3
    2008-02-29 20:57:36 43698 --a
    C:\WINDOWS\system32\xvid-uninstall.exe
    2008-02-29 20:44:47 0 d
    C:\Program Files\Intertech DVD Converter
    2008-02-06 12:56:08 1080 --a
    C:\WINDOWS\AUTOLNCH.REG


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 09:06 C:\WINDOWS\AGRSMMSG.exe]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [10/06/2003 00:11]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
    "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [16/10/2006 21:12]
    "AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [16/10/2006 21:17]
    "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [16/10/2006 21:13]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [16/02/2005 16:15]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [16/02/2005 16:15]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [27/04/2008 01:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TV Remote Control.lnk]
    backup=C:\WINDOWS\pss\TV Remote Control.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Colm Sharkey^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Colm Sharkey\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Colm Sharkey^Start Menu^Programs^Startup^palmOne Registration.lnk]
    backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Photo Service]
    "C:\Program Files\ALDI Photo Service\ALDI_Photo_Service\FotoSuite.exe" /autorun

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
    "C:\Program Files\BitComet\BitComet.exe" /tray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
    C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR Agent]
    C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
    "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "AlcxMonitor"=ALCXMNTR.EXE
    "BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    "EPSON Stylus Photo R240 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63f361f4-ac90-11db-919b-00112fa6711c}]
    AutoRun\command- D:\LaunchU3.exe




    -- End of Deckard's System Scanner: finished at 2008-04-29 19:32:56

    Thanks Coll
  • edited April 2008
    Darn, coll:

    C:\Downloads\Nero 7 Premium Reloaded 7.7.5.1 (full) + Portable Nero 7.5.9.0\Nero-7.7.5.1_eng\Nero-7.7.5.1_eng.exe/Toolbar.exe
    > AdTool.Win32.MyWebSearch.bm skipped
    C:\Downloads\Nero 7 Premium Reloaded 7.7.5.1 (full) + Portable Nero 7.5.9.0\Nero-7.7.5.1_eng\Nero-7.7.5.1_eng.exe RAR: infected - 1

    A cracked copy of Nero, and the other infections indicate that it was installed as well. This means I cannot assist you any longer with repairs here - Icrontic forums do not assist those who steal or use illegally obtained software. Your system still has a complex and hidden infection remaining, and at this time I strongly suggest you reinstall and reformat the computer to remove all infection. I am ending assistance here now.