HJT Log, MSServer and dodgy DLLs

edited June 2008 in Spyware & Virus Removal
Hey there, I believe this is Vundo, but Norton's removal tool says my system isn't infected, so I'll leave it to you guys. I am also aware that SweetIM is probably dodgy, but this is my dad's laptop and it was his choice to download it. lol. Any help would be GREATLY appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:40:56, on 07/05/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Tooltip\VisualToolTip.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\igfxext.exe
C:\Users\GRAHAM\AppData\Local\Temp\RtkBtMnt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eread7.0\IEeREAD.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eread7.0\WebHook.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9F80E441-6946-483E-814C-59EA1F4BBB62} - C:\Windows\system32\efcaBTMe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\Windows Tooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\yayXOETj.dll,#1
O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11602 bytes
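As an added example (not code from this thread, from HijackThis or from any of the tools in the log), here is a small triage script run over O2/O4 lines copied from the log above. The heuristics are my own and hypothetical, not a published rule set: a Run value named with hex digits instead of a product name, rundll32 loading a DLL from system32 by ordinal or single-letter export, and a BHO with no name backed by a system32 DLL. Those are the traits shared by the MSServer, f02085f7 and BMf313b66b entries the poster is asking about. The checks only surface entries for a human to verify; they are not a verdict.

```python
import re
from dataclasses import dataclass, field

# O2/O4 entries copied from the HijackThis log posted above, with one benign
# BHO and two benign Run entries kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9F80E441-6946-483E-814C-59EA1F4BBB62} - C:\Windows\system32\efcaBTMe.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\yayXOETj.dll,#1
O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""


@dataclass
class Finding:
    section: str                               # "O2" or "O4"
    name: str                                  # BHO name or Run value name
    reasons: list = field(default_factory=list)  # why the entry was flagged


# HijackThis line shapes (hypothetical parser, written for this example).
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
# rundll32.exe <dll>,<export>; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r'\\system32\\', re.IGNORECASE)
# Run value names such as f02085f7 or BMf313b66b: hex digits, not a product name.
HEX_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')
# An ordinal (#1) or a single-letter export (b, s) is unusual for a legitimate autostart.
ODD_EXPORT_RE = re.compile(r'^(?:#\d+|[A-Za-z])$')


def check_run_value(name: str, cmd: str) -> list:
    """Heuristic checks for one O4 Run entry; returns the reasons it looks odd."""
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append("value name is a hex string rather than a product name")
    m = RUNDLL_RE.match(cmd)
    if m and SYSTEM32_RE.search(m.group("dll")) and ODD_EXPORT_RE.match(m.group("export")):
        reasons.append(f"rundll32 loads {m.group('dll')} via export {m.group('export')}")
    return reasons


def check_bho(name: str, path: str) -> list:
    """Heuristic check for one O2 BHO entry."""
    if name == "(no name)" and SYSTEM32_RE.search(path):
        return [f"unnamed BHO backed by {path}"]
    return []


def scan_hjt(text: str) -> list:
    """Run the checks over a HijackThis log; only flagged entries are returned, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m4 = O4_RE.match(line)
        if m4:
            reasons = check_run_value(m4.group("name"), m4.group("cmd"))
            if reasons:
                findings.append(Finding("O4", m4.group("name"), reasons))
            continue
        m2 = O2_RE.match(line)
        if m2:
            reasons = check_bho(m2.group("name"), m2.group("path"))
            if reasons:
                findings.append(Finding("O2", m2.group("name"), reasons))
    return findings


if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_LOG):
        print(f"{f.section} [{f.name}]")
        for r in f.reasons:
            print("   -", r)
```

Running it lists four entries (the unnamed BHO, f02085f7, MSServer and BMf313b66b) while the IgfxTray, Spybot and WindowsWelcomeCenter lines pass. A real triage would still check each flagged DLL's publisher signature and hash against vendor data, which a log alone cannot do.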

Comments

  • edited May 2008
    A belated hello uppy,

    Infections are showing here. If you have not yet resolved the problems, let's take a more detailed look.

    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


    Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens, click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Options, place a check next to the following:

    Backup Registry Hives

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed, a text box will appear; copy/paste those contents back here (main.txt). Also, a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/open this and copy/paste those contents back here along with the main.txt, please. (The logs can also be found in the C:\Deckard\System Scanner folder.)

    You can use extra posts here if needed for that.
  • edited May 2008
    Here you go, Main.txt:

    Deckard's System Scanner v20071014.68
    Run by GRAHAM on 2008-05-20 02:33:11
    Computer is in Normal Mode.

    Backed up registry hives.

    Percentage of Memory in Use: 81% (more than 75%).
    Total Physical Memory: 1014 MiB (1024 MiB recommended).


    -- HijackThis (run as GRAHAM.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 02:35:01, on 20/05/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Windows Tooltip\VisualToolTip.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\igfxext.exe
    C:\Users\GRAHAM\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Users\GRAHAM\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\GRAHAM.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eread7.0\IEeREAD.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eread7.0\WebHook.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\Windows Tooltip\VisualToolTip.exe
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b
    O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pMdcbayV.dll,#1
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9457 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080327-162909-199 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\kpffrbkj.dll",b
    backup-20080327-162909-372 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvuvu.dll,#1
    backup-20080327-162909-804 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\shwpghud.dll",s
    backup-20080327-224256-328 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\rtkdujdv.dll",s
    backup-20080507-124818-445 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - \??\c:\windows\system32\drivers\nsdriver.sys
    R3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - \??\c:\windows\system32\drivers\awrtpd.sys
    R3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - \??\c:\windows\system32\drivers\awrtrd.sys
    R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

    S3 SASENUM - \??\c:\program files\superantispyware\sasenum.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 eLockService (eLock Service) - c:\acer\empowering technology\elock\service\elockserv.exe <Not Verified; Acer Inc.; Acer eLock Management>
    R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>
    R2 MobilityService - c:\acer\mobility center\mobilityservice.exe -p

    S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>


    -- Device Manager: Disabled

    No disabled devices found.


    -- Scheduled Tasks

    2008-05-20 02:30:41 420 --ah C:\Windows\Tasks\User_Feed_Synchronization-{03177A81-9EA3-4093-8624-B9421D1A4CA2}.job
    2008-05-16 20:00:00 490 --a C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - GRAHAM.job
    2008-05-07 02:24:26 272 --a C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job
    2008-04-08 16:59:50 388 --a C:\Windows\Tasks\Uniblue SpyEraser.job
    2008-03-27 19:56:48 266 --a C:\Windows\Tasks\Uniblue SpyEraser Nag.job
    2008-03-18 03:23:13 394 --a C:\Windows\Tasks\Uniblue SpeedUpMyPC.job


    -- Files created between 2008-04-20 and 2008-05-20

    2008-05-11 17:07:43 0 d C:\Users\All Users\SpecialBit Games
    2008-05-08 21:31:22 96645 --a C:\Windows\system32\drivers\klin.dat
    2008-05-08 21:31:22 87941 --a C:\Windows\system32\drivers\klick.dat
    2008-05-08 21:30:02 29487392 --ahs---- C:\Windows\system32\drivers\fidbox.dat
    2008-05-08 21:30:02 0 d C:\Program Files\Kaspersky Lab
    2008-05-08 21:28:41 0 d C:\kav
    2008-05-08 18:52:59 0 d C:\Users\All Users\WindowsSearch
    2008-05-08 18:21:11 0 d C:\GRAHAM
    2008-05-08 17:36:03 0 d C:\Program Files\TrojanHunter 5.0
    2008-05-08 15:46:13 0 d C:\Users\All Users\Kaspersky Lab
    2008-05-08 15:46:08 0 d C:\Windows\system32\Kaspersky Lab
    2008-05-08 15:44:29 6339 --ahs---- C:\Windows\system32\oqXadJlm.ini2
    2008-05-08 15:05:24 0 d C:\Program Files\Hawaiian Explorer Pearl Harbor
    2008-05-08 10:48:48 0 d C:\Program Files\Alwil Software
    2008-05-07 18:15:05 0 d C:\PerfLogs
    2008-05-07 14:52:39 0 d C:\Program Files\SpywareBlaster
    2008-05-07 13:13:46 0 d C:\escwsa
    2008-05-07 13:03:43 270977 --ahs---- C:\Windows\system32\eMTBacfe.ini2
    2008-05-07 03:11:31 2112 --a C:\Windows\system32\cessenhn.exe
    2008-05-07 03:05:29 270970 --ahs---- C:\Windows\system32\VyJlStwa.ini2
    2008-05-07 02:24:19 271209 --ahs---- C:\Windows\system32\PWEdcMoq.ini2
    2008-05-07 00:27:16 77312 --a C:\Windows\system32\ztvunace26.dll
    2008-05-07 00:27:15 162304 --a C:\Windows\system32\ztvunrar36.dll
    2008-05-07 00:27:15 69632 --a C:\Windows\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    2008-05-07 00:27:15 153088 --a C:\Windows\system32\UNRAR3.dll
    2008-05-07 00:27:15 75264 --a C:\Windows\system32\unacev2.dll
    2008-05-07 00:27:12 0 d C:\Users\All Users\Simply Super Software
    2008-05-07 00:24:22 0 d C:\Kontiki
    2008-05-06 23:51:51 0 d C:\Program Files\Trojan Killer
    2008-05-01 10:50:33 0 d C:\Program Files\Auslogics
    2008-04-29 11:07:14 0 d C:\Windows\Dream Chronicles 2 - The Eternal Maze
    2008-04-29 11:07:14 0 d C:\Program Files\Dream Chronicles 2 - The Eternal Maze
    2008-04-29 11:03:18 0 d C:\Program Files\Sprill The Mystery of The Bermuda Triangle
    2008-04-29 10:35:39 0 d C:\Program Files\Curse of the Pharaoh
    2008-04-29 10:32:42 0 d C:\Program Files\Escape
    2008-04-29 10:30:44 0 d C:\Program Files\Agatha Christie-Death On The Nile
    2008-04-29 10:29:27 0 d C:\Program Files\Agatha Christie Peril At End House
    2008-04-29 09:44:24 0 d C:\Windows\Haunted Hotel
    2008-04-29 09:44:23 0 d C:\Program Files\Haunted Hotel
    2008-04-29 09:42:38 0 d C:\Program Files\Cooking Quest
    2008-04-28 15:12:22 0 d C:\Program Files\Common Files\Stardock
    2008-04-28 15:05:58 0 d C:\Program Files\RocketDock
    2008-04-28 14:24:28 0 d C:\Program Files\Microsoft Silverlight


    -- Find3M Report

    2008-05-20 02:38:17 0 d C:\Program Files\Mozilla Firefox 3 Beta 4
    2008-05-17 10:37:01 0 d C:\Users\GRAHAM\AppData\Roaming\SpinTop
    2008-05-17 10:22:19 0 d C:\Program Files\Windows Mail
    2008-05-08 22:57:42 0 d C:\Users\GRAHAM\AppData\Roaming\uTorrent
    2008-05-08 22:44:54 0 d C:\Program Files\Trojan Remover
    2008-05-08 21:18:07 0 d C:\Users\GRAHAM\AppData\Roaming\MahJong Suite
    2008-05-08 20:54:43 0 d C:\Program Files\Common Files\Symantec Shared
    2008-05-08 20:16:38 0 d C:\Users\GRAHAM\AppData\Roaming\TrojanHunter
    2008-05-08 19:14:48 0 d C:\Program Files\Anti Trojan Elite
    2008-05-07 19:11:16 0 d C:\Program Files\Space Taxi 2
    2008-05-07 18:50:19 0 d C:\Program Files\Common Files
    2008-05-07 18:38:13 174 --ahs---- C:\Program Files\desktop.ini
    2008-05-07 18:20:46 0 d C:\Program Files\Windows Calendar
    2008-05-07 18:20:44 0 d C:\Program Files\Windows Sidebar
    2008-05-07 18:20:44 0 d C:\Program Files\Movie Maker
    2008-05-07 18:20:40 0 d C:\Program Files\Windows Photo Gallery
    2008-05-07 18:20:40 0 d C:\Program Files\Windows Collaboration
    2008-05-07 18:20:32 0 d C:\Program Files\Windows Defender
    2008-05-07 01:42:50 262144 --a C:\ntuser.dat
    2008-05-07 00:27:12 0 d C:\Users\GRAHAM\AppData\Roaming\Simply Super Software
    2008-05-04 16:47:14 0 d C:\Users\GRAHAM\AppData\Roaming\SprillBermudeEng
    2008-05-01 10:50:47 0 d C:\Users\GRAHAM\AppData\Roaming\Auslogics
    2008-05-01 10:48:22 0 d--h C:\Program Files\InstallShield Installation Information
    2008-04-28 15:12:22 0 d C:\Program Files\Stardock
    2008-04-28 13:50:50 0 d C:\Program Files\Windows Flip3D
    2008-04-16 19:08:56 0 d C:\Program Files\Kontiki
    2008-04-16 18:29:31 0 d C:\Program Files\Channel4
    2008-04-13 18:16:00 0 d C:\Program Files\SweetIM
    2008-04-10 13:02:36 0 d C:\Program Files\Maxis
    2008-04-09 20:19:09 0 d C:\Program Files\Common Files\Nero
    2008-04-09 16:44:09 0 d C:\Program Files\LEGO Media
    2008-04-09 16:08:27 0 d C:\Program Files\Unity
    2008-04-09 15:27:23 0 d C:\Program Files\SuperTuxKart
    2008-04-09 13:44:59 0 d C:\Program Files\Kasparov Chessmate
    2008-04-09 12:58:47 0 d C:\Program Files\Hexacto
    2008-04-09 12:50:43 0 d C:\Program Files\Hidden Expedition Everest
    2008-04-09 12:48:15 0 d C:\Program Files\BeJeweled 2 Deluxe
    2008-04-09 12:47:59 16 --a C:\Windows\popcinfo.dat
    2008-04-09 12:44:08 0 d C:\Program Files\Mystery P.I. - The Vegas Heist
    2008-04-08 18:11:30 0 d C:\Program Files\NeroInstall.bak
    2008-04-08 18:07:50 0 d C:\Users\GRAHAM\AppData\Roaming\Nero
    2008-04-08 18:00:24 0 d C:\Program Files\Nero
    2008-04-08 16:52:17 0 d C:\Program Files\eread7.0
    2008-04-08 16:52:11 0 d C:\Program Files\real
    2008-04-08 15:19:50 0 d C:\Users\GRAHAM\AppData\Roaming\Opera
    2008-04-08 15:19:32 0 d C:\Program Files\Opera 9
    2008-04-07 18:53:54 0 d C:\Program Files\Devastation Zone Troopers
    2008-04-07 17:09:33 0 d C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-07 17:06:16 0 d C:\Users\GRAHAM\AppData\Roaming\Malwarebytes
    2008-04-07 15:38:32 0 d C:\Program Files\Hyperspace Invader
    2008-04-07 15:38:05 0 d C:\Users\GRAHAM\AppData\Roaming\GetRightToGo
    2008-03-28 01:46:22 0 d C:\Program Files\Mystery Case Files - Madame Fate
    2008-03-28 01:45:00 0 d C:\Program Files\Bricks Of Atlantis
    2008-03-28 01:43:04 0 d C:\Program Files\Bricks Of Egypt
    2008-03-27 17:48:59 0 d C:\Users\GRAHAM\AppData\Roaming\Uniblue
    2008-03-27 17:48:22 0 d C:\Program Files\Uniblue
    2008-03-27 16:56:41 24576 --a C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
    2008-03-27 13:24:38 0 d C:\Program Files\Trend Micro
    2008-03-26 17:45:34 2639 --a C:\Windows\system32\efeby.dll
    2008-03-26 15:52:40 0 d C:\Program Files\PC-home
    2008-03-26 12:40:01 0 d C:\Users\GRAHAM\AppData\Roaming\Adobe
    2008-03-25 14:47:22 0 d C:\Program Files\Acer GameZone
    2008-03-25 14:40:17 0 d C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-25 14:18:30 0 d C:\Users\GRAHAM\AppData\Roaming\Chessmaster Challenge
    2008-03-24 18:04:59 0 d C:\Users\GRAHAM\AppData\Roaming\Wormux
    2008-03-24 17:44:27 0 d C:\Program Files\Wormux
    2008-03-23 03:11:50 0 d C:\Program Files\Lavasoft
    2008-03-23 02:40:43 2560 --a C:\Windows\_MSRSTRT.EXE
    2008-03-21 19:43:08 0 d C:\Users\GRAHAM\AppData\Roaming\Big Fish Games
    2008-03-19 13:11:57 0 --a C:\Windows\nsreg.dat
    2008-03-18 02:41:51 65536 --a C:\Windows\IFinst27.exe
    2008-03-17 20:57:41 0 -rahs---- C:\MSDOS.SYS
    2008-03-17 20:57:41 0 -rahs---- C:\IO.SYS
    2008-03-17 19:53:32 122880 --a
    C:\Windows\system32\DreamScene.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
    28/06/2007 17:25 57344 --a
    C:\Program Files\eread7.0\IEeREAD.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
    10/03/2008 12:08 81920 --a
    C:\Program Files\eread7.0\WebHook.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    27/03/2008 14:12 1164600 --a
    C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [27/03/2008 14:12 1164600]

    [-HKEY_CLASSES_ROOT\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21/03/2007 21:00]
    "RtHDVCpl"="RtHDVCpl.exe" [06/07/2007 20:06 C:\Windows\RtHDVCpl.exe]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/05/2007 22:09]
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [22/06/2007 02:25]
    "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [12/07/2007 03:52]
    "VisualTooltip"="C:\Program Files\Windows Tooltip\VisualToolTip.exe" [17/03/2008 13:53]
    "WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [05/11/2006 22:48]
    "Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [24/01/2008 10:22]
    "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" []
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [11/02/2008 20:13]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11/02/2008 20:13]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [11/02/2008 20:13]
    "f02085f7"="C:\Windows\system32\fwwaovmq.dll" []
    "BMf313b66b"="C:\Windows\system32\fhsslhao.dll" []
    "MSServer"="C:\Windows\system32\pMdcbayV.dll" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"=2 (0x2)
    "EnableLUA"=0 (0x0)
    "EnableUIADesktopToggle"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableLockWorkstation"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]
    "{B3102264-D09D-4322-B625-503FBF18DD7E}"= C:\Windows\system32\pMdcbayV.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\\Windows\\system32\\mlJdaXqo

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @="IEEE 1394 Bus host controllers"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @="SBP2 IEEE 1394 Devices"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @="SecurityDevices"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
    backup=C:\Windows\pss\Empowering Technology Launcher.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^GRAHAM^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Silent Hunter III.LNK]
    backup=C:\Windows\pss\Registration Silent Hunter III.LNK.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf313b66b]
    Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f02085f7]
    rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
    rundll32.exe C:\Windows\system32\pMdcbayV.dll,#1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
    LocalServiceNoNetwork PLA DPS BFE mpssvc


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- Hosts

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8300 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-05-20 02:39:47
  • edited May 2008
    and extra.txt:-

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft® Windows Vista™ Home Basic (build 6001) SP 1.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Celeron(R) CPU 530 @ 1.73GHz
    Percentage of Memory in Use: 82%
    Physical Memory (total/avail): 1013.68 MiB / 179.26 MiB
    Pagefile Memory (total/avail): 2289.71 MiB / 1209.43 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1922.21 MiB

    C: is Fixed (NTFS) - 32.38 GiB total, 6.1 GiB free.
    D: is Fixed (NTFS) - 32.38 GiB total, 31.94 GiB free.
    E: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - TOSHIBA MK8037GSX - 74.53 GiB - 3 partitions
    \PARTITION0 - Unknown - 9.77 GiB
    \PARTITION1 (bootable) - Installable File System - 32.38 GiB - C:
    \PARTITION2 - Installable File System - 32.38 GiB - D:



    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    AV: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab)
    AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled Outdated
    AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled Outdated
    AS: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab)
    AS: SUPERAntiSpyware v4, 0, 0, 1154 (SUPERAntiSpyware.com) Disabled

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- Environment Variables

    ALLUSERSPROFILE=C:\ProgramData
    APPDATA=C:\Users\GRAHAM\AppData\Roaming
    CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=GRAHAM-PC
    ComSpec=C:\Windows\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Users\GRAHAM
    LOCALAPPDATA=C:\Users\GRAHAM\AppData\Local
    LOGONSERVER=\\GRAHAM-PC
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 22 Stepping 1, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=1601
    ProgramData=C:\ProgramData
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    PUBLIC=C:\Users\Public
    QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\Windows
    TEMP=C:\Users\GRAHAM\AppData\Local\Temp
    TMP=C:\Users\GRAHAM\AppData\Local\Temp
    USERDOMAIN=GRAHAM-PC
    USERNAME=GRAHAM
    USERPROFILE=C:\Users\GRAHAM
    windir=C:\Windows


    -- User Profiles

    GRAHAM (admin)


    -- Add/Remove Programs

    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA4BF92B-2AAF-11DA-9D78-000129760D75}\setup.exe" -uninstall
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    4oD --> MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
    Acer Arcade --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
    Acer eLock Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9 -removeonly
    Acer Empowering Technology --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
    Acer GridVista --> C:\Windows\UnInst32.exe GridV.UNI
    Acer Mobility Center Plug-In --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x9 -removeonly
    Acer ScreenSaver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
    Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
    Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
    Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
    µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
    AusLogics Disk Defrag --> "C:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
    Big Kahuna Reef 2 --> "C:\Program Files\Acer GameZone\Big Kahuna Reef 2\Uninstall.exe" "C:\Program Files\Acer GameZone\Big Kahuna Reef 2\install.log"
    Bricks of Egypt --> "C:\Program Files\Acer GameZone\Bricks of Egypt\Uninstall.exe" "C:\Program Files\Acer GameZone\Bricks of Egypt\install.log"
    Clean Disk Security 7.74 --> C:\Program Files\Clean Disk Security\uninst.exe
    Cooking Quest --> MsiExec.exe /X{677BFA25-997E-461A-B782-178254ADCC1D}
    Curse of the Pharaoh --> MsiExec.exe /X{A469C37A-1213-4DCC-8CF7-9A709449E8B2}
    CursorFX --> "C:\ProgramData\{A850D4D9-871B-4234-908D-21C457767270}\CursorFX_public.exe" REMOVE=TRUE MODIFY=FALSE
    CursorFX --> C:\ProgramData\{A850D4D9-871B-4234-908D-21C457767270}\CursorFX_public.exe
    CyberScrub® Privacy Suite™ 5.0 --> "C:\Program Files\CyberScrub Privacy Suite\unins000.exe"
    Devastation Zone Troopers --> "C:\Program Files\Devastation Zone Troopers\ReflexiveArcade\unins000.exe"
    Dream Chronicles 2 - The Eternal Maze --> "C:\Windows\Dream Chronicles 2 - The Eternal Maze\uninstall.exe" "/U:C:\Program Files\Dream Chronicles 2 - The Eternal Maze\Uninstall\uninstall.xml"
    DreamMaker --> C:\PROGRA~1\Stardock\OBJECT~1\DREAMM~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\DREAMM~1\INSTALL.LOG
    Duke Nukem 3D HRP 27-04-2007 (137) --> D:\Program Files\duke3d\uninst.exe
    Dynasty --> "C:\Program Files\Acer GameZone\Dynasty\Uninstall.exe" "C:\Program Files\Acer GameZone\Dynasty\install.log"
    Galapago --> "C:\Program Files\Acer GameZone\Galapago\Uninstall.exe" "C:\Program Files\Acer GameZone\Galapago\install.log"
    GameShadow --> MsiExec.exe /I{D98C9637-93DA-44DB-B73A-B11A1192AB26}
    Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
    Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
    Haunted Hotel --> "C:\Windows\Haunted Hotel\uninstall.exe" "/U:C:\Program Files\Haunted Hotel\Uninstall\uninstall.xml"
    Hawaiian Explorer Pearl Harbor --> "C:\Program Files\Hawaiian Explorer Pearl Harbor\ReflexiveArcade\unins000.exe"
    HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\UIU32m.exe -U -Ic:\Release\Foxconn\51338\AcrZUn32z.inf
    Hidden Expedition Everest --> "C:\Program Files\Hidden Expedition Everest\ReflexiveArcade\unins000.exe"
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Intel(R) Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
    Intel(R) Matrix Storage Manager --> C:\Windows\System32\Imsmudlg.exe
    Kasparov Chessmate --> "C:\Program Files\Kasparov Chessmate\unins000.exe"
    Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
    Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
    Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    Launch Manager --> C:\Windows\UnInst32.exe LManager.UNI
    Luxor 2 --> "C:\Program Files\Acer GameZone\Luxor 2\Uninstall.exe" "C:\Program Files\Acer GameZone\Luxor 2\install.log"
    MahJong Suite 2007 v4.1 --> "C:\Program Files\MahJong Suite\unins000.exe"
    Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
    Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
    Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
    Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
    Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
    Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
    Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
    Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
    Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
    Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
    Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
    Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
    Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
    Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
    Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
    Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
    Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
    Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
    Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
    Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
    Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
    Mozilla Firefox (3.0b5) --> C:\Program Files\Mozilla Firefox 3 Beta 4\uninstall\helper.exe
    MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
    MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
    Mystery Case Files - Prime Suspects --> "C:\Program Files\Acer GameZone\Mystery Case Files - Prime Suspects\Uninstall.exe" "C:\Program Files\Acer GameZone\Mystery Case Files - Prime Suspects\install.log"
    Mystery Case Files Ravenhearst --> "C:\Program Files\Acer GameZone\Mystery Case Files Ravenhearst\Uninstall.exe" "C:\Program Files\Acer GameZone\Mystery Case Files Ravenhearst\install.log"
    Mystery in London --> C:\Program Files\Mystery in London\Uninstal.exe
    neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
    NTI Backup NOW! 4.7 --> "C:\Program Files\InstallShield Installation Information\{1598034D-7147-432C-8CA8-888E0632D124}\setup.exe" -removeonly
    NTI Backup NOW! 4.7 --> C:\Program Files\InstallShield Installation Information\{1598034D-7147-432C-8CA8-888E0632D124}\setup.exe -runfromtemp -l0x0409
    NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
    ObjectDock --> C:\PROGRA~1\Stardock\OBJECT~2\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~2\INSTALL.LOG
    Opera 9 --> C:\PROGRA~1\OPERA9~1\uninst\unwise.exe C:\PROGRA~1\OPERA9~1\uninst\install.log
    Pacific Heroes --> "C:\Program Files\Oberon Media\Pacific Heroes\Uninstall.exe" "C:\Program Files\Oberon Media\Pacific Heroes\install.log"
    Pacific Heroes 2 --> "C:\Program Files\Acer GameZone\Pacific Heroes 2\Uninstall.exe" "C:\Program Files\Acer GameZone\Pacific Heroes 2\install.log"
    PowerProducer 3.72 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.exe" -uninstall
    QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
    Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
    RocketDock 1.3.5 --> "C:\Program Files\RocketDock\unins000.exe"
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
    Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
    Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
    Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
    Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
    Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
    Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
    Shock Aero 3D v0.91 --> "C:\Windows\IFinst27.exe" -UC:\Program Files\Shock Utility\ShockAero3D\IFU5598.inf
    Shockwave --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\INSTALL.LOG
    Silent Hunter III --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9720C029-0C2C-4D1E-9DE0-E89971C4C8C7} /l1033
    Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    SweetIM for Messenger 2.5 --> MsiExec.exe /X{EC6BD2CC-2DCF-4AD8-A8DD-DF89D29EEF3F}
    SweetIM Toolbar for Internet Explorer 3.1 --> MsiExec.exe /X{59971D79-8111-42C2-9E40-883A0C277E78}
    Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
    TopDesk 1.5.4 --> C:\Program Files\TopDesk\uninst.exe
    Treasures of the Deep --> "C:\Program Files\Acer GameZone\Treasures of the Deep\Uninstall.exe" "C:\Program Files\Acer GameZone\Treasures of the Deep\install.log"
    Trojan Remover 6.6.9 --> "C:\Program Files\Trojan Remover\unins000.exe"
    TrojanHunter 5.0 --> "C:\Program Files\TrojanHunter 5.0\unins000.exe"
    Uniblue PowerSuite --> "C:\Program Files\Uniblue\unins000.exe"
    Uniblue SpeedUpMyPC 3 --> "C:\Program Files\Uniblue\SpeedUpMyPC 3\unins000.exe"
    Uniblue SpyEraser --> "C:\Program Files\Uniblue\SpyEraser\unins000.exe"
    Unity Web Player --> C:\Program Files\Unity\WebPlayer\Uninstall.exe
    Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
    Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
    VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
    Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
    Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
    Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
    Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
    Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    Wormux (remove only) --> "C:\Program Files\Wormux\uninstall.exe"
    Xpand Rally 1.1.0.0 --> C:\Program Files\PC-home\Xpand Rally\Uninstall.exe
    Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\common\unyt.exe
    Zuma Deluxe --> "C:\Program Files\Acer GameZone\Zuma Deluxe\Uninstall.exe" "C:\Program Files\Acer GameZone\Zuma Deluxe\install.log"


    -- Application Event Log

    Event Record #/Type15715 / Success
    Event Submitted/Written: 05/19/2008 05:53:41 PM
    Event ID/Source: 5617 / WinMgmt
    Event Description:


    Event Record #/Type15712 / Success
    Event Submitted/Written: 05/19/2008 05:53:38 PM
    Event ID/Source: 5615 / WinMgmt
    Event Description:


    Event Record #/Type15707 / Success
    Event Submitted/Written: 05/19/2008 05:53:24 PM
    Event ID/Source: 902 / Software Licensing Service
    Event Description:
    The Software Licensing service has started.

    Event Record #/Type15695 / Warning
    Event Submitted/Written: 05/18/2008 10:18:25 PM
    Event ID/Source: 1530 / profsvc
    Event Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    DETAIL -
    15 user registry handles leaked from \Registry\User\S-1-5-21-3485879433-1326564539-6839977-1000:
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Microsoft\SystemCertificates\Root
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Microsoft\SystemCertificates\trust
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Microsoft\SystemCertificates\TrustedPeople
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Microsoft\SystemCertificates\Disallowed
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Microsoft\SystemCertificates\My
    Process 1160 (\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3485879433-1326564539-6839977-1000\Software\Microsoft\SystemCertificates\CA

    Event Record #/Type15675 / Success
    Event Submitted/Written: 05/18/2008 04:07:20 PM
    Event ID/Source: 5617 / WinMgmt
    Event Description:




    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type41073 / Error
    Event Submitted/Written: 05/20/2008 02:28:37 AM
    Event ID/Source: 1002 / Dhcp
    Event Description:
    The IP address lease 192.168.2.11 for the Network Card with network address 0017C408017B has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).

    Event Record #/Type41072 / Warning
    Event Submitted/Written: 05/20/2008 02:28:37 AM
    Event ID/Source: 1003 / Dhcp
    Event Description:
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017C408017B. The following error occurred:
    %%2163146757. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

    Event Record #/Type41062 / Warning
    Event Submitted/Written: 05/19/2008 06:13:51 PM
    Event ID/Source: 1003 / Dhcp
    Event Description:
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017C408017B. The following error occurred:
    %%1223. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

    Event Record #/Type41059 / Warning
    Event Submitted/Written: 05/19/2008 06:13:24 PM
    Event ID/Source: 1003 / Dhcp
    Event Description:
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0017C408017B. The following error occurred:
    %%1223. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

    Event Record #/Type41043 / Error
    Event Submitted/Written: 05/19/2008 05:53:58 PM
    Event ID/Source: 7026 / Service Control Manager
    Event Description:
    SABKUTIL



    -- End of Deckard's System Scanner: finished at 2008-05-20 02:39:47
  • edited May 2008
    Careful with just adding scanning software there - 2 different types of Trojan-removing software, SUPERAntiSpyware, Malwarebytes and a few others. Each overlaps the other and overall this will cause conflicts and issues on the system.

    The logs do show you have SweetIM's toolbar installed - listed here as questionable, it really is not considered software to use or have installed, due to likely search-redirecting activity and possible monitoring functions.

    Since you have already started your own repairs I am not sure right now the level of active malware installed there.

    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


    Open Malwarebytes, and update it.

    * Once that is done, select "Perform Complete Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

    Then in the Logs area of Malwarebytes, locate the last scan log you did prior to posting here, and post that here along with the one you just did. This way I have current info and can then start some manual removal steps there.
  • edited May 2008
    OK, here is the NEW log:

    Malwarebytes' Anti-Malware 1.12
    Database version: 768

    Scan type: Full Scan (C:\|)
    Objects scanned: 160074
    Time elapsed: 37 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{b3102264-d09d-4322-b625-503fbf18dd7e} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b3102264-d09d-4322-b625-503fbf18dd7e} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMf313b66b (Trojan.Agent) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\qoMcdEWP.dll.vir (Trojan.Vundo) -> No action taken.
    C:\Windows\System32\qoMGYpMF.dll.vir (Trojan.Vundo) -> No action taken.
  • edited May 2008
    And I think this is the log before I posted here.

    Malwarebytes' Anti-Malware 1.10
    Database version: 598

    Scan type: Quick Scan
    Objects scanned: 26783
    Time elapsed: 3 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 10
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Windows\System32\qoMdETME.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b3102264-d09d-4322-b625-503fbf18dd7e} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b3102264-d09d-4322-b625-503fbf18dd7e} (Trojan.Vundo) -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\System\aux (Trojan.Agent) -> Delete on reboot.
    C:\Windows\System32\ddawu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\urqqq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\qoMdETME.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Windows\System32\qomJayyX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\qomJdAQh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
  • edited May 2008
    No action taken.

    By all means go ahead and take action - allow Malwarebytes to delete the things it finds, and then reboot after.


    After the reboot, still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed, a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder.)

    Post that along with the newest Malwarebytes log please.
  • edited May 2008
    Here is the new DSS log:

    Deckard's System Scanner v20071014.68
    Run by GRAHAM on 2008-05-20 18:28:08
    Computer is in Normal Mode.

    Percentage of Memory in Use: 77% (more than 75%).
    Total Physical Memory: 1014 MiB (1024 MiB recommended).


    -- HijackThis (run as GRAHAM.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:28:44, on 20/05/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Windows Tooltip\VisualToolTip.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\igfxext.exe
    C:\Users\GRAHAM\Desktop\dss.exe
    C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
    C:\Users\GRAHAM\AppData\Local\Temp\RtkBtMnt.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\GRAHAM.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eread7.0\IEeREAD.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eread7.0\WebHook.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\Windows Tooltip\VisualToolTip.exe
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pMdcbayV.dll,#1
    O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9481 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080327-162909-199 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\kpffrbkj.dll",b
    backup-20080327-162909-372 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvuvu.dll,#1
    backup-20080327-162909-804 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\shwpghud.dll",s
    backup-20080327-224256-328 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\rtkdujdv.dll",s
    backup-20080507-124818-445 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - \??\c:\windows\system32\drivers\nsdriver.sys
    R3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - \??\c:\windows\system32\drivers\awrtpd.sys
    R3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - \??\c:\windows\system32\drivers\awrtrd.sys
    R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 eLockService (eLock Service) - c:\acer\empowering technology\elock\service\elockserv.exe <Not Verified; Acer Inc.; Acer eLock Management>
    R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>
    R2 MobilityService - c:\acer\mobility center\mobilityservice.exe -p

    S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>


    -- Device Manager: Disabled

    No disabled devices found.


    -- Scheduled Tasks

    2008-05-20 18:14:30 420 --ah C:\Windows\Tasks\User_Feed_Synchronization-{03177A81-9EA3-4093-8624-B9421D1A4CA2}.job
    2008-05-16 20:00:00 490 --a C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - GRAHAM.job
    2008-05-07 02:24:26 272 --a C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job
    2008-04-08 16:59:50 388 --a C:\Windows\Tasks\Uniblue SpyEraser.job
    2008-03-27 19:56:48 266 --a C:\Windows\Tasks\Uniblue SpyEraser Nag.job
    2008-03-18 03:23:13 394 --a C:\Windows\Tasks\Uniblue SpeedUpMyPC.job


    -- Files created between 2008-04-20 and 2008-05-20

    2008-05-11 17:07:43 0 d C:\Users\All Users\SpecialBit Games
    2008-05-08 21:31:22 96645 --a C:\Windows\system32\drivers\klin.dat
    2008-05-08 21:31:22 87941 --a C:\Windows\system32\drivers\klick.dat
    2008-05-08 21:30:02 30972960 --ahs---- C:\Windows\system32\drivers\fidbox.dat
    2008-05-08 21:30:02 0 d C:\Program Files\Kaspersky Lab
    2008-05-08 21:28:41 0 d C:\kav
    2008-05-08 18:52:59 0 d C:\Users\All Users\WindowsSearch
    2008-05-08 18:21:11 0 d C:\GRAHAM
    2008-05-08 17:36:03 0 d C:\Program Files\TrojanHunter 5.0
    2008-05-08 15:46:13 0 d C:\Users\All Users\Kaspersky Lab
    2008-05-08 15:46:08 0 d C:\Windows\system32\Kaspersky Lab
    2008-05-08 15:44:29 6339 --ahs---- C:\Windows\system32\oqXadJlm.ini2
    2008-05-08 15:05:24 0 d C:\Program Files\Hawaiian Explorer Pearl Harbor
    2008-05-08 10:48:48 0 d C:\Program Files\Alwil Software
    2008-05-07 18:15:05 0 d C:\PerfLogs
    2008-05-07 14:52:39 0 d C:\Program Files\SpywareBlaster
    2008-05-07 13:13:46 0 d C:\escwsa
    2008-05-07 13:03:43 270977 --ahs---- C:\Windows\system32\eMTBacfe.ini2
    2008-05-07 03:11:31 2112 --a C:\Windows\system32\cessenhn.exe
    2008-05-07 03:05:29 270970 --ahs---- C:\Windows\system32\VyJlStwa.ini2
    2008-05-07 02:24:19 271209 --ahs---- C:\Windows\system32\PWEdcMoq.ini2
    2008-05-07 00:24:22 0 d C:\Kontiki
    2008-05-06 23:51:51 0 d C:\Program Files\Trojan Killer
    2008-05-01 10:50:33 0 d C:\Program Files\Auslogics
    2008-04-29 11:07:14 0 d C:\Windows\Dream Chronicles 2 - The Eternal Maze
    2008-04-29 11:07:14 0 d C:\Program Files\Dream Chronicles 2 - The Eternal Maze
    2008-04-29 11:03:18 0 d C:\Program Files\Sprill The Mystery of The Bermuda Triangle
    2008-04-29 10:35:39 0 d C:\Program Files\Curse of the Pharaoh
    2008-04-29 10:32:42 0 d C:\Program Files\Escape
    2008-04-29 10:30:44 0 d C:\Program Files\Agatha Christie-Death On The Nile
    2008-04-29 10:29:27 0 d C:\Program Files\Agatha Christie Peril At End House
    2008-04-29 09:44:24 0 d C:\Windows\Haunted Hotel
    2008-04-29 09:44:23 0 d C:\Program Files\Haunted Hotel
    2008-04-29 09:42:38 0 d C:\Program Files\Cooking Quest
    2008-04-28 15:12:22 0 d C:\Program Files\Common Files\Stardock
    2008-04-28 15:05:58 0 d C:\Program Files\RocketDock
    2008-04-28 14:24:28 0 d C:\Program Files\Microsoft Silverlight


    -- Find3M Report

    2008-05-20 18:26:26 0 d C:\Program Files\Mozilla Firefox 3 Beta 4
    2008-05-20 12:38:11 0 d C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-20 12:35:38 0 d C:\Program Files\Trojan Remover
    2008-05-20 12:34:27 0 d C:\Users\GRAHAM\AppData\Roaming\SUPERAntiSpyware.com
    2008-05-20 12:34:27 0 d C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-20 12:34:25 0 d C:\Program Files\SUPERAntiSpyware
    2008-05-17 10:37:01 0 d C:\Users\GRAHAM\AppData\Roaming\SpinTop
    2008-05-17 10:22:19 0 d C:\Program Files\Windows Mail
    2008-05-08 22:57:42 0 d C:\Users\GRAHAM\AppData\Roaming\uTorrent
    2008-05-08 21:18:07 0 d C:\Users\GRAHAM\AppData\Roaming\MahJong Suite
    2008-05-08 20:54:43 0 d C:\Program Files\Common Files\Symantec Shared
    2008-05-08 20:16:38 0 d C:\Users\GRAHAM\AppData\Roaming\TrojanHunter
    2008-05-08 19:14:48 0 d C:\Program Files\Anti Trojan Elite
    2008-05-07 19:11:16 0 d C:\Program Files\Space Taxi 2
    2008-05-07 18:50:19 0 d C:\Program Files\Common Files
    2008-05-07 18:38:13 174 --ahs---- C:\Program Files\desktop.ini
    2008-05-07 18:20:46 0 d C:\Program Files\Windows Calendar
    2008-05-07 18:20:44 0 d C:\Program Files\Windows Sidebar
    2008-05-07 18:20:44 0 d C:\Program Files\Movie Maker
    2008-05-07 18:20:40 0 d C:\Program Files\Windows Photo Gallery
    2008-05-07 18:20:40 0 d C:\Program Files\Windows Collaboration
    2008-05-07 18:20:32 0 d C:\Program Files\Windows Defender
    2008-05-07 01:42:50 262144 --a C:\ntuser.dat
    2008-05-04 16:47:14 0 d C:\Users\GRAHAM\AppData\Roaming\SprillBermudeEng
    2008-05-01 10:50:47 0 d C:\Users\GRAHAM\AppData\Roaming\Auslogics
    2008-05-01 10:48:22 0 d--h C:\Program Files\InstallShield Installation Information
    2008-04-28 15:12:22 0 d C:\Program Files\Stardock
    2008-04-28 13:50:50 0 d C:\Program Files\Windows Flip3D
    2008-04-16 19:08:56 0 d C:\Program Files\Kontiki
    2008-04-16 18:29:31 0 d C:\Program Files\Channel4
    2008-04-13 18:16:00 0 d C:\Program Files\SweetIM
    2008-04-10 13:02:36 0 d C:\Program Files\Maxis
    2008-04-09 20:19:09 0 d C:\Program Files\Common Files\Nero
    2008-04-09 16:44:09 0 d C:\Program Files\LEGO Media
    2008-04-09 16:08:27 0 d C:\Program Files\Unity
    2008-04-09 15:27:23 0 d C:\Program Files\SuperTuxKart
    2008-04-09 13:44:59 0 d C:\Program Files\Kasparov Chessmate
    2008-04-09 12:58:47 0 d C:\Program Files\Hexacto
    2008-04-09 12:50:43 0 d C:\Program Files\Hidden Expedition Everest
    2008-04-09 12:48:15 0 d C:\Program Files\BeJeweled 2 Deluxe
    2008-04-09 12:47:59 16 --a C:\Windows\popcinfo.dat
    2008-04-09 12:44:08 0 d C:\Program Files\Mystery P.I. - The Vegas Heist
    2008-04-08 18:11:30 0 d C:\Program Files\NeroInstall.bak
    2008-04-08 18:07:50 0 d C:\Users\GRAHAM\AppData\Roaming\Nero
    2008-04-08 18:00:24 0 d C:\Program Files\Nero
    2008-04-08 16:52:17 0 d C:\Program Files\eread7.0
    2008-04-08 16:52:11 0 d C:\Program Files\real
    2008-04-08 15:19:50 0 d C:\Users\GRAHAM\AppData\Roaming\Opera
    2008-04-08 15:19:32 0 d C:\Program Files\Opera 9
    2008-04-07 18:53:54 0 d C:\Program Files\Devastation Zone Troopers
    2008-04-07 17:06:16 0 d C:\Users\GRAHAM\AppData\Roaming\Malwarebytes
    2008-04-07 15:38:32 0 d C:\Program Files\Hyperspace Invader
    2008-04-07 15:38:05 0 d C:\Users\GRAHAM\AppData\Roaming\GetRightToGo
    2008-03-28 01:46:22 0 d C:\Program Files\Mystery Case Files - Madame Fate
    2008-03-28 01:45:00 0 d C:\Program Files\Bricks Of Atlantis
    2008-03-28 01:43:04 0 d C:\Program Files\Bricks Of Egypt
    2008-03-27 17:48:59 0 d C:\Users\GRAHAM\AppData\Roaming\Uniblue
    2008-03-27 17:48:22 0 d C:\Program Files\Uniblue
    2008-03-27 16:56:41 24576 --a C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
    2008-03-27 13:24:38 0 d C:\Program Files\Trend Micro
    2008-03-26 17:45:34 2639 --a C:\Windows\system32\efeby.dll
    2008-03-26 15:52:40 0 d C:\Program Files\PC-home
    2008-03-26 12:40:01 0 d C:\Users\GRAHAM\AppData\Roaming\Adobe
    2008-03-25 14:47:22 0 d C:\Program Files\Acer GameZone
    2008-03-25 14:18:30 0 d C:\Users\GRAHAM\AppData\Roaming\Chessmaster Challenge
    2008-03-24 18:04:59 0 d C:\Users\GRAHAM\AppData\Roaming\Wormux
    2008-03-24 17:44:27 0 d C:\Program Files\Wormux
    2008-03-23 03:11:50 0 d C:\Program Files\Lavasoft
    2008-03-23 02:40:43 2560 --a C:\Windows\_MSRSTRT.EXE
    2008-03-21 19:43:08 0 d C:\Users\GRAHAM\AppData\Roaming\Big Fish Games
    2008-03-19 13:11:57 0 --a C:\Windows\nsreg.dat
    2008-03-18 02:41:51 65536 --a C:\Windows\IFinst27.exe
    2008-03-17 20:57:41 0 -rahs---- C:\MSDOS.SYS
    2008-03-17 20:57:41 0 -rahs---- C:\IO.SYS
    2008-03-17 19:53:32 122880 --a C:\Windows\system32\DreamScene.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
    28/06/2007 17:25 57344 --a
    C:\Program Files\eread7.0\IEeREAD.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
    10/03/2008 12:08 81920 --a
    C:\Program Files\eread7.0\WebHook.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    27/03/2008 14:12 1164600 --a
    C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [27/03/2008 14:12 1164600]

    [-HKEY_CLASSES_ROOT\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21/03/2007 21:00]
    "RtHDVCpl"="RtHDVCpl.exe" [06/07/2007 20:06 C:\Windows\RtHDVCpl.exe]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/05/2007 22:09]
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [22/06/2007 02:25]
    "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [12/07/2007 03:52]
    "VisualTooltip"="C:\Program Files\Windows Tooltip\VisualToolTip.exe" [17/03/2008 13:53]
    "WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [05/11/2006 22:48]
    "Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [24/01/2008 10:22]
    "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" []
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [11/02/2008 20:13]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11/02/2008 20:13]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [11/02/2008 20:13]
    "f02085f7"="C:\Windows\system32\fwwaovmq.dll" []
    "MSServer"="C:\Windows\system32\pMdcbayV.dll" []
    "BMf313b66b"="C:\Windows\system32\fhsslhao.dll" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"=2 (0x2)
    "EnableLUA"=0 (0x0)
    "EnableUIADesktopToggle"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableLockWorkstation"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\\Windows\\system32\\mlJdaXqo

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @="IEEE 1394 Bus host controllers"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @="SBP2 IEEE 1394 Devices"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @="SecurityDevices"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
    backup=C:\Windows\pss\Empowering Technology Launcher.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^GRAHAM^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Silent Hunter III.LNK]
    backup=C:\Windows\pss\Registration Silent Hunter III.LNK.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf313b66b]
    Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f02085f7]
    rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
    rundll32.exe C:\Windows\system32\pMdcbayV.dll,#1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
    LocalServiceNoNetwork PLA DPS BFE mpssvc


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- Hosts

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8300 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-05-20 18:32:43
  • edited May 2008
    and the extra bit as well:

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    AV: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab)
    AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled Outdated
    AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled Outdated
    AS: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- End of Deckard's System Scanner: finished at 2008-05-20 18:32:43
  • edited May 2008
    Not sure you and I are quite in tune with requests and logs here, but infection is getting removed. The system truly has anti-infection tool overkill there. I see now I missed Ad-Aware's Ad-Watch, since not so many folks purchase that. I am not sure it was meant to be run along with Kaspersky fully enabled there, since it is a function blocker that will likely cause conflicts and issues. And the full SpyBot install with its services. And all the trojan this-and-that removing software. But for use now you need to completely disable Ad-Watch, and leave it disabled until all these repairs are completed.


    Then, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
      00
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf313b66b]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f02085f7]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    
    Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it badfix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and OK the prompt asking if you wish to merge the file with your registry.


    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
    O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pMdcbayV.dll,#1
    O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s



    Download OTMoveIt2 by OldTimer to your desktop.

    Then click OTMoveIt2.exe to run it (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator").

    Copy the file paths below to the clipboard (by highlighting ALL of them and pressing CTRL + C, or right-click and choose Copy):
    C:\Windows\system32\oqXadJlm.ini2
    C:\escwsa
    C:\Windows\system32\eMTBacfe.ini2
    C:\Windows\system32\cessenhn.exe
    C:\Windows\system32\VyJlStwa.ini2
    C:\Windows\system32\PWEdcMoq.ini2
    C:\Windows\system32\efeby.dll
    C:\Windows\system32\mlJdaXqo
    C:\Windows\system32\mlJdaXqo.dll
    

    Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".


    If OTMoveIt did not require a reboot go ahead and reboot at this time.

    Then open Malwarebytes again, and update that. Run a Complete Scan, being sure to post that log in your next reply. If it suggests a reboot then be sure to reboot to complete the repairs.


    Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the Malwarebytes log and the OTMoveIt log please.
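A small triage script, added here as an example; it is not part of the thread and not something HijackThis, DSS or OTMoveIt ship. It parses O4 lines of the form quoted in the post above and flags the same three rundll32 entries the helper asked to have fixed, reports anything beyond msv1_0 in the DSS "Authentication Packages" line, and decodes the hex(7) payload from badfix.reg to show that the fix sets that value back to msv1_0 alone. The sample lines are copied from the logs in this thread; the scoring rules (DLL under system32, ordinal or one-letter entry point, hex-looking value name) are heuristics chosen for illustration, not signatures.

```python
"""Triage helper for HijackThis O4 lines and DSS registry-dump lines.

Example code added to this thread, not part of HijackThis, DSS or OTMoveIt.
The heuristics below are illustrative assumptions, not vendor signatures.
"""
import re

# Sample input, constructed from lines that appear in the thread's logs.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b',
    r"O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pMdcbayV.dll,#1",
    r'O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s',
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
]
# DSS writes the LSA value with doubled backslashes, as in the thread's dump.
SAMPLE_LSA_LINE = r'"Authentication Packages"= msv1_0 C:\\Windows\\system32\\mlJdaXqo'
# The REG_MULTI_SZ payload from the helper's badfix.reg, continuation line joined.
SAMPLE_REG_HEX7 = "6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00"

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32.exe <dll>,<entry>; the DLL path may or may not be quoted.
RUNDLL_RE = re.compile(
    r'^"?rundll32\.exe"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)', re.IGNORECASE)
# Value names that are eight hex digits with at most a two-letter prefix
# (f02085f7, BMf313b66b). Heuristic assumption for this example.
HEXNAME_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-fA-F]{8}$")


def parse_o4(line):
    """Split a HijackThis O4 line into hive, value name and command, or None."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def triage_o4(line):
    """Return the reasons an O4 entry deserves a closer look (empty list = nothing odd)."""
    entry = parse_o4(line)
    if entry is None:
        return []
    reasons = []
    m = RUNDLL_RE.match(entry["cmd"])
    if m:
        dll, ep = m.group("dll"), m.group("entry")
        if re.search(r"\\system32\\", dll, re.IGNORECASE):
            reasons.append("rundll32 loads a DLL from system32 at logon")
        if ep.startswith("#") or len(ep) == 1:
            reasons.append(f"opaque entry point '{ep}'")
    if HEXNAME_RE.match(entry["name"]):
        reasons.append(f"hex-looking value name '{entry['name']}'")
    return reasons


def triage_log(lines):
    """Map each flagged O4 value name to its reasons; clean entries are omitted."""
    findings = {}
    for line in lines:
        reasons = triage_o4(line)
        if reasons:
            findings[parse_o4(line)["name"]] = reasons
    return findings


def lsa_extra_packages(line):
    """From a DSS 'Authentication Packages' line, return every package other than msv1_0.

    Anything listed here is loaded by LSASS at boot, which is why the thread's
    badfix.reg resets the value to msv1_0 alone.
    """
    _, _, value = line.partition("=")
    return [p for p in value.split() if p.lower() != "msv1_0"]


def decode_reg_multi_sz(hex7):
    """Decode a .reg hex(7) payload (UTF-16LE strings, NUL separated, double NUL
    terminated) into the list of strings the merge will write."""
    cleaned = hex7.replace("\\", "").replace("\n", "")
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_HJT_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
    print("extra LSA packages:", lsa_extra_packages(SAMPLE_LSA_LINE))
    print("badfix.reg sets Authentication Packages to:", decode_reg_multi_sz(SAMPLE_REG_HEX7))
```

Run against the sample lines it flags exactly f02085f7, MSServer and BMf313b66b, leaves the stock Windows Defender, IgfxTray and WindowsWelcomeCenter entries alone, reports C:\\Windows\\system32\\mlJdaXqo as the extra LSA package, and decodes the .reg payload to ["msv1_0"]. The value-name and entry-point rules are deliberately loose; on a real log they are a prompt to look at the DLL's publisher and timestamp (the DSS dump shows "[]" where that information is missing), not a verdict on their own.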
  • edited May 2008
    Sorry for the crossed wire mate :)

    C:\Windows\system32\oqXadJlm.ini2 moved successfully.
    C:\escwsa\scf\winlh moved successfully.
    C:\escwsa\scf\win2k moved successfully.
    C:\escwsa\scf\system moved successfully.
    C:\escwsa\scf\program files\sophos\sophos client firewall moved successfully.
    C:\escwsa\scf\program files\sophos moved successfully.
    C:\escwsa\scf\program files moved successfully.
    C:\escwsa\scf\commonappdata\sophos\sophos client firewall moved successfully.
    C:\escwsa\scf\commonappdata\sophos moved successfully.
    C:\escwsa\scf\commonappdata moved successfully.
    C:\escwsa\scf\common files folder\sophos\sophos client firewall moved successfully.
    C:\escwsa\scf\common files folder\sophos moved successfully.
    C:\escwsa\scf\common files folder moved successfully.
    C:\escwsa\scf moved successfully.
    C:\escwsa\savxp\winxp_ia64 moved successfully.
    C:\escwsa\savxp\winxp_i386 moved successfully.
    C:\escwsa\savxp\winxp_amd64 moved successfully.
    C:\escwsa\savxp\winlh_ia64 moved successfully.
    C:\escwsa\savxp\winlh_i386 moved successfully.
    C:\escwsa\savxp\winlh_amd64 moved successfully.
    C:\escwsa\savxp\win2k moved successfully.
    C:\escwsa\savxp\system moved successfully.
    C:\escwsa\savxp\sxs moved successfully.
    C:\escwsa\savxp\program files\sophos\sophos anti-virus\module retargetable folder moved successfully.
    C:\escwsa\savxp\program files\sophos\sophos anti-virus moved successfully.
    C:\escwsa\savxp\program files\sophos moved successfully.
    C:\escwsa\savxp\program files moved successfully.
    C:\escwsa\savxp\commonappdata\sophos\sophos anti-virus\config moved successfully.
    C:\escwsa\savxp\commonappdata\sophos\sophos anti-virus moved successfully.
    C:\escwsa\savxp\commonappdata\sophos moved successfully.
    C:\escwsa\savxp\commonappdata moved successfully.
    C:\escwsa\savxp\common\cisco systems\ciscotrustagent\plugins\install moved successfully.
    C:\escwsa\savxp\common\cisco systems\ciscotrustagent\plugins moved successfully.
    C:\escwsa\savxp\common\cisco systems\ciscotrustagent moved successfully.
    C:\escwsa\savxp\common\cisco systems moved successfully.
    C:\escwsa\savxp\common moved successfully.
    C:\escwsa\savxp moved successfully.
    C:\escwsa\sau\program files\sophos\autoupdate\zh_tw moved successfully.
    C:\escwsa\sau\program files\sophos\autoupdate\zh_cn moved successfully.
    C:\escwsa\sau\program files\sophos\autoupdate\ja moved successfully.
    C:\escwsa\sau\program files\sophos\autoupdate\it moved successfully.
    C:\escwsa\sau\program files\sophos\autoupdate\fr moved successfully.
    C:\escwsa\sau\program files\sophos\autoupdate\es moved successfully.
    C:\escwsa\sau\program files\sophos\autoupdate\en moved successfully.
    C:\escwsa\sau\program files\sophos\autoupdate\de moved successfully.
    C:\escwsa\sau\program files\sophos\autoupdate moved successfully.
    C:\escwsa\sau\program files\sophos moved successfully.
    C:\escwsa\sau\program files moved successfully.
    C:\escwsa\sau\commonappdata\sophos\autoupdate\defaultconfig moved successfully.
    C:\escwsa\sau\commonappdata\sophos\autoupdate moved successfully.
    C:\escwsa\sau\commonappdata\sophos moved successfully.
    C:\escwsa\sau\commonappdata moved successfully.
    C:\escwsa\sau moved successfully.
    C:\escwsa\crt moved successfully.
    C:\escwsa moved successfully.
    C:\Windows\system32\eMTBacfe.ini2 moved successfully.
    C:\Windows\system32\cessenhn.exe moved successfully.
    C:\Windows\system32\VyJlStwa.ini2 moved successfully.
    C:\Windows\system32\PWEdcMoq.ini2 moved successfully.
    LoadLibrary failed for C:\Windows\system32\efeby.dll
    C:\Windows\system32\efeby.dll NOT unregistered.
    C:\Windows\system32\efeby.dll moved successfully.
    File/Folder C:\Windows\system32\mlJdaXqo not found.
    File/Folder C:\Windows\system32\mlJdaXqo.dll not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05212008_112325
  • edited May 2008
    Malwarebytes' Anti-Malware 1.12
    Database version: 768

    Scan type: Full Scan (C:\|)
    Objects scanned: 160558
    Time elapsed: 31 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  • edited May 2008
    Deckard's System Scanner v20071014.68
    Run by GRAHAM on 2008-05-21 12:40:53
    Computer is in Normal Mode.

    Percentage of Memory in Use: 79% (more than 75%).
    Total Physical Memory: 1014 MiB (1024 MiB recommended).


    -- HijackThis (run as GRAHAM.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:41:06, on 21/05/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Windows Tooltip\VisualToolTip.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Users\GRAHAM\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\GRAHAM.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eread7.0\IEeREAD.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eread7.0\WebHook.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\Windows Tooltip\VisualToolTip.exe
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9141 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080327-162909-199 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\kpffrbkj.dll",b
    backup-20080327-162909-372 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvuvu.dll,#1
    backup-20080327-162909-804 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\shwpghud.dll",s
    backup-20080327-224256-328 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\rtkdujdv.dll",s
    backup-20080507-124818-445 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b
    backup-20080521-112255-633 O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
    backup-20080521-112255-638 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pMdcbayV.dll,#1
    backup-20080521-112255-799 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b
    backup-20080521-112255-910 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - \??\c:\windows\system32\drivers\nsdriver.sys
    R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 eLockService (eLock Service) - c:\acer\empowering technology\elock\service\elockserv.exe <Not Verified; Acer Inc.; Acer eLock Management>
    R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>
    R2 MobilityService - c:\acer\mobility center\mobilityservice.exe -p

    S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>


    -- Device Manager: Disabled

    No disabled devices found.


    -- Scheduled Tasks

    2008-05-21 12:00:39 420 --ah
    C:\Windows\Tasks\User_Feed_Synchronization-{03177A81-9EA3-4093-8624-B9421D1A4CA2}.job
    2008-05-16 20:00:00 490 --a
    C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - GRAHAM.job
    2008-05-07 02:24:26 272 --a
    C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job
    2008-04-08 16:59:50 388 --a
    C:\Windows\Tasks\Uniblue SpyEraser.job
    2008-03-27 19:56:48 266 --a
    C:\Windows\Tasks\Uniblue SpyEraser Nag.job
    2008-03-18 03:23:13 394 --a
    C:\Windows\Tasks\Uniblue SpeedUpMyPC.job


    -- Files created between 2008-04-21 and 2008-05-21

    2008-05-11 17:07:43 0 d
    C:\Users\All Users\SpecialBit Games
    2008-05-08 21:31:22 96645 --a
    C:\Windows\system32\drivers\klin.dat
    2008-05-08 21:31:22 87941 --a
    C:\Windows\system32\drivers\klick.dat
    2008-05-08 21:30:02 32128800 --ahs---- C:\Windows\system32\drivers\fidbox.dat
    2008-05-08 21:30:02 0 d
    C:\Program Files\Kaspersky Lab
    2008-05-08 21:28:41 0 d
    C:\kav
    2008-05-08 18:52:59 0 d
    C:\Users\All Users\WindowsSearch
    2008-05-08 18:21:11 0 d
    C:\GRAHAM
    2008-05-08 17:36:03 0 d
    C:\Program Files\TrojanHunter 5.0
    2008-05-08 15:46:13 0 d
    C:\Users\All Users\Kaspersky Lab
    2008-05-08 15:46:08 0 d
    C:\Windows\system32\Kaspersky Lab
    2008-05-08 15:05:24 0 d
    C:\Program Files\Hawaiian Explorer Pearl Harbor
    2008-05-08 10:48:48 0 d
    C:\Program Files\Alwil Software
    2008-05-07 18:15:05 0 d
    C:\PerfLogs
    2008-05-07 14:52:39 0 d
    C:\Program Files\SpywareBlaster
    2008-05-07 00:24:22 0 d
    C:\Kontiki
    2008-05-06 23:51:51 0 d
    C:\Program Files\Trojan Killer
    2008-05-01 10:50:33 0 d
    C:\Program Files\Auslogics
    2008-04-29 11:07:14 0 d
    C:\Windows\Dream Chronicles 2 - The Eternal Maze
    2008-04-29 11:07:14 0 d
    C:\Program Files\Dream Chronicles 2 - The Eternal Maze
    2008-04-29 11:03:18 0 d
    C:\Program Files\Sprill The Mystery of The Bermuda Triangle
    2008-04-29 10:35:39 0 d
    C:\Program Files\Curse of the Pharaoh
    2008-04-29 10:32:42 0 d
    C:\Program Files\Escape
    2008-04-29 10:30:44 0 d
    C:\Program Files\Agatha Christie-Death On The Nile
    2008-04-29 10:29:27 0 d
    C:\Program Files\Agatha Christie Peril At End House
    2008-04-29 09:44:24 0 d
    C:\Windows\Haunted Hotel
    2008-04-29 09:44:23 0 d
    C:\Program Files\Haunted Hotel
    2008-04-29 09:42:38 0 d
    C:\Program Files\Cooking Quest
    2008-04-28 15:12:22 0 d
    C:\Program Files\Common Files\Stardock
    2008-04-28 15:05:58 0 d
    C:\Program Files\RocketDock
    2008-04-28 14:24:28 0 d
    C:\Program Files\Microsoft Silverlight


    -- Find3M Report

    2008-05-21 11:36:29 0 d
    C:\Program Files\Mozilla Firefox 3 Beta 4
    2008-05-20 12:38:11 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-20 12:35:38 0 d
    C:\Program Files\Trojan Remover
    2008-05-20 12:34:27 0 d
    C:\Users\GRAHAM\AppData\Roaming\SUPERAntiSpyware.com
    2008-05-20 12:34:27 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-20 12:34:25 0 d
    C:\Program Files\SUPERAntiSpyware
    2008-05-17 10:37:01 0 d
    C:\Users\GRAHAM\AppData\Roaming\SpinTop
    2008-05-17 10:22:19 0 d
    C:\Program Files\Windows Mail
    2008-05-08 22:57:42 0 d
    C:\Users\GRAHAM\AppData\Roaming\uTorrent
    2008-05-08 21:18:07 0 d
    C:\Users\GRAHAM\AppData\Roaming\MahJong Suite
    2008-05-08 20:54:43 0 d
    C:\Program Files\Common Files\Symantec Shared
    2008-05-08 20:16:38 0 d
    C:\Users\GRAHAM\AppData\Roaming\TrojanHunter
    2008-05-08 19:14:48 0 d
    C:\Program Files\Anti Trojan Elite
    2008-05-07 19:11:16 0 d
    C:\Program Files\Space Taxi 2
    2008-05-07 18:50:19 0 d
    C:\Program Files\Common Files
    2008-05-07 18:38:13 174 --ahs---- C:\Program Files\desktop.ini
    2008-05-07 18:20:46 0 d
    C:\Program Files\Windows Calendar
    2008-05-07 18:20:44 0 d
    C:\Program Files\Windows Sidebar
    2008-05-07 18:20:44 0 d
    C:\Program Files\Movie Maker
    2008-05-07 18:20:40 0 d
    C:\Program Files\Windows Photo Gallery
    2008-05-07 18:20:40 0 d
    C:\Program Files\Windows Collaboration
    2008-05-07 18:20:32 0 d
    C:\Program Files\Windows Defender
    2008-05-07 01:42:50 262144 --a
    C:\ntuser.dat
    2008-05-04 16:47:14 0 d
    C:\Users\GRAHAM\AppData\Roaming\SprillBermudeEng
    2008-05-01 10:50:47 0 d
    C:\Users\GRAHAM\AppData\Roaming\Auslogics
    2008-05-01 10:48:22 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-04-28 15:12:22 0 d
    C:\Program Files\Stardock
    2008-04-28 13:50:50 0 d
    C:\Program Files\Windows Flip3D
    2008-04-16 19:08:56 0 d
    C:\Program Files\Kontiki
    2008-04-16 18:29:31 0 d
    C:\Program Files\Channel4
    2008-04-13 18:16:00 0 d
    C:\Program Files\SweetIM
    2008-04-10 13:02:36 0 d
    C:\Program Files\Maxis
    2008-04-09 20:19:09 0 d
    C:\Program Files\Common Files\Nero
    2008-04-09 16:44:09 0 d
    C:\Program Files\LEGO Media
    2008-04-09 16:08:27 0 d
    C:\Program Files\Unity
    2008-04-09 15:27:23 0 d
    C:\Program Files\SuperTuxKart
    2008-04-09 13:44:59 0 d
    C:\Program Files\Kasparov Chessmate
    2008-04-09 12:58:47 0 d
    C:\Program Files\Hexacto
    2008-04-09 12:50:43 0 d
    C:\Program Files\Hidden Expedition Everest
    2008-04-09 12:48:15 0 d
    C:\Program Files\BeJeweled 2 Deluxe
    2008-04-09 12:47:59 16 --a
    C:\Windows\popcinfo.dat
    2008-04-09 12:44:08 0 d
    C:\Program Files\Mystery P.I. - The Vegas Heist
    2008-04-08 18:11:30 0 d
    C:\Program Files\NeroInstall.bak
    2008-04-08 18:07:50 0 d
    C:\Users\GRAHAM\AppData\Roaming\Nero
    2008-04-08 18:00:24 0 d
    C:\Program Files\Nero
    2008-04-08 16:52:17 0 d
    C:\Program Files\eread7.0
    2008-04-08 16:52:11 0 d
    C:\Program Files\real
    2008-04-08 15:19:50 0 d
    C:\Users\GRAHAM\AppData\Roaming\Opera
    2008-04-08 15:19:32 0 d
    C:\Program Files\Opera 9
    2008-04-07 18:53:54 0 d
    C:\Program Files\Devastation Zone Troopers
    2008-04-07 17:06:16 0 d
    C:\Users\GRAHAM\AppData\Roaming\Malwarebytes
    2008-04-07 15:38:32 0 d
    C:\Program Files\Hyperspace Invader
    2008-04-07 15:38:05 0 d
    C:\Users\GRAHAM\AppData\Roaming\GetRightToGo
    2008-03-28 01:46:22 0 d
    C:\Program Files\Mystery Case Files - Madame Fate
    2008-03-28 01:45:00 0 d
    C:\Program Files\Bricks Of Atlantis
    2008-03-28 01:43:04 0 d
    C:\Program Files\Bricks Of Egypt
    2008-03-27 17:48:59 0 d
    C:\Users\GRAHAM\AppData\Roaming\Uniblue
    2008-03-27 17:48:22 0 d
    C:\Program Files\Uniblue
    2008-03-27 16:56:41 24576 --a
    C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
    2008-03-27 13:24:38 0 d
    C:\Program Files\Trend Micro
    2008-03-26 15:52:40 0 d
    C:\Program Files\PC-home
    2008-03-26 12:40:01 0 d
    C:\Users\GRAHAM\AppData\Roaming\Adobe
    2008-03-25 14:47:22 0 d
    C:\Program Files\Acer GameZone
    2008-03-25 14:18:30 0 d
    C:\Users\GRAHAM\AppData\Roaming\Chessmaster Challenge
    2008-03-24 18:04:59 0 d
    C:\Users\GRAHAM\AppData\Roaming\Wormux
    2008-03-24 17:44:27 0 d
    C:\Program Files\Wormux
    2008-03-23 03:11:50 0 d
    C:\Program Files\Lavasoft
    2008-03-23 02:40:43 2560 --a
    C:\Windows\_MSRSTRT.EXE
    2008-03-21 19:43:08 0 d
    C:\Users\GRAHAM\AppData\Roaming\Big Fish Games
    2008-03-19 13:11:57 0 --a
    C:\Windows\nsreg.dat
    2008-03-18 02:41:51 65536 --a
    C:\Windows\IFinst27.exe
    2008-03-17 20:57:41 0 -rahs---- C:\MSDOS.SYS
    2008-03-17 20:57:41 0 -rahs---- C:\IO.SYS
    2008-03-17 19:53:32 122880 --a
    C:\Windows\system32\DreamScene.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
    28/06/2007 17:25 57344 --a
    C:\Program Files\eread7.0\IEeREAD.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
    10/03/2008 12:08 81920 --a
    C:\Program Files\eread7.0\WebHook.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    27/03/2008 14:12 1164600 --a
    C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [27/03/2008 14:12 1164600]

    [-HKEY_CLASSES_ROOT\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21/03/2007 21:00]
    "RtHDVCpl"="RtHDVCpl.exe" [06/07/2007 20:06 C:\Windows\RtHDVCpl.exe]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/05/2007 22:09]
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [22/06/2007 02:25]
    "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [12/07/2007 03:52]
    "VisualTooltip"="C:\Program Files\Windows Tooltip\VisualToolTip.exe" [17/03/2008 13:53]
    "WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [05/11/2006 22:48]
    "Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [24/01/2008 10:22]
    "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" []
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [11/02/2008 20:13]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11/02/2008 20:13]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [11/02/2008 20:13]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"=2 (0x2)
    "EnableLUA"=0 (0x0)
    "EnableUIADesktopToggle"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableLockWorkstation"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @="IEEE 1394 Bus host controllers"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @="SBP2 IEEE 1394 Devices"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @="SecurityDevices"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
    backup=C:\Windows\pss\Empowering Technology Launcher.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^GRAHAM^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Silent Hunter III.LNK]
    backup=C:\Windows\pss\Registration Silent Hunter III.LNK.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
    LocalServiceNoNetwork PLA DPS BFE mpssvc


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- Hosts

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8300 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-05-21 12:43:12
  • edited May 2008
    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    AV: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab) Disabled
    AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled Outdated
    AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled Outdated
    AS: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab) Disabled

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- End of Deckard's System Scanner: finished at 2008-05-21 12:43:12
  • edited May 2008
    And finally a HJThis log file. Thanks for your help, Thomas.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:55:23, on 21/05/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Windows Tooltip\VisualToolTip.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eread7.0\IEeREAD.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eread7.0\WebHook.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\Windows Tooltip\VisualToolTip.exe
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9089 bytes
  • edited May 2008
    Looks good. Not really sure about the removal of that C:\escwsa folder just now. If you look through the OTMoveIt log list, do you recognize the use (like Sophos mentioned) of that folder?

    Let's do a follow up scan to be sure, but no undesirables/malware showing at this point except that IM toolbar.


    Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

    Post back that log please.
  • edited May 2008
    I will, thanks Thomas. The laptop seems to be 99% back to its old self now, but I can no longer change backgrounds, screensavers or even look at the Security Center because "rundll32.exe cannot be found". Is this serious? I want to sort this before I try to scan again.
  • edited May 2008
    One of the files we removed very likely has an unseen registry setting redirecting the rundll32.exe "image", so without that malware file the error shows. If you check C:\Windows\System32, you will, I assume, still be able to locate the file itself, which is a necessary Windows system file (if not, be sure to let me know).


    Click here to download Bobbi Flekman's Regsearch.zip to your desktop. Then unzip that, and click on the regsearch.exe to run the tool. In the display panel, copy and paste the following into the upper box:

    rundll32.exe

    Then click Okay. Once the scan completes a textbox will open - copy/paste those contents back here please (the RegSearch.txt log can also be found in the same location as the regsearch.exe file you clicked).

    If the log results in one too large for posting here, just zip a copy of it and send it to jintan@cfl.rr.com as an attachment. Please place "Submitted Files - Uppy" as the email Subject.
  • edited June 2008
    That's sorted, I'll post a Kaspersky log in a minute; the msserver is still there (btw, sorry for the late reply).
  • edited June 2008
    Here is the scan. This seemed to go away, then I had to leave for two weeks, and when I came back it had returned. It's doing my head in, Thomas mate.

    KASPERSKY ONLINE SCANNER REPORT
    Monday, June 02, 2008 4:00:11 PM
    Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 2/06/2008
    Kaspersky Anti-Virus database records: 821940

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 124995
    Number of viruses found: 3
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 02:10:35

    Infected Object Name / Virus Name / Last Action
    C:\Boot\BCD Object is locked skipped
    C:\Boot\BCD.LOG Object is locked skipped
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\ProgramData\Kontiki\error.log Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.Crwl Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.ci Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wsb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy5.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfF131.tmp Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfF151.tmp Object is locked skipped
    C:\ProgramData\Symantec\Common Client\settings.dat Object is locked skipped
    C:\ProgramData\Symantec\LiveUpdate\2008-06-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\ProgramData\Symantec\Shared\QBackup\index.qbs Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtETmp\07D1ECA9.TMP Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtETmp\280EC727.TMP Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtETmp\D2F0E6A2.TMP Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SubEng\submissions.idx Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDALRT.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDCON.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDDBG.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDFW.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDIDS.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDSYS.log Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Acer Arcade\Log\Trace20080602.log Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8OWDBTO\kb456456[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat{43f6fa88-f312-11dc-a5a1-0016d3ed3510}.TM.blf Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat{43f6fa88-f312-11dc-a5a1-0016d3ed3510}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat{43f6fa88-f312-11dc-a5a1-0016d3ed3510}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
    C:\Users\GRAHAM\NTUSER.DAT Object is locked skipped
    C:\Users\GRAHAM\ntuser.dat.LOG1 Object is locked skipped
    C:\Users\GRAHAM\ntuser.dat.LOG2 Object is locked skipped
    C:\Users\GRAHAM\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
    C:\Users\GRAHAM\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\GRAHAM\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\Debug\PASSWD.LOG Object is locked skipped
    C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\Windows\System32\buanyyex.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
    C:\Windows\System32\catroot2\edb.log Object is locked skipped
    C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
    C:\Windows\System32\cfamrytr.dll Infected: Trojan.Win32.Obfuscated.auw skipped
    C:\Windows\System32\config\COMPONENTS Object is locked skipped
    C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
    C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
    C:\Windows\System32\config\DEFAULT Object is locked skipped
    C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
    C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
    C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
    C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
    C:\Windows\System32\config\RegBack\SAM Object is locked skipped
    C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
    C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
    C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
    C:\Windows\System32\config\SAM Object is locked skipped
    C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
    C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
    C:\Windows\System32\config\SECURITY Object is locked skipped
    C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
    C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
    C:\Windows\System32\config\SOFTWARE Object is locked skipped
    C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
    C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
    C:\Windows\System32\config\SYSTEM Object is locked skipped
    C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
    C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
    C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
    C:\Windows\System32\drivers\sptd.sys Object is locked skipped
    C:\Windows\System32\hjybyfmt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
    C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
    C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
    C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
    C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
    C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
    C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
    C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
    C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
    C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
    C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
    C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped
    C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
    C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
    C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
    C:\Windows\Temp\CLML_AGENT_LOG1.txt Object is locked skipped
    C:\Windows\Temp\sqlite_ByteTdlwl8kABJ4 Object is locked skipped

    Scan process completed.
  • edited June 2008
    Mostly normally locked system functions, but a few bad files remaining. Overall pretty good at this point as far as active infection goes.


    Click OTMoveIt2.exe to run it again.

    Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or right-click and choose Copy):
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8OWDBTO
    C:\Windows\System32\buanyyex.dll
    C:\Windows\System32\cfamrytr.dll
    C:\Windows\System32\hjybyfmt.dll
    

    Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".


    Then run a new Kaspersky scan, and post that along with the OTMoveIt log please.
  • edited June 2008
    Thanks mate, here is the log:
    Folder move failed. C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8OWDBTO scheduled to be moved on reboot.
    DllUnregisterServer procedure not found in C:\Windows\System32\buanyyex.dll
    C:\Windows\System32\buanyyex.dll NOT unregistered.
    C:\Windows\System32\buanyyex.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Windows\System32\cfamrytr.dll
    C:\Windows\System32\cfamrytr.dll NOT unregistered.
    C:\Windows\System32\cfamrytr.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Windows\System32\hjybyfmt.dll
    C:\Windows\System32\hjybyfmt.dll NOT unregistered.
    C:\Windows\System32\hjybyfmt.dll moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06022008_204855

    Files moved on Reboot...
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8OWDBTO moved successfully.


    The MSServer and its weird DLLs (f020blahblah and BMfblah) seem to be back here though.
  • edited June 2008
    Here is a new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:58:10, on 02/06/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Windows Tooltip\VisualToolTip.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\GRAHAM\AppData\Local\Temp\RtkBtMnt.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: (no name) - {1EC2458E-31DE-4EE1-B95B-0AEE93598ABC} - C:\Windows\system32\jkkKBqOG.dll
    O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eread7.0\IEeREAD.dll
    O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\Windows\system32\leaotrcq.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eread7.0\WebHook.dll
    O2 - BHO: {11c16fd9-17f8-feda-79e4-62c54b98eb97} - {79be89b4-5c26-4e97-adef-8f719df61c11} - C:\Windows\system32\ccmdjchh.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\Windows Tooltip\VisualToolTip.exe
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nnnlLdBT.dll,#1
    O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\rbilfcxx.dll",b
    O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\ftubvuej.dll",s
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\UTorrent\utorrent.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Windows\
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 11095 bytes
  • edited June 2008
    Post the Kaspersky scan when done please.
  • edited June 2008
    Oops, sorry, I misread that about the Kaspersky log; thought you said HijackThis, dunno why.

    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, June 03, 2008 2:55:01 AM
    Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 2/06/2008
    Kaspersky Anti-Virus database records: 821972

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 125112
    Number of viruses found: 3
    Number of infected objects: 11
    Number of suspicious objects: 0
    Duration of the scan process: 01:24:05

    Infected Object Name / Virus Name / Last Action
    C:\Boot\BCD Object is locked skipped
    C:\Boot\BCD.LOG Object is locked skipped
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\ProgramData\Kontiki\error.log Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.Crwl Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.ci Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wsb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy5.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfFB6E.tmp Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfFB9D.tmp Object is locked skipped
    C:\ProgramData\Symantec\Common Client\settings.dat Object is locked skipped
    C:\ProgramData\Symantec\LiveUpdate\2008-06-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\ProgramData\Symantec\Shared\QBackup\index.qbs Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtETmp\12642325.TMP Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtETmp\2CDA552C.TMP Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SubEng\submissions.idx Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDALRT.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDCON.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDDBG.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDFW.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDIDS.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDSYS.log Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Acer Arcade\Log\Trace20080602.log Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat{43f6fa88-f312-11dc-a5a1-0016d3ed3510}.TM.blf Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat{43f6fa88-f312-11dc-a5a1-0016d3ed3510}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Microsoft\Windows\UsrClass.dat{43f6fa88-f312-11dc-a5a1-0016d3ed3510}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Mozilla\Firefox\Profiles\7wonu4y4.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Mozilla\Firefox\Profiles\7wonu4y4.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Mozilla\Firefox\Profiles\7wonu4y4.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Mozilla\Firefox\Profiles\7wonu4y4.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Users\GRAHAM\AppData\Local\Mozilla\Firefox\Profiles\7wonu4y4.default\urlclassifier3.sqlite Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\cert8.db Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\content-prefs.sqlite Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\cookies.sqlite Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\downloads.sqlite Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\formhistory.sqlite Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\key3.db Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\parent.lock Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\permissions.sqlite Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\places.sqlite Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\places.sqlite-journal Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\places.sqlite-stmtjrnl Object is locked skipped
    C:\Users\GRAHAM\AppData\Roaming\Mozilla\Firefox\Profiles\7wonu4y4.default\search.sqlite Object is locked skipped
    C:\Users\GRAHAM\NTUSER.DAT Object is locked skipped
    C:\Users\GRAHAM\ntuser.dat.LOG1 Object is locked skipped
    C:\Users\GRAHAM\ntuser.dat.LOG2 Object is locked skipped
    C:\Users\GRAHAM\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
    C:\Users\GRAHAM\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\GRAHAM\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\Debug\PASSWD.LOG Object is locked skipped
    C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\Windows\System32\catroot2\edb.log Object is locked skipped
    C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
    C:\Windows\System32\config\COMPONENTS Object is locked skipped
    C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
    C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
    C:\Windows\System32\config\DEFAULT Object is locked skipped
    C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
    C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
    C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
    C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
    C:\Windows\System32\config\RegBack\SAM Object is locked skipped
    C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
    C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
    C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
    C:\Windows\System32\config\SAM Object is locked skipped
    C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
    C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
    C:\Windows\System32\config\SECURITY Object is locked skipped
    C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
    C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
    C:\Windows\System32\config\SOFTWARE Object is locked skipped
    C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
    C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
    C:\Windows\System32\config\SYSTEM Object is locked skipped
    C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
    C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
    C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
    C:\Windows\System32\ctpafrqe.dll Infected: Trojan.Win32.Obfuscated.auw skipped
    C:\Windows\System32\drivers\sptd.sys Object is locked skipped
    C:\Windows\System32\eoqjrtqw.dll Infected: Trojan.Win32.Obfuscated.auw skipped
    C:\Windows\System32\guroaalg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
    C:\Windows\System32\leaotrcq.dll Infected: Trojan.Win32.Obfuscated.auw skipped
    C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
    C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
    C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
    C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
    C:\Windows\System32\pbehdclt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
    C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
    C:\Windows\System32\svenvdyu.dll Infected: Trojan.Win32.Obfuscated.auw skipped
    C:\Windows\System32\tgqpuogn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
    C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
    C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
    C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
    C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
    C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
    C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped
    C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
    C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
    C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
    C:\Windows\Temp\CLML_AGENT_LOG1.txt Object is locked skipped
    C:\Windows\Temp\sqlite_vIbPEgG1rNPEDHE Object is locked skipped
    C:\_OTMoveIt\MovedFiles\06022008_204855\Users\GRAHAM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8OWDBTO\kb635111[1] Infected: Trojan.Win32.Obfuscated.auw skipped
    C:\_OTMoveIt\MovedFiles\06022008_204855\Windows\System32\buanyyex.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
    C:\_OTMoveIt\MovedFiles\06022008_204855\Windows\System32\cfamrytr.dll Infected: Trojan.Win32.Obfuscated.auw skipped
    C:\_OTMoveIt\MovedFiles\06022008_204855\Windows\System32\hjybyfmt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped

    Scan process completed.
  • edited June 2008
    Looks more like HijackThis is corrupted than a return of malware, but we'll check. Kaspersky located mostly normally locked system files, but also additional malware to remove. Not likely active files though.

    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


    Open OTMoveIt again.

    Copy the file paths below to the clipboard (by highlighting ALL of them and pressing CTRL + C, or right-click and choose Copy):
    C:\Windows\System32\ctpafrqe.dll
    C:\Windows\System32\eoqjrtqw.dll
    C:\Windows\System32\guroaalg.dll
    C:\Windows\System32\leaotrcq.dll
    C:\Windows\System32\pbehdclt.dll
    C:\Windows\System32\svenvdyu.dll
    C:\Windows\System32\tgqpuogn.dll
    

    Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".


    Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the OTMoveIt log please.
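    The lines the helper singled out for OTMoveIt all share one pattern that is visible in the HijackThis logs in this thread: O4 Run values (MSServer, f02085f7, BMf313b66b) that launch rundll32.exe against a randomly named DLL in System32 via an ordinal (#1) or a one-letter export (b, s), plus "(no name)" or GUID-named O2 BHOs loading from System32. The script below is an added example, not the helper's tool or anything posted in this thread: it applies those two heuristics to a constructed sample of HijackThis-style lines modelled on the thread and turns the hits into the kind of one-path-per-line list OTMoveIt expects. The sample lines, the regular expressions and the "ordinal or single-letter export" rule are assumptions for illustration; a bare DLL name such as oobefldr.dll with a named export is deliberately left alone.

```python
import re

# Constructed sample modelled on the HijackThis lines quoted in this thread (not a real capture).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {6a47797a-c7d1-fae9-c064-83eafdf1d684} - {486d1fdf-ae38-460c-9eaf-1d7ca79774a6} - C:\Windows\system32\bgugfxbj.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\Windows\system32\leaotrcq.dll (file missing)
O2 - BHO: (no name) - {E35CFC02-0F9A-4780-BDC7-7B76B1BF92E8} - C:\Windows\system32\jkkKBqOG.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJATMGa.dll,#1
O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\rbilfcxx.dll",b
O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\ftubvuej.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# Line shapes of HijackThis O2 (BHO) and O4 (Run key) entries; the patterns are an assumption
# fitted to the log format shown in this thread, not an official grammar.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.IGNORECASE)

SYSTEM32 = "\\windows\\system32\\"


def in_system32(path: str) -> bool:
    """True when the DLL path points into the Windows System32 directory."""
    return SYSTEM32 in path.lower()


def suspicious_entry(entry: str) -> bool:
    """Vundo-style loaders call an ordinal (#1) or a one-letter export (b, s);
    legitimate rundll32 autoruns name a real export (e.g. ShowWelcomeCenter)."""
    return bool(re.fullmatch(r"#\d+|[A-Za-z]", entry))


def scan_hjt(text: str) -> list:
    """Return a list of findings, one dict per suspicious O2/O4 line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name, path = m["name"], m["path"]
            # A BHO with no name (or a GUID as its name) that lives in System32 is not
            # how any vendor ships a toolbar helper; flag it, noting if it is already gone.
            if in_system32(path) and (name == "(no name)" or GUID_RE.match(name)):
                findings.append({"item": "O2", "dll": path, "missing": bool(m["missing"]),
                                 "why": "anonymous BHO loaded from System32"})
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.match(m["cmd"])
        if r and in_system32(r["dll"]) and suspicious_entry(r["entry"]):
            findings.append({"item": "O4", "dll": r["dll"], "missing": False,
                             "why": f"rundll32 autorun [{m['value']}] calls export {r['entry']!r}"})
    return findings


def dll_names(findings: list) -> list:
    """Sorted file names of the flagged DLLs (handy for comparing against an AV report)."""
    return sorted(f["dll"].rsplit("\\", 1)[-1] for f in findings)


def otmoveit_list(findings: list) -> list:
    """Paste list for OTMoveIt: one full path per line, only files still present on disk."""
    return sorted({f["dll"] for f in findings if not f["missing"]})


if __name__ == "__main__":
    hits = scan_hjt(SAMPLE_LOG)
    for f in hits:
        print(f"{f['item']}  {f['dll']}  ({f['why']}{', file missing' if f['missing'] else ''})")
    print("\nOTMoveIt paste list:")
    print("\n".join(otmoveit_list(hits)))
```

    Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file contents. The export-name rule is what makes this usable across reboots: Vundo renames its DLLs, but the Run values keep calling them through an ordinal or a one-letter entry point, so the same check catches the next generation too.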
  • edited June 2008
    ot log:

    DllUnregisterServer procedure not found in C:\Windows\System32\ctpafrqe.dll
    C:\Windows\System32\ctpafrqe.dll NOT unregistered.
    C:\Windows\System32\ctpafrqe.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Windows\System32\eoqjrtqw.dll
    C:\Windows\System32\eoqjrtqw.dll NOT unregistered.
    C:\Windows\System32\eoqjrtqw.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Windows\System32\guroaalg.dll
    C:\Windows\System32\guroaalg.dll NOT unregistered.
    C:\Windows\System32\guroaalg.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Windows\System32\leaotrcq.dll
    C:\Windows\System32\leaotrcq.dll NOT unregistered.
    C:\Windows\System32\leaotrcq.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Windows\System32\pbehdclt.dll
    C:\Windows\System32\pbehdclt.dll NOT unregistered.
    C:\Windows\System32\pbehdclt.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Windows\System32\svenvdyu.dll
    C:\Windows\System32\svenvdyu.dll NOT unregistered.
    C:\Windows\System32\svenvdyu.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Windows\System32\tgqpuogn.dll
    C:\Windows\System32\tgqpuogn.dll NOT unregistered.
    C:\Windows\System32\tgqpuogn.dll moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06032008_175448
  • edited June 2008
    dss log:

    Deckard's System Scanner v20071014.68
    Run by GRAHAM on 2008-06-03 18:00:56
    Computer is in Normal Mode.

    Percentage of Memory in Use: 85% (more than 75%).
    Total Physical Memory: 1014 MiB (1024 MiB recommended).


    -- HijackThis (run as GRAHAM.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:02:21, on 03/06/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Windows Tooltip\VisualToolTip.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\explorer.exe
    C:\Users\GRAHAM\Desktop\OTMoveIt2.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe
    C:\Users\GRAHAM\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\GRAHAM.exe
    C:\Windows\system32\DllHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eread7.0\IEeREAD.dll
    O2 - BHO: {6a47797a-c7d1-fae9-c064-83eafdf1d684} - {486d1fdf-ae38-460c-9eaf-1d7ca79774a6} - C:\Windows\system32\bgugfxbj.dll
    O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\Windows\system32\leaotrcq.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eread7.0\WebHook.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: (no name) - {E35CFC02-0F9A-4780-BDC7-7B76B1BF92E8} - C:\Windows\system32\jkkKBqOG.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\Windows Tooltip\VisualToolTip.exe
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJATMGa.dll,#1
    O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\rbilfcxx.dll",b
    O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\ftubvuej.dll",s
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Windows\
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 11219 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080327-162909-199 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\kpffrbkj.dll",b
    backup-20080327-162909-372 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvuvu.dll,#1
    backup-20080327-162909-804 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\shwpghud.dll",s
    backup-20080327-224256-328 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\rtkdujdv.dll",s
    backup-20080507-124818-445 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b
    backup-20080521-112255-633 O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
    backup-20080521-112255-638 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pMdcbayV.dll,#1
    backup-20080521-112255-799 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\fwwaovmq.dll",b
    backup-20080521-112255-910 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\fhsslhao.dll",s
    backup-20080602-132808-189 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\buanyyex.dll",s
    backup-20080602-132808-584 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\hjybyfmt.dll",b
    backup-20080602-132808-737 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\urQGyvwv.dll,#1
    backup-20080602-163616-164 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\byXPGXPG.dll,#1
    backup-20080602-163616-736 O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\tgqpuogn.dll",b
    backup-20080602-163616-894 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\guroaalg.dll",s
    backup-20080602-203818-650 O4 - HKLM\..\Run: [BMf313b66b] Rundll32.exe "C:\Windows\system32\invketbt.dll",s
    backup-20080602-203818-733 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\hGVpNeeF.dll,#1

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

    S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - \??\c:\windows\system32\drivers\nsdriver.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 eLockService (eLock Service) - c:\acer\empowering technology\elock\service\elockserv.exe <Not Verified; Acer Inc.; Acer eLock Management>
    R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>
    R2 MobilityService - c:\acer\mobility center\mobilityservice.exe -p

    S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>


    -- Device Manager: Disabled

    No disabled devices found.


    -- Scheduled Tasks

    2008-06-03 17:49:48 420 --ah
    C:\Windows\Tasks\User_Feed_Synchronization-{03177A81-9EA3-4093-8624-B9421D1A4CA2}.job
    2008-06-02 22:06:26 490 --a
    C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - GRAHAM.job
    2008-05-26 18:35:40 266 --a
    C:\Windows\Tasks\Uniblue SpyEraser Nag.job
    2008-05-07 02:24:26 272 --a
    C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job
    2008-04-08 16:59:50 388 --a
    C:\Windows\Tasks\Uniblue SpyEraser.job
    2008-03-18 03:23:13 394 --a
    C:\Windows\Tasks\Uniblue SpeedUpMyPC.job


    -- Files created between 2008-05-03 and 2008-06-03

    2008-06-03 17:48:20 59904 --a
    C:\Windows\system32\ljJATMGa.dll
    2008-06-02 21:12:47 133120 --a
    C:\Windows\system32\bgugfxbj.dll
    2008-06-02 20:43:38 115200 --a
    C:\Windows\system32\rbilfcxx.dll
    2008-06-02 20:40:37 125952 --a
    C:\Windows\system32\ftubvuej.dll
    2008-06-02 20:34:14 125952 --a
    C:\Windows\system32\invketbt.dll
    2008-06-02 14:00:09 0 d
    C:\Program Files\Duke Nukem - Manhattan Project
    2008-06-02 13:18:16 0 d
    C:\Users\All Users\Kaspersky Lab
    2008-06-02 13:18:14 0 d
    C:\Windows\system32\Kaspersky Lab
    2008-06-02 13:06:05 132096 --a
    C:\Windows\system32\ccmdjchh.dll
    2008-06-02 13:04:04 0 d
    C:\Program Files\Wellgames.com
    2008-06-02 13:02:08 499049 --ahs---- C:\Windows\system32\GOqBKkkj.ini2
    2008-06-02 13:02:04 373248 --a
    C:\Windows\system32\jkkKBqOG.dll
    2008-06-01 11:10:12 0 d
    C:\Program Files\Huawei technologies
    2008-05-22 15:25:30 415504 --a
    C:\Windows\system32\MSREPL35.DLL <Not Verified; Microsoft Corporation; Microsoft® Access>
    2008-05-22 15:25:30 252176 --a
    C:\Windows\system32\MSRD2X35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
    2008-05-22 15:25:30 24848 --a
    C:\Windows\system32\MSJTER35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
    2008-05-22 15:25:30 123664 --a
    C:\Windows\system32\MSJINT35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
    2008-05-22 15:25:30 1046288 --a
    C:\Windows\system32\MSJET35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
    2008-05-22 15:25:29 441856 --a
    C:\Windows\system32\VCFIWZ5.dll <Not Verified; Sybase, Visual Components; First Impression® Chart Wizard>
    2008-05-22 15:25:28 803680 --a
    C:\Windows\system32\AXDIST.EXE <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    2008-05-22 15:25:09 0 d
    C:\Program Files\QFIT
    2008-05-22 14:14:26 0 d
    C:\Program Files\Poker Superstars III
    2008-05-22 13:42:11 0 d
    C:\Program Files\Sultan of Persia
    2008-05-22 11:33:10 0 d
    C:\Windows\Sherlock Holmes - The Mystery of the Persian Carpet
    2008-05-22 11:33:10 0 d
    C:\Program Files\Sherlock Holmes - The Mystery of the Persian Carpet
    2008-05-21 22:18:53 1863280 --a
    C:\Windows\system32\SWAquarium.scr <Not Verified; nufsoft.com; Nature Illusion Screensaver>
    2008-05-21 20:13:48 0 d
    C:\Program Files\Norton Internet Security
    2008-05-21 20:10:08 0 d
    C:\Program Files\Symantec
    2008-05-21 19:15:54 0 d
    C:\Program Files\Brutal Chess
    2008-05-21 18:22:08 286720 --a
    C:\Windows\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller>
    2008-05-21 13:20:36 0 d
    C:\Program Files\Kasparov Chessmate
    2008-05-11 17:07:43 0 d
    C:\Users\All Users\SpecialBit Games
    2008-05-08 21:28:41 0 d
    C:\kav
    2008-05-08 18:52:59 0 d
    C:\Users\All Users\WindowsSearch
    2008-05-08 18:21:11 0 d
    C:\GRAHAM
    2008-05-08 17:36:03 0 d
    C:\Program Files\TrojanHunter 5.0
    2008-05-08 15:05:24 0 d
    C:\Program Files\Hawaiian Explorer Pearl Harbor
    2008-05-08 10:48:48 0 d
    C:\Program Files\Alwil Software
    2008-05-07 18:15:05 0 d
    C:\PerfLogs
    2008-05-07 14:52:39 0 d
    C:\Program Files\SpywareBlaster
    2008-05-07 00:24:22 0 d
    C:\Kontiki
    2008-05-06 23:51:51 0 d
    C:\Program Files\Trojan Killer


    -- Find3M Report

    2008-06-02 20:55:26 0 d
    C:\Users\GRAHAM\AppData\Roaming\uTorrent
    2008-06-02 14:01:46 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-05-26 15:20:58 0 d
    C:\Users\GRAHAM\AppData\Roaming\Games
    2008-05-22 14:17:17 0 d
    C:\Users\GRAHAM\AppData\Roaming\funkitron
    2008-05-21 21:32:35 0 d
    C:\Program Files\Common Files\Symantec Shared
    2008-05-21 20:41:21 0 d
    C:\Program Files\Common Files
    2008-05-21 20:02:38 0 d
    C:\Program Files\Opera 9
    2008-05-21 18:14:07 0 d
    C:\Program Files\Microsoft Silverlight
    2008-05-21 13:02:38 0 d
    C:\Program Files\Mozilla Firefox 3 Beta 4
    2008-05-20 12:38:11 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-20 12:35:38 0 d
    C:\Program Files\Trojan Remover
    2008-05-20 12:34:27 0 d
    C:\Users\GRAHAM\AppData\Roaming\SUPERAntiSpyware.com
    2008-05-20 12:34:27 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-20 12:34:25 0 d
    C:\Program Files\SUPERAntiSpyware
    2008-05-17 10:37:01 0 d
    C:\Users\GRAHAM\AppData\Roaming\SpinTop
    2008-05-17 10:22:19 0 d
    C:\Program Files\Windows Mail
    2008-05-11 17:32:05 0 d
    C:\Program Files\Haunted Hotel
    2008-05-08 21:18:07 0 d
    C:\Users\GRAHAM\AppData\Roaming\MahJong Suite
    2008-05-08 20:16:38 0 d
    C:\Users\GRAHAM\AppData\Roaming\TrojanHunter
    2008-05-08 20:16:22 0 d
    C:\Program Files\Cooking Quest
    2008-05-08 19:14:48 0 d
    C:\Program Files\Anti Trojan Elite
    2008-05-07 19:11:16 0 d
    C:\Program Files\Space Taxi 2
    2008-05-07 18:38:13 174 --ahs---- C:\Program Files\desktop.ini
    2008-05-07 18:20:46 0 d
    C:\Program Files\Windows Calendar
    2008-05-07 18:20:44 0 d
    C:\Program Files\Windows Sidebar
    2008-05-07 18:20:44 0 d
    C:\Program Files\Movie Maker
    2008-05-07 18:20:40 0 d
    C:\Program Files\Windows Photo Gallery
    2008-05-07 18:20:40 0 d
    C:\Program Files\Windows Collaboration
    2008-05-07 18:20:32 0 d
    C:\Program Files\Windows Defender
    2008-05-07 01:42:50 262144 --a
    C:\ntuser.dat
    2008-05-04 16:47:14 0 d
    C:\Users\GRAHAM\AppData\Roaming\SprillBermudeEng
    2008-05-01 10:50:47 0 d
    C:\Users\GRAHAM\AppData\Roaming\Auslogics
    2008-05-01 10:50:33 0 d
    C:\Program Files\Auslogics
    2008-04-29 11:10:54 0 d
    C:\Program Files\Agatha Christie Peril At End House
    2008-04-29 11:07:15 0 d
    C:\Program Files\Dream Chronicles 2 - The Eternal Maze
    2008-04-29 11:06:33 0 d
    C:\Program Files\Sprill The Mystery of The Bermuda Triangle
    2008-04-29 10:36:42 0 d
    C:\Program Files\Curse of the Pharaoh
    2008-04-29 10:34:03 0 d
    C:\Program Files\Escape
    2008-04-29 10:32:03 0 d
    C:\Program Files\Agatha Christie-Death On The Nile
    2008-04-28 15:12:22 0 d
    C:\Program Files\Stardock
    2008-04-28 15:12:22 0 d
    C:\Program Files\Common Files\Stardock
    2008-04-28 15:06:10 0 d
    C:\Program Files\RocketDock
    2008-04-28 13:50:50 0 d
    C:\Program Files\Windows Flip3D
    2008-04-16 19:08:56 0 d
    C:\Program Files\Kontiki
    2008-04-16 18:29:31 0 d
    C:\Program Files\Channel4
    2008-04-13 18:16:00 0 d
    C:\Program Files\SweetIM
    2008-04-10 13:02:36 0 d
    C:\Program Files\Maxis
    2008-04-09 20:19:09 0 d
    C:\Program Files\Common Files\Nero
    2008-04-09 16:44:09 0 d
    C:\Program Files\LEGO Media
    2008-04-09 16:08:27 0 d
    C:\Program Files\Unity
    2008-04-09 15:27:23 0 d
    C:\Program Files\SuperTuxKart
    2008-04-09 12:58:47 0 d
    C:\Program Files\Hexacto
    2008-04-09 12:50:43 0 d
    C:\Program Files\Hidden Expedition Everest
    2008-04-09 12:48:15 0 d
    C:\Program Files\BeJeweled 2 Deluxe
    2008-04-09 12:47:59 16 --a
    C:\Windows\popcinfo.dat
    2008-04-09 12:44:08 0 d
    C:\Program Files\Mystery P.I. - The Vegas Heist
    2008-04-08 18:11:30 0 d
    C:\Program Files\NeroInstall.bak
    2008-04-08 18:07:50 0 d
    C:\Users\GRAHAM\AppData\Roaming\Nero
    2008-04-08 18:00:24 0 d
    C:\Program Files\Nero
    2008-04-08 16:52:17 0 d
    C:\Program Files\eread7.0
    2008-04-08 16:52:11 0 d
    C:\Program Files\real
    2008-04-08 15:19:50 0 d
    C:\Users\GRAHAM\AppData\Roaming\Opera
    2008-04-07 18:53:54 0 d
    C:\Program Files\Devastation Zone Troopers
    2008-04-07 17:06:16 0 d
    C:\Users\GRAHAM\AppData\Roaming\Malwarebytes
    2008-04-07 15:38:32 0 d
    C:\Program Files\Hyperspace Invader
    2008-04-07 15:38:05 0 d
    C:\Users\GRAHAM\AppData\Roaming\GetRightToGo
    2008-03-27 16:56:41 24576 --a
    C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
    2008-03-23 02:40:43 2560 --a
    C:\Windows\_MSRSTRT.EXE
    2008-03-19 13:11:57 0 --a
    C:\Windows\nsreg.dat
    2008-03-18 02:41:51 65536 --a
    C:\Windows\IFinst27.exe
    2008-03-17 20:57:41 0 -rahs---- C:\MSDOS.SYS
    2008-03-17 20:57:41 0 -rahs---- C:\IO.SYS
    2008-03-17 19:53:32 122880 --a
    C:\Windows\system32\DreamScene.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
    28/06/2007 17:25 57344 --a
    C:\Program Files\eread7.0\IEeREAD.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{486d1fdf-ae38-460c-9eaf-1d7ca79774a6}]
    02/06/2008 21:12 133120 --a
    C:\Windows\system32\bgugfxbj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
    C:\Windows\system32\leaotrcq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
    10/03/2008 12:08 81920 --a
    C:\Program Files\eread7.0\WebHook.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E35CFC02-0F9A-4780-BDC7-7B76B1BF92E8}]
    02/06/2008 13:02 373248 --a
    C:\Windows\system32\jkkKBqOG.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [27/03/2008 14:12 1164600]

    [-HKEY_CLASSES_ROOT\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21/03/2007 21:00]
    "RtHDVCpl"="RtHDVCpl.exe" [06/07/2007 20:06 C:\Windows\RtHDVCpl.exe]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/05/2007 22:09]
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [22/06/2007 02:25]
    "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [12/07/2007 03:52]
    "VisualTooltip"="C:\Program Files\Windows Tooltip\VisualToolTip.exe" [17/03/2008 13:53]
    "WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [05/11/2006 22:48]
    "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" []
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [11/02/2008 20:13]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11/02/2008 20:13]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [11/02/2008 20:13]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/01/2007 20:59]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [29/01/2008 17:38]
    "MSServer"="C:\Windows\system32\ljJATMGa.dll" [02/06/2008 12:56]
    "f02085f7"="C:\Windows\system32\rbilfcxx.dll" [02/06/2008 20:43]
    "BMf313b66b"="C:\Windows\system32\ftubvuej.dll" [02/06/2008 20:40]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"=2 (0x2)
    "EnableLUA"=0 (0x0)
    "EnableUIADesktopToggle"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableLockWorkstation"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"= C:\Windows\system32\ljJATMGa.dll [02/06/2008 12:56 59904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\Windows\system32\jkkKBqOG

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @=&quot;Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @=&quot;Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @=&quot;Volume shadow copy"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @=&quot;IEEE 1394 Bus host controllers"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @=&quot;SBP2 IEEE 1394 Devices"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @=&quot;SecurityDevices"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
    backup=C:\Windows\pss\Empowering Technology Launcher.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^GRAHAM^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Silent Hunter III.LNK]
    backup=C:\Windows\pss\Registration Silent Hunter III.LNK.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
    C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
    C:\Program Files\Kontiki\KHost.exe -all

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    "C:\Program Files\UTorrent\utorrent.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
    LocalServiceNoNetwork PLA DPS BFE mpssvc


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41dc7d19-f425-11dc-bc5b-0016d3ed3510}]
    AutoRun\command- F:\CDSTART.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f83215cb-2fc1-11dd-b3c0-0016d3ed3510}]
    AutoRun\command- G:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f83215f6-2fc1-11dd-b3c0-0016d3ed3510}]
    AutoRun\command- G:\AutoRun.exe

    *Newly Created Service* - COMHOST

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- Hosts

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8300 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-06-03 18:09:18
  • edited June 2008
    You are downloading and installing torrents there, on an infected system during repairs?

    2008-06-02 20:55:26 0 d
    C:\Users\GRAHAM\AppData\Roaming\uTorrent

    2008-06-02 14:00:09 0 d
    C:\Program Files\Duke Nukem - Manhattan Project

    Y'know, every single log posted so far has shown more and more changes you have added or made, and the infection is not getting removed. Gotta be square with you - it is not looking like we are heading for success right now.
  • edited June 2008
    oh, well I didn't know I couldn't do other things. Right, what should we do? Give up? Reformat? :( sorry