Google search results hijacked.

[megarich]

Hi,

The problem:

When I do a search using Google the results show but when I click on one of he results I takes me to a different page to the search result.

Firstly in the address bar is an IP address of 89.149.227 .......

then it usually goes to a www.daily-search.com....page

I have been through the 5 steps and the only step that doesnt preform is the Panda online scan. It shuts down 1.2 way throught the scan and closes all open explorer windows.

I am using Avast but closed it prior to scanning.

DSS results are below

Thanks

[megarich]

Deckard's System Scanner v20071014.68
Run by richard on 2007-12-29 15:24:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as richard.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:27 p.m., on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\richard\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\richard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flightbookings.airnewzealand.co.nz/vgrabview/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DBF2EDA-FD4C-4454-8868-6BF39EA405C3} - C:\WINDOWS\system32\commdl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nsd1A4.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [wixard] C:\WINDOWS\ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/.../GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171065830437
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB052D82-5706-46DD-9F73-E61F77E59CA0}: NameServer = 202.180.64.9,202.180.64.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

--
End of file - 8680 bytes

-- Files created between 2007-11-29 and 2007-12-29 -----------------------------

2007-12-28 15:19:44 8576 --a------ C:\WINDOWS\system32\drivers\iwthbsgxhyyl.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-28 14:58:27 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-28 14:57:21 8576 --a------ C:\WINDOWS\system32\drivers\ejpbiurxoyaq.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-28 14:24:47 0 d-------- C:\Program Files\Lavasoft
2007-12-28 14:24:47 0 d-------- C:\Program Files\jv16 PowerTools 2007
2007-12-28 13:08:55 0 d-------- C:\WINDOWS\pss
2007-12-28 13:03:27 0 d-------- C:\Program Files\Trend Micro
2007-12-28 12:18:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft(2)
2007-12-28 12:00:31 0 d-------- C:\Program Files\SpywareBlaster
2007-12-28 10:27:17 0 d-------- C:\ie-spyad_zo
2007-12-28 10:08:23 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-25 16:24:28 0 d-------- C:\Program Files\MOBILedit!
2007-12-25 16:08:01 0 d-------- C:\Program Files\Common Files\Download Manager
2007-12-25 12:21:24 19456 --a------ C:\WINDOWS\system32\drivers\kvtwanvb.dat
2007-12-25 10:15:57 84992 --a------ C:\WINDOWS\system32\commdl.dll
2007-12-23 11:59:04 0 d-------- C:\Program Files\Bluetooth Remote Control
2007-12-22 15:52:39 0 d-------- C:\Program Files\pocketConvert
2007-12-17 16:41:43 0 d-------- C:\WINDOWS\SWImport Xtra Cache
2007-12-13 19:39:37 0 d-------- C:\Program Files\GPLGS
2007-12-13 19:38:30 0 d-------- C:\Program Files\Acro Software
2007-12-13 10:54:42 0 d-------- C:\Program Files\Pocket e-Sword
2007-12-12 22:37:20 0 d-------- C:\Program Files\BitPim
2007-12-12 18:25:06 0 d-------- C:\Program Files\Windows Mobile Device Handbook
2007-12-10 12:25:59 0 d-------- C:\Program Files\Shockwave.com
2007-12-09 16:20:41 0 d-------- C:\Documents and Settings\richard\Application Data\IDMComp
2007-12-09 16:20:15 0 d-------- C:\Program Files\IDM Computer Solutions


-- Find3M Report ---------------------------------------------------------------

2007-12-29 14:39:40 0 d-------- C:\Program Files\Windows Defender
2007-12-29 14:38:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-28 14:31:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-25 16:08:01 0 d-------- C:\Program Files\Common Files
2007-12-25 1041 0 d-------- C:\Program Files\Infogrames Interactive
2007-12-12 18:26:47 2528 --a------ C:\Documents and Settings\richard\Application Data\$_hpcst$.hpc
2007-12-10 09:22:10 0 d-------- C:\Documents and Settings\richard\Application Data\Macromedia
2007-12-08 17:47:38 0 d-------- C:\Program Files\Winamp
2007-12-08 10:41:24 0 d-------- C:\Program Files\BitLord
2007-11-29 14:52:57 0 d-------- C:\Program Files\SpeedFan
2007-11-19 19:47:58 0 d-------- C:\Program Files\SanDisk
2007-11-19 19:47:34 0 d-------- C:\Program Files\Common Files\Apple
2007-11-19 19:47:23 0 d-------- C:\Program Files\Memeo
2007-11-19 19:47:20 0 d-------- C:\Program Files\LanSpeed2
2007-11-19 19:47:20 0 d-------- C:\Program Files\HTML Password Lock
2007-11-19 19:19:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-15 09:24:07 0 d-------- C:\Program Files\FTP Commander
2007-11-12 0922 0 d-------- C:\Program Files\Google
2007-11-06 19:34:50 23 --ahs---- C:\WINDOWS\system32\ceeaa3_r.dll
2007-11-06 19:32:30 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-11-06 19:22:36 0 d-------- C:\Program Files\Real
2007-11-01 09:39:23 0 d-------- C:\Program Files\LimeWire
2007-10-31 12:55:24 0 d-------- C:\Program Files\VirtualDJ
2007-10-31 07:15:42 139264 --a------ C:\WINDOWS\system32\dont think need this one nsd1A4.dll
2007-10-28 08:33:20 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-10-27 16:29:52 8456 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-13 11:08:30 73728 --a------ C:\WINDOWS\ALCFDRTM.EXE <Not Verified; Realtek Semiconductor Corp.; Realtek ALCFDRTM>
2007-10-05 09:17:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DBF2EDA-FD4C-4454-8868-6BF39EA405C3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C8A568E-4201-478a-8536-526CF371D2E2}]
C:\WINDOWS\system32\nsd1A4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 01:07 a.m.]
"nwiz"="nwiz.exe" [17/09/2007 01:07 a.m. C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 01:07 a.m.]
"Avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/12/2007 02:00 a.m.]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:56 a.m. C:\WINDOWS\system32\bthprops.cpl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wixard"="C:\WINDOWS\ALCWZRD.EXE" [15/09/2004 11:20 a.m.]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 02:00 p.m.]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [13/11/2006 01:39 p.m.]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 1:01:04 a.m.]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a6c77db-b7ea-11db-bcc8-806d6172696f}]
AutoRun\command- D:\autorun.exe




-- End of Deckard's System Scanner: finished at 2007-12-29 15:25:49 ------------

[tetonbob]

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   Link 3
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disconnect from the internet....pull the plug!
   
3. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
4. Double click on combofix.exe & follow the prompts. Type 1, then press Enter to start the fix.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
8. Re-establish an internet connection.
   
9. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
   
   ---------------------------------------------------------------------------------------------

[megarich]

Hi,

Google search now working fine.

my commdl.dll virus problem is also now gone (http://www.techsupportforum.com/secu...-new-post.html)

Thaks for your help. Here are the logs

_____________________________________________________________________


ComboFix 08-01-02.1 - richard 2008-01-02 16:42:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1076 [GMT 13:00]
Running from: C:\Documents and Settings\richard\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\richard\Application Data\macromedia\Flash Player\#SharedObjects\25NXQLFE\iforex.com
C:\Documents and Settings\richard\Application Data\macromedia\Flash Player\#SharedObjects\25NXQLFE\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\richard\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\richard\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\system32\commdl.dll
C:\WINDOWS\system32\drivers\kvtwanvb.dat
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_INZZZMLP
-------\inzzzmlp


((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-02 16:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 23:43 . 2008-01-01 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 22:55 . 2008-01-01 22:55 12,296,456 --------- C:\AVG7QT.DAT
2008-01-01 22:52 . 2008-01-01 23:30 <DIR> d-------- C:\Documents and Settings\richard\Application Data\AVG7
2008-01-01 22:51 . 2008-01-01 22:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-01 22:51 . 2008-01-01 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-01 22:51 . 2008-01-02 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-29 14:59 . 2007-12-29 14:59 <DIR> d-------- C:\Deckard
2007-12-28 15:19 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\iwthbsgxhyyl.sys
2007-12-28 14:58 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-28 14:57 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\ejpbiurxoyaq.sys
2007-12-28 14:44 . 2007-12-29 14:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-28 14:44 . 2007-12-29 14:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-28 14:44 . 2007-12-29 14:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-28 14:24 . 2007-12-28 14:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-28 14:24 . 2007-12-28 14:24 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2007-12-28 13:03 . 2007-12-28 13:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 12:18 . 2007-12-28 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft(2)
2007-12-28 12:00 . 2007-12-29 15:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-28 10:27 . 2007-12-28 10:27 <DIR> d-------- C:\ie-spyad_zo
2007-12-28 10:08 . 2007-12-29 14:38 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-25 16:24 . 2007-12-25 16:26 <DIR> d-------- C:\Program Files\MOBILedit!
2007-12-25 16:08 . 2007-12-25 16:08 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-24 08:15 . 2004-08-03 23:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2007-12-24 08:15 . 2004-08-03 23:10 38,016 --a------ C:\WINDOWS\system32\dllcache\bthmodem.sys
2007-12-24 08:09 . 2004-08-03 23:10 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-12-24 08:09 . 2004-08-03 23:10 274,304 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2007-12-24 08:09 . 2004-08-03 23:10 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2007-12-24 08:09 . 2004-08-03 23:10 18,944 --a------ C:\WINDOWS\system32\dllcache\bthusb.sys
2007-12-23 11:59 . 2007-12-25 20:11 <DIR> d-------- C:\Program Files\Bluetooth Remote Control
2007-12-22 15:52 . 2007-12-22 15:55 <DIR> d-------- C:\Program Files\pocketConvert
2007-12-17 16:41 . 2007-12-17 16:41 <DIR> d-------- C:\WINDOWS\SWImport Xtra Cache
2007-12-17 16:41 . 2007-12-17 16:41 24 --a------ C:\WINDOWS\SWImport Xtra.PRF
2007-12-13 19:39 . 2007-12-13 19:39 <DIR> d-------- C:\Program Files\GPLGS
2007-12-13 19:38 . 2007-12-13 19:38 <DIR> d-------- C:\Program Files\Acro Software
2007-12-13 19:38 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2007-12-13 10:54 . 2007-12-13 10:55 <DIR> d-------- C:\Program Files\Pocket e-Sword
2007-12-12 22:55 . 2007-12-12 22:55 24,904 --a------ C:\bitpim.vcf
2007-12-12 22:37 . 2007-12-12 22:37 <DIR> d-------- C:\Program Files\BitPim
2007-12-12 18:25 . 2007-12-12 18:25 <DIR> d-------- C:\Program Files\Windows Mobile Device Handbook
2007-12-12 18:25 . 2005-10-21 14:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-12-12 18:25 . 2005-10-21 14:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-12-11 18:31 . 2001-08-17 22:36 93,696 --a------ C:\WINDOWS\system32\hpgt42.dll
2007-12-11 18:31 . 2001-08-17 22:36 93,696 --a------ C:\WINDOWS\system32\dllcache\hpgt42.dll
2007-12-11 18:31 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-12-11 18:31 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-12-11 18:31 . 2001-08-17 22:36 32,768 --a------ C:\WINDOWS\system32\hpgtmcro.dll
2007-12-11 18:31 . 2001-08-17 22:36 32,768 --a------ C:\WINDOWS\system32\dllcache\hpgtmcro.dll
2007-12-11 18:31 . 2001-08-17 22:36 31,232 --a------ C:\WINDOWS\system32\hpgt42tk.dll
2007-12-11 18:31 . 2001-08-17 22:36 31,232 --a------ C:\WINDOWS\system32\dllcache\hpgt42tk.dll
2007-12-10 12:25 . 2007-12-22 08:45 <DIR> d-------- C:\Program Files\Shockwave.com
2007-12-09 16:20 . 2007-12-28 09:59 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2007-12-09 16:20 . 2007-12-09 16:20 <DIR> d-------- C:\Documents and Settings\richard\Application Data\IDMComp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 10:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 10:13 --------- d-----w C:\Program Files\SpeedFan
2008-01-01 05:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-30 21:25 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-29 01:39 --------- d-----w C:\Program Files\Windows Defender
2007-12-24 21:06 --------- d-----w C:\Program Files\Infogrames Interactive
2007-12-08 04:47 --------- d-----w C:\Program Files\Winamp
2007-12-07 21:41 --------- d-----w C:\Program Files\BitLord
2007-11-19 06:47 --------- d-----w C:\Program Files\SanDisk
2007-11-19 06:47 --------- d-----w C:\Program Files\Memeo
2007-11-19 06:47 --------- d-----w C:\Program Files\LanSpeed2
2007-11-19 06:47 --------- d-----w C:\Program Files\HTML Password Lock
2007-11-19 06:47 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-19 06:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tanagra
2007-11-19 06:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 20:24 --------- d-----w C:\Program Files\FTP Commander
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 20:06 --------- d-----w C:\Program Files\Google
2007-11-06 06:32 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2007-11-06 06:22 --------- d-----w C:\Program Files\Real
2007-10-12 22:08 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-03-16 23:48 905 ----a-w C:\Program Files\uninstal.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C8A568E-4201-478a-8536-526CF371D2E2}]
C:\WINDOWS\system32\nsd1A4.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wixard"="C:\WINDOWS\ALCWZRD.EXE" [2004-09-15 11:20 2557952]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-01 22:58 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 14:45 36040]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2008-01-01 22:58 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys [2003-06-16 16:07]
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe [2002-05-16 11:17]
R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys [2004-08-03 22:32]
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys []
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys []
S3 athr;Atheros Extensible Wireless LAN device driver;C:\WINDOWS\system32\DRIVERS\athr.sys [2007-01-23 17:25]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-26 06:31]
S3 softctrl;Software Flow Control Driver;C:\WINDOWS\system32\DRIVERS\softctrl.sys [2005-12-12 14:36]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 19:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-02 03:03:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-01 20:00:00 C:\WINDOWS\Tasks\{2AF927E6-0609-487D-904D-5A11BE87A3D8}_MEGARICH_richard.job"
- C:\WINDOWS\system32\mobsync.exeE /Schedule=
"2008-01-01 03:00:01 C:\WINDOWS\Tasks\{313DBD2B-1F2C-4640-9D65-C45B0A0A274B}_MEGARICH_richard.job"
- C:\WINDOWS\system32\mobsync.exeE /Schedule=
"2007-12-28 03:00:02 C:\WINDOWS\Tasks\{6ABBC779-4B9D-4068-85FA-92AAA28FA3FB}_MEGARICH_richard.job"
- C:\WINDOWS\system32\mobsync.exeE /Schedule=
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 16:47:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
wixard = C:\WINDOWS\ALCWZRD.EXE??????????????5???\???W?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-02 16:49:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-02 03:49:36
.
2007-12-28 01:31:20 --- E O F ---


____________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:31 p.m., on 2/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flightbookings.airnewzealand.co.nz/vgrabview/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nsd1A4.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [wixard] C:\WINDOWS\ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/.../GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171065830437
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB052D82-5706-46DD-9F73-E61F77E59CA0}: NameServer = 202.180.64.9,202.180.64.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

--
End of file - 8629 bytes

[tetonbob]

Hi, good to hear. I could see what the problem was, and ComboFix has neutralized it. We do have some more work to do.

P2P - I see you have P2P software ( Limewire, BitLord ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 u3 and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u3-windowsi586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

[megarich]

Result of Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 03, 2008 12:02:36 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/01/2008
Kaspersky Anti-Virus database records: 501366
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 92668
Number of viruses found: 6
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 01:19:56

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\NeroDemo12550\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp10.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp10.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp10.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp12D.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp12D.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp12D.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp20.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp20.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp20.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp28.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp28.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp28.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp5.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp5.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp5.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp7.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp7.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmp7.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmpC.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmpC.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.zm skipped
C:\Deckard\System Scanner\20071229152431\backup\DOCUME~1\richard\LOCALS~1\Temp\tmpC.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02122007-003709.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\richard\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\richard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\richard\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\richard\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\richard\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\richard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\richard\Local Settings\History\History.IE5\MSHist012008010220080103\index.dat Object is locked skipped
C:\Documents and Settings\richard\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\richard\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\richard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\richard\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\richard\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BitLord\Downloads\Nero 7.8.5.0 Ultra\Nero 7.8.5.0 Ultra.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Program Files\BitLord\Downloads\Nero 7.8.5.0 Ultra\Nero 7.8.5.0 Ultra.exe RAR: infected - 1 skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\master.mdf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\model.mdf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\modellog.ldf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\templog.ldf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\LOG\ERRORLOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\kvtwanvb.dat.vir Object is locked skipped
C:\QooBox\Quarantine\catchme2008-01-02_164733.82.zip/kvtwanvb.dat Infected: Rootkit.Win32.Agent.ql skipped
C:\QooBox\Quarantine\catchme2008-01-02_164733.82.zip/commdl.dll Infected: Trojan.Win32.BHO.agz skipped
C:\QooBox\Quarantine\catchme2008-01-02_164733.82.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP23\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_328.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\Our stuff\Downloads\limewire\spbwm 6pluginszip.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
F:\Our stuff\Downloads\limewire\spbwm 6pluginszip.zip ZIP: infected - 1 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP23\change.log Object is locked skipped
F:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0000531.exe/data0001.bin/file77 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0000531.exe/data0001.bin Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP8\A0000531.exe EmbeddedEXE: infected - 2 skipped

Scan process completed.

[megarich]

HijackThis result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:18 a.m., on 3/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flightbookings.airnewzealand.co.nz/vgrabview/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nsd1A4.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [wixard] C:\WINDOWS\ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/.../GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171065830437
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB052D82-5706-46DD-9F73-E61F77E59CA0}: NameServer = 202.180.64.9,202.180.64.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

--
End of file - 7640 bytes

[tetonbob]

This limewire download is infected with adware:

F:\Our stuff\Downloads\limewire\spbwm 6pluginszip.zip

Recommend you delete it.

This item shows as adware (AdTool.Win32.MyWebSearch.bm), but I believe it has an opt-out upon install. Your choice whether you delete it or not:

"C:\Program Files\BitLord\Downloads\Nero 7.8.5.0 Ultra\Nero 7.8.5.0 Ultra.exe"



The other finds by Kaspersky will be addressed by uninstalling ComboFix using the method proscribed below.

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• FIREWALL
  If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here
  
  Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[megarich]

Thank you very much for your assistance.

I thought i was quite safe as I always updated my Av and ran anti spyware regu;ary but it just go to how you.

Thanks again for your help

[tetonbob]

You're welcome for the help.

From testing infections, I know that this infection typically comes from sites that dish up serials (cracks). I'm not saying you did, but...if you do, this will often be the result.

As I stated earlier, P2P programs are another great way to invite the wolf in through the door. If he's invited in past the lock and key (firewall and AV), he will eat.

Surf Safely, and enjoy the New Year with a clean machine.

[megarich]

I have encountered a problem

I cannot now sync my wm5 based pda using active sync


I have not synced it since going through the steps listed above and now i cant.

It connects ok but then just sits there saying it is syncing.

I run the trouble shooter and it says that outlook is not my default mail handler.

I have reinstalled it and made it default but still the same problem

I have uninstalled Mozilla Thunderbird and Firefox, reinstalled outlook again but still no go

I have set up a new partnership between pc and device, still no go.

The troubleshooter for ActiveSync just keeps telling me that Outlook is not my default mail handler

Any ideas?

Cheers

[megarich]

Is there any chance that from doing the above to fix my problems i now no longer have Exchange server on my computer

[tetonbob]

Nothing we've done would account for those issues. I'm afraid I can't offer you any guidance, as I have no experience with PDAs.

You might try Other Hardware Support.

[megarich]

Hi,
sorry havent replied earlier, have just got back from holiday.

I managed to fix it at 2am in the morning.

Reloaded Activesync and away it went.

I'll try putting moxilla back on and see how it goes.

Thanks again for your help.

Richard