11-01-2008, 02:53 AM   #1
Registered User
Join Date: Dec 2007
Posts: 11
OS: XP

CPU usage @ 100%

*** REDIRECTED FROM WINXP SUPPORT INDICATING MALWARE ISSUE***

Hi -

There's plenty to be said about CPU usage at 100%, but it all seems pretty specific to the user and mine is no exception - by the way, it's taken a good 15 mins and a few IE crashes to get this far!

Some background
OS XP - SP3
3.4GHZ P4
1GB RAM
200GB HDD

No apps open apart from IE

CPU Usage 100% PF Usage 502MB (not sure what this is)

Top 3 processes eating CPU usage (give or take)

ULCDRSvr.exe - 45% (I do have Ulead installed & have had for a year or so)
WKUFind.exe - 35% (Seems MS related - so not sure if I should kill it)
CSRSS.exe - 21% (Most sites indicate MS related but a few indicate a virus!)

I've bought and run a registry cleaner, which took over 24 hours to run and a further 12 to clean. I use Kaspersky Internet Security v8 - all up to date - and run Ad-Aware 08.

Any thoughts - coz I'm at my wits' end (albeit glad this post didn't crash my PC!)

Many thanks in advance

The GMER text is pasted below as I can't attach it. Info is attached.

Can't thank anyone enough for any assistance.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-31 18:02:33
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA60481A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xAA604DC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xAA60682A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xAA6061E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xAA603F90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA60818C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xAA604BC2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xAA6043D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xAA6045D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xAA6064EC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xAA608698]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xAA6046E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xAA604750]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xAA6063A2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xAA607C50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xAA60603C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xAA6040F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xAA6049E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xAA6081B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xAA60493E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xAA6047B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA6044BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xAA60429A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xAA607EB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xAA603C12]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA6070B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xAA603D74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xAA608568]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xAA603A10]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xAA6066CC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xAA604CC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xAA607D4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xAA6081E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xAA604148]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xAA6082C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xAA6083F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xAA607B7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xAA604A92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xAA604B04]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CA4 12 Bytes [ C4, 82, 60, AA, F0, 83, 60, ... ]
.text ntoskrnl.exe!IoIsOperationSynchronous 804EAFAE 5 Bytes JMP AA61B3D6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804F4593 5 Bytes JMP AA61B01C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)

---- User code sections - GMER 1.0.14 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[964] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[964] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [ 70, 11, 41, 6D ]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1828] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1828] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [ 70, 11, 41, 6D ]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[2672] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[2672] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [ 70, 11, 41, 6D ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6DDEDF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6DDEDF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\ws2ifsl.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\usbccgp.sys[NTOSKRNL.EXE!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\point32.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\kbdhid.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F6DDED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00135238
IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001351D3
IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 001351A1
IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe[528] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004052EC
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00405238
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004051D3
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 004051A1
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 004055AD
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 004055AD
IAT C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[924] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004052EC
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 007A52EC
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 007A52EC
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 007A5238
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 007A51D3
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 007A51A1
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 007A5877
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 007A52EC
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 007A55AD
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 007A5877
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 007A5877
IAT C:\WINDOWS\system32\services.exe[1244] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 007A55AD
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00FD52EC
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00FD5238
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00FD51D3
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00FD51A1
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00FD5238
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00FD52EC
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00FD5238
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00FD51D3
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00FD55AD
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00FD5877
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00FD5877
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00FD55AD
IAT C:\WINDOWS\system32\lsass.exe[1256] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00FD5877
IAT C:\WINDOWS\system32\svchost.exe[1440] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00F951A1
IAT C:\WINDOWS\system32\svchost.exe[1508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00BD52EC
IAT C:\WINDOWS\system32\svchost.exe[1508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00BD5238
IAT C:\WINDOWS\system32\svchost.exe[1508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00BD51D3
IAT C:\WINDOWS\system32\svchost.exe[1508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00BD51A1
IAT C:\WINDOWS\system32\svchost.exe[1508] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00BD55AD
IAT C:\WINDOWS\system32\svchost.exe[1508] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00BD5877
IAT C:\WINDOWS\system32\svchost.exe[1508] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00BD5877
IAT C:\WINDOWS\system32\svchost.exe[1508] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00BD55AD
IAT C:\WINDOWS\system32\svchost.exe[1508] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00BD5877
IAT C:\WINDOWS\system32\svchost.exe[1508] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00BD52EC
IAT C:\WINDOWS\System32\svchost.exe[1620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 03C852EC
IAT C:\WINDOWS\System32\svchost.exe[1620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 03C85238
IAT C:\WINDOWS\System32\svchost.exe[1620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 03C851D3
IAT C:\WINDOWS\System32\svchost.exe[1620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 03C851A1
IAT C:\WINDOWS\System32\svchost.exe[1620] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 03C855AD
IAT C:\WINDOWS\System32\svchost.exe[1620] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 03C85877
IAT C:\WINDOWS\System32\svchost.exe[1620] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 03C85877
IAT C:\WINDOWS\System32\svchost.exe[1620] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 03C855AD
IAT C:\WINDOWS\System32\svchost.exe[1620] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 03C85877
IAT C:\WINDOWS\System32\svchost.exe[1620] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 03C852EC
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 006852EC
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00685238
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 006851D3
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 006851A1
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 006855AD
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00685877
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00685877
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 006855AD
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00685877
IAT C:\WINDOWS\system32\svchost.exe[1652] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 006852EC
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00135238
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001351D3
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 001351A1
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2244] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B852EC
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B85238
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B851D3
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B851A1
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B855AD
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00B85877
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B852EC
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00B85877
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B855AD
IAT C:\WINDOWS\System32\alg.exe[2312] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00B85877
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004052EC
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00405238
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004051D3
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 004051A1
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 004055AD
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 004055AD
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\WINDOWS\System32\svchost.exe[2608] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004052EC
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00135238
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001351D3
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 001351A1
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe[2620] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004052EC
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00405238
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004051D3
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 004051A1
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004052EC
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 004055AD
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\Program Files\Messenger\msmsgs.exe[3000] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 004055AD
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00135238
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001351D3
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 001351A1
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3168] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00135238
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001351D3
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 001351A1
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\iPod\bin\iPodService.exe[3220] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00135238
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001351D3
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 001351A1
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\Explorer.EXE [USER32.dll!TranslateMessage] 00D85877
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00D852EC
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00D85238
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00D851D3
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00D851A1
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00D855AD
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00D85877
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00D85877
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00D85877
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00D855AD
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00D852EC
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004052EC
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00405238
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004051D3
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 004051A1
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 004055AD
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004052EC
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 004055AD
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405877
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00135238
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001351D3
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 001351A1
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135877

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.14 ----

Thread 532:3864 00365125
Thread 532:3084 003A5125
Thread 532:2384 00525125
Thread 2364:3560 00405125
Thread 2364:2956 002A5125

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\twain_32 0 bytes
File C:\WINDOWS\system32\twain_32\local.ds 22803 bytes
File C:\WINDOWS\system32\twain_32\user.ds 0 bytes
File C:\WINDOWS\system32\twext.exe 52224 bytes executable

---- EOF - GMER 1.0.14 ----
Attached Files
File Type: txt info.txt (17.7 KB, 1 views)
Molmeister is offline  
Old 11-01-2008, 10:40 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: CPU usage @ 100%

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that
sUBs is offline  
Old 11-04-2008, 11:34 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 11
OS: XP


Re: CPU usage @ 100%

sUBs -

Here's the log...I've uninstalled ULead as it seemed to be hogging CPU usage plus another symptom of my troubles is...
I am unable to access other users' spaces from the initial screen. Whichever user I click on first, I can see their desktop, but going back to the initial screen, when I click on another user's icon it just goes to a blue screen and then reverts to the screen with the icons. If I log out and go to that user I can enter their desktop, but again on switching user, no dice.
There are no error messages.


Log Dump is as follows - Many thanks 4 taking the time to review

ComboFix 08-11-03.06 - Tim 2008-11-04 18:11:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.536 [GMT 0:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\program files\FunWebProducts
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
L:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-04 15:05 . 2008-11-04 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-11-04 15:03 . 2008-11-04 15:03 <DIR> d-------- c:\program files\Common Files\iS3
2008-11-04 15:03 . 2008-11-04 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-02 13:51 . 2008-11-02 13:51 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-02 13:47 . 2008-11-02 19:34 <DIR> d-------- c:\program files\NOS
2008-11-02 13:47 . 2008-11-02 19:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-10-31 22:40 . 2008-11-02 13:59 1,750 --a------ c:\windows\system32\%LocalXml%
2008-10-31 19:47 . 2008-10-31 19:47 <DIR> d-------- c:\program files\Lavasoft
2008-10-31 17:25 . 2008-10-31 17:25 250 --a------ c:\windows\gmer.ini
2008-10-31 17:21 . 2008-10-31 17:21 <DIR> d-------- C:\rsit
2008-10-31 17:21 . 2008-10-31 17:21 <DIR> d-------- c:\program files\trend micro
2008-10-31 11:30 . 2008-10-31 11:30 <DIR> d-------- c:\documents and settings\Tim\Application Data\System Tweaker
2008-10-31 11:17 . 2008-10-31 11:19 <DIR> d-------- c:\documents and settings\Sammy
2008-10-29 10:52 . 2008-11-04 17:52 <DIR> d-------- c:\program files\Uniblue
2008-10-27 21:12 . 2004-08-03 22:41 404,990 --a------ c:\windows\system32\drivers\slntamr.sys
2008-10-27 21:12 . 2004-08-03 22:41 404,990 --a--c--- c:\windows\system32\dllcache\slntamr.sys
2008-10-27 21:12 . 2004-08-03 22:41 95,424 --a------ c:\windows\system32\drivers\slnthal.sys
2008-10-27 21:12 . 2004-08-03 22:41 95,424 --a--c--- c:\windows\system32\dllcache\slnthal.sys
2008-10-27 21:12 . 2008-04-14 01:12 73,796 --a------ c:\windows\system32\slserv.exe
2008-10-27 21:12 . 2008-04-14 01:12 73,796 --a--c--- c:\windows\system32\dllcache\slserv.exe
2008-10-27 21:12 . 2008-04-14 01:12 32,866 --a--c--- c:\windows\system32\dllcache\slrundll.exe
2008-10-27 21:12 . 2008-04-14 01:12 32,866 --a------ c:\windows\slrundll.exe
2008-10-24 16:21 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-16 13:52 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 13:52 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 13:52 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 13:52 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-16 13:52 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-16 13:52 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-04 18:30 950,304 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-11-04 18:30 4,594,720 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-04 18:30 4,328 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-11-04 18:30 36,976 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-02 13:49 --------- d-----w c:\program files\Common Files\Adobe
2008-11-02 13:28 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-11-01 07:51 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-10-31 19:50 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 19:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-27 21:54 --------- d-----w c:\program files\Google
2008-10-27 21:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-27 21:05 --------- d-----w c:\program files\Abacast
2008-10-20 17:56 9,548 ----a-w c:\documents and settings\Toy\Application Data\wklnhst.dat
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-05 10:17 --------- d-----w c:\documents and settings\All Users\Application Data\Acronis
2008-09-05 10:13 --------- d-----w c:\documents and settings\Toy\Application Data\Nokia Multimedia Player
2008-04-14 00:11 178,688 ----a-r c:\documents and settings\Sam\Application Data\twext.exe
2008-03-24 10:36 0 ----a-w c:\documents and settings\Charlotte\Application Data\wklnhst.dat
2008-03-16 09:14 19,622 ----a-w c:\documents and settings\Tim\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-09 2595792]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-09 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-09 136472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-12-30 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]

[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^Sky Alerts.lnk]
path=c:\documents and settings\Tim\Start Menu\Programs\Startup\Sky Alerts.lnk
backup=c:\windows\pss\Sky Alerts.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--------- 2003-06-09 23:11 50688 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-28 11:51 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
--a------ 2007-04-10 21:46 709992 c:\windows\vVX1000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-09-16 18:39 69632 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Streamload\\MediaMax XL\\MediaMax XL.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;c:\windows\system32\DRIVERS\tdrpman.sys [2008-07-21 368480]
R2 TryAndDecideService;Acronis Try And Decide Service;c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2008-04-09 492896]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 VX1000;VX-1000;c:\windows\system32\DRIVERS\VX1000.sys [2007-04-10 1966312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{541241c9-e1ec-11dc-9bef-0016e6949159}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-02 c:\windows\Tasks\AdwareAlert Scheduled Scan.job
- c:\program files\AdwareAlert\AdwareAlert.exe []

2008-11-02 c:\windows\Tasks\AdwareAlert Scheduled Scan.job
- c:\program files\AdwareAlert []

2008-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-03 c:\windows\Tasks\User_Feed_Synchronization-{00AF2119-2240-4640-90C9-E2566154122A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\29atcpyr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 19:18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Streamload\MediaMax XL\StreamloadService.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-04 19:26:54 - machine was rebooted [Tim]
ComboFix-quarantined-files.txt 2008-11-04 19:26:48

Pre-Run: 149,888,507,904 bytes free
Post-Run: 151,337,107,456 bytes free

195 --- E O F --- 2008-10-24 16:35:07
Molmeister is offline  
Old 11-04-2008, 01:01 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: CPU usage @ 100%

High cpu usage is from the zbot infection as indicated by the GMER scan.

Quote:
File C:\WINDOWS\system32\twain_32 0 bytes
File C:\WINDOWS\system32\twain_32\local.ds 22803 bytes
File C:\WINDOWS\system32\twain_32\user.ds 0 bytes
File C:\WINDOWS\system32\twext.exe 52224 bytes executable
Quote:
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
ComboFix took out the infection but there's only one straggler remaining.

c:\documents and settings\Sam\Application Data\twext.exe


Let's clear loose ends.

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"c:\windows\Tasks\AdwareAlert Scheduled Scan.job"
"c:\documents and settings\Sam\Application Data\twext.exe"
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0
Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
sUBs is offline  
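The cross-check sUBs did by hand above (GMER's Files section against ComboFix's deletions, leaving one straggler) as an added Python example that is not part of the thread, GMER or ComboFix; the sample log lines are constructed from the excerpts quoted in this thread, and the artefact patterns are only the two file shapes named in the posts.

```python
"""Cross-check GMER's "Files" section against a ComboFix log for the Zbot
artefacts named in this thread. Added example, not code from the thread,
GMER or ComboFix; the sample logs are constructed from quoted excerpts.
"""
from __future__ import annotations

import re

# Artefact shapes this Zbot variant leaves behind, as quoted by sUBs:
#   <dir>\twain_32\{local.ds,user.ds}   config / harvested-data store
#   <dir>\twext.exe                     the bot executable
ZBOT_PATTERNS = [
    re.compile(r"\\twain_32(\\(local|user)\.ds)?$", re.IGNORECASE),
    re.compile(r"\\twext\.exe$", re.IGNORECASE),
]

# A Windows path as GMER/ComboFix print it: drive letter, then any run of
# characters (spaces allowed) up to GMER's " <n> bytes" suffix or end of line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?(?=\s+\d+ bytes|\s*$)")

# ComboFix section banners look like "(((((( Other Deletions ))))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def extract_paths(log: str) -> list[str]:
    """First Windows path on each line, lower-cased (paths are case-insensitive)."""
    paths = []
    for line in log.splitlines():
        m = PATH_RE.search(line)
        if m:
            paths.append(m.group(0).strip().lower())
    return paths


def is_zbot_artifact(path: str) -> bool:
    return any(p.search(path) for p in ZBOT_PATTERNS)


def combofix_sections(log: str) -> dict[str, list[str]]:
    """Split a ComboFix log into {section name: lines} using its banners."""
    sections: dict[str, list[str]] = {"Header": []}
    current = "Header"
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def find_stragglers(gmer_log: str, combofix_log: str) -> dict[str, list[str]]:
    """Bucket the Zbot artefacts: seen by GMER, deleted by ComboFix,
    still listed by ComboFix, or never mentioned by ComboFix at all."""
    seen = {p for p in extract_paths(gmer_log) if is_zbot_artifact(p)}
    deleted: set[str] = set()
    present: set[str] = set()
    for name, lines in combofix_sections(combofix_log).items():
        for p in extract_paths("\n".join(lines)):
            if is_zbot_artifact(p):
                (deleted if name == "Other Deletions" else present).add(p)
    return {
        "seen": sorted(seen),
        "deleted": sorted(deleted),
        # Listed by ComboFix outside the deletion block: still on disk.
        "confirmed_present": sorted(present),
        # GMER saw it but ComboFix neither deleted nor listed it: verify by hand.
        "unconfirmed": sorted(seen - deleted - present),
    }


# Constructed sample input: the GMER Files section quoted in post #4.
GMER_FILES = r"""---- Files - GMER 1.0.14 ----
File C:\WINDOWS\system32\twain_32 0 bytes
File C:\WINDOWS\system32\twain_32\local.ds 22803 bytes
File C:\WINDOWS\system32\twain_32\user.ds 0 bytes
File C:\WINDOWS\system32\twext.exe 52224 bytes executable
"""

# Constructed sample input: a trimmed ComboFix log from post #3.
COMBOFIX_LOG = r"""((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))
c:\documents and settings\LocalService\Application Data\twain_32
c:\program files\FunWebProducts
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
L:\Autorun.inf
(((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))
2008-04-14 00:11 178,688 ----a-r c:\documents and settings\Sam\Application Data\twext.exe
"""

if __name__ == "__main__":
    for bucket, paths in find_stragglers(GMER_FILES, COMBOFIX_LOG).items():
        print(f"{bucket}:")
        for p in paths:
            print(f"  {p}")
```

On the sample data the system32 twext.exe lands in the "unconfirmed" bucket, since ComboFix's deletion block never lists it, which is exactly the kind of gap worth checking by hand before declaring a machine clean.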
Old 11-04-2008, 01:05 PM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: CPU usage @ 100%

Quote:
I've bought and run a registry cleaner, which took over 24 hours to run and a further 12 to clean, I use
The above statement worries me more than the malware. Please be advised that ALL Registry Cleaners are prone to causing massive damage/corruption to the Registry. The Registry is the single most important component in your Operating System. Once corrupted, the best recourse is to perform a wipe of the machine. Unfortunately, the corruption is seldom evident immediately. It manifests itself as inexplicable issues further down the road. If the tool has an undo function, exercise it now.
sUBs is offline  
Old 11-04-2008, 02:19 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 11
OS: XP


Re: CPU usage @ 100%

re fix.bat ...."deleted successfully!!"

re registry cleaner, lesson learned...no undo as I've uninstalled it after reading reg cleaner articles...hum...I feel I'm digging a big hole for myself!
Molmeister is offline  
Old 11-04-2008, 07:24 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: CPU usage @ 100%

Would you like to undo the changes it made? If so, we can invoke System Restore to a point before running the Reg cleaner. That also means we need to re-do the ComboFix run.
sUBs is offline  
Old 11-05-2008, 03:07 AM   #8 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 11
OS: XP


Re: CPU usage @ 100%

sUBs

V/Good advice - I can run that from the utility within XP and then re-run your Combo fix. I'll re-post the log when I have. Sounds like a plan??

I am not able to do it now but will do when I finish work...Thanks again - your time is appreciated.
Molmeister is offline  
Old 11-06-2008, 04:35 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 11
OS: XP


Re: CPU usage @ 100%

sUBs - slight delay as I've been stuck at work for a day or two (big probs!) -

Question - I've backed everything up (external HDD); do you think I might as well format and reinstall the OS (etc.)?
Molmeister is offline  
Old 11-06-2008, 04:45 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: CPU usage @ 100%

Well, there's no malware present. We sorted that part out. So reinstalling may seem a bit of a waste.

Then again, a freshly formatted machine really does perform better.
But you probably need at least a week to re-install all your other apps & get the machine back to the way you like.

Ball is in your court
sUBs is offline  
Copyright 2001 - 2009, Tech Support Forum