Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
12-04-2008, 10:07 AM   #1
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


possible Backdoor.PcClient.jhu infection

Hello,

I'm using a combination of Avast/Spybot/AVG/SpywareBlaster/PeerGuardian and Sygate Personal Firewall, on a Windows XP SP3 PC.


Everything has been fine until earlier today, when AVG found an infection (Backdoor.PcClient.jhu) in a file. The file in question has been on the PC for about 6 months (in which time I must've scanned it with AVG at least 30 times without it ever reporting the infection). I deleted the file as advised by AVG.

After finding this, I decided to run an online Panda Active scan, and it found traces of a Generic Trojan (ID:03862754) in another file. Again I deleted the offending file but am a little bit worried in case either of these trojans have done anything nasty to my setup.

Since this, I've been getting a dreaded blue screen of death when shutting the PC down.

Any help from someone more experienced than myself would be greatly appreciated.

Many thanks



DDS (Version 1.0) - NTFSx86
Run by ANT at 17:54:42.68 on 04/12/2008

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.myspace.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [NvMixerTray] c:\program files\nvidia corporation\nvmixer\NvMixerTray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [Name of App] c:\program files\samsung\fw liveupdate\FWManager.exe r
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: Convert To Image
IE: Download all with iGetter
IE: Download with iGetter
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {3F5168E6-379A-4F8A-8A1F-C5493F27BE69} = 192.168.1.1
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: wbsys.dll
SEH: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-04 17:32 250 a------- c:\windows\gmer.ini
2008-11-30 09:34 <DIR> --d----- c:\program files\Panda Security
2008-11-26 20:22 <DIR> --d----- c:\docume~1\ant\applic~1\REAPER
2008-11-26 20:22 <DIR> --d----- c:\program files\REAPER
2008-11-23 19:59 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-22 15:26 81 a------- c:\windows\WB.ini
2008-11-22 15:13 42,672 a------- c:\windows\system32\wbsys.dll
2008-11-22 15:13 <DIR> --d----- c:\program files\Stardock
2008-11-12 17:42 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:37 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys

==================== Find3M ====================

2008-12-04 17:29 <DIR> --d----- c:\program files\PeerGuardian2
2008-12-04 17:29 <DIR> --d----- c:\docume~1\ant\applic~1\uTorrent
2008-12-03 18:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-03 18:51 <DIR> --d----- c:\docume~1\ant\applic~1\foobar2000
2008-12-03 17:22 <DIR> --d----- c:\program files\Mozilla Sunbird
2008-11-29 17:54 <DIR> --d----- c:\program files\SpywareBlaster
2008-11-18 16:56 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-01 15:43 <DIR> --d----- c:\program files\AlbumArtDownloader
2008-10-29 21:03 <DIR> --d----- c:\docume~1\ant\applic~1\Mp3tag
2008-10-29 19:02 <DIR> --d----- c:\program files\Mp3tag
2008-10-25 19:17 <DIR> --d----- c:\docume~1\ant\applic~1\SharePod
2008-10-25 18:21 <DIR> --d----- c:\program files\iPod
2008-10-20 16:13 <DIR> --d----- c:\program files\Messenger
2008-10-19 15:38 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-19 15:32 <DIR> --d----- c:\program files\Windows NT
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-08-21 10:18 <DIR> --d----- c:\docume~1\ant\applic~1\Songbird2
2008-05-24 14:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Seagate
2008-04-17 14:21 <DIR> --d----- c:\docume~1\ant\applic~1\Propellerhead Software
2008-04-17 14:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2008-04-15 09:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SongbirdVLC
2008-04-15 09:37 <DIR> --d----- c:\docume~1\ant\applic~1\Songbird1
2007-10-31 20:08 <DIR> --d----- c:\docume~1\ant\applic~1\Microsoft Games
2007-10-31 20:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Microsoft Games
2007-09-21 12:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Last.fm
2007-06-29 10:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2007-04-15 12:25 <DIR> --d----- c:\docume~1\ant\applic~1\Ableton
2006-05-10 19:48 <DIR> --d----- c:\docume~1\ant\applic~1\Elaborate Bytes
2006-04-08 08:52 <DIR> --d----- c:\docume~1\ant\applic~1\Symantec

============= FINISH: 17:55:11.70 ===============

P.S. Neither DDS nor GMER has allowed me to create an 'attach' file as mentioned when following the 'First Steps' section. Hence it is not included.
Attached Files
File Type: txt gmer.txt (201.8 KB, 2 views)
#coin-op# is offline  
12-08-2008, 12:11 PM   #2
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Hello and welcome to TSF.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

=======================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

========================

In your next reply, please include

Combofix.txt
Add-Remove Programs.txt.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
12-08-2008, 03:48 PM   #3
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

Firstly, massive thanks for your help. It's really appreciated.

I've followed the guide and attached the two files as requested.

Attached Files
File Type: txt ComboFix.txt (11.7 KB, 1 views)
File Type: txt Add-Remove Programs.txt (4.2 KB, 1 views)
#coin-op# is offline  
12-08-2008, 03:59 PM   #4
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Hi,

You're welcome. I'll copy the logs here and will get back to you when I've reviewed them. Please do not attach the logs unless specifically asked to do so. It makes it harder for us to review them.

ComboFix 08-12-07.04 - ANT 2008-12-08 23:32:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.238 [GMT 0:00]
Running from: c:\documents and settings\ANT\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ANT\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\setup.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 21:07 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-04 17:32 . 2008-12-04 17:32 250 --a------ c:\windows\gmer.ini
2008-12-03 18:51 . 2008-12-03 18:51 <DIR> d-------- c:\program files\Common Files\Java
2008-11-30 09:34 . 2008-11-30 09:34 <DIR> d-------- c:\program files\Panda Security
2008-11-26 20:22 . 2008-12-02 14:38 <DIR> d-------- c:\program files\REAPER
2008-11-26 20:22 . 2008-12-03 18:51 <DIR> d-------- c:\documents and settings\ANT\Application Data\REAPER
2008-11-23 19:59 . 2008-11-23 19:59 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-22 15:26 . 2008-11-22 15:41 81 --a------ c:\windows\WB.ini
2008-11-22 15:13 . 2008-11-22 15:13 <DIR> d-------- c:\program files\Stardock
2008-11-22 15:13 . 2007-07-11 15:06 42,672 --a------ c:\windows\system32\wbsys.dll
2008-11-12 17:42 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:37 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 23:31 --------- d-----w c:\program files\PeerGuardian2
2008-12-08 23:15 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-08 18:15 --------- d-----w c:\program files\Mozilla Sunbird
2008-12-07 20:54 --------- d-----w c:\documents and settings\ANT\Application Data\uTorrent
2008-12-07 20:52 --------- d-----w c:\documents and settings\ANT\Application Data\foobar2000
2008-12-03 18:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 13:25 --------- d-----w c:\program files\Java
2008-11-29 17:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 17:54 --------- d-----w c:\program files\SpywareBlaster
2008-11-18 16:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-01 15:43 --------- d-----w c:\program files\AlbumArtDownloader
2008-10-29 21:03 --------- d-----w c:\documents and settings\ANT\Application Data\Mp3tag
2008-10-29 19:02 --------- d-----w c:\program files\Mp3tag
2008-10-25 19:17 --------- d-----w c:\documents and settings\ANT\Application Data\SharePod
2008-10-25 18:23 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-25 18:21 --------- d-----w c:\program files\iPod
2008-10-25 18:10 --------- d-----w c:\documents and settings\ANT\Application Data\Apple Computer
2008-10-25 17:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-06-30 2376928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-30 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-11-22 15:15 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CTHelper"=CTHELPER.EXE
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"RTBatteryMeter"=c:\program files\VibrateGameDeviceDriver\RFPIcon.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.8.4-enGB-downloader.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2234:TCP"= 2234:TCP:Soulseek
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-07 28544]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2004-08-18 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-08-18 19240]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-09 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-09 20560]
R3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
S2 Upsagent;Upsagent - UPS Monitor;c:\progra~1\Upsmon\Upsag_nt.exe []
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys []
S3 FNETNI2K;FNETNI2K Protocol Driver;\??\c:\windows\system32\FNETNI2K.SYS []
S3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2004-12-16 814464]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd4b38f8-6d49-11d9-8339-806d6172696f}]
\shell\play\command - "c:\program files\iTunes\iTunes.exe" /playCD "%L"

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2006-04-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Name of App - c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe
Notify-AtiExtEvent - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Convert To Image
IE: Download all with iGetter
IE: Download with iGetter
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {3F5168E6-379A-4F8A-8A1F-C5493F27BE69} = 192.168.1.1

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\ANT\Application Data\Mozilla\Firefox\Profiles\1ghrhp4a.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\nptnt.dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(2).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(3).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(4).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(5).dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 23:35:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pgfilter]
"ImagePath"="\??\c:\program files\PeerGuardian2\pgfilter.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2008-12-08 23:36:41
ComboFix-quarantined-files.txt 2008-12-08 23:36:28

Pre-Run: 75,867,987,968 bytes free
Post-Run: 75,995,865,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

186 --- E O F --- 2008-11-12 18:00:48



Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Advanced Diary v1.1 (Build 28)
Album Art Downloader XUI 0.19
AnyDVD
AsusUpdate
ATI Control Panel
ATI Display Driver
Audio Recorder for FREE v5.6
avast! Antivirus
AVG Anti-Spyware 7.5
CloneCD
CrossLoop 2.20
Dawn Of War
Dawn Of War - Winter Assault
Drive Manager
EasyCleaner
EVEREST Home Edition v1.10
Exact Audio Copy 0.95b3
foobar2000 v0.9.5.3
Hotfix for Windows XP (KB952287)
InFlac 1.1.1
iPod for Windows 2006-01-10
Ipswitch WS_FTP Professional 2006
Java(TM) 6 Update 10
Java(TM) 6 Update 7
Last.fm 1.5.1.29527
LG USB Modem driver
Marvell Miniport Driver
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Mozilla Firefox (3.0.4)
Mozilla Sunbird (0.8)
Mozilla Thunderbird (2.0.0.18)
Mp3tag v2.42
MSXML 6.0 Parser (KB933579)
NVIDIA System Utility
NvMixer
Panda ActiveScan 2.0
PeerGuardian 2.0
Power Tab Editor 1.7
PowerDVD
REAPER
Reason 4.0
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy
SpywareBlaster 4.1
Sygate Personal Firewall Pro
The Sims 2
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VirtualCloneDrive
WebFldrs XP
WebReg
Winamp (remove only)
WindowBlinds
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Media Encoder 9 Series
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
XML Paper Specification Shared Components Pack 1.0
Zoo Tycoon 2 - Marine Mania

Last edited by amateur; 12-08-2008 at 04:01 PM.
amateur is offline  
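The ComboFix "Reg Loading Points" section above is what the analyst reads by hand. As an added example (not ComboFix's or TSF's code), here is a small Python triage that parses that section's format and reports the items that matter for this kind of review: a firewall profile switched off, a populated AppInit_DLLs value, firewall exceptions and globally open ports, Run entries given as a bare file name, and services whose image file could not be found. The excerpt it runs on is constructed from lines of the log above; the finding texts, and the reading that an empty `[]` after a service path means the file is absent, are this example's assumptions. Nothing here decides what to remove; that judgement stays with the analyst.

```python
"""Triage a ComboFix-style 'Reg Loading Points' section.

Added example (not ComboFix's or TSF's code). It parses the registry
and service lines in the format ComboFix prints and reports the items an
analyst checks first. The interpretation that an empty '[]' after a
service image path means the file was not found is this example's
assumption.
"""
import re

# Constructed excerpt in ComboFix's format, abbreviated from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\utorrent\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2234:TCP"= 2234:TCP:Soulseek
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-07 28544]
S2 Upsagent;Upsagent - UPS Monitor;c:\progra~1\Upsmon\Upsag_nt.exe []
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys []
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                              # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')                     # "name"=data
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$")  # R0 name;display;image [info]


def parse_section(text):
    """Split the section into registry values [(key, name, data)] and service dicts."""
    values, services = [], []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, image, file_info = m.groups()
            services.append({"start": start, "name": name, "image": image,
                             "file_info": file_info})
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            values.append((current_key, m.group(1), m.group(2)))
    return values, services


def image_path(data):
    """First token of a Run value with its quotes removed ('' if none)."""
    tokens = data.split()
    return tokens[0].strip('"') if tokens else ""


def triage(text):
    """Return the findings an analyst would look at first, as strings."""
    values, services = parse_section(text)
    findings = []
    for key, name, data in values:
        lkey = key.lower()
        if name.lower() == "appinit_dlls" and data.strip():
            findings.append(f"AppInit_DLLs={data}: loaded into every process that "
                            f"maps user32.dll, so it must be accounted for")
        elif name == "EnableFirewall" and data.startswith("0"):
            findings.append("Windows Firewall standard profile is disabled")
        elif name == "FirewallOverride" and data.endswith("1"):
            findings.append("Security Center firewall monitoring is overridden "
                            "(expected when a third-party firewall is in charge)")
        elif lkey.endswith("authorizedapplications\\list"):
            findings.append(f"firewall exception for application: {name}")
        elif lkey.endswith("globallyopenports\\list"):
            findings.append(f"globally open port: {data}")
        elif lkey.endswith("\\run") and image_path(data) and "\\" not in image_path(data):
            findings.append(f"Run entry {name!r} uses the bare file name "
                            f"{image_path(data)}: resolved via the search path")
    for svc in services:
        if svc["file_info"] == "":   # assumption: ComboFix prints [] when the file is absent
            findings.append(f"service {svc['name']} ({svc['start']}) points to a "
                            f"missing file: {svc['image']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it as a script to list the findings for the constructed excerpt; `triage()` accepts the text of a real log's registry section in the same format. Entries whose data has a full path and a date/size pair, such as the avast! and pavboot lines, produce no finding, which is the point: the output is the short list of things to look at, not a copy of the log.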
12-08-2008, 05:59 PM   #5
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Hi,

In case you don't know, AVG Anti-Spyware 7.5 is an outdated, unsupported program. Thus, it has no value. I would recommend that you remove it via Add/Remove Programs in Control Panel.

=============================

Download ResetTeaTimer
  • Save it to your Desktop.
  • Double-click ResetTeaTimer.zip
  • Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.
------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

==============================
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won't work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Code:
Extra::

File::
c:\windows\Tasks\Symantec NetDetect.job

Folder::
c:\documents and settings\ANT\Application Data\uTorrent
c:\docume~1\ant\applic~1\Symantec

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\utorrent\\utorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2234:TCP"=-

DDS::
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


===============================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

================================

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

===============================

Please post back the combofix.txt and the Kaspersky report. Also, let me know how the computer is running now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 12-09-2008, 11:08 PM   #6 (permalink)
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

Computer seems to be running OK. A little slow, but no blue screen of death on shutdown anymore : )

ComboFix 08-12-07.04 - ANT 2008-12-09 17:34:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.224 [GMT 0:00]
Running from: c:\documents and settings\ANT\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ANT\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Tasks\Symantec NetDetect.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ant\applic~1\Symantec
c:\docume~1\ant\applic~1\Symantec\Shared\MyProfile.UserProfile
c:\docume~1\ant\applic~1\Symantec\Shared\Sessions\20060408085244671.liveReg
c:\documents and settings\ANT\Application Data\uTorrent
c:\documents and settings\ANT\Application Data\uTorrent\apalmer2006-08-02.dpa4061.flac16.torrent
c:\documents and settings\ANT\Application Data\uTorrent\Ben Gibbard - Live Acoustic On KEXP 06.06.2003 -=mininova.org=-.torrent
c:\documents and settings\ANT\Application Data\uTorrent\Ben Gibbard - Live at A Very Milky Christmas _-mininova.org-_.torrent
c:\documents and settings\ANT\Application Data\uTorrent\Bloc Party Live (09.24.05).torrent
c:\documents and settings\ANT\Application Data\uTorrent\devotchka2006-06-28.flac16.torrent
c:\documents and settings\ANT\Application Data\uTorrent\Live The Boardwalk, Sacramento 10-12-05.torrent
c:\documents and settings\ANT\Application Data\uTorrent\ween+2006-05-28.mbho.flac16.torrent
c:\windows\Tasks\Symantec NetDetect.job

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-07 21:07 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-04 17:32 . 2008-12-04 17:32 250 --a------ c:\windows\gmer.ini
2008-12-03 18:51 . 2008-12-03 18:51 <DIR> d-------- c:\program files\Common Files\Java
2008-11-30 09:34 . 2008-11-30 09:34 <DIR> d-------- c:\program files\Panda Security
2008-11-26 20:22 . 2008-12-02 14:38 <DIR> d-------- c:\program files\REAPER
2008-11-26 20:22 . 2008-12-03 18:51 <DIR> d-------- c:\documents and settings\ANT\Application Data\REAPER
2008-11-23 19:59 . 2008-11-23 19:59 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-22 15:26 . 2008-11-22 15:41 81 --a------ c:\windows\WB.ini
2008-11-22 15:13 . 2008-11-22 15:13 <DIR> d-------- c:\program files\Stardock
2008-11-22 15:13 . 2007-07-11 15:06 42,672 --a------ c:\windows\system32\wbsys.dll
2008-11-12 17:42 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:37 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 17:29 --------- d-----w c:\program files\PeerGuardian2
2008-12-09 17:01 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-08 18:15 --------- d-----w c:\program files\Mozilla Sunbird
2008-12-07 20:52 --------- d-----w c:\documents and settings\ANT\Application Data\foobar2000
2008-12-03 18:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 13:25 --------- d-----w c:\program files\Java
2008-11-29 17:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 17:54 --------- d-----w c:\program files\SpywareBlaster
2008-11-18 16:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-01 15:43 --------- d-----w c:\program files\AlbumArtDownloader
2008-10-29 21:03 --------- d-----w c:\documents and settings\ANT\Application Data\Mp3tag
2008-10-29 19:02 --------- d-----w c:\program files\Mp3tag
2008-10-25 19:17 --------- d-----w c:\documents and settings\ANT\Application Data\SharePod
2008-10-25 18:23 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-25 18:21 --------- d-----w c:\program files\iPod
2008-10-25 18:10 --------- d-----w c:\documents and settings\ANT\Application Data\Apple Computer
2008-10-25 17:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-08_23.35.51.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-09 17:12:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_484.dat
+ 2008-12-09 16:42:43 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6e4.dat
+ 2008-12-09 17:12:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_78c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-06-30 2376928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-30 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-11-22 15:15 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CTHelper"=CTHELPER.EXE
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"RTBatteryMeter"=c:\program files\VibrateGameDeviceDriver\RFPIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.8.4-enGB-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-07 28544]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2004-08-18 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-08-18 19240]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-09 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-09 20560]
R3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
S2 Upsagent;Upsagent - UPS Monitor;c:\progra~1\Upsmon\Upsag_nt.exe []
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys []
S3 FNETNI2K;FNETNI2K Protocol Driver;\??\c:\windows\system32\FNETNI2K.SYS []
S3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2004-12-16 814464]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd4b38f8-6d49-11d9-8339-806d6172696f}]
\shell\play\command - "c:\program files\iTunes\iTunes.exe" /playCD "%L"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Convert To Image
IE: Download all with iGetter
IE: Download with iGetter
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {3F5168E6-379A-4F8A-8A1F-C5493F27BE69} = 192.168.1.1

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\ANT\Application Data\Mozilla\Firefox\Profiles\1ghrhp4a.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\nptnt.dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(2).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(3).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(4).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(5).dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 17:38:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2008-12-09 17:39:55
ComboFix-quarantined-files.txt 2008-12-09 17:39:44

Pre-Run: 76,062,744,576 bytes free
Post-Run: 76,041,650,176 bytes free

610 --- E O F --- 2008-11-12 18:00:48

-------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 09, 2008 21:19:47
Records in database: 1448136
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 73819
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:50:25


File name / Threat name / Threats count
C:\Program Files\CrossLoop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\CrossLoop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

The selected area was scanned.

------------------------------------------------------------

The CrossLoop software listed as infected (in the Kaspersky log) I have researched before, and it seems to only show up as it enables remote access. I'm going to uninstall it anyway, I think, when I get the all clear, as I no longer have use for it.
#coin-op# is offline  
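The ComboFix and Kaspersky logs in this post, put through a small triage script. This is an added example for the thread, not ComboFix's, Kaspersky's or the forum's own tooling: it pulls the winlogon\notify and AppInit_DLLs loading points, the firewall state, the IE Start Page / Search entries and any scanner hit out of the plain-text log, and rates "not-a-virus:" hits (riskware such as the CrossLoop VNC components) as something to confirm rather than as an infection. The allowlist of default IE hosts, the three-level severity scheme and the category names are assumptions made for the example, and the sample log is constructed from lines shown in this thread.

```python
"""Triage helper for ComboFix and Kaspersky Online Scanner text logs.

Added example for this thread; not ComboFix's or Kaspersky's own code.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: hosts a stock XP/IE install points its Start Page and Search
# entries at. Any other host is flagged for a human to confirm, not deleted.
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "home.microsoft.com"}

URL_ENTRY = re.compile(r"^([um](?:Start Page|Search Bar|SearchURL,\(Default\))) = (\S+)$")
NOTIFY_KEY = re.compile(r"\\winlogon\\notify\\([^\]]+)\]$", re.I)
DLL_PATH = re.compile(r"([a-z]:\\.+\.dll)\s*$", re.I)
KASPERSKY_HIT = re.compile(r"^(.+?) Infected: (\S+) (\d+)$")


@dataclass
class Finding:
    severity: str  # "high", "review" or "info" (assumed scheme)
    category: str
    detail: str


def host_of(defanged_url):
    """ComboFix writes hxxp:// so URLs are not clickable; undo that to parse."""
    return urlsplit(defanged_url.replace("hxxp", "http", 1)).hostname or ""


def triage(log_text):
    findings = []
    firewall_off = override_set = False
    pending_notify = None  # winlogon\notify key whose DLL line comes next

    for line in log_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue

        # A winlogon\notify DLL is loaded into winlogon.exe at every logon.
        # "[BU]" means ComboFix backed the entry up and shows no DLL for it.
        if pending_notify:
            m = DLL_PATH.search(stripped)
            if m:
                findings.append(Finding("review", "winlogon-notify",
                                        f"{pending_notify}: {m.group(1)}"))
            pending_notify = None
            continue
        m = NOTIFY_KEY.search(stripped)
        if m:
            pending_notify = m.group(1)
            continue

        # AppInit_DLLs is injected into every process that loads user32.dll.
        if stripped.startswith('"AppInit_DLLs"='):
            value = stripped.split("=", 1)[1].strip().strip('"')
            if value:
                findings.append(Finding("review", "appinit-dlls", value))
            continue

        if stripped.startswith('"EnableFirewall"='):
            firewall_off = stripped.split("=", 1)[1].strip().startswith("0")
        elif stripped.startswith('"FirewallOverride"=dword:'):
            override_set = int(stripped.rsplit(":", 1)[1], 16) != 0

        m = URL_ENTRY.match(stripped)
        if m:
            key, host = m.group(1), host_of(m.group(2))
            if host not in DEFAULT_IE_HOSTS:
                findings.append(Finding("review", "ie-url", f"{key} -> {host}"))
            continue

        m = KASPERSKY_HIT.match(stripped)
        if m:
            path, threat, _count = m.groups()
            if threat.startswith("not-a-virus:"):  # riskware: a human decides
                findings.append(Finding("review", "riskware",
                                        f"{threat} in {path} (keep only if installed on purpose)"))
            else:
                findings.append(Finding("high", "malware", f"{threat} in {path}"))

    if firewall_off:
        note = "Windows Firewall disabled"
        if override_set:
            note += "; Security Center override set (expected when a third-party firewall such as Sygate is the active one)"
        findings.append(Finding("info", "firewall", note))
    return findings


# Constructed sample: lines copied from the ComboFix and Kaspersky logs in
# this thread, trimmed to the parts the triage looks at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-11-22 15:15 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]
"AppInit_DLLs"=wbsys.dll
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
uStart Page = hxxp://www.myspace.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
C:\Program Files\CrossLoop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\CrossLoop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:16} {f.detail}")
```

Run it against the saved ComboFix.txt plus the Kaspersky report pasted on the end. On this thread's logs it reports eight findings and nothing rated "high": the WindowBlinds DLLs under winlogon\notify and AppInit_DLLs (legitimate here, but exactly the load points malware also uses, so they are listed for a decision rather than silently accepted), the three MySpace/Yahoo URL entries the CFScript in the next reply targets, the two CrossLoop VNC hits, and the disabled Windows Firewall with its Security Center override. Rerunning it on a later log is a quick way to confirm whether the URL entries actually changed.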
Old 12-10-2008, 01:40 PM   #7 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Hi,

Quote:
The Crossloop software listed as infected (in the kaspersky log) i have researched before and seems to only show up as it enables remote access. I'm going to uninstall it anyway i think when i get the all clear as i no longer have use for it.
OK. That's good.
Quote:
Computer seems to running ok. A little slow, but no blue screen of death on shutdown anymore
That's good to hear. However, something didn't seem to work. Let's try it again.
  • Open Notepad (Start > All Programs > Accessories > Notepad). (It must be Notepad, not WordPad, or it won't work.)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
Extra::

DDS::
mSearch Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.
amateur is offline  
Old 12-11-2008, 01:58 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

OK, I've run the CFScript again; here's the new log : )

ComboFix 08-12-07.04 - ANT 2008-12-11 21:45:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.215 [GMT 0:00]
Running from: c:\documents and settings\ANT\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ANT\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-09 23:49 . 2008-12-09 23:49 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-07 21:07 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-04 17:32 . 2008-12-04 17:32 250 --a------ c:\windows\gmer.ini
2008-11-30 09:34 . 2008-11-30 09:34 <DIR> d-------- c:\program files\Panda Security
2008-11-26 20:22 . 2008-12-02 14:38 <DIR> d-------- c:\program files\REAPER
2008-11-26 20:22 . 2008-12-03 18:51 <DIR> d-------- c:\documents and settings\ANT\Application Data\REAPER
2008-11-23 19:59 . 2008-12-09 23:49 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-22 15:26 . 2008-11-22 15:41 81 --a------ c:\windows\WB.ini
2008-11-22 15:13 . 2008-11-22 15:13 <DIR> d-------- c:\program files\Stardock
2008-11-22 15:13 . 2007-07-11 15:06 42,672 --a------ c:\windows\system32\wbsys.dll
2008-11-12 17:42 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:37 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 21:42 --------- d-----w c:\program files\PeerGuardian2
2008-12-11 21:39 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-10 17:23 --------- d-----w c:\program files\Mozilla Sunbird
2008-12-10 07:44 --------- d-----w c:\documents and settings\ANT\Application Data\foobar2000
2008-12-09 23:49 --------- d-----w c:\program files\Java
2008-12-03 18:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 17:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 17:54 --------- d-----w c:\program files\SpywareBlaster
2008-11-18 16:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-01 15:43 --------- d-----w c:\program files\AlbumArtDownloader
2008-10-29 21:03 --------- d-----w c:\documents and settings\ANT\Application Data\Mp3tag
2008-10-29 19:02 --------- d-----w c:\program files\Mp3tag
2008-10-25 19:17 --------- d-----w c:\documents and settings\ANT\Application Data\SharePod
2008-10-25 18:23 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-25 18:21 --------- d-----w c:\program files\iPod
2008-10-25 18:10 --------- d-----w c:\documents and settings\ANT\Application Data\Apple Computer
2008-10-25 17:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-08_23.35.51.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-23 19:59:41 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-09 23:49:17 144,792 ----a-w c:\windows\system32\java.exe
- 2008-11-23 19:59:42 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-09 23:49:18 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-11-23 19:59:42 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-09 23:49:18 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-11 17:21:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_698.dat
+ 2008-12-11 17:20:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6d4.dat
+ 2008-12-11 17:21:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_8e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-06-30 2376928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-30 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-11-22 15:15 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CTHelper"=CTHELPER.EXE
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"RTBatteryMeter"=c:\program files\VibrateGameDeviceDriver\RFPIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.8.4-enGB-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-07 28544]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2004-08-18 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-08-18 19240]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-09 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-09 20560]
R3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
S2 Upsagent;Upsagent - UPS Monitor;c:\progra~1\Upsmon\Upsag_nt.exe []
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys []
S3 FNETNI2K;FNETNI2K Protocol Driver;\??\c:\windows\system32\FNETNI2K.SYS []
S3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2004-12-16 814464]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd4b38f8-6d49-11d9-8339-806d6172696f}]
\shell\play\command - "c:\program files\iTunes\iTunes.exe" /playCD "%L"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Convert To Image
IE: Download all with iGetter
IE: Download with iGetter
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {3F5168E6-379A-4F8A-8A1F-C5493F27BE69} = 192.168.1.1

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\ANT\Application Data\Mozilla\Firefox\Profiles\1ghrhp4a.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\nptnt.dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(2).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(3).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(4).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(5).dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 21:48:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2008-12-11 21:49:30
ComboFix-quarantined-files.txt 2008-12-11 21:49:26
ComboFix2.txt 2008-12-09 17:39:56

Pre-Run: 75,920,621,568 bytes free
Post-Run: 75,953,057,792 bytes free

175 --- E O F --- 2008-11-12 18:00:48
#coin-op# is offline  
Old 12-11-2008, 04:34 PM   #9 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Hi,

I am still not getting the desired result. Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
amateur is offline  
Old 12-13-2008, 10:18 AM   #10 (permalink)
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

I've installed HijackThis as requested.

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:14:30, on 13/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {02464DDC-3187-11D8-8004-0020ED227566} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5168E6-379A-4F8A-8A1F-C5493F27BE69}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Upsagent - UPS Monitor (Upsagent) - Unknown owner - C:\PROGRA~1\Upsmon\Upsag_nt.exe (file missing)

--
End of file - 7860 bytes
Old 12-13-2008, 02:37 PM   #11 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Hi,

Well, I think it was a silly mistake in syntax by me. Since we have the HJT log, we might as well continue with it. But first,

Have you edited your hosts file for these?

O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es


If not, please download HostsXpert.
  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click "Make Writable?" in the upper left corner.
  • Click "Restore MS Hosts file" and then click OK.
  • Close HostsXpert.
  • Note: If a custom Hosts file was in place, you'll have to edit those entries back in.

=============================

Please rescan with HijackThis and put a checkmark against the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
O2 - BHO: (no name) - {02464DDC-3187-11D8-8004-0020ED227566} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O23 - Service: Upsagent - UPS Monitor (Upsagent) - Unknown owner - C:\PROGRA~1\Upsmon\Upsag_nt.exe (file missing)


Close all browsers and windows other than HijackThis and click on "fix checked".

==============================

Go to Start > Run. Copy/Paste or type:

sc delete Upsagent and then click OK

==============================

Restart your computer for the changes to take effect.

==============================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

==============================

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

===============================

Please post back a fresh HijackThis log and the Kaspersky report along with the Add-Remove Programs.txt, and let me know how the computer is running now.
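The reply above does three checks by eye: hosts-file entries that send a name somewhere other than loopback (a redirect rather than a block), Browser Helper Objects whose DLL is gone, and services whose binary is gone. Below is an added example, written for this page and not part of the thread or of HijackThis, that applies the same checks to HijackThis-style log lines. The sample lines are copied from the log posted in this thread plus one constructed loopback entry; the finding names, the `Finding` type and the `cleanup_commands` helper (which mirrors the `sc delete` step) are my own.

```python
"""Triage of HijackThis-style log lines (added example, not forum or HJT code).

Flags the three entry classes the reply above treats as suspect:
  O1  hosts entries mapping a name to a non-loopback address, plus repeats
  O2  Browser Helper Objects whose DLL is gone ("(no file)")
  O23 services whose binary is gone ("(file missing)")
"""
import ipaddress
import re
from dataclasses import dataclass

# Sample input: lines copied from the log posted in this thread, plus one
# constructed 127.0.0.1 entry to show what a legitimate blocking entry looks like.
SAMPLE_LOG = r"""
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 127.0.0.1 ad.example.invalid
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {02464DDC-3187-11D8-8004-0020ED227566} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O23 - Service: Upsagent - UPS Monitor (Upsagent) - Unknown owner - C:\PROGRA~1\Upsmon\Upsag_nt.exe (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # hosts-redirect | hosts-duplicate | orphan-bho | orphan-service
    subject: str  # hostname, CLSID or service name
    line: str     # the offending log line


HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
# display name may itself contain " - ", so match the (ServiceName) group first
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) \(([^()]+)\) - (.+?) - (.+)$")


def is_sinkhole(ip_text: str) -> bool:
    """True for addresses a hosts file legitimately uses to *block* a name."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage(lines):
    """Return a list of Finding objects for the suspect entries in `lines`."""
    findings = []
    seen_hosts = set()
    for raw in lines:
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip_text, host = m.groups()
            key = (ip_text, host.lower())
            if key in seen_hosts:
                findings.append(Finding("hosts-duplicate", host, line))
                continue
            seen_hosts.add(key)
            # A real address here means traffic for the name is *redirected*,
            # which is what a hijacker wants; loopback/0.0.0.0 merely blocks it.
            if not is_sinkhole(ip_text):
                findings.append(Finding("hosts-redirect", host, line))
        elif m := BHO_RE.match(line):
            _name, clsid, path = m.groups()
            if path.strip() == "(no file)":
                findings.append(Finding("orphan-bho", "{" + clsid + "}", line))
        elif m := SERVICE_RE.match(line):
            _display, svc_name, _owner, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(Finding("orphan-service", svc_name, line))
    return findings


def triage_text(text: str):
    return triage(text.strip().splitlines())


def cleanup_commands(findings):
    """`sc delete` lines for orphaned services, as in the reply's manual step."""
    return [f"sc delete {f.subject}" for f in findings if f.kind == "orphan-service"]


if __name__ == "__main__":
    results = triage_text(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:16} {f.subject}")
    print("\n".join(cleanup_commands(results)))
```

A hosts redirect is only a lead, not a verdict: a custom hosts file can legitimately point names at a non-loopback address (the poster later says they installed one), so confirm what the address is before deleting entries. Orphaned "(no file)" and "(file missing)" entries are dead registrations and can be removed without losing anything.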
Old 12-14-2008, 12:44 PM   #12 (permalink)
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

I've got no idea what iwalton.com is, but I did download a custom hosts file a few years back to improve security. I've followed your instructions anyway, to be on the safe side, and reset the hosts file.

Here's the fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48:50, on 14/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02464DDC-3187-11D8-8004-0020ED227566} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5168E6-379A-4F8A-8A1F-C5493F27BE69}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Upsagent - UPS Monitor (Upsagent) - Unknown owner - C:\PROGRA~1\Upsmon\Upsag_nt.exe (file missing)

--
End of file - 7703 bytes



and the kaspersky report:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 14, 2008 14:02:05
Records in database: 1460709
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 74365
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:49:55


File name / Threat name / Threats count
C:\Program Files\CrossLoop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\CrossLoop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

The selected area was scanned.




and lastly the add/remove text:

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Advanced Diary v1.1 (Build 28)
Album Art Downloader XUI 0.19
AnyDVD
AsusUpdate
ATI Control Panel
ATI Display Driver
Audio Recorder for FREE v5.6
avast! Antivirus
CloneCD
CrossLoop 2.20
Dawn Of War
Dawn Of War - Winter Assault
Drive Manager
EasyCleaner
EVEREST Home Edition v1.10
Exact Audio Copy 0.95b3
foobar2000 v0.9.5.3
Hotfix for Windows XP (KB952287)
InFlac 1.1.1
iPod for Windows 2006-01-10
Ipswitch WS_FTP Professional 2006
Java(TM) 6 Update 11
Last.fm 1.5.1.29527
LG USB Modem driver
Marvell Miniport Driver
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Mozilla Firefox (3.0.4)
Mozilla Sunbird (0.8)
Mozilla Thunderbird (2.0.0.18)
Mp3tag v2.42
MSXML 6.0 Parser (KB933579)
NVIDIA System Utility
NvMixer
Panda ActiveScan 2.0
PeerGuardian 2.0
Power Tab Editor 1.7
PowerDVD
REAPER
Reason 4.0
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy
SpywareBlaster 4.1
Sygate Personal Firewall Pro
The Sims 2
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VirtualCloneDrive
WebFldrs XP
WebReg
Winamp (remove only)
WindowBlinds
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Media Encoder 9 Series
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
XML Paper Specification Shared Components Pack 1.0
Zoo Tycoon 2 - Marine Mania

Computer seems to be running fine, no noticeable problems.

: )

Old 12-14-2008, 01:11 PM   #13 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Something is interfering with the fixes. The entries you were supposed to have fixed with HijackThis are still there. Please reboot into Safe Mode and repeat the process for the HijackThis fix, including the O1 entries this time.

Safe Mode:

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {02464DDC-3187-11D8-8004-0020ED227566} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O23 - Service: Upsagent - UPS Monitor (Upsagent) - Unknown owner - C:\PROGRA~1\Upsmon\Upsag_nt.exe (file missing)


Close all windows other than HijackThis and click on "fix checked".

=============================

Reboot into Normal Mode and post a fresh HijackThis log.
Old 12-15-2008, 09:06 AM   #14 (permalink)
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

Ok, I've rebooted into safe mode, and run another HJT scan, but none of the entries listed for deletion are present. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:59:23, on 15/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5168E6-379A-4F8A-8A1F-C5493F27BE69}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5713 bytes
#coin-op# is offline  
Old 12-15-2008, 09:12 AM   #15 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Please reboot and post a log from Normal Mode. Thanks.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 12-18-2008, 07:51 AM   #16 (permalink)
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

Sorry it's taken a while, I've been away from home.

Here's an HJT log from Normal Mode:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:49:00, on 18/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5168E6-379A-4F8A-8A1F-C5493F27BE69}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6695 bytes
#coin-op# is offline  
Old 12-18-2008, 08:13 AM   #17 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Hi,

It looks good now. How is the computer behaving now?
amateur is offline  
Old 12-18-2008, 10:00 AM   #18 (permalink)
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

Seems to be fine. Were there any signs of the infection in question?
#coin-op# is offline  
Old 12-18-2008, 11:04 AM   #19 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,390
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: possible Backdoor.PcClient.jhu infection

Hi,

Quote:
Seems to be fine.
Good to hear that.
Quote:
were there any signs of the infection in question?
No signs anymore. You're good to go.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing and Think Prevention!
amateur is offline  
Old 12-18-2008, 01:02 PM   #20 (permalink)
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

Big thanks again for all your time and expertise with this.

Out of interest, is there anything you'd recommend I change regarding the security methods I'm currently using? Any obvious weak areas, programs that could be replaced by better alternatives?
#coin-op# is offline  
Copyright 2001 - 2009, Tech Support Forum