0

Hi

I wonder if someone can help me - I've recently started getting random redirects from the google search page. Looking through some of the threads I've attached a hijack this log of the computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:42:46, on 29/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Norton Ghost 14\Agent\VProTray.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\tppnttry.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\imapi.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iolo\System Mechanic Professional\SMSystemAnalyzer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {06327DAD-90B6-4A7D-AD5C-6651DC0D7E0E} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1A694F6B-FCFF-41F1-B4B6-73287FCF7D5B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1F9492AD-88B1-44A5-8327-44CA94CB64F5} - C:\WINDOWS\system32\ddcDvvVn.dll (file missing)
O2 - BHO: (no name) - {3C9C135A-85A4-4120-BEF0-F5F1261C4840} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {3E4833AD-7C33-4E62-9D54-582EDD32EC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {75C64237-FF3D-49D5-B775-D8AB44A2F43C} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7770D561-A96E-4AD1-B9C9-26AF51E60DD5} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {9E128473-577E-4055-8DD9-AA646F2756DB} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {AF752ED8-57D6-4748-B3FB-0C04A2E9CC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {BC3651EB-157E-4C8C-937F-E0BDB1A1D27B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C2C84B99-0DB6-44D2-815D-EAACF90BC60F} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C5B12942-FB14-4889-A63E-343B85E36A09} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {E9D935B6-36C5-44D9-86BF-96B129940376} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {F42CAAB6-C88F-4CE1-9DDC-D62FCF50D4A8} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FA13A483-CEC8-4D05-9385-153A9B566615} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FB4475DD-E3ED-4ACB-B2DA-5548C8D55C52} - C:\WINDOWS\system32\atmli.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "c:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe" -startup
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost 14\Agent\VProTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NBKeyScan] "c:\Program Files\Nero 8\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NBHGui] c:\Program Files\Nero\Nero 9\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 9\InCD\InCD.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: kyziwd.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDSrv) - Nero AG - c:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - c:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe

--
End of file - 15009 bytes


Many thanks
Jon

Attachments
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:42:46, on 29/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Norton Ghost 14\Agent\VProTray.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\tppnttry.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\imapi.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iolo\System Mechanic Professional\SMSystemAnalyzer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {06327DAD-90B6-4A7D-AD5C-6651DC0D7E0E} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1A694F6B-FCFF-41F1-B4B6-73287FCF7D5B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1F9492AD-88B1-44A5-8327-44CA94CB64F5} - C:\WINDOWS\system32\ddcDvvVn.dll (file missing)
O2 - BHO: (no name) - {3C9C135A-85A4-4120-BEF0-F5F1261C4840} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {3E4833AD-7C33-4E62-9D54-582EDD32EC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {75C64237-FF3D-49D5-B775-D8AB44A2F43C} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7770D561-A96E-4AD1-B9C9-26AF51E60DD5} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {9E128473-577E-4055-8DD9-AA646F2756DB} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {AF752ED8-57D6-4748-B3FB-0C04A2E9CC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {BC3651EB-157E-4C8C-937F-E0BDB1A1D27B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C2C84B99-0DB6-44D2-815D-EAACF90BC60F} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C5B12942-FB14-4889-A63E-343B85E36A09} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {E9D935B6-36C5-44D9-86BF-96B129940376} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {F42CAAB6-C88F-4CE1-9DDC-D62FCF50D4A8} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FA13A483-CEC8-4D05-9385-153A9B566615} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FB4475DD-E3ED-4ACB-B2DA-5548C8D55C52} - C:\WINDOWS\system32\atmli.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "c:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe" -startup
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost 14\Agent\VProTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NBKeyScan] "c:\Program Files\Nero 8\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NBHGui] c:\Program Files\Nero\Nero 9\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 9\InCD\InCD.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00
3
Contributors
28
Replies
29
Views
9 Years
Discussion Span
Last Post by welshbungyman
0

Hi and welcome to the Daniweb forums :).

==========

Please do not attach your logs. Paste into your reply as I have done above.

==

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.htmll) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

0

Thanks and appologies crunchie.

Here's the malwarebytes log file:

Malwarebytes' Anti-Malware 1.29
Database version: 1298
Windows 5.1.2600 Service Pack 2

01/11/2008 07:21:25
mbam-log-2008-11-01 (07-21-16).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 233043
Time elapsed: 1 hour(s), 2 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (%1 /s) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (regedit.exe %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


computer has been rebooted and here's the new hijack this log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:30:56, on 01/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Norton Ghost 14\Agent\VProTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nero\Nero 9\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 9\InCD\InCD.exe
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\WINDOWS\tppnttry.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {06327DAD-90B6-4A7D-AD5C-6651DC0D7E0E} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1A694F6B-FCFF-41F1-B4B6-73287FCF7D5B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1F9492AD-88B1-44A5-8327-44CA94CB64F5} - C:\WINDOWS\system32\ddcDvvVn.dll (file missing)
O2 - BHO: (no name) - {3C9C135A-85A4-4120-BEF0-F5F1261C4840} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {3E4833AD-7C33-4E62-9D54-582EDD32EC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {75C64237-FF3D-49D5-B775-D8AB44A2F43C} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7770D561-A96E-4AD1-B9C9-26AF51E60DD5} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {9E128473-577E-4055-8DD9-AA646F2756DB} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {AF752ED8-57D6-4748-B3FB-0C04A2E9CC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {BC3651EB-157E-4C8C-937F-E0BDB1A1D27B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C2C84B99-0DB6-44D2-815D-EAACF90BC60F} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C5B12942-FB14-4889-A63E-343B85E36A09} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {E9D935B6-36C5-44D9-86BF-96B129940376} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {F42CAAB6-C88F-4CE1-9DDC-D62FCF50D4A8} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FA13A483-CEC8-4D05-9385-153A9B566615} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FB4475DD-E3ED-4ACB-B2DA-5548C8D55C52} - C:\WINDOWS\system32\atmli.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "c:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe" -startup
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost 14\Agent\VProTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NBKeyScan] "c:\Program Files\Nero 8\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NBHGui] c:\Program Files\Nero\Nero 9\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 9\InCD\InCD.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: kyziwd.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDSrv) - Nero AG - c:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - c:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe

--
End of file - 15189 bytes

Thanks
Jon

0

It appears that you may not have updated MBAM? Please check for updates and rerun it.
The MBAM log says that you took no action. Is that the case, or did you post the wrong log?

0

Sorry crunchie

here's the correct log

Malwarebytes' Anti-Malware 1.29
Database version: 1298
Windows 5.1.2600 Service Pack 2

01/11/2008 07:21:29
mbam-log-2008-11-01 (07-21-29).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 233043
Time elapsed: 1 hour(s), 2 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (%1 /s) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (regedit.exe %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Jon

0

You posted the identical MBAM log as your other post. Please update and run MBAM again, but this time post the current log :D

0

Here is the hosts file

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Crunchie here is the latest Malware log

Malwarebytes' Anti-Malware 1.30
Database version: 1361
Windows 5.1.2600 Service Pack 2

04/11/2008 07:47:45
mbam-log-2008-11-04 (07-47-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 214764
Time elapsed: 1 hour(s), 4 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It's showing the same 4 registry values as the other logs, the system has been rebooted.

Jon

0

Hi crunchie

here's the new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:23, on 04/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Norton Ghost 14\Agent\VProTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\tppnttry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe
C:\Program Files\GrabIt171\GrabIt.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Temp\NERO1002626\ipclog.exe
C:\temp\nro.tmp\SetupX.exe
C:\WINDOWS\system32\msiexec.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\WINDOWS\system32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {06327DAD-90B6-4A7D-AD5C-6651DC0D7E0E} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1A694F6B-FCFF-41F1-B4B6-73287FCF7D5B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1F9492AD-88B1-44A5-8327-44CA94CB64F5} - C:\WINDOWS\system32\ddcDvvVn.dll (file missing)
O2 - BHO: (no name) - {3C9C135A-85A4-4120-BEF0-F5F1261C4840} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {3E4833AD-7C33-4E62-9D54-582EDD32EC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {75C64237-FF3D-49D5-B775-D8AB44A2F43C} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7770D561-A96E-4AD1-B9C9-26AF51E60DD5} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {9E128473-577E-4055-8DD9-AA646F2756DB} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {AF752ED8-57D6-4748-B3FB-0C04A2E9CC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {BC3651EB-157E-4C8C-937F-E0BDB1A1D27B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C2C84B99-0DB6-44D2-815D-EAACF90BC60F} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C5B12942-FB14-4889-A63E-343B85E36A09} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {E9D935B6-36C5-44D9-86BF-96B129940376} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {F42CAAB6-C88F-4CE1-9DDC-D62FCF50D4A8} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FA13A483-CEC8-4D05-9385-153A9B566615} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FB4475DD-E3ED-4ACB-B2DA-5548C8D55C52} - C:\WINDOWS\system32\atmli.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "c:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe" -startup
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost 14\Agent\VProTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NBKeyScan] "c:\Program Files\Nero 8\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NBHGui] c:\Program Files\Nero\Nero 9\InCD\NBHGui.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: kyziwd.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - c:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe

--
End of file - 14838 bytes

Jon

0

Still got nasties on there.

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0

Hi crunchie

Here's the combofix log:

ComboFix 08-11-04.02 - Jon 2008-11-05 19:03:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.441 [GMT 0:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
c:\program files\iolo\common\lib\ioloHL.dll

ADS - svchost.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jon\Application Data\winexpl2.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\dxgpahqp.ini
c:\windows\system32\hsueawlo.ini
c:\windows\system32\iikefqeq.ini
c:\windows\system32\Updater.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 22:21 . 2008-11-05 22:21 <DIR> d-------- c:\temp\WPDNSE
2008-11-05 22:21 . 2008-11-05 22:21 53,248 --a------ c:\temp\catchme.dll
2008-11-05 22:21 . 2008-11-05 22:21 16,384 --a----t- c:\temp\Perflib_Perfdata_9e8.dat
2008-11-05 19:14 . 2008-11-05 19:14 16,384 --a----t- c:\temp\Perflib_Perfdata_954.dat
2008-11-05 19:13 . 2008-11-05 19:13 16,384 --a----t- c:\temp\Perflib_Perfdata_708.dat
2008-11-05 00:11 . 2006-12-29 00:31 19,569 --a------ c:\windows\003098_.tmp
2008-11-05 00:06 . 2008-08-14 10:00 2,180,352 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-04 23:59 . 2008-11-05 00:01 <DIR> d-------- C:\8f19dfe93aeb9ab1eb093884eb1f09d8
2008-11-04 23:26 . 2008-11-04 23:27 <DIR> d-------- c:\documents and settings\Jon\Application Data\Nero
2008-11-04 00:23 . 2008-11-04 00:57 <DIR> d-------- c:\program files\Nero
2008-11-04 00:20 . 2008-11-04 01:21 <DIR> d-------- c:\program files\Common Files\Nero
2008-11-04 00:15 . 2008-11-04 00:15 <DIR> d-------- c:\temp\nro.log
2008-11-03 00:03 . 2008-11-05 22:21 <DIR> d-------- c:\temp\NERO1002626
2008-11-01 00:42 . 2008-11-01 00:42 <DIR> d-------- c:\program files\VistaCodecPack
2008-11-01 00:38 . 2008-11-01 00:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\VistaCodecs
2008-10-29 23:31 . 2008-10-30 00:19 <DIR> d-------- c:\temp\msohtmlclip1
2008-10-29 23:31 . 2008-10-29 23:31 <DIR> d-------- c:\temp\msohtmlclip
2008-10-29 23:12 . 2008-11-05 22:21 <DIR> d-------- c:\temp\VBE
2008-10-29 22:41 . 2008-11-04 23:04 <DIR> d-------- C:\hijackthis
2008-10-28 22:55 . 2008-10-28 22:55 <DIR> d-------- c:\windows\Drivers
2008-10-28 22:55 . 2002-04-01 07:39 43,648 --a------ c:\windows\system32\drivers\ousb2hub.sys
2008-10-28 22:55 . 2001-10-05 11:54 43,269 --a------ c:\windows\system32\drivers\tpp725.sys
2008-10-28 22:55 . 2002-04-01 07:39 29,696 --a------ c:\windows\system32\drivers\ousbehci.sys
2008-10-28 22:55 . 2001-10-05 11:53 21,866 --a------ c:\program files\Common Files\tppupd2k.dll
2008-10-28 22:55 . 2008-10-28 22:55 0 --a------ C:\UFantasy.ini
2008-10-27 22:42 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2008-10-27 22:42 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2008-10-26 23:22 . 2008-10-26 23:22 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-10-20 23:47 . 2008-11-03 19:09 4,767 --a------ c:\windows\Irremote.ini
2008-10-20 23:44 . 2008-11-04 00:54 <DIR> d-------- c:\program files\Windows Sidebar
2008-10-20 22:32 . 2008-10-20 22:32 108,336 --a------ c:\windows\system32\mswinsck.ocx
2008-10-17 21:47 . 2008-06-24 12:45 1,414,440 --a------ c:\windows\system32\ShellManager310E2D762.dll
2008-10-17 21:47 . 2008-06-23 16:36 773,120 --a------ c:\windows\system32\NEROINSTAEC43759.DB
2008-10-17 21:19 . 2008-10-17 21:19 1,697,280 --a------ c:\documents and settings\Jon\Application Data\winexpl.exe
2008-10-15 22:07 . 2008-10-15 22:07 <DIR> d-------- c:\temp\Adobe
2008-10-14 21:40 . 2008-10-14 21:40 2,720 --a------ c:\windows\system32\settings.aaw
2008-10-14 21:40 . 2008-10-14 21:40 1,376 --a------ c:\windows\system32\history.aaw
2008-10-13 22:24 . 2008-10-13 22:24 <DIR> d-------- c:\program files\Lavasoft
2008-10-13 22:24 . 2008-10-13 22:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-13 22:24 . 2008-10-14 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-02 22:58 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-29 00:43 --------- d-----w c:\program files\TMPGEnc DVD Author 3
2008-10-29 00:43 --------- d-----w c:\program files\TMPGEnc 4.0 XPress
2008-10-29 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-10-29 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2008-10-28 23:51 --------- d-----w c:\program files\DriverGenius
2008-10-28 22:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 20:35 --------- d-----w c:\documents and settings\Jon\Application Data\U3
2008-10-22 16:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 16:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-21 00:06 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-17 06:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-12 23:09 --------- d-----w c:\program files\Wizardry 8
2008-10-08 23:06 --------- d-----w c:\program files\IsoBuster
2008-10-08 22:33 8,248 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-06 06:53 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-03 22:53 116,992 ----a-w c:\windows\system32\atmli.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-28 23:29 --------- d-----w c:\program files\GrabIt171
2008-09-27 00:10 --------- d-----w c:\program files\Microsoft ActiveSync
2008-09-24 10:32 28,672 ----a-w c:\windows\system32\iolobtdfg.exe
2008-09-17 23:48 --------- d-----w c:\program files\Windows Desktop Search
2008-09-17 23:45 --------- d-----w c:\documents and settings\Jon\Application Data\Comodo
2008-09-15 21:17 --------- d-----w c:\program files\Microsoft WSE
2008-09-15 21:16 --------- d-----w c:\program files\Family Tree Maker 2008
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-11 21:50 --------- d-----w c:\program files\HTML Help Workshop
2008-09-09 16:45 8,192 ----a-w c:\windows\system32\smrgdf.exe
2008-09-01 23:09 59,488 ----a-w c:\windows\system32\GenSvcInst.exe
2008-09-01 23:09 145,504 ----a-w c:\windows\system32\bgsvcgen.exe
2008-08-28 10:04 333,056 ----a-w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-26 14:23 118,784 ----a-w c:\windows\system32\iavlsp.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:00 2,180,352 ----a-w c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ----a-w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ----a-w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ----a-w c:\windows\system32\dllcache\ntkrpamp.exe
2008-08-09 08:30 1,007,616 ----a-w c:\windows\system32\VSFilter.dll
2008-08-08 21:40 1,882,904 ----a-w c:\windows\system32\AutoPartNt.exe
2008-06-16 21:35 92,064 ----a-w c:\documents and settings\Jon\mqdmmdm.sys
2008-06-16 21:35 9,232 ----a-w c:\documents and settings\Jon\mqdmmdfl.sys
2008-06-16 21:35 79,328 ----a-w c:\documents and settings\Jon\mqdmserd.sys
2008-06-16 21:35 66,656 ----a-w c:\documents and settings\Jon\mqdmbus.sys
2008-06-16 21:35 6,208 ----a-w c:\documents and settings\Jon\mqdmcmnt.sys
2008-06-16 21:35 5,936 ----a-w c:\documents and settings\Jon\mqdmwhnt.sys
2008-06-16 21:35 4,048 ----a-w c:\documents and settings\Jon\mqdmcr.sys
2008-06-16 21:35 25,600 ----a-w c:\documents and settings\Jon\usbsermptxp.sys
2008-06-16 21:35 22,768 ----a-w c:\documents and settings\Jon\usbsermpt.sys
2006-03-16 22:26 91 ----a-w c:\program files\Crash.log
2006-02-03 18:27 1,260,032 ----a-w c:\program files\VsoStart.exe
2005-11-07 14:55 2,082,304 ----a-w c:\program files\PcSetup.exe
2005-05-22 17:46 5,608,448 ----a-w c:\program files\VsoStartSkin.dll
2005-05-13 17:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 11:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-13 21:27 422,400 --sha-r c:\windows\x2.64.exe
2008-07-16 22:22 168 --sh--r c:\windows\system32\0D567F53A4.sys
2007-05-29 21:55 88 --sh--r c:\windows\system32\10C4D9967A.sys
2005-06-26 15:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 22:37 45,568 --sha-r c:\windows\system32\cygz.dll
2006-04-27 10:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
2005-02-28 13:16 240,128 --sha-r c:\windows\system32\x.264.exe
2007-01-14 22:53 2,815,264 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-01-14 22:53 97,824 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06327DAD-90B6-4A7D-AD5C-6651DC0D7E0E}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A694F6B-FCFF-41F1-B4B6-73287FCF7D5B}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C9C135A-85A4-4120-BEF0-F5F1261C4840}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E4833AD-7C33-4E62-9D54-582EDD32EC94}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75C64237-FF3D-49D5-B775-D8AB44A2F43C}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7770D561-A96E-4AD1-B9C9-26AF51E60DD5}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E128473-577E-4055-8DD9-AA646F2756DB}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF752ED8-57D6-4748-B3FB-0C04A2E9CC94}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC3651EB-157E-4C8C-937F-E0BDB1A1D27B}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2C84B99-0DB6-44D2-815D-EAACF90BC60F}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5B12942-FB14-4889-A63E-343B85E36A09}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9D935B6-36C5-44D9-86BF-96B129940376}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F42CAAB6-C88F-4CE1-9DDC-D62FCF50D4A8}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA13A483-CEC8-4D05-9385-153A9B566615}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB4475DD-E3ED-4ACB-B2DA-5548C8D55C52}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-05-19 86105]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RemoteControl"="c:\program files\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"STDSB"="c:\windows\system32\drivers\STDSB.exe" [2003-12-17 28672]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]
"Norton Ghost 14.0"="c:\program files\Norton Ghost 14\Agent\VProTray.exe" [2008-05-07 2245984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-25 180269]
"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2002-06-24 118784]
"iolo AntiVirus"="c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe" [2008-08-26 1103712]
"iolo Personal Firewall"="c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe" [2008-06-18 1313632]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\Logi_MwX.Exe]
"VTTimer"="VTTimer.exe" [2006-09-21 c:\windows\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VP40"= vp4vfw.dll
"vidc.i420"= i420vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.32.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.32.lnk
backup=c:\windows\pss\Wireless Configuration Utility HW.32.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailChecker
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shell

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Personal Firewall]
--a------ 2008-06-18 15:15 1313632 c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
--a------ 2008-05-15 16:29 54576 c:\program files\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2005-05-11 13:48 127118 c:\apps\Powercinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-11-25 19:15 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 14:28 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"CLCapSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiHacker]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

R0 bfenmtaa;bfenmtaa;c:\windows\system32\drivers\bfenmtaa.sys [2004-08-04 23424]
R0 videX32;videX32;c:\windows\system32\DRIVERS\videX32.sys [2007-09-21 9216]
R0 XPacket;iolo Personal Firewall Driver;c:\windows\system32\xpacket.sys [2007-05-18 39424]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
R2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [2005-08-25 11279]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2006-10-30 2368]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-08-04 5120]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;c:\windows\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe [2008-05-07 1558000]
R3 TPPFX;USB Storage Adapter FX (TPP);c:\windows\system32\DRIVERS\TPPFX.SYS [2002-06-24 32256]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe [ ]
S2 P32LOAD;Intel(R) AnyPoint(R) 3240 USB Modem Firmware Loader;c:\windows\system32\DRIVERS\p31usbld.sys [2002-04-23 18906]
S2 STDSB;STDSB;c:\windows\system32\DRIVERS\STDSB.sys [2005-08-25 11279]
S3 BIOSCHK;BIOSCHK;c:\temp\TIIF6.tmp\disk1\BIOSCHK.SYS [ ]
S3 CyUsbNT;Cypress Manufacturing Driver;c:\windows\system32\Drivers\CyUsbNT.sys [2005-02-16 28800]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\sis163u.sys [2006-09-05 217600]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\DRIVERS\TPP300.SYS [ ]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [2006-12-02 48128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\A92534099192A881.job
- c:\docume~1\jon\applic~1\cashbu~1\mix anti cake.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{1F9492AD-88B1-44A5-8327-44CA94CB64F5} - c:\windows\system32\ddcDvvVn.dll
ShellIconOverlayIdentifiers-{8D2223A2-B3C6-4e32-B096-CDD11F628C60} - (no file)
HKLM-Run-Corel Photo Downloader - c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe
HKLM-Run-NBKeyScan - c:\program files\Nero 8\Nero 8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-NBHGui - c:\program files\Nero\Nero 9\InCD\NBHGui.exe
Notify-dimsntfy - (no file)
MSConfigStartUp-Acronis Scheduler2 Service - c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
MSConfigStartUp-ACU - c:\program files\Atheros\ACU.exe
MSConfigStartUp-BM05af47d7 - c:\windows\system32\qguttcql.dll
MSConfigStartUp-InstallProgram - c:\documents and settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\U1FNPXU5\setup_100543_3_[1].exe
MSConfigStartUp-ioloDelayModule - c:\program files\System Mechanic Professional 6\delay.exe
MSConfigStartUp-LaunchList - c:\program files\Pinnacle Studio 10\LaunchList.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero 8\Nero 8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-SystemGuardAlerter - c:\program files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
MSConfigStartUp-Tunebite - c:\program files\Tunebite Platinum\Tunebite.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.co.uk/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: Append to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
O18 -: Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
O18 -: Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 22:21:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\program files\iolo\common\lib\ioloHL.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\program files\iolo\common\lib\ioloHL.dll

PROCESS: c:\windows\explorer.exe
-> c:\program files\iolo\common\lib\ioloHL.dll

PROCESS: c:\windows\system32\csrss.exe
-> c:\program files\iolo\common\lib\ioloHL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\apps\HIDSERVICE\HidService.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\windows\system32\imapi.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\NetLimiter 2 Pro\nlsvc.exe
c:\program files\Norton Ghost 14\Agent\VProSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\802.11 Wireless LAN\SiSWLSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\msdtc.exe
c:\windows\TPPNTTRY.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-11-05 22:24:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-05 22:24:42

Pre-Run: 6,994,042,880 bytes free
Post-Run: 8,775,188,480 bytes free

371 --- E O F --- 2008-11-05 01:13:32


and the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:27:42, on 05/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Norton Ghost 14\Agent\VProTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\WINDOWS\tppnttry.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {06327DAD-90B6-4A7D-AD5C-6651DC0D7E0E} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1A694F6B-FCFF-41F1-B4B6-73287FCF7D5B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {3C9C135A-85A4-4120-BEF0-F5F1261C4840} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {3E4833AD-7C33-4E62-9D54-582EDD32EC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {75C64237-FF3D-49D5-B775-D8AB44A2F43C} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7770D561-A96E-4AD1-B9C9-26AF51E60DD5} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {9E128473-577E-4055-8DD9-AA646F2756DB} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {AF752ED8-57D6-4748-B3FB-0C04A2E9CC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {BC3651EB-157E-4C8C-937F-E0BDB1A1D27B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C2C84B99-0DB6-44D2-815D-EAACF90BC60F} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C5B12942-FB14-4889-A63E-343B85E36A09} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {E9D935B6-36C5-44D9-86BF-96B129940376} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {F42CAAB6-C88F-4CE1-9DDC-D62FCF50D4A8} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FA13A483-CEC8-4D05-9385-153A9B566615} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FB4475DD-E3ED-4ACB-B2DA-5548C8D55C52} - C:\WINDOWS\system32\atmli.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "c:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost 14\Agent\VProTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - c:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe

--
End of file - 13780 bytes


thanks
Jon

0

A. Please RUN HijackThis Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {06327DAD-90B6-4A7D-AD5C-6651DC0D7E0E} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {1A694F6B-FCFF-41F1-B4B6-73287FCF7D5B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {3C9C135A-85A4-4120-BEF0-F5F1261C4840} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {3E4833AD-7C33-4E62-9D54-582EDD32EC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {75C64237-FF3D-49D5-B775-D8AB44A2F43C} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {7770D561-A96E-4AD1-B9C9-26AF51E60DD5} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {9E128473-577E-4055-8DD9-AA646F2756DB} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {AF752ED8-57D6-4748-B3FB-0C04A2E9CC94} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {BC3651EB-157E-4C8C-937F-E0BDB1A1D27B} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C2C84B99-0DB6-44D2-815D-EAACF90BC60F} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {C5B12942-FB14-4889-A63E-343B85E36A09} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {E9D935B6-36C5-44D9-86BF-96B129940376} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {F42CAAB6-C88F-4CE1-9DDC-D62FCF50D4A8} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FA13A483-CEC8-4D05-9385-153A9B566615} - C:\WINDOWS\system32\atmli.dll
O2 - BHO: (no name) - {FB4475DD-E3ED-4ACB-B2DA-5548C8D55C52} - C:\WINDOWS\system32\atmli.dll
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad Click Start , then Run
Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:



KillAll::

File::
c:\windows\system32\atmli.dll



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), pleasere-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:Combofix.txt
A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
0

Hi crunchie

Don't know I've managed to get rid of all instances of that file - saw a message flash up during the combofix process that access was denied

Here's the resultant combofix log

ComboFix 08-11-07.01 - Jon 2008-11-07 22:44:04.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.455 [GMT 0:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jon\Desktop\cfscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\atmli.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\atmli.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-07 22:51 . 2008-11-07 22:51 53,248 --a------ c:\temp\catchme.dll
2008-11-07 22:51 . 2008-11-07 22:51 16,384 --a----t- c:\temp\Perflib_Perfdata_9d8.dat
2008-11-07 22:50 . 2008-11-07 22:50 <DIR> d-------- c:\temp\WPDNSE
2008-11-07 22:50 . 2008-11-07 22:50 16,384 --a----t- c:\temp\Perflib_Perfdata_278.dat
2008-11-06 00:11 . 2008-11-06 00:11 461,360 --a------ c:\windows\system32\system23.exe
2008-11-06 00:11 . 2008-11-06 00:11 307,812 --a------ c:\windows\system32\system13.exe
2008-11-06 00:11 . 2008-11-06 00:11 176,128 --a------ C:\nss3.dll
2008-11-06 00:11 . 2008-11-06 00:11 159,232 --a------ C:\softokn3.dll
2008-11-06 00:11 . 2008-11-06 00:11 73,728 --a------ C:\nspr4.dll
2008-11-06 00:11 . 2008-11-06 00:11 8,704 --a------ C:\plc4.dll
2008-11-06 00:11 . 2008-11-06 00:11 6,144 --a------ C:\plds4.dll
2008-11-05 23:54 . 2008-11-05 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-11-05 23:36 . 2008-11-07 22:30 <DIR> d-------- c:\temp\DriverAgent
2008-11-05 00:11 . 2006-12-29 00:31 19,569 --a------ c:\windows\003098_.tmp
2008-11-05 00:06 . 2008-08-14 10:00 2,180,352 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-04 23:26 . 2008-11-04 23:27 <DIR> d-------- c:\documents and settings\Jon\Application Data\Nero
2008-11-04 00:23 . 2008-11-04 00:57 <DIR> d-------- c:\program files\Nero
2008-11-04 00:20 . 2008-11-04 01:21 <DIR> d-------- c:\program files\Common Files\Nero
2008-11-04 00:15 . 2008-11-04 00:15 <DIR> d-------- c:\temp\nro.log
2008-11-03 00:03 . 2008-11-05 22:21 <DIR> d-------- c:\temp\NERO1002626
2008-11-01 00:42 . 2008-11-01 00:42 <DIR> d-------- c:\program files\VistaCodecPack
2008-11-01 00:38 . 2008-11-01 00:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\VistaCodecs
2008-10-29 23:31 . 2008-10-30 00:19 <DIR> d-------- c:\temp\msohtmlclip1
2008-10-29 23:31 . 2008-10-29 23:31 <DIR> d-------- c:\temp\msohtmlclip
2008-10-29 23:12 . 2008-11-05 22:21 <DIR> d-------- c:\temp\VBE
2008-10-29 22:41 . 2008-11-07 22:38 <DIR> d-------- C:\hijackthis
2008-10-28 22:55 . 2008-10-28 22:55 <DIR> d-------- c:\windows\Drivers
2008-10-28 22:55 . 2002-04-01 07:39 43,648 --a------ c:\windows\system32\drivers\ousb2hub.sys
2008-10-28 22:55 . 2001-10-05 11:54 43,269 --a------ c:\windows\system32\drivers\tpp725.sys
2008-10-28 22:55 . 2002-04-01 07:39 29,696 --a------ c:\windows\system32\drivers\ousbehci.sys
2008-10-28 22:55 . 2001-10-05 11:53 21,866 --a------ c:\program files\Common Files\tppupd2k.dll
2008-10-28 22:55 . 2008-10-28 22:55 0 --a------ C:\UFantasy.ini
2008-10-27 22:42 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2008-10-27 22:42 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2008-10-26 23:22 . 2008-10-26 23:22 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-10-20 23:47 . 2008-11-03 19:09 4,767 --a------ c:\windows\Irremote.ini
2008-10-20 23:44 . 2008-11-04 00:54 <DIR> d-------- c:\program files\Windows Sidebar
2008-10-20 22:32 . 2008-10-20 22:32 108,336 --a------ c:\windows\system32\mswinsck.ocx
2008-10-17 21:47 . 2008-06-24 12:45 1,414,440 --a------ c:\windows\system32\ShellManager310E2D762.dll
2008-10-17 21:47 . 2008-06-23 16:36 773,120 --a------ c:\windows\system32\NEROINSTAEC43759.DB
2008-10-17 21:19 . 2008-10-17 21:19 1,697,280 --a------ c:\documents and settings\Jon\Application Data\winexpl.exe
2008-10-15 22:07 . 2008-10-15 22:07 <DIR> d-------- c:\temp\Adobe
2008-10-14 21:40 . 2008-10-14 21:40 2,720 --a------ c:\windows\system32\settings.aaw
2008-10-14 21:40 . 2008-10-14 21:40 1,376 --a------ c:\windows\system32\history.aaw
2008-10-13 22:24 . 2008-10-13 22:24 <DIR> d-------- c:\program files\Lavasoft
2008-10-13 22:24 . 2008-10-13 22:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-13 22:24 . 2008-10-14 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 23:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-04 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-02 22:58 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-29 00:43 --------- d-----w c:\program files\TMPGEnc DVD Author 3
2008-10-29 00:43 --------- d-----w c:\program files\TMPGEnc 4.0 XPress
2008-10-29 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-10-29 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2008-10-28 23:51 --------- d-----w c:\program files\DriverGenius
2008-10-24 20:35 --------- d-----w c:\documents and settings\Jon\Application Data\U3
2008-10-22 16:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 16:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-21 00:06 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-17 06:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-12 23:09 --------- d-----w c:\program files\Wizardry 8
2008-10-08 23:06 --------- d-----w c:\program files\IsoBuster
2008-10-06 06:53 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-09-28 23:29 --------- d-----w c:\program files\GrabIt171
2008-09-27 00:10 --------- d-----w c:\program files\Microsoft ActiveSync
2008-09-17 23:48 --------- d-----w c:\program files\Windows Desktop Search
2008-09-17 23:45 --------- d-----w c:\documents and settings\Jon\Application Data\Comodo
2008-09-15 21:17 --------- d-----w c:\program files\Microsoft WSE
2008-09-15 21:16 --------- d-----w c:\program files\Family Tree Maker 2008
2008-09-11 21:50 --------- d-----w c:\program files\HTML Help Workshop
2008-06-16 21:35 92,064 ----a-w c:\documents and settings\Jon\mqdmmdm.sys
2008-06-16 21:35 9,232 ----a-w c:\documents and settings\Jon\mqdmmdfl.sys
2008-06-16 21:35 79,328 ----a-w c:\documents and settings\Jon\mqdmserd.sys
2008-06-16 21:35 66,656 ----a-w c:\documents and settings\Jon\mqdmbus.sys
2008-06-16 21:35 6,208 ----a-w c:\documents and settings\Jon\mqdmcmnt.sys
2008-06-16 21:35 5,936 ----a-w c:\documents and settings\Jon\mqdmwhnt.sys
2008-06-16 21:35 4,048 ----a-w c:\documents and settings\Jon\mqdmcr.sys
2008-06-16 21:35 25,600 ----a-w c:\documents and settings\Jon\usbsermptxp.sys
2008-06-16 21:35 22,768 ----a-w c:\documents and settings\Jon\usbsermpt.sys
2006-03-16 22:26 91 ----a-w c:\program files\Crash.log
2006-02-03 18:27 1,260,032 ----a-w c:\program files\VsoStart.exe
2005-11-07 14:55 2,082,304 ----a-w c:\program files\PcSetup.exe
2005-05-22 17:46 5,608,448 ----a-w c:\program files\VsoStartSkin.dll
2005-05-13 17:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 11:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-13 21:27 422,400 --sha-r c:\windows\x2.64.exe
2008-07-16 22:22 168 --sh--r c:\windows\system32\0D567F53A4.sys
2007-05-29 21:55 88 --sh--r c:\windows\system32\10C4D9967A.sys
2005-06-26 15:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 22:37 45,568 --sha-r c:\windows\system32\cygz.dll
2006-04-27 10:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
2005-02-28 13:16 240,128 --sha-r c:\windows\system32\x.264.exe
2007-01-14 22:53 2,815,264 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-01-14 22:53 97,824 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-05_22.23.41.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-05 23:55:36 2,535,424 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\0f26690c43ac85139172b205d0c5e31a\DriversHQ.DriverDetective.Client.ni.exe
+ 2008-11-05 23:55:39 57,856 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\66b5d9417069d39040b563cd51757a1d\DriversHQ.DriverDetective.ExceptionLogging.ni.dll
+ 2008-11-05 23:55:39 229,376 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\aa44e20707330a28787ca921baa45bb8\DriversHQ.DriverDetective.Common.ni.dll
+ 2008-11-05 23:55:38 253,952 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\ce5b2d51d90578b549732c919c0ddb40\DriversHQ.DriverDetective.Client.Communication.ni.dll
+ 2008-11-05 23:55:40 258,048 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\8156e585829352ffed2b05fd3ceaea9a\Microsoft.ApplicationBlocks.Updater.ni.dll
+ 2008-11-05 23:55:47 2,441,216 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b3b62fe820b416515420a6ec17b247c3\Microsoft.JScript.ni.dll
+ 2008-11-05 23:55:49 167,936 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\84b97134b94449de89075277f80fc43f\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.ni.dll
+ 2008-11-05 23:55:41 368,640 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\de10584876f793036ef5eb208bbcc3c8\Microsoft.Practices.EnterpriseLibrary.Common.ni.dll
+ 2008-11-05 23:55:48 356,352 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\f0b8d81426ccacdd479c64ca04eb9649\Microsoft.Practices.ObjectBuilder.ni.dll
+ 2008-11-05 23:55:48 77,824 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\e674ba75a514e00b26329e212da938e0\Microsoft.Vsa.ni.dll
+ 2008-11-05 23:55:43 1,064,960 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\29c7192327cf3999961560bf3a3995c6\System.Management.ni.dll
+ 2008-11-05 23:55:50 139,264 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\XPBurnComponent\1fcfda856b6a110ed833efa1ec27e647\XPBurnComponent.ni.dll
+ 2000-08-31 08:00:00 98,816 ----a-w c:\windows\sed.exe
- 2008-11-05 19:17:35 98,262 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-07 22:35:01 98,262 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-05 19:17:35 510,276 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-07 22:35:01 510,276 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5B12942-FB14-4889-A63E-343B85E36A09}]
2008-10-03 22:53 116992 --a------ c:\windows\system32\atmli.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-05-19 86105]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RemoteControl"="c:\program files\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"STDSB"="c:\windows\system32\drivers\STDSB.exe" [2003-12-17 28672]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]
"Norton Ghost 14.0"="c:\program files\Norton Ghost 14\Agent\VProTray.exe" [2008-05-07 2245984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-25 180269]
"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2002-06-24 118784]
"iolo AntiVirus"="c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe" [2008-08-26 1103712]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\Logi_MwX.Exe]
"VTTimer"="VTTimer.exe" [2006-09-21 c:\windows\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VP40"= vp4vfw.dll
"vidc.i420"= i420vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.32.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.32.lnk
backup=c:\windows\pss\Wireless Configuration Utility HW.32.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailChecker
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shell

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Personal Firewall]
--a------ 2008-06-18 15:15 1313632 c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
--a------ 2008-05-15 16:29 54576 c:\program files\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2005-05-11 13:48 127118 c:\apps\Powercinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-11-25 19:15 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 14:28 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"CLCapSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiHacker]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=

R0 bfenmtaa;bfenmtaa;c:\windows\system32\drivers\bfenmtaa.sys [2004-08-04 23424]
R0 videX32;videX32;c:\windows\system32\DRIVERS\videX32.sys [2007-09-21 9216]
R0 XPacket;iolo Personal Firewall Driver;c:\windows\system32\xpacket.sys [2007-05-18 39424]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
R2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [2005-08-25 11279]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2006-10-30 2368]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-08-04 5120]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;c:\windows\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe [2008-05-07 1558000]
R3 TPPFX;USB Storage Adapter FX (TPP);c:\windows\system32\DRIVERS\TPPFX.SYS [2002-06-24 32256]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe [ ]
S2 P32LOAD;Intel(R) AnyPoint(R) 3240 USB Modem Firmware Loader;c:\windows\system32\DRIVERS\p31usbld.sys [2002-04-23 18906]
S2 STDSB;STDSB;c:\windows\system32\DRIVERS\STDSB.sys [2005-08-25 11279]
S3 BIOSCHK;BIOSCHK;c:\temp\TIIF6.tmp\disk1\BIOSCHK.SYS [ ]
S3 CyUsbNT;Cypress Manufacturing Driver;c:\windows\system32\Drivers\CyUsbNT.sys [2005-02-16 28800]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\sis163u.sys [2006-09-05 217600]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\DRIVERS\TPP300.SYS [ ]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [2006-12-02 48128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\A92534099192A881.job
- c:\docume~1\jon\applic~1\cashbu~1\mix anti cake.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 22:51:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\program files\iolo\common\lib\ioloHL.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\program files\iolo\common\lib\ioloHL.dll

PROCESS: c:\windows\explorer.exe
-> c:\program files\iolo\common\lib\ioloHL.dll

PROCESS: c:\windows\system32\csrss.exe
-> c:\program files\iolo\common\lib\ioloHL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\apps\HIDSERVICE\HidService.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\windows\system32\imapi.exe
c:\windows\TPPNTTRY.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\NetLimiter 2 Pro\nlsvc.exe
c:\program files\Norton Ghost 14\Agent\VProSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\802.11 Wireless LAN\SiSWLSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\msdtc.exe
.
**************************************************************************
.
Completion time: 2008-11-07 22:58:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-07 22:57:50
ComboFix2.txt 2008-11-07 22:37:31
ComboFix3.txt 2008-11-05 22:24:54

Pre-Run: 7,926,407,168 bytes free
Post-Run: 7,902,502,912 bytes free

292 --- E O F --- 2008-11-07 22:18:53

and the new hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:02:15, on 07/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Norton Ghost 14\Agent\VProTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\tppnttry.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C5B12942-FB14-4889-A63E-343B85E36A09} - C:\WINDOWS\system32\atmli.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "c:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost 14\Agent\VProTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - c:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe

--
End of file - 12359 bytes

Jon

0

Download Avenger by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator privileges.


[*]Open the Avenger folder and double click Avenger.exe to launch the programme.
[*]Copy the text in the code box below and Paste it into the Input script here: box.

Files to delete:
c:\windows\system32\atmli.dll
  • Note: the above code was created specifically for this user. If you are not this user, do

NOT follow these directions as they could damage the workings of your system.


[*]Ensure the following:

  • Scan for Rootkits is checked.
  • Automatically disable any rootkits found is Unchecked.

[*]Press the Execute key.
[*]Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
[*]Post the log back here please. (it can also be found at C:\avenger.txt)

0

Hi crunchie

Here's the log produced

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\windows\system32\atmli.dll"
Deletion of file "c:\windows\system32\atmli.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

0

Please boot into safe mode and repeat the process. If it still does not work, we will try something else :).

0

Hi crunchie

No joy with Avenger in safe mode either

here is the log

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\windows\system32\atmli.dll"
Deletion of file "c:\windows\system32\atmli.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

0

Do you know how to delete using the recovery console? I don't. Will check in after work and see how you are going.

0

to get recovery console installed and configured so its actually helpful (not installed / locked down by default). It is very handy.

a) insert xp cd
b) in run do (where X is your CD Drive) X:\i386\winnt32.exe /cmdcons
c) in run, type regedit
d) REBOOT. IMPORTANT. DO NOT CHOOSE RECOVERY CONSOLE YET
d) in regedit go to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
Setup\RecoveryConsole
e) Change the values of the keys SetCommand and SecurityLevel to 1
f) Reboot again. Choose recovery console at the bootloader menu

g) Log into your XP install using recovery console. At the prompt type:

SET AllowAllPaths = TRUE
SET AllowRemovableMedia = TRUE
SET AllowWildCards = TRUE
SET NoCopyPrompt = TRUE

h) now the recovery console is installed and configured for future use. its commands are very much like DOS.

0

Hi both

Managed to delete the file via the recovery console but still have the one registry key on th hijackthis scan. Have tried to remove it with hijackthis but with no success.

According to regedit I have permission to delete the file but am unable to do so.

Here is the latest hijackthis scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:41, on 2008-11-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Norton Ghost 14\Agent\VProTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\tppnttry.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C5B12942-FB14-4889-A63E-343B85E36A09} - C:\WINDOWS\system32\atmli.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "c:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost 14\Agent\VProTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - c:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - c:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost 14\Agent\VProSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost 14\Shared\Drivers\SymSnapService.exe

--
End of file - 12118 bytes

thx
Jon

0

Make sure all browser and explorer windows are closed before fixing with hijackthis.

If still no luck, try in safe mode.

Make sure none of your anti-malware progams are running when you do this also.

0

Hi crunchie

Still no joy getting rid of the final registry key with hijack this either in normal mode or safe mode.

Is there anything else we can try?

thx

0

Registrar Registry Manager 6.00.
http://www.resplendence.com/downloads

Run Reglite and navigate to the “Browser Helper Objects” registry key using the following path:
HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ explorer\ Browser Helper Objects

Highlite the following keys and check the permissions on them (or simply "Take Ownership" of the key) and then delete them.

C5B12942-FB14-4889-A63E-343B85E36A09

==

To take ownership, select the 'security' button and then 'Take Ownership.'

==

Reboot and rescan with hijackthis and see if it is gone.

0

Hi crunchie

I've tried to take control of the registry subkey but I'm getting an error message

Error taking ownership - a device attached to the system is not functioning

Jon

0

Are you logged in as an administrator? Not sure what the problem is there. Can also try it in safe mode to manually delete it from the registry.
The entry is only an orphaned one now and can do no harm.

0

Hi crunchie

Still no joy deleting the offending key from safe mode - checking out the registry key it says I own it and have complete control but won't let me delete it. As you say though it's an orphaned key so I don't suppose there's any harm in leaving it there.

Jon

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.