Hi,

I have tried and failed to remove CiD pop-ups from a friend's computer, even after reading through some posts on this forum and others.

Can someone with experience please help me through the process? All help is greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:26 PM, on 7/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Telstra BigPond
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcyx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MySidesearch Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: BrowserCmp - {1D8282E6-BC4F-469B-AAED-7E4FF077AD93} - C:\WINDOWS\system32\iebrowserc.dll
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - C:\WINDOWS\system32\nse1B.dll
O2 - BHO: (no name) - {74AFC1F8-67E1-446D-B734-EA37D1FACD45} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Picasa Media Detector] G:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] G:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe"
O4 - HKCU\..\Run: [Dvd Dash] C:\DOCUME~1\Sam\APPLIC~1\SUPPOR~1\drvwarnhide.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [SVX Control Service] svxhost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SVX Control Service] svxhost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SVX Control Service] svxhost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SVX Control Service] svxhost.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93380751-1D9B-49E2-82A1-C631AAE53035}: NameServer = 61.88.88.88,192.65.91.129
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: tuvusts - tuvusts.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 8079 bytes
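As an added example, not code from this thread or from Trend Micro: a small Python triage script that parses the O2/O4/O20/F3 line formats used in the HijackThis log above and flags the structural red flags a helper looks for first (a win.ini load= hook, an autostart that names a bare file with no path, a Winlogon Notify DLL that is missing, a BHO dropped straight into system32 or left orphaned). The sample lines are copied from the log; the allowlist of launchers that may legitimately appear without a path is an assumption, and this is a structural check, not a signature match.

```python
"""Triage helper for HijackThis v2.0.2 log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    lineno: int
    section: str     # HJT section code: O2, O4, O20, F3
    severity: str    # "high" or "review"
    reason: str
    text: str

# Line shapes exactly as HijackThis prints them in the log above.
RE_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RE_F3 = re.compile(r"^F3 - REG:win\.ini: load=(?P<path>.*)$")

# Launchers that normally appear in Run keys without a full path.
# Assumption made for this example, not a HijackThis rule.
BARE_OK = {"rundll32.exe"}

def target_of(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def check_line(lineno: int, line: str) -> List[Finding]:
    """Apply the structural checks to one log line; empty list means nothing to flag."""
    out: List[Finding] = []
    if m := RE_O4.match(line):
        cmd = re.sub(r" \(User '[^']*'\)$", "", m["cmd"])  # strip HJT's per-user suffix
        exe = target_of(cmd)
        if "\\" not in exe and exe.lower() not in BARE_OK:
            # No directory at all: Windows resolves it by PATH search order, so
            # the file can sit anywhere and is easy to miss.
            out.append(Finding(lineno, "O4", "high",
                               f"autostart '{m['name']}' runs bare file {exe!r} with no path", line))
        elif re.search(r"\\(APPLIC~1|Application Data)\\", exe, re.I):
            # Executables launched from a user's Application Data folder deserve a look.
            out.append(Finding(lineno, "O4", "review",
                               f"autostart '{m['name']}' runs from a user profile Application Data folder", line))
    elif m := RE_O2.match(line):
        if m["path"] == "(no file)":
            out.append(Finding(lineno, "O2", "review",
                               f"orphaned BHO {{{m['clsid']}}}: registered but its DLL is gone", line))
        elif "\\system32\\" in m["path"].lower():
            # Legitimate BHOs in this log all live under Program Files.
            out.append(Finding(lineno, "O2", "review",
                               f"BHO '{m['name']}' loads its DLL directly from system32", line))
    elif m := RE_O20.match(line):
        if m["path"].endswith("(file missing)"):
            out.append(Finding(lineno, "O20", "high",
                               f"Winlogon Notify '{m['name']}' points at a missing DLL", line))
    elif m := RE_F3.match(line):
        # win.ini load= is a legacy hook that modern software has no reason to use.
        out.append(Finding(lineno, "F3", "high", f"win.ini load= hook runs {m['path']}", line))
    return out

def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        findings.extend(check_line(n, line.rstrip()))
    return findings

# Constructed sample: a subset of the lines from the HJT log in this thread.
SAMPLE_LOG = r"""F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcyx.exe
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - C:\WINDOWS\system32\nse1B.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Dvd Dash] C:\DOCUME~1\Sam\APPLIC~1\SUPPOR~1\drvwarnhide.exe
O4 - HKUS\S-1-5-18\..\Run: [SVX Control Service] svxhost.exe (User 'SYSTEM')
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: tuvusts - tuvusts.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.lineno:2d} [{f.severity:6s}] {f.section:3s} {f.reason}")
```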


Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Thanks heaps for the help. I will do what you suggested as soon as I have access to the computer I am trying to fix (tomorrow about this time), but it's getting late so I'm going to sleep. I will report back tomorrow.

thanks

No worries. I'm in bed too anyway.

OK, the person who owns the infected computer has tried to do what you said, but when rebooting in Safe Mode he had a problem. He would reboot the computer, press F8, select start Windows in Safe Mode and press Enter, and then, after some code flows over the screen, the computer would restart in the normal fashion.

I am not sure what is going on here... I might be having a look at the computer some time, but not for a while...

Any ideas?

(On a side note, the pop-ups can be stopped by ending two iexplorer.exe processes that are running when the computer starts up (they must both be ended very quickly because it seems that they start each other up when closed).)

Try this instead;

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Here's the ComboFix log:

ComboFix 08-02.05.3 - Sam 2008-02-09 9:39:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT 9:00]
Running from: C:\Documents and Settings\Sam\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Instant Messenger Names
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-08 23:52 . 2008-02-08 23:52 335,872 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll
2008-02-02 14:51 . 2008-02-02 14:51 <DIR> d-------- C:\Program Files\Activision
2008-02-01 20:56 . 2008-02-01 20:56 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2008-02-01 20:56 . 2008-02-01 20:56 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2008-02-01 17:41 . 2008-02-01 17:41 <DIR> d-------- C:\Program Files\uTorrent
2008-02-01 17:40 . 2008-02-04 20:38 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\uTorrent
2008-01-29 07:27 . 2008-01-29 07:27 <DIR> d-------- C:\Program Files\Supportwaybend
2008-01-25 09:58 . 2008-01-25 09:58 46,300 --a------ C:\WINDOWS\system32\DcadsSocial-uninstall.exe
2008-01-22 21:39 . 2007-10-11 08:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-22 21:39 . 2007-07-01 12:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-22 21:39 . 2007-07-01 12:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-22 21:39 . 2007-10-11 08:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-22 21:39 . 2007-10-11 08:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-22 21:39 . 2007-10-11 08:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-22 21:39 . 2007-10-11 08:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-22 21:39 . 2007-10-11 08:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-22 21:39 . 2007-10-10 19:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-22 21:29 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-20 15:41 . 2008-01-20 15:41 <DIR> d-------- C:\Documents and Settings\silver moon rose\Application Data\Apple Computer
2008-01-20 13:21 . 2008-01-20 13:21 268 --ah----- C:\sqmdata03.sqm
2008-01-20 13:21 . 2008-01-20 13:21 244 --ah----- C:\sqmnoopt03.sqm
2008-01-18 19:06 . 2008-01-18 19:06 294,912 --a------ C:\WINDOWS\system32\iebrowserc.dll
2008-01-18 15:06 . 2008-02-09 08:16 84,729 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 23:39 --------- d-----w C:\Documents and Settings\Sam\Application Data\LimeWire
2008-02-08 23:12 --------- d-----w C:\Documents and Settings\Sam\Application Data\OpenOffice.org2
2008-02-08 11:31 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\OpenOffice.org2
2008-02-08 09:36 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\AVG7
2008-02-08 07:12 --------- d-----w C:\Documents and Settings\Sam\Application Data\AVG7
2008-02-07 04:59 --------- d-----w C:\Documents and Settings\Nadene\Application Data\OpenOffice.org2
2008-02-07 04:23 --------- d-----w C:\Documents and Settings\Nadene\Application Data\AVG7
2008-02-05 01:57 --------- d-----w C:\Program Files\Circle Developement
2008-02-05 01:57 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\Supportwaybend
2008-02-05 01:56 --------- d-----w C:\Documents and Settings\Nadene\Application Data\Supportwaybend
2008-02-05 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\manager exit list active
2008-02-05 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-03 01:01 --------- d-----w C:\Program Files\Google
2008-02-03 00:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 00:55 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-03 00:52 --------- d-----w C:\Documents and Settings\Sam\Application Data\Ahead
2008-02-01 11:56 --------- d-----w C:\Documents and Settings\Marley\Application Data\AVG7
2008-02-01 07:01 --------- d-----w C:\Documents and Settings\Sam\Application Data\Supportwaybend
2008-02-01 06:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-25 23:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-17 05:31 --------- d-----w C:\Program Files\LimeWire
2008-01-07 01:25 80,097 ----a-w C:\WINDOWS\system32\dcads-remove.exe
2008-01-07 01:24 77,379 ----a-w C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
2008-01-07 01:24 40,731 ----a-w C:\WINDOWS\system32\superiorads-uninst.exe
2008-01-07 01:24 --------- d-----w C:\Program Files\Dcads Games Collection
2008-01-05 09:10 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\DataCast
2008-01-05 09:09 --------- d-----w C:\Program Files\Samsung
2008-01-05 09:09 --------- d-----w C:\Program Files\MarkAny
2008-01-05 09:08 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\InstallShield
2008-01-02 02:24 --------- d-----w C:\Program Files\FinePixViewer
2008-01-02 01:19 --------- d-----w C:\Program Files\Common Files\COWON
2008-01-02 01:19 --------- d-----w C:\Documents and Settings\Sam\Application Data\COWON
2007-12-29 12:13 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\COWON
2007-12-26 06:34 --------- d-----w C:\Program Files\REGSHAVE
2007-12-26 03:02 --------- d-----w C:\Program Files\Windows Live
2007-12-26 03:02 --------- d-----w C:\Program Files\MSN Messenger
2007-12-26 03:02 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-24 13:07 319,488 ----a-w C:\WINDOWS\system32\dcads_sidebar.dll
2007-12-20 00:50 --------- d-----w C:\Program Files\Macromedia
2007-12-19 04:42 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-18 09:13 --------- d-----w C:\Program Files\Common Files\Vbox
2007-12-14 08:19 40,960 ------w C:\WINDOWS\system32\MAMACExtract.dll
2007-12-13 23:07 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-12-13 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-13 23:04 --------- d-----w C:\Program Files\OLYMPUS
2007-12-13 16:10 78,848 ----a-w C:\WINDOWS\system32\nse1B.dll
2007-11-20 06:36 118,784 ----a-w C:\WINDOWS\system32\MaDRM.dll
.

----a-w         3,529,728 2007-12-25 06:19:50  C:\Documents and Settings\All Users\Application Data\manager exit list active\type default .exe
----a-w         3,529,728 2007-12-25 06:09:04  C:\Documents and Settings\All Users\Application Data\manager exit list active\TYPEDE~1 .EXE
----a-w            69,632 2007-12-25 06:07:56  C:\Program Files\Analog Devices\SoundMAX\Smtray .exe
----a-w           147,456 2007-12-25 06:08:11  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w            68,856 2007-12-25 06:08:17  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           579,072 2007-12-25 06:07:59  C:\Program Files\Grisoft\AVG Free\avgcc .exe
----a-w           132,496 2007-12-25 06:08:01  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w         5,674,352 2007-12-25 06:08:44  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w            95,800 2007-12-25 06:08:33  C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe
----a-w            53,248 2007-12-25 06:07:59  C:\Program Files\REGSHAVE\REGSHAVE .EXE

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}]
2008-02-08 23:52 335872 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}]
2008-01-18 19:06 294912 --a------ C:\WINDOWS\system32\iebrowserc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E}]
2007-12-14 01:10 78848 --a------ C:\WINDOWS\system32\nse1B.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74AFC1F8-67E1-446D-B734-EA37D1FACD45}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"igndlm.exe"="G:\Program Files\Download Manager\DLM.exe" [2007-03-06 06:57 1103480]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe" [2007-12-25 15:08 95800]
"Dvd Dash"="C:\DOCUME~1\Sam\APPLIC~1\SUPPOR~1\drvwarnhide.exe" [2008-01-21 18:36 612864]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"Picasa Media Detector"="G:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 08:17 421888]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 08:23 132624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-01 20:55 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SVX Control Service"="svxhost.exe" []
"Microsoft Update"="msnmsgr.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-01 20:55 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SVX Control Service"="svxhost.exe" []

C:\Documents and Settings\silver moon rose\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-06-21 23:58:33 159744]

C:\Documents and Settings\Nadene\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56 393216]

C:\Documents and Settings\Sam\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-02-14 17:59:53 303104]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-19 13:44:02 113664]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-03-18 18:09:19 294912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-02-01 20:56 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvusts]
tuvusts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
--a------ 2001-10-11 09:14 28672 C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Microsoft Update"=msnmsgr.exe
"SVX Control Service"=svxhost.exe
"srmclean"=C:\Cpqs\Scom\srmclean.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"WorksFUD"=
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Microsoft Update"=msnmsgr.exe
"SVX Control Service"=svxhost.exe

S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S3 ALN325;AcerLAN ALN-325 10/100M Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ALN325.SYS [1999-12-15 10:33]
S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2002-06-12 22:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 00:00:00 C:\WINDOWS\Tasks\A8584055931BFA3D.job"
- c:\docume~1\silver~1\applic~1\suppor~1\axismodebird.exe
"2008-02-09 00:00:00 C:\WINDOWS\Tasks\A8C5D8A4918E52EC.job"
- c:\docume~1\nadene\applic~1\suppor~1\axismodebird.exe
"2008-02-09 00:00:00 C:\WINDOWS\Tasks\ABBB7ECE906CF7AA.job"
- c:\docume~1\sam\applic~1\suppor~1\axismodebird.exe
"2008-01-30 01:26:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-01 06:01:33 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 09:49:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
.
**************************************************************************
.
Completion time: 2008-02-09 9:59:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 00:59:03
.
2008-01-24 01:38:50 --- E O F ---

And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:46 PM, on 10/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MySidesearch Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: BrowserCmp - {1D8282E6-BC4F-469B-AAED-7E4FF077AD93} - C:\WINDOWS\system32\iebrowserc.dll
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - C:\WINDOWS\system32\nse1B.dll
O2 - BHO: (no name) - {74AFC1F8-67E1-446D-B734-EA37D1FACD45} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Picasa Media Detector] G:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] G:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe"
O4 - HKCU\..\Run: [Dvd Dash] C:\DOCUME~1\Sam\APPLIC~1\SUPPOR~1\drvwarnhide.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [SVX Control Service] svxhost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SVX Control Service] svxhost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SVX Control Service] svxhost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SVX Control Service] svxhost.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93380751-1D9B-49E2-82A1-C631AAE53035}: NameServer = 61.88.88.88,192.65.91.129
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: tuvusts - tuvusts.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 7934 bytes

Could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run the Lop Remover from:
http://66.220.17.157/help.html

=================

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O2 - BHO: MySidesearch Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
    O2 - BHO: BrowserCmp - {1D8282E6-BC4F-469B-AAED-7E4FF077AD93} - C:\WINDOWS\system32\iebrowserc.dll
    O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - (no file)
    O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - C:\WINDOWS\system32\nse1B.dll
    O2 - BHO: (no name) - {74AFC1F8-67E1-446D-B734-EA37D1FACD45} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKUS\S-1-5-18\..\Run: [SVX Control Service] svxhost.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SVX Control Service] svxhost.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [SVX Control Service] svxhost.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SVX Control Service] svxhost.exe (User 'Default user')
    O4 - Global Startup: Exif Launcher 2.lnk = ?

    O20 - Winlogon Notify: tuvusts - tuvusts.dll (file missing)

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Folder::
C:\Documents and Settings\Nadene\Application Data\Supportwaybend
C:\Documents and Settings\All Users\Application Data\manager exit list active

RENV::
----a-w 3,529,728 2007-12-25 06:19:50 C:\Documents and Settings\All Users\Application Data\manager exit list active\type default .exe
----a-w 3,529,728 2007-12-25 06:09:04 C:\Documents and Settings\All Users\Application Data\manager exit list active\TYPEDE~1 .EXE
----a-w 69,632 2007-12-25 06:07:56 C:\Program Files\Analog Devices\SoundMAX\Smtray .exe
----a-w 147,456 2007-12-25 06:08:11 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 68,856 2007-12-25 06:08:17 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 579,072 2007-12-25 06:07:59 C:\Program Files\Grisoft\AVG Free\avgcc .exe
----a-w 132,496 2007-12-25 06:08:01 C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w 5,674,352 2007-12-25 06:08:44 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 95,800 2007-12-25 06:08:33 C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe
----a-w 53,248 2007-12-25 06:07:59 C:\Program Files\REGSHAVE\REGSHAVE .EXE

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif[/IMG]


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Thanks for that, the log files have been attached.

Note: I was told the lop uninstall was run after the logs were taken.


ComboFix 08-02-22.2 - Sam 2008-02-22 17:59:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.189 [GMT 9:00]
Running from: C:\Documents and Settings\Sam\Desktop\un used icons\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sam\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\manager exit list active
C:\Documents and Settings\All Users\Application Data\manager exit list active\Readme Bore.exe
C:\Documents and Settings\All Users\Application Data\manager exit list active\TYPEDE~1.EXE
C:\Documents and Settings\Nadene\Application Data\Supportwaybend
C:\Documents and Settings\Nadene\Application Data\Supportwaybend\0
C:\Documents and Settings\Nadene\Application Data\Supportwaybend\AceMagsGridRemote.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-16 14:17 . 2008-02-16 14:17 <DIR> d-------- C:\Free Chess
2008-02-02 14:51 . 2008-02-02 14:51 <DIR> d-------- C:\Program Files\Activision
2008-02-01 20:56 . 2008-02-01 20:56 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2008-02-01 20:56 . 2008-02-01 20:56 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2008-02-01 17:41 . 2008-02-01 17:41 <DIR> d-------- C:\Program Files\uTorrent
2008-02-01 17:40 . 2008-02-04 20:38 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\uTorrent
2008-01-29 07:27 . 2008-01-29 07:27 <DIR> d-------- C:\Program Files\Supportwaybend
2008-01-25 09:58 . 2008-01-25 09:58 46,300 --a------ C:\WINDOWS\system32\DcadsSocial-uninstall.exe
2008-01-22 21:39 . 2007-12-07 11:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-22 21:39 . 2007-07-01 12:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-22 21:39 . 2007-07-01 12:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-22 21:39 . 2007-12-07 11:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-22 21:39 . 2007-12-07 11:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-22 21:39 . 2007-12-07 11:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-22 21:39 . 2007-12-07 11:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-22 21:39 . 2007-12-07 11:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-22 21:39 . 2007-12-06 20:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-22 21:29 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-22 08:59 --------- d-----w C:\Program Files\REGSHAVE
2008-02-22 08:59 --------- d-----w C:\Program Files\MSN Messenger
2008-02-22 07:37 --------- d-----w C:\Documents and Settings\Sam\Application Data\OpenOffice.org2
2008-02-22 07:14 --------- d-----w C:\Documents and Settings\Sam\Application Data\AVG7
2008-02-21 07:59 --------- d-----w C:\Documents and Settings\Sam\Application Data\LimeWire
2008-02-20 05:39 --------- d-----w C:\Program Files\LimeWire
2008-02-20 01:23 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\AVG7
2008-02-08 11:31 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\OpenOffice.org2
2008-02-07 04:59 --------- d-----w C:\Documents and Settings\Nadene\Application Data\OpenOffice.org2
2008-02-07 04:23 --------- d-----w C:\Documents and Settings\Nadene\Application Data\AVG7
2008-02-05 01:57 --------- d-----w C:\Program Files\Circle Developement
2008-02-05 01:57 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\Supportwaybend
2008-02-05 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-03 01:01 --------- d-----w C:\Program Files\Google
2008-02-03 00:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 00:55 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-03 00:52 --------- d-----w C:\Documents and Settings\Sam\Application Data\Ahead
2008-02-01 11:56 --------- d-----w C:\Documents and Settings\Marley\Application Data\AVG7
2008-02-01 07:01 --------- d-----w C:\Documents and Settings\Sam\Application Data\Supportwaybend
2008-02-01 06:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-25 23:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-20 06:41 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\Apple Computer
2008-01-07 01:24 --------- d-----w C:\Program Files\Dcads Games Collection
2008-01-05 09:10 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\DataCast
2008-01-05 09:09 --------- d-----w C:\Program Files\Samsung
2008-01-05 09:09 --------- d-----w C:\Program Files\MarkAny
2008-01-05 09:08 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\InstallShield
2008-01-02 02:24 --------- d-----w C:\Program Files\FinePixViewer
2008-01-02 01:19 --------- d-----w C:\Program Files\Common Files\COWON
2008-01-02 01:19 --------- d-----w C:\Documents and Settings\Sam\Application Data\COWON
2007-12-29 12:13 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\COWON
2007-12-26 03:02 --------- d-----w C:\Program Files\Windows Live
2007-12-26 03:02 --------- d-----w C:\Program Files\Messenger Plus! Live
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-12-25 15:08 5674352]
"igndlm.exe"="G:\Program Files\Download Manager\DLM.exe" [2007-03-06 06:57 1103480]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe" [ ]
"Dvd Dash"="C:\DOCUME~1\Sam\APPLIC~1\SUPPOR~1\drvwarnhide.exe" [2008-01-21 18:36 612864]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"Picasa Media Detector"="G:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 08:17 421888]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 08:23 132624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-01 20:55 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="msnmsgr.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-01 20:55 219136]

C:\Documents and Settings\silver moon rose\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-06-21 23:58:33 159744]

C:\Documents and Settings\Nadene\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56 393216]

C:\Documents and Settings\Sam\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-02-01 20:56 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
--a------ 2001-10-11 09:14 28672 C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Microsoft Update"=msnmsgr.exe
"SVX Control Service"=svxhost.exe
"srmclean"=C:\Cpqs\Scom\srmclean.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"WorksFUD"=
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Microsoft Update"=msnmsgr.exe
"SVX Control Service"=svxhost.exe

S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S2 SurferService;AutomatedSurfer;C:\WINDOWS\system32\srvany.exe [1997-05-15 00:49]
S3 ALN325;AcerLAN ALN-325 10/100M Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ALN325.SYS [1999-12-15 10:33]
S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2002-06-12 22:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 09:00:00 C:\WINDOWS\Tasks\A8584055931BFA3D.job"
- c:\docume~1\silver~1\applic~1\suppor~1\axismodebird.exe
"2008-02-22 09:00:00 C:\WINDOWS\Tasks\A8C5D8A4918E52EC.job"
- c:\docume~1\nadene\applic~1\suppor~1\axismodebird.exe
"2008-02-22 09:00:01 C:\WINDOWS\Tasks\ABBB7ECE906CF7AA.job"
- c:\docume~1\sam\applic~1\suppor~1\axismodebird.exe
"2008-02-20 01:26:39 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-01 06:01:33 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 18:06:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-02-22 18:13:24 - machine was rebooted [Sam]
ComboFix-quarantined-files.txt 2008-02-22 09:13:18
ComboFix2.txt 2008-02-09 00:59:13
.
2008-02-16 03:08:55 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:43 PM, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Picasa Media Detector] G:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] G:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe" -NoStart
O4 - HKCU\..\Run: [Dvd Dash] C:\DOCUME~1\Sam\APPLIC~1\SUPPOR~1\drvwarnhide.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] msnmsgr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] msnmsgr.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93380751-1D9B-49E2-82A1-C631AAE53035}: NameServer = 61.88.88.88,192.65.91.129
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 7033 bytes

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O4 - HKCU\..\Run: [Dvd Dash] C:\DOCUME~1\Sam\APPLIC~1\SUPPOR~1\drvwarnhide.exe
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] msnmsgr.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] msnmsgr.exe (User 'Default user')

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:



KillAll::

File::
C:\WINDOWS\Tasks\A8584055931BFA3D.job
C:\WINDOWS\Tasks\A8C5D8A4918E52EC.job
C:\WINDOWS\Tasks\ABBB7ECE906CF7AA.job

Folder::
C:\DOCUME~1\Sam\APPLIC~1\SUPPOR~1



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
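The two HijackThis checklists in this thread single out the same kinds of entries: a look-alike whose name carries a space before ".exe", a bare filename under a Run key for the SYSTEM account, an autorun living under a user's Application Data folder, and orphaned BHO / Winlogon Notify entries whose file is gone. The script below is an added example, not code from the thread or from HijackThis/ComboFix: it encodes those triage heuristics and runs them over constructed sample lines modelled on this thread's logs; the allowlist of bare names is an assumption.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    section: str   # HijackThis section: O2, O4 or O20
    name: str      # where the entry lives and what it is called
    target: str    # executable or DLL the entry points at
    reason: str    # why this heuristic flagged it


# Bare names that legitimately appear without a path in Run keys.
# Constructed allowlist for this example; extend it for your own baseline.
BARE_NAME_ALLOWLIST = {"rundll32.exe"}

# "O4 - <hive\..\Run>: [<name>] <command> (User '<user>')"
_O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O4_USER_RE = re.compile(r" \(User '[^']*'\)$")
# First token ending in an executable-style extension, surrounding quotes optional.
_EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|bat|cmd|pif)\b)"?',
                     re.IGNORECASE)
_OTHER_RE = re.compile(r"^(?P<section>O2|O20) - (?P<rest>.+)$")


def _check_target(target: str) -> List[str]:
    """Heuristics applied to the file an autorun entry points at."""
    reasons = []
    base = target.rsplit("\\", 1)[-1]
    if re.search(r"\s\.\w+$", base):
        # "MMonitor .exe": a look-alike placed beside the legitimate program
        reasons.append("space before file extension (look-alike file name)")
    if "\\" not in target and base.lower() not in BARE_NAME_ALLOWLIST:
        # No path at all: Windows resolves the name via the search path at logon
        reasons.append("bare filename without a path")
    if re.search(r"\\(APPLIC~1|Application Data)\\", target, re.IGNORECASE):
        reasons.append("autorun stored under a user-profile Application Data folder")
    return reasons


def _parse_other(line: str) -> Optional[Tuple[str, str, str]]:
    """Split O2 (BHO) and O20 (Winlogon Notify) lines into section, name, target."""
    m = _OTHER_RE.match(line)
    if not m:
        return None
    _, _, body = m.group("rest").partition(": ")
    parts = body.split(" - ")
    # O2 body: "<name> - {CLSID} - <file>"; O20 body: "<name> - <dll>"
    return m.group("section"), parts[0], parts[-1]


def analyze_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per (entry, reason) that deserves a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _O4_RE.match(line)
        if m:
            cmd = _O4_USER_RE.sub("", m.group("cmd"))
            em = _EXE_RE.match(cmd)
            target = em.group("exe") if em else cmd
            label = f"{m.group('where')} [{m.group('name')}]"
            for reason in _check_target(target):
                findings.append(Finding("O4", label, target, reason))
            continue
        parsed = _parse_other(line)
        if parsed is None:
            continue
        section, name, target = parsed
        if target == "(no file)" or target.endswith("(file missing)"):
            findings.append(Finding(section, name, target,
                                    "orphaned entry: registered file is missing"))
            continue
        for reason in _check_target(target):
            findings.append(Finding(section, name, target, reason))
    return findings


# Constructed sample lines modelled on the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe" -NoStart
O4 - HKCU\..\Run: [Dvd Dash] C:\DOCUME~1\Sam\APPLIC~1\SUPPOR~1\drvwarnhide.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] msnmsgr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SVX Control Service] svxhost.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: tuvusts - tuvusts.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - (no file)
"""

if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name}: {f.target} -> {f.reason}")
```

On the sample the script flags six entries and leaves the AVG, Acrobat, Adobe Gamma and RUNDLL32 lines alone; the heuristics are a first pass for deciding what to research, not a verdict on their own.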

Hi,

I've attached the two new logs.

==

ComboFix 08-02-22.2 - Sam 2008-02-23 9:00:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.196 [GMT 9:00]
Running from: C:\Documents and Settings\Sam\Desktop\un used icons\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sam\Desktop\un used icons\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Tasks\A8584055931BFA3D.job
C:\WINDOWS\Tasks\A8C5D8A4918E52EC.job
C:\WINDOWS\Tasks\ABBB7ECE906CF7AA.job
.

((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-16 14:17 . 2008-02-16 14:17 <DIR> d-------- C:\Free Chess
2008-02-02 14:51 . 2008-02-02 14:51 <DIR> d-------- C:\Program Files\Activision
2008-02-01 20:56 . 2008-02-01 20:56 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2008-02-01 20:56 . 2008-02-01 20:56 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2008-02-01 17:41 . 2008-02-01 17:41 <DIR> d-------- C:\Program Files\uTorrent
2008-02-01 17:40 . 2008-02-04 20:38 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\uTorrent
2008-01-25 09:58 . 2008-01-25 09:58 46,300 --a------ C:\WINDOWS\system32\DcadsSocial-uninstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 00:12 --------- d-----w C:\Documents and Settings\Sam\Application Data\OpenOffice.org2
2008-02-22 23:39 --------- d-----w C:\Documents and Settings\Sam\Application Data\AVG7
2008-02-22 08:59 --------- d-----w C:\Program Files\REGSHAVE
2008-02-22 08:59 --------- d-----w C:\Program Files\MSN Messenger
2008-02-21 07:59 --------- d-----w C:\Documents and Settings\Sam\Application Data\LimeWire
2008-02-20 05:39 --------- d-----w C:\Program Files\LimeWire
2008-02-20 01:23 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\AVG7
2008-02-08 23:16 84,729 ----a-w C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-02-08 11:31 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\OpenOffice.org2
2008-02-07 04:59 --------- d-----w C:\Documents and Settings\Nadene\Application Data\OpenOffice.org2
2008-02-07 04:23 --------- d-----w C:\Documents and Settings\Nadene\Application Data\AVG7
2008-02-05 01:57 --------- d-----w C:\Program Files\Circle Developement
2008-02-05 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-03 01:01 --------- d-----w C:\Program Files\Google
2008-02-03 00:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 00:55 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-03 00:52 --------- d-----w C:\Documents and Settings\Sam\Application Data\Ahead
2008-02-01 11:56 --------- d-----w C:\Documents and Settings\Marley\Application Data\AVG7
2008-02-01 06:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-25 23:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-20 06:41 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\Apple Computer
2008-01-07 01:25 80,097 ----a-w C:\WINDOWS\system32\dcads-remove.exe
2008-01-07 01:24 77,379 ----a-w C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
2008-01-07 01:24 40,731 ----a-w C:\WINDOWS\system32\superiorads-uninst.exe
2008-01-07 01:24 --------- d-----w C:\Program Files\Dcads Games Collection
2008-01-05 09:10 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\DataCast
2008-01-05 09:09 --------- d-----w C:\Program Files\Samsung
2008-01-05 09:09 --------- d-----w C:\Program Files\MarkAny
2008-01-05 09:08 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\InstallShield
2008-01-02 02:24 --------- d-----w C:\Program Files\FinePixViewer
2008-01-02 01:19 --------- d-----w C:\Program Files\Common Files\COWON
2008-01-02 01:19 --------- d-----w C:\Documents and Settings\Sam\Application Data\COWON
2007-12-29 12:13 --------- d-----w C:\Documents and Settings\silver moon rose\Application Data\COWON
2007-12-26 03:02 --------- d-----w C:\Program Files\Windows Live
2007-12-26 03:02 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-24 13:07 319,488 ----a-w C:\WINDOWS\system32\dcads_sidebar.dll
2007-12-14 08:19 40,960 ------w C:\WINDOWS\system32\MAMACExtract.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-12-25 15:08 5674352]
"igndlm.exe"="G:\Program Files\Download Manager\DLM.exe" [2007-03-06 06:57 1103480]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"Picasa Media Detector"="G:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 08:17 421888]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 08:23 132624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-01 20:55 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-01 20:55 219136]

C:\Documents and Settings\silver moon rose\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-06-21 23:58:33 159744]

C:\Documents and Settings\Nadene\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56 393216]

C:\Documents and Settings\Sam\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-02-01 20:56 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
--a------ 2001-10-11 09:14 28672 C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Microsoft Update"=msnmsgr.exe
"SVX Control Service"=svxhost.exe
"srmclean"=C:\Cpqs\Scom\srmclean.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"WorksFUD"=
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Microsoft Update"=msnmsgr.exe
"SVX Control Service"=svxhost.exe

S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S2 SurferService;AutomatedSurfer;C:\WINDOWS\system32\srvany.exe [1997-05-15 00:49]
S3 ALN325;AcerLAN ALN-325 10/100M Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ALN325.SYS [1999-12-15 10:33]
S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2002-06-12 22:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 01:26:39 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-01 06:01:33 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 09:10:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
.
**************************************************************************
.
Completion time: 2008-02-23 9:17:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-23 00:16:53
ComboFix2.txt 2008-02-22 09:13:25
ComboFix3.txt 2008-02-09 00:59:13
.
2008-02-16 03:08:55 --- E O F ---

=======

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:14 AM, on 23/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\explorer.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Picasa Media Detector] G:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] G:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor .exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93380751-1D9B-49E2-82A1-C631AAE53035}: NameServer = 61.88.88.88,192.65.91.129
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 7031 bytes

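As an added example (not code posted in this thread), the following Python script parses HijackThis entries of the kind shown in the log above and applies a few reviewer heuristics to them: a BHO registered with no name, an autostart given only by a bare filename, an O10 Winsock LSP the tool did not recognise, an O16 ActiveX download host, the O17 DNS servers, and an O23 service with no publisher string or one that is really srvany.exe wrapping another program. The sample input is constructed: most lines are copied from the HijackThis log above, and one O4 line is synthetic, modelled on the "Microsoft Update"=msnmsgr.exe entry ComboFix listed under run-. The heuristics are mine, not HijackThis' own classification, and they mark entries for verification rather than calling anything malicious.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O23"
    reason: str  # why a reviewer should look at this line
    line: str    # the original log line


# Constructed sample input: most lines are copied from the HijackThis log in
# this thread; the "[Microsoft Update] msnmsgr.exe" O4 line is synthetic,
# modelled on the run- entry ComboFix listed, to exercise the bare-name rule.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Update] msnmsgr.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93380751-1D9B-49E2-82A1-C631AAE53035}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe
"""

# Every HijackThis entry starts with a section code, a dash and the body.
_ENTRY_RE = re.compile(r"^(?P<code>[FNOR]\d{1,2})\s+-\s+(?P<body>.+)$")


def parse_hjt(text):
    """Return (code, body, line) for each HijackThis entry; header and footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def _run_target(body):
    """First token of an O4 command line (HKCU\\..\\Run: [name] target args), quotes stripped."""
    target = body.split("]", 1)[1].strip() if "]" in body else body
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split(" ", 1)[0]


def triage(text):
    """Apply reviewer heuristics (my own, not HijackThis' classification) and return Findings.

    Each rule marks an entry for verification; none of them declares a file malicious.
    """
    findings = []
    for code, body, line in parse_hjt(text):
        if code == "O2" and "(no name)" in body:
            findings.append(Finding(code, "BHO registered without a name: identify the DLL and its publisher", line))
        elif code == "O4":
            exe = _run_target(body)
            if "\\" not in exe:
                findings.append(Finding(code, f"autostart by bare filename '{exe}': resolved via PATH at logon, locate the file on disk", line))
        elif code == "O10":
            findings.append(Finding(code, "Winsock LSP not on HijackThis' known list: confirm the DLL's publisher, an LSP sees all socket traffic", line))
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or url
            findings.append(Finding(code, f"ActiveX control downloaded from {host}: confirm that site was expected", line))
        elif code == "O17":
            servers = [s.strip() for s in body.split("NameServer =", 1)[-1].split(",")]
            findings.append(Finding(code, "DNS servers " + ", ".join(servers) + ": compare with the ISP's published resolvers", line))
        elif code == "O23":
            exe = body.rsplit(" - ", 1)[-1]
            if "Unknown owner" in body:
                findings.append(Finding(code, "service binary carries no publisher string: check its signature and location", line))
            if exe.lower().endswith("srvany.exe"):
                findings.append(Finding(code, "srvany.exe runs any program as a service; the real target is the service's Parameters\\Application value", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

To use it on a real log, read hijackthis.log into a string and pass it to triage(). The output is a checklist, not a verdict: Spybot's SDHelper.dll and Microsoft's nwprovau.dll (the NetWare provider DLL) are both listed above only so that a reviewer confirms them, while the srvany.exe rule points at the one place (the service's Parameters key) where the program a wrapper service actually launches is recorded.
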
How is the pc now? Log looks ok to me.

Thanks for all that, he's been using the computer for a while now with no pop ups or anything like that so the problem seems to be fixed.

Thanks for your expertise on the subject,
Ben

You are welcome :).

Let's get rid of Combofix now that we are finished with it. Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

When shown the disclaimer, Select "2"


The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present.
- The C:\Deckard folder, if present.
- The C:\_OtMoveIt folder, if present.

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

==

Now that your PC is clean you need to follow these easy steps to keep it this way:

Download CCleaner and install, then run it. It will clear out your temp folders. Uncheck "Cookies" under "Internet Explorer".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Close when finished.
Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which, in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

Install and keep updated AVG Anti-Spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the makers' recommendations.

Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Empty the Recycle Bin.

For XP users: after something like this it is a good idea to flush the Restore Points and start fresh.
To flush the XP System Restore points:

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and turn System Restore back on. A new Restore Point will be created.

Note that all previous restore points will be lost.
