Solved: CPU running at 100%, am I infected?


vogelrok
I have checked and checked but can't find anything at present.

avp.exe and System in Task Manager are using up 100% of the CPU when I connect to the internet.

Here is the HijackThis log file.

Thank you for any help.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:42:44, on 26/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\UMonit.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hyjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [EPSON BX300F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEJE.EXE /FU "C:\WINDOWS\TEMP\E_S5C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 9470 bytes
 
Welcome to Techspot! I'll help find the problem.

avp.exe is related to the Kaspersky Internet Security program:
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"

System is, well, part of the system!
But malware can hide in almost every name.

But we don't 'screen' with HijackThis.
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Thank you, Bobbye.

Here are the malware scan results; the rest to follow. I did find 10 trojans with the Avira antivirus; I think it managed to quarantine 9 of them, so I think 1 is left.


www.malwarebytes.org

Database version: 5882

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

26/02/2011 13:02:39
mbam-log-2011-02-26 (13-02-39).txt

Scan type: Quick scan
Objects scanned: 141693
Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
The gmer.log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-26 15:24:33
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6 Hitachi_HDT721032SLA360 rev.ST2OA31B
Running: m5gpmxv1.exe; Driver: C:\DOCUME~1\LEEVOG~1\LOCALS~1\Temp\afpciaob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xB2DAAE3A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xB2DAAEE4]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- EOF - GMER 1.0.15 ----
 
dds.log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by lee vogelrok at 15:20:16.45 on 26/02/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2659 [GMT 0:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\UMonit.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\lee vogelrok\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: {00B8E20C-5C71-4C2F-85A5-6AD541500DF0} - No File
uRun: [EPSON BX300F Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieje.exe /fu "c:\windows\temp\E_S5C.tmp" /EF "HKCU"
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [UMonit] c:\windows\system32\UMonit.exe
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-6-15 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-2-26 11608]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-9-1 296976]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/06 12:12:18];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-26 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-26 61960]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-7-3 311680]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-10-18 632792]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S3 FoxAwdWINFLASH;FoxAwdWINFLASH;\??\c:\progra~1\afox\afoxli~1\foxawdwinflash.sys --> c:\progra~1\afox\afoxli~1\FoxAwdWINFLASH.SYS [?]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
S3 INFUSB;INFUSB;c:\windows\system32\drivers\infusb.sys [2002-9-30 15904]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-10-18 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-10-18 8320]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]

=============== Created Last 30 ================

2011-02-26 12:59:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 12:59:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 11:29:13 -------- d-----w- c:\windows\system32\NtmsData
2011-02-26 11:27:57 -------- d-----w- c:\docume~1\leevog~1\applic~1\Avira
2011-02-26 11:24:44 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-26 11:24:43 -------- d-----w- c:\program files\Avira
2011-02-26 11:24:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-02-25 20:36:51 -------- d-----w- c:\program files\ESET
2011-02-25 19:42:03 -------- d-----w- c:\docume~1\leevog~1\applic~1\Malwarebytes
2011-02-25 19:41:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-25 19:41:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-25 19:27:49 -------- d-----w- c:\windows\pss
2011-02-25 19:20:19 -------- d-----w- c:\program files\hyjackthis
2011-02-25 02:06:07 -------- d-----w- c:\program files\backups
2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-02-24 01:04:47 -------- d-----w- c:\docume~1\leevog~1\applic~1\Mozilla-Cache
2011-02-24 01:03:27 -------- d-----w- c:\program files\PartyGaming
2011-02-03 20:49:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2011-02-03 20:49:29 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-02-03 20:49:26 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-03 20:49:25 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-03 20:49:13 -------- d-----w- c:\program files\NVIDIA Corporation

==================== Find3M ====================

2011-02-02 21:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 15:21:00.01 ===============
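Bobbye's point earlier in the thread, that a process name such as avp.exe or System says nothing on its own because malware can borrow almost any name, is exactly the check a reviewer does by hand on a HijackThis log: what matters is the path the binary runs from and who owns it. The script below is an added example for this thread, not code from TechSpot, Bobbye or the poster. It parses an excerpt of the HijackThis log posted above plus one constructed HKCU entry that is not in the poster's log, and flags executables started from the Windows root or from a profile/Temp directory, services with no vendor string, and a security-product file name running from outside its vendor's directory. It also reads the DDS header above to count how many resident AV engines report themselves as enabled. The EXPECTED_HOME map and the constructed line are assumptions made for the example; a flag means "look at this", not "this is malware".

```python
"""Triage helper for the HijackThis and DDS logs posted in this thread.

Added example for the thread, not code from TechSpot, Bobbye or the poster.
It parses the "Running processes", O4 (Run) and O23 (Service) lines of a
HijackThis log and flags entries a reviewer would check by hand; it also
counts the resident AV products the DDS header reports as enabled.
A flag means "verify this", not "this is malware".
"""
import re

# Install directory in which each security-product binary is expected.
# Assumed for this example; extend with the products installed on the box.
EXPECTED_HOME = {
    "avp.exe": "c:\\program files\\kaspersky lab\\",
    "avguard.exe": "c:\\program files\\avira\\",
}

# Directories a legitimate auto-start executable rarely lives in.
SUSPECT_PREFIXES = ("c:\\windows\\temp\\", "c:\\documents and settings\\", "c:\\docume~1\\")

_O4 = re.compile(r'^O4 - \S+\\\.\.\\Run(?:Once)?: \[([^\]]+)\] "?([^"]+?\.exe)', re.I)
_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+\.exe)", re.I)
_PROC = re.compile(r"^[a-z]:\\.+\.exe$", re.I)
_AV = re.compile(r"^AV: (.+?) \*Enabled", re.I)


def parse_hjt(text):
    """Return (kind, label, vendor, path) tuples for the entries we triage."""
    entries, in_procs = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if not line:                      # blank line closes the process list
            in_procs = False
            continue
        if in_procs:
            if _PROC.match(line):
                entries.append(("process", "", "", line))
            continue
        m = _O4.match(line)
        if m:
            entries.append(("run", m.group(1), "", m.group(2)))
            continue
        m = _O23.match(line)
        if m:
            entries.append(("service", m.group(1), m.group(2), m.group(3)))
    return entries


def triage(entries):
    """Return ordered, de-duplicated (path, reason) pairs needing manual review."""
    findings = []
    for kind, _label, vendor, path in entries:
        p = path.lower()
        parent, _, base = p.rpartition("\\")
        if parent == "c:\\windows":
            findings.append((path, "executable in the Windows root rather than System32"))
        if p.startswith(SUSPECT_PREFIXES):
            findings.append((path, "executable under a user profile or Temp directory"))
        if kind == "service" and vendor.lower() == "unknown owner":
            findings.append((path, "service with no vendor string; check the file's signature"))
        home = EXPECTED_HOME.get(base)
        if home and not p.startswith(home):
            findings.append((path, "security-product name running outside its install directory"))
    return list(dict.fromkeys(findings))   # keep first occurrence, preserve order


def enabled_av_products(dds_text):
    """Names of the AV products a DDS header reports as *Enabled*."""
    return [m.group(1) for m in (_AV.match(l.strip()) for l in dds_text.splitlines()) if m]


# Excerpt of the poster's HijackThis log plus ONE constructed line (the HKCU
# avp.exe entry under Temp) that is not in the real log; it shows what a
# name collision with the AV binary would look like.
SAMPLE_HJT = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\tsnpstd3.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AVP] C:\Documents and Settings\user\Local Settings\Temp\avp.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
"""

# Header lines copied from the poster's dds.log above.
SAMPLE_DDS = """\
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled*
"""

if __name__ == "__main__":
    for path, reason in triage(parse_hjt(SAMPLE_HJT)):
        print(f"CHECK  {path}\n       {reason}")
    avs = enabled_av_products(SAMPLE_DDS)
    if len(avs) > 1:
        print(f"NOTE   {len(avs)} resident AV engines enabled: {', '.join(avs)}")
```

On the real log lines, tsnpstd3.exe and vsnpstd3.exe are flagged only because they run from C:\WINDOWS rather than System32; that location is unusual for an auto-start binary, not proof of anything, and the next step for any flagged file is to check its digital signature and compare its hash with the vendor's copy. The constructed Temp avp.exe line is flagged twice (profile directory and name collision), which is the pattern Bobbye's "malware can hide in almost every name" warning describes. The DDS header shows AntiVir and Kaspersky both enabled; the example reports that as a note because two resident scanners contending for the same file I/O is a common, non-malware cause of sustained CPU use and is worth ruling out alongside the malware checks.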
 
attach.txt log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 09/07/2009 18:21:47
System Uptime: 26/02/2011 15:14:45 (0 hours ago)

Motherboard: Foxconn | | G31MV/G31MV-K
Processor: Intel Pentium III Xeon processor | Socket 775 | 2499/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 128.122 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP506: 28/11/2010 14:37:51 - System Checkpoint
RP507: 29/11/2010 15:38:56 - System Checkpoint
RP508: 30/11/2010 18:36:19 - System Checkpoint
RP509: 01/12/2010 19:48:53 - System Checkpoint
RP510: 02/12/2010 20:57:06 - System Checkpoint
RP511: 03/12/2010 21:32:46 - System Checkpoint
RP512: 04/12/2010 21:47:54 - System Checkpoint
RP513: 05/12/2010 22:47:54 - System Checkpoint
RP514: 07/12/2010 00:08:52 - System Checkpoint
RP515: 08/12/2010 01:08:54 - System Checkpoint
RP516: 09/12/2010 02:08:54 - System Checkpoint
RP517: 10/12/2010 14:13:41 - System Checkpoint
RP518: 11/12/2010 14:48:18 - System Checkpoint
RP519: 12/12/2010 14:58:17 - System Checkpoint
RP520: 13/12/2010 15:18:33 - System Checkpoint
RP521: 14/12/2010 16:07:38 - System Checkpoint
RP522: 15/12/2010 17:24:38 - System Checkpoint
RP523: 16/12/2010 03:00:20 - Software Distribution Service 3.0
RP524: 17/12/2010 12:15:21 - System Checkpoint
RP525: 18/12/2010 10:20:06 - Software Distribution Service 3.0
RP526: 19/12/2010 12:52:28 - System Checkpoint
RP527: 20/12/2010 13:04:38 - System Checkpoint
RP528: 21/12/2010 14:29:24 - System Checkpoint
RP529: 22/12/2010 14:33:54 - System Checkpoint
RP530: 23/12/2010 16:24:23 - System Checkpoint
RP531: 24/12/2010 17:02:34 - System Checkpoint
RP532: 25/12/2010 17:38:16 - System Checkpoint
RP533: 26/12/2010 18:18:41 - System Checkpoint
RP534: 27/12/2010 21:38:05 - System Checkpoint
RP535: 28/12/2010 22:37:07 - System Checkpoint
RP536: 29/12/2010 23:03:12 - System Checkpoint
RP537: 30/12/2010 23:36:33 - System Checkpoint
RP538: 01/01/2011 00:36:32 - System Checkpoint
RP539: 02/01/2011 00:57:51 - System Checkpoint
RP540: 03/01/2011 11:14:34 - System Checkpoint
RP541: 04/01/2011 13:46:50 - System Checkpoint
RP542: 05/01/2011 13:50:12 - System Checkpoint
RP543: 06/01/2011 14:18:23 - System Checkpoint
RP544: 07/01/2011 14:57:12 - System Checkpoint
RP545: 08/01/2011 15:03:53 - System Checkpoint
RP546: 09/01/2011 16:46:05 - System Checkpoint
RP547: 10/01/2011 18:16:29 - System Checkpoint
RP548: 11/01/2011 18:19:24 - System Checkpoint
RP549: 12/01/2011 19:03:50 - System Checkpoint
RP550: 13/01/2011 00:54:23 - Software Distribution Service 3.0
RP551: 13/01/2011 10:33:32 - Software Distribution Service 3.0
RP552: 14/01/2011 11:21:20 - System Checkpoint
RP553: 15/01/2011 11:24:54 - System Checkpoint
RP554: 16/01/2011 14:39:42 - System Checkpoint
RP555: 17/01/2011 14:59:51 - System Checkpoint
RP556: 18/01/2011 15:24:09 - System Checkpoint
RP557: 19/01/2011 16:21:56 - System Checkpoint
RP558: 20/01/2011 17:04:09 - System Checkpoint
RP559: 21/01/2011 17:17:42 - System Checkpoint
RP560: 22/01/2011 17:19:11 - System Checkpoint
RP561: 23/01/2011 18:20:16 - System Checkpoint
RP562: 24/01/2011 20:50:17 - System Checkpoint
RP563: 25/01/2011 21:31:19 - System Checkpoint
RP564: 26/01/2011 21:48:19 - System Checkpoint
RP565: 28/01/2011 11:06:01 - System Checkpoint
RP566: 29/01/2011 11:12:53 - System Checkpoint
RP567: 30/01/2011 12:24:53 - System Checkpoint
RP568: 31/01/2011 17:47:26 - System Checkpoint
RP569: 01/02/2011 21:43:38 - System Checkpoint
RP570: 03/02/2011 14:05:10 - System Checkpoint
RP571: 03/02/2011 20:48:53 - Software Distribution Service 3.0
RP572: 04/02/2011 21:46:01 - System Checkpoint
RP573: 05/02/2011 21:51:13 - System Checkpoint
RP574: 07/02/2011 12:08:37 - System Checkpoint
RP575: 08/02/2011 13:55:24 - System Checkpoint
RP576: 09/02/2011 14:08:44 - System Checkpoint
RP577: 09/02/2011 20:13:04 - Software Distribution Service 3.0
RP578: 11/02/2011 10:47:51 - System Checkpoint
RP579: 12/02/2011 13:40:19 - System Checkpoint
RP580: 13/02/2011 14:10:30 - System Checkpoint
RP581: 14/02/2011 14:26:00 - System Checkpoint
RP582: 15/02/2011 14:42:47 - System Checkpoint
RP583: 16/02/2011 15:22:43 - System Checkpoint
RP584: 17/02/2011 15:25:21 - System Checkpoint
RP585: 18/02/2011 16:29:32 - System Checkpoint
RP586: 19/02/2011 16:31:56 - System Checkpoint
RP587: 20/02/2011 17:00:05 - System Checkpoint
RP588: 21/02/2011 18:11:44 - System Checkpoint
RP589: 22/02/2011 18:39:04 - System Checkpoint
RP590: 23/02/2011 21:24:34 - System Checkpoint
RP591: 24/02/2011 22:19:08 - System Checkpoint
RP592: 25/02/2011 00:30:43 - Installed Java(TM) 6 Update 24
RP593: 25/02/2011 00:37:40 - Installed QuickTime
RP594: 25/02/2011 01:59:29 - Configured DECAdry Express Business Cards 4
RP595: 25/02/2011 19:04:12 - Made by Registry Mechanic O

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
µTorrent
Avira AntiVir Personal - Free Antivirus
Bonjour
CloneCD
Cool Music CD Burner v7.4.3.36
Critical Update for Windows Media Player 11 (KB959772)
CyberLink PowerDVD 9
EPSON BX300F Series Printer Uninstall
Epson Easy Photo Print 2
EPSON Scan
EPSON Stylus Office BX300F_TX300F Manual
EPSON Web-To-Page
ESET Online Scanner v3
Facebook Plug-In
FlashFXP v3
gBurner
Genesys USB Mass Storage Device
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB981793)
ImgBurn
iTunes
Jasc Paint Shop Pro 9
Java Auto Updater
Java(TM) 6 Update 24
K-Lite Codec Pack 5.0.5 (Full)
Kaspersky Internet Security 2010
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MobileMe Control Panel
MSVC80_x86
MSVC80_x86_v2
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia Software Updater
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX v8.09.04
PC Connectivity Solution
PL-2303 USB-to-Serial
QuickTime
Realtek High Definition Audio Driver
Registry Mechanic 10.0
RocketDock 1.3.5
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
TomTom HOME 2.7.5.2014
TomTom HOME Visual Studio Merge Modules
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2492475)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB PC Camera Plus
VC80CRTRedist - 8.0.50727.762
VoiceOver Kit
Vtune 6.7
WebFldrs XP
Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
Windows Driver Package - Nokia Modem (10/05/2009 4.2)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver

==== Event Viewer Messages From Past Week ========

26/02/2011 12:52:41, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
26/02/2011 12:52:40, error: Service Control Manager [7034] - The PC Tools Startup and Shutdown Monitor service service terminated unexpectedly. It has done this 1 time(s).
26/02/2011 12:52:40, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
26/02/2011 12:52:40, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
26/02/2011 12:48:14, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
26/02/2011 12:48:13, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
26/02/2011 11:21:57, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
26/02/2011 11:21:57, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\LEEVOG~1\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
26/02/2011 11:21:57, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
25/02/2011 20:05:51, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
25/02/2011 11:21:18, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
25/02/2011 10:26:41, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
22/02/2011 21:58:07, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.143. The machine with the IP address 192.168.1.109 did not allow the name to be claimed by this machine.
22/02/2011 20:51:10, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\QuickTime\QTTask.exe. Reference error message: The operation completed successfully. .
22/02/2011 20:51:10, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\QuickTime\QTTask.exe" on line 0.

==== End Of File ===========================
 
You are running 2 antivirus programs. This will make the system more vulnerable. Please remove one of them:
AV: AntiVir Desktop
AV: Kaspersky Internet Security

I would think you may want to keep Kaspersky since there was a charge and Avira is free.
Please reboot the computer when through.
===============================================
Please don't run any more Avira scans while I am helping you.
Please disable or uninstall Registry Mechanic while I am helping you.

===============================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query - Recovery Console image (RcAuto1.gif):
    WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (whatnext.png):
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe (cf-icon.jpg) & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Thank you Bobbye

Here is the log file. I also deleted Kaspersky as it wasn't finding anything, whereas Avira did.

ComboFix 11-02-27.01 - lee vogelrok 27/02/2011 23:09:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2875 [GMT 0:00]
Running from: c:\documents and settings\lee vogelrok\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\install.exe
c:\windows\system32\twunk_32.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
.

2011-02-26 12:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 12:59 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 11:29 . 2011-02-26 12:23 -------- d-----w- c:\windows\system32\NtmsData
2011-02-26 11:27 . 2011-02-26 11:27 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Avira
2011-02-26 11:24 . 2011-01-10 14:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-26 11:24 . 2011-01-10 14:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-26 11:24 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-02-26 11:24 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\program files\Avira
2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-02-25 20:36 . 2011-02-25 20:36 -------- d-----w- c:\program files\ESET
2011-02-25 19:42 . 2011-02-25 19:42 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Malwarebytes
2011-02-25 19:41 . 2011-02-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-25 19:41 . 2011-02-26 12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-25 19:20 . 2011-02-26 09:42 -------- d-----w- c:\program files\hyjackthis
2011-02-25 02:06 . 2011-02-25 02:06 -------- d-----w- c:\program files\backups
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-02-25 00:31 . 2011-02-25 00:31 -------- d-----w- c:\program files\Common Files\Java
2011-02-25 00:30 . 2011-02-25 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-02-24 01:04 . 2011-02-24 01:08 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Mozilla-Cache
2011-02-24 01:03 . 2011-02-25 02:01 -------- d-----w- c:\program files\PartyGaming
2011-02-03 20:49 . 2011-02-03 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-03 20:49 . 2011-02-03 20:49 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-03 20:49 . 2011-02-03 20:50 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-03 20:29 . 2011-02-03 20:30 -------- d-----w- c:\program files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 21:40 . 2010-09-21 09:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2009-07-13 12:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44 . 2008-04-14 08:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 08:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 08:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-23 00:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-07-12 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-23 00:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 08:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-07-12 19:09 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 08:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 08:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 04:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-12-19 395640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-05-07 75048]
"UMonit"="c:\windows\system32\UMonit.exe" [2007-06-18 200704]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-30 262144]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 843776]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-r- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-03-16 20:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 10:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
2009-04-27 19:41 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-04-10 23:52 16861184 ----a-r- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
2008-10-21 12:18 2154496 ----a-w- c:\program files\Vtune\TBPANEL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-06-24 14:41 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-12-19 21:37 395640 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/06 12:12];c:\program files\CyberLink\PowerDVD9\000.fcl [07/05/2009 20:05 87536]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26/02/2011 11:24 135336]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 14:41 92008]
S3 FoxAwdWINFLASH;FoxAwdWINFLASH;\??\c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS --> c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS [?]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
S3 INFUSB;INFUSB;c:\windows\system32\drivers\infusb.sys [30/09/2002 16:16 15904]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [18/10/2010 19:40 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [18/10/2010 19:40 8320]
.
Contents of the 'Scheduled Tasks' folder

2011-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{00B8E20C-5C71-4C2F-85A5-6AD541500DF0} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-27 23:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = c:\windows\system32\UMonit.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-02-27 23:13:00
ComboFix-quarantined-files.txt 2011-02-27 23:12

Pre-Run: 138,026,754,048 bytes free
Post-Run: 137,994,788,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A9CF1A3D398E1A0846B95E172B51AB0B
 
Please go ahead and run this:
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
d:\fxdrv32.sys
Folder::
c:\documents and settings\All Users\Application Data\McAfee
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit =-
Driver::
FXDrv32
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
============================================
Go on to my next reply when finished.
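As an added example that is not part of this thread and not ComboFix's own code, here is a small Python audit script for a CFScript like the one above: it lists what each section asks ComboFix to remove and flags lines that are not in the regedit form the Registry:: block uses, so the reader can see what will be touched before dragging the file onto ComboFix. The meaning given to each section (File:: and Folder:: delete the listed paths, Driver:: removes the named driver/service, Registry:: is merged as a .reg-style block where "name"=- deletes a value and [-KEY] deletes a key) is my reading of the format and is an assumption.

```python
import re
from dataclasses import dataclass, field

# Section headers as they appear in the script posted in this thread.
SECTION_RE = re.compile(r"^(File|Folder|Registry|Driver)::$")
# regedit-style key header; a leading '-' inside the brackets deletes the key.
REG_KEY_RE = re.compile(r"^\[(-?)((?:HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\.+)\]$")
# regedit-style value line: "name"=data, where data '-' deletes the value.
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


@dataclass
class CFScript:
    """What the script asks ComboFix to do (section semantics assumed, see lead-in)."""
    delete_files: list = field(default_factory=list)
    delete_folders: list = field(default_factory=list)
    delete_drivers: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)  # (key, value name)
    set_values: list = field(default_factory=list)     # (key, value name, data)
    warnings: list = field(default_factory=list)       # (line no, line, reason)


def parse_cfscript(text: str) -> CFScript:
    """Parse CFScript text into the actions it requests plus syntax warnings."""
    s = CFScript()
    section = None
    key = None             # current [KEY] inside the Registry:: section
    key_line = 0
    key_has_values = False

    def close_key():
        # In regedit syntax a bare [KEY] header (no '-' and no value lines)
        # creates or keeps the key; it removes nothing, so flag it.
        if key is not None and not key_has_values:
            s.warnings.append((key_line, f"[{key}]",
                               "key listed without '-' or value lines: nothing is removed"))

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            close_key()
            key, section = None, m.group(1)
            continue
        if section == "File":
            s.delete_files.append(line)
        elif section == "Folder":
            s.delete_folders.append(line)
        elif section == "Driver":
            s.delete_drivers.append(line)
        elif section == "Registry":
            km = REG_KEY_RE.match(line)
            vm = REG_VALUE_RE.match(line)
            if km:
                close_key()
                key = None
                if km.group(1) == "-":
                    s.delete_keys.append(km.group(2))   # whole key removed
                else:
                    key, key_line, key_has_values = km.group(2), lineno, False
            elif vm is None:
                s.warnings.append((lineno, line,
                                   'not regedit syntax ([KEY] or "name"=data expected)'))
            elif key is None:
                s.warnings.append((lineno, line, "value line with no enclosing [KEY]"))
            else:
                key_has_values = True
                name, data = vm.group(1), vm.group(2)
                if data == "-":
                    s.delete_values.append((key, name))
                else:
                    s.set_values.append((key, name, data))
        else:
            s.warnings.append((lineno, line, "line before any section header"))
    close_key()
    return s


def report(script: CFScript) -> list:
    """Human-readable summary lines, in the order a reviewer would check them."""
    out = [f"delete file:   {p}" for p in script.delete_files]
    out += [f"delete folder: {p}" for p in script.delete_folders]
    out += [f"delete key:    {k}" for k in script.delete_keys]
    out += [f"delete value:  {k} -> {v}" for k, v in script.delete_values]
    out += [f"set value:     {k} -> {v} = {d}" for k, v, d in script.set_values]
    out += [f"remove driver: {d}" for d in script.delete_drivers]
    out += [f"WARNING line {n}: {why}: {ln}" for n, ln, why in script.warnings]
    return out


# The script the helper posted in this thread, embedded verbatim as the input.
SAMPLE_CFSCRIPT = r"""File::
d:\fxdrv32.sys
Folder::
c:\documents and settings\All Users\Application Data\McAfee
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit =-
Driver::
FXDrv32
"""

if __name__ == "__main__":
    print("\n".join(report(parse_cfscript(SAMPLE_CFSCRIPT))))
```

On the thread's script the report flags the bare [...startupreg\uTorrent] header and the two unbracketed UMonit lines, which is exactly the kind of thing worth a second look before running.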
 
Please run this online virus scan:
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
========================================
I reviewed the HJT log you left initially and the following is based on that. It is possible that you won't see some of the entries- that's okay, they will have been removed elsewhere. Some of these entries are for nothing more than a tray icon, but they do use resources.

Please reopen HijackThis to 'do system scan only.' Check each of the following- if present:

C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\UMonit.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll>>> update
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\klo ehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
CyberLink

Regarding: O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
I just went through a very lengthy discussion on the PCTools about this Service. All said it was a 'resource hog' that sometimes ran as long as 10 minutes. Although I'm recommending you change the Startup type to Manual for now, consider removing it altogether.

Close all Windows except HijackThis and click on "Fix Checked."

Click on Start> Run> type in services.msc. Set Startup Type as indicated:
Apple Mobile Device > Manual
All Kaspersky Services> Disabled Start up, Stop the Services.
Bonjour Service> Manual
iPod> Manual
Java Quick Starter (jqs)> Disabled Startup, Stop the Service.
PC Tools Startup> Manual or Disable if you remove the program


None of the following need to Start on boot and can be unchecked:
CyberLink
Java Update\jusched.exe
SlySoft\CloneCD\CloneCDTray.exe
iTunesHelper.exe
Nokia PC Suite
QuickTime\QTTask.exe
TBPANEL.exe
uTorrent\uTorrent.exe


To remove entries from Startup using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
  • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
  • Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
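An added example (not part of Bobbye's post, and not one of the tools used in this thread) that does the same autostart audit and Service changes from PowerShell instead of clicking through services.msc and msconfig. It assumes Windows PowerShell 2.0 or later is installed and the prompt is elevated; the service names for Kaspersky (AVP), Java Quick Starter and PC Tools come from the O23 lines above, while the Apple service names are assumed to be their usual ones.

```powershell
# Added example, not from the thread. Audits the autostart locations HijackThis
# reports as O4 entries (and the place msconfig parks unchecked items), lists
# services set to start automatically, and applies the Startup-type changes
# recommended above. Assumes PowerShell 2.0+ on Windows XP, run elevated.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Items unchecked on msconfig's Startup tab are moved here; they do not run on boot.
$msconfigDisabled = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Every value in the key is a startup command; skip the PS* provider properties.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                New-Object PSObject -Property @{ Location = $key; Name = $_.Name; Command = $_.Value }
            }
    }
    if (Test-Path $msconfigDisabled) {
        # One subkey per disabled item; its original command line is in the "command" value.
        Get-ChildItem -Path $msconfigDisabled | ForEach-Object {
            $cmd = (Get-ItemProperty -Path $_.PSPath).command
            New-Object PSObject -Property @{ Location = 'msconfig (unchecked)'; Name = $_.PSChildName; Command = $cmd }
        }
    }
}

function Get-AutoStartServices {
    # Services that start on boot, with the binary they run; an unfamiliar path or an
    # "Unknown owner" binary is what to look at first.
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto'" |
        Select-Object Name, DisplayName, State, PathName
}

# Startup-type changes from the post above: Manual, or Disabled plus Stop.
$serviceChanges = @{
    'Apple Mobile Device'     = 'Manual'    # assumed service name
    'Bonjour Service'         = 'Manual'    # assumed service name
    'iPod Service'            = 'Manual'    # assumed service name
    'AVP'                     = 'Disabled'  # Kaspersky, from the O23 line
    'JavaQuickStarterService' = 'Disabled'  # from the O23 line
    'PCToolsSSDMonitorSvc'    = 'Manual'    # from the O23 line
}

function Set-ServiceStartup {
    param([hashtable]$Changes)
    foreach ($name in $Changes.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service '$name' not present (already removed?)"
            continue
        }
        if ($Changes[$name] -eq 'Disabled' -and $svc.Status -eq 'Running') {
            Stop-Service -Name $name -Force
        }
        Set-Service -Name $name -StartupType $Changes[$name]
    }
}

Get-AutostartEntries  | Format-Table Location, Name, Command -AutoSize
Get-AutoStartServices | Format-Table -AutoSize
# Review the two listings first, then apply the changes:
# Set-ServiceStartup -Changes $serviceChanges
```

Setting a service to Manual keeps it available for the program that needs it (iTunes still starts its helpers on demand) while taking it off the boot path; Disabled is reserved for the services the post says to stop outright. Nothing here deletes a program, so any change can be reverted with Set-Service -StartupType Automatic.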
 
Hi Bobbye.
My PC had a bit of a freezing fit earlier. Checked the BIOS to see what temps were at the CPU. They were hitting 77. So I turned the machine off and went straight out and bought a Cooler Master V8 CPU cooler.
Fitted it all, and the machine is up and running with the CPU at 25. So all good there.

So on boot-up I had a few problems. I forgot to hook up the system fan, and a few minor problems with the BIOS as it was reset. All done.

Ran your script, but ComboFix updated and I thought it was doing a scan from scratch again. However, I have now noticed it hadn't, after re-running the script.

Here is the script at the 2nd attempt.
But it is missing the 2 McAfee deleted files that were in the first run. Hope this hasn't cocked it up too much.

ComboFix 11-02-28.01 - lee vogelrok 28/02/2011 19:50:23.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2887 [GMT 0:00]
Running from: c:\documents and settings\lee vogelrok\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lee vogelrok\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"d:\fxdrv32.sys"
.

((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))
.

2011-02-26 12:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 12:59 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 11:29 . 2011-02-26 12:23 -------- d-----w- c:\windows\system32\NtmsData
2011-02-26 11:27 . 2011-02-26 11:27 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Avira
2011-02-26 11:24 . 2011-01-10 14:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-26 11:24 . 2011-01-10 14:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-26 11:24 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-02-26 11:24 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\program files\Avira
2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-02-25 20:36 . 2011-02-25 20:36 -------- d-----w- c:\program files\ESET
2011-02-25 19:42 . 2011-02-25 19:42 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Malwarebytes
2011-02-25 19:41 . 2011-02-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-25 19:41 . 2011-02-26 12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-25 19:20 . 2011-02-26 09:42 -------- d-----w- c:\program files\hyjackthis
2011-02-25 02:06 . 2011-02-25 02:06 -------- d-----w- c:\program files\backups
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-02-25 00:31 . 2011-02-25 00:31 -------- d-----w- c:\program files\Common Files\Java
2011-02-24 01:04 . 2011-02-24 01:08 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Mozilla-Cache
2011-02-24 01:03 . 2011-02-25 02:01 -------- d-----w- c:\program files\PartyGaming
2011-02-03 20:49 . 2011-02-03 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-03 20:49 . 2011-02-03 20:49 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-03 20:49 . 2011-02-03 20:50 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-03 20:29 . 2011-02-03 20:30 -------- d-----w- c:\program files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 21:40 . 2010-09-21 09:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2009-07-13 12:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44 . 2008-04-14 08:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 08:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 08:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-23 00:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-07-12 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-23 00:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 08:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-07-12 19:09 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 08:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 08:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 04:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-02-27_23.12.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-28 19:43 . 2011-02-28 19:43 16384 c:\windows\Temp\Perflib_Perfdata_598.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-05-07 75048]
"UMonit"="c:\windows\system32\UMonit.exe" [2007-06-18 200704]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-30 262144]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 843776]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-r- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-03-16 20:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 10:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
2009-04-27 19:41 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-04-10 23:52 16861184 ----a-r- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
2008-10-21 12:18 2154496 ----a-w- c:\program files\Vtune\TBPANEL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-06-24 14:41 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-12-19 21:37 395640 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/06 12:12];c:\program files\CyberLink\PowerDVD9\000.fcl [07/05/2009 20:05 87536]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26/02/2011 11:24 135336]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 14:41 92008]
S3 FoxAwdWINFLASH;FoxAwdWINFLASH;\??\c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS --> c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS [?]
S3 INFUSB;INFUSB;c:\windows\system32\drivers\infusb.sys [30/09/2002 16:16 15904]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [18/10/2010 19:40 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [18/10/2010 19:40 8320]
.
Contents of the 'Scheduled Tasks' folder

2011-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-28 19:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = c:\windows\system32\UMonit.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2388)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-28 19:54:17
ComboFix-quarantined-files.txt 2011-02-28 19:54
ComboFix2.txt 2011-02-28 19:46
ComboFix3.txt 2011-02-27 23:13

Pre-Run: 137,907,765,248 bytes free
Post-Run: 137,894,162,432 bytes free

- - End Of File - - EDE0EB80D588D2260E71C9838A00282A
 
Will do the other parts now in your 2nd message. Thank you so much for the help you are putting in. The PC Tools can go for sure, don't have a problem with that at all.
Anything to make the machine run better and safer.
 
Here's the ESET log as requested.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=09cce9760078d94c84dfbb0c80ba045a
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-25 08:40:52
# local_time=2011-02-25 08:40:52 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1280 16777175 100 0 46855509 46855509 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 3680 3680 0 0
# scanned=5187
# found=0
# cleaned=0
# scan_time=163
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=09cce9760078d94c84dfbb0c80ba045a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-28 08:32:24
# local_time=2011-02-28 08:32:24 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 202747 35456532 203993 0
# compatibility_mode=8192 67108863 100 0 260972 260972 0 0
# scanned=81581
# found=2
# cleaned=0
# scan_time=1563
C:\Documents and Settings\lee vogelrok\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\lee vogelrok\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
 
Hi Bobbye

Everything done as per your post.

Couldn't find the PC Tools, so can only think that had something to do with the reg checker I had on the PC which I had removed the other day, along with Kaspersky.

Nothing seems to be chewing up my CPU usage at present. Just the usual opening of software or IE, which uses it then drops straight away to normal running.

So far so good. Think the CPU fan was part of the problem maybe. But wouldn't have found that out if I hadn't checked the BIOS.

As the Vtune software was saying it was fine at about 37, not 77, which it was at.

Thank you so much for your help so far. I know we're not finished yet, but it's always nice to say thank you.
 
And I appreciate the 'thank you'!

The Eset log shows you have pirated some downloads. I will remove the malware that came with them, but you will have to remove the pirated software for support to continue:
DivX7+Keygen
IsoBuster.v2.5.5.1-AGAiN

===============================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Files  
    C:\Documents and Settings\lee vogelrok\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe 
    C:\Documents and Settings\lee vogelrok\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
When finished with OTM, please run this:

Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
    in your next reply.
 
Hi Bobbye

As requested, both scan logs below.

Will remove DivX7 and IsoBuster.

All processes killed
========== FILES ==========
C:\Documents and Settings\lee vogelrok\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe moved successfully.
C:\Documents and Settings\lee vogelrok\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: lee vogelrok
->Temp folder emptied: 114688 bytes
->Temporary Internet Files folder emptied: 4492708 bytes
->Java cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 4061 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 03012011_085314

Files moved on Reboot...

Registry entries deleted on Reboot...


CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\lee vogelrok\my documents\azureus downloads\adobe photoshop cs3\cs3\cs3\crack.rar
c:\documents and settings\lee vogelrok\my documents\azureus downloads\adobe photoshop cs3\cs3\cs3\crack\crack\photoshop.exe
c:\documents and settings\lee vogelrok\my documents\azureus downloads\adobe photoshop cs3\cs3\cs3\crack\crack\serial.nfo
c:\documents and settings\lee vogelrok\my documents\downloads\divx7+keygen\divxinstaller.exe
c:\documents and settings\lee vogelrok\my documents\downloads\divx7+keygen\torrent downloaded from demonoid.com.txt
c:\documents and settings\lee vogelrok\my documents\downloads\flashfxp v3.6.0.1240\flashfxp.v3.6.0.1240.multilingual.patch.and.keymaker.only-acme\ac-ffx36\ffxp36_keygen.exe
c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\dreamweaver 8 setup.exe
c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\fireworks 8 setup.exe
c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\flash 8 setup.exe
c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\macromedia dreamweaver 8, flash 8 and fireworks 8 keygen.exe
c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\torrent downloaded from demonoid.com.txt
c:\documents and settings\lee vogelrok\my documents\downloads\rarlab.winrar.v3.91.proper-eat\rarlab.winrar.v3.91.proper-eat\crack\rar.exe
c:\documents and settings\lee vogelrok\my documents\downloads\rarlab.winrar.v3.91.proper-eat\rarlab.winrar.v3.91.proper-eat\crack\rarreg.key
c:\documents and settings\lee vogelrok\my documents\downloads\rarlab.winrar.v3.91.proper-eat\rarlab.winrar.v3.91.proper-eat\crack\unrar.exe
c:\documents and settings\lee vogelrok\my documents\downloads\rarlab.winrar.v3.91.proper-eat\rarlab.winrar.v3.91.proper-eat\crack\winrar.exe
c:\documents and settings\lee vogelrok\my documents\my recievced\poweriso v3.6 (full) use for daa or iso plus\keygen.nfo
c:\documents and settings\lee vogelrok\my documents\tattooflash\pc.tools.registry.mechanic.v10.0.0.126.multilingual-crd\cxx2683a\cxx2683a\crack\install.txt
c:\documents and settings\lee vogelrok\my documents\tattooflash\pc.tools.registry.mechanic.v10.0.0.126.multilingual-crd\cxx2683a\cxx2683a\crack\serial.txt
c:\documents and settings\lee vogelrok\my documents\tattooflash\pc.tools.registry.mechanic.v10.0.0.126.multilingual-crd\cxx2683a\cxx2683a\crack\update.exe
c:\program files\jasc software inc\paint shop pro 9\bump maps\cracked desert.pspimage
c:\program files\jasc software inc\paint shop pro 9\patterns\cracked paint.pspimage
c:\_otm\movedfiles\03012011_085314\c_documents and settings\lee vogelrok\my documents\downloads\divx7+keygen\universal keygen.exe
c:\_otm\movedfiles\03012011_085314\c_documents and settings\lee vogelrok\my documents\downloads\isobuster.v2.5.5.1-again\keygen.exe
scanner sequence 3.ZZ.11
----- EOF -----
 
I checked to see if both programs were running; neither of them was. Have deleted the files for those programs.

Looking at the last list, I will need to be removing that lot. Not a problem. Don't want to lose the help I'm getting to get my machine clean.
Thank you.
 
Just had a warning pop up. Something called System Tool, protect your PC.

Avira has picked it up and started to run a scan.

I was logged into my shop email account from my home PC. I was just hitting the send button. It sent the email to drafts and also sent it. Then the attack happened.

The unwanted program is EXP/Pidief.deo.

Avira is wanting to run.

So is this System Tool thing. I haven't downloaded anything since we started the cleanup. Not even any pictures from emails.

Please advise.

Since I typed the message just now, my desktop has been changed and now has a great big warning sign over it.

warning
your in danger
your computer is infected with spyware.

Just had a blue screen of death, then the PC shut down and rebooted, and the program mentioned above is trying to run a scan again. Keep getting popups telling me files are infected.
I hate these scam PC tools.

Edit: now Avira is closed, it won't open; can't get into Task Manager either. The program has now placed itself in the tray at the bottom with its own little padlock symbol.
 
This is a Java exploit: Clear the cache:

To clear the Java Plug-in cache:

  1. Click Start > Control Panel.
  2. Double-click the Java icon in the control panel. The Java Control Panel appears.
    5000020301.jpg

  3. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  4. Click Delete Files. The Delete Temporary Files dialog box appears.
    5000020303.jpg

    There are three options on this window to clear the cache. Check all:
    • Delete Files
    • View Applications
    • View Applets
  5. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  6. Click Apply> OK on Temporary Files Settings window.
Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.

You most likely got the malware from all the programs and apps you pirated. You will have to remove all of those programs as we do not support piracy. All the entries in the Eset log with the words keygen or crack have been pirated.
 
Can't get into anything now. Even tried in Safe Mode and I'm locked out of the admin section.

Think I might just go and do the upgrade to Windows 7. Gutted, as I have a lot of photos on my PC that I need to keep.

So lesson learned, something for free ain't always best.

Can't get any of the programs we downloaded to start either.

Can't get into Java, it won't let me, and in Safe Mode I don't have the admin control as that is blocked from me. Or I'm just not getting the password right.

Thank you for your help. Think the best option now is to reinstall and start again.
 
Managed to get rid of it.

Had to use ComboFix in Safe Mode. I know I shouldn't have done it without instruction, sorry.

Here is the log.

Will remove the software and apps now.

Edit: have removed them all as far as I can tell.

Thank you for your help.

ComboFix 11-02-28.01 - lee vogelrok 02/03/2011 10:36:15.4.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.3063 [GMT 0:00]
Running from: c:\documents and settings\lee vogelrok\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\mAbLoKm06300
c:\documents and settings\All Users\Application Data\mAbLoKm06300\mAbLoKm06300
c:\documents and settings\All Users\Application Data\mAbLoKm06300\mAbLoKm06300.exe

.
((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
.

2011-03-01 08:53 . 2011-03-01 08:53 -------- d-----w- C:\_OTM
2011-02-26 12:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 12:59 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 11:29 . 2011-02-26 12:23 -------- d-----w- c:\windows\system32\NtmsData
2011-02-26 11:27 . 2011-02-26 11:27 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Avira
2011-02-26 11:24 . 2011-01-10 14:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-26 11:24 . 2011-01-10 14:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-26 11:24 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-02-26 11:24 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\program files\Avira
2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-02-25 20:36 . 2011-02-25 20:36 -------- d-----w- c:\program files\ESET
2011-02-25 19:42 . 2011-02-25 19:42 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Malwarebytes
2011-02-25 19:41 . 2011-02-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-25 19:41 . 2011-02-26 12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-25 19:20 . 2011-02-28 21:03 -------- d-----w- c:\program files\hyjackthis
2011-02-25 02:06 . 2011-02-25 02:06 -------- d-----w- c:\program files\backups
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-02-25 00:31 . 2011-02-25 00:31 -------- d-----w- c:\program files\Common Files\Java
2011-02-24 01:04 . 2011-02-24 01:08 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Mozilla-Cache
2011-02-24 01:03 . 2011-02-25 02:01 -------- d-----w- c:\program files\PartyGaming
2011-02-03 20:49 . 2011-02-03 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-03 20:49 . 2011-02-03 20:49 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-03 20:49 . 2011-02-03 20:50 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-03 20:29 . 2011-02-03 20:30 -------- d-----w- c:\program files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 21:40 . 2010-09-21 09:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2009-07-13 12:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44 . 2008-04-14 08:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 08:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 08:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-23 00:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-07-12 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-23 00:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 08:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-07-12 19:09 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 08:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 08:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 04:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-30 262144]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 843776]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-r- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-03-16 20:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2009-05-07 19:05 75048 ----a-w- c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 10:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD9LanguageShortcut]
2009-04-27 16:50 50472 ------w- c:\program files\CyberLink\PowerDVD9\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
2009-04-27 19:41 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-04-10 23:52 16861184 ----a-r- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
2008-10-21 12:18 2154496 ----a-w- c:\program files\Vtune\TBPANEL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-06-24 14:41 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-12-19 21:37 395640 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/06 12:12];c:\program files\CyberLink\PowerDVD9\000.fcl [07/05/2009 20:05 87536]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26/02/2011 11:24 135336]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 14:41 92008]
S3 FoxAwdWINFLASH;FoxAwdWINFLASH;\??\c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS --> c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS [?]
S3 INFUSB;INFUSB;c:\windows\system32\drivers\infusb.sys [30/09/2002 16:16 15904]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [18/10/2010 19:40 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [18/10/2010 19:40 8320]
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 10:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-02 10:42:50
ComboFix-quarantined-files.txt 2011-03-02 10:42
ComboFix2.txt 2011-02-28 19:54
ComboFix3.txt 2011-02-28 19:46
ComboFix4.txt 2011-02-27 23:13

Pre-Run: 138,048,823,296 bytes free
Post-Run: 138,136,449,024 bytes free

- - End Of File - - F1F461E68468DAD04492BA2EC3405088
 
Hi Bobbye,

I have deleted all the pirated software I can find on my PC.

Have also downloaded Comodo Firewall and GeekBuddy, as I noticed in a few other posts that the Windows firewall is only one way, not bi-directional.

If this was a mistake please advise.

Thank you.
 
Here's the latest ESET scan to show I have removed the pirated software from my PC.

But it is still showing two of them remaining even though they are uninstalled and deleted.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=09cce9760078d94c84dfbb0c80ba045a
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-25 08:40:52
# local_time=2011-02-25 08:40:52 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1280 16777175 100 0 46855509 46855509 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 3680 3680 0 0
# scanned=5187
# found=0
# cleaned=0
# scan_time=163
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=09cce9760078d94c84dfbb0c80ba045a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-28 08:32:24
# local_time=2011-02-28 08:32:24 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 202747 35456532 203993 0
# compatibility_mode=8192 67108863 100 0 260972 260972 0 0
# scanned=81581
# found=2
# cleaned=0
# scan_time=1563
C:\Documents and Settings\lee vogelrok\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\lee vogelrok\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=09cce9760078d94c84dfbb0c80ba045a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-03 08:43:15
# local_time=2011-03-03 08:43:15 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 462494 35716279 105643 0
# compatibility_mode=3073 16777213 80 75 119415 5600024 0 0
# compatibility_mode=8192 67108863 100 0 520719 520719 0 0
# scanned=76094
# found=3
# cleaned=0
# scan_time=1667
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\mAbLoKm06300\mAbLoKm06300.exe.vir a variant of Win32/Kryptik.LFO trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{754642D3-1915-4355-981C-527A3385A415}\RP600\A0069866.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{754642D3-1915-4355-981C-527A3385A415}\RP600\A0069867.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
 
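The paths in the last ESET log above say more than the "found=3" counter does: one hit is the copy of the earlier trojan sitting in ComboFix's quarantine folder (C:\Qoobox\Quarantine, note the .vir extension) and the other two are copies frozen inside a System Restore point, so none of the three is a live file on the system. The script below is an added example, not a tool from this thread, from ESET or from ComboFix: it parses the ESET Online Scanner log format as pasted above (`# key=value` header lines per run, then one line per detection with path, verdict, 32-hex hash and flag) and splits each run's detections into live files versus leftovers by where they sit. SAMPLE_LOG is a constructed copy of the thread's three runs with the user name shortened; LOCATION_RULES and ACTIONS are my assumptions about the quarantine and restore-point layouts, not anything the scanner reports.

```python
"""Split ESET Online Scanner detections into live files and leftovers.

Added example for this thread; not ESET's or ComboFix's own code. The log
layout assumed here matches the logs pasted in the thread. Quarantine and
restore-point folder patterns are assumptions about those tools' layouts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the three runs posted above (name shortened).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=stopped
# utc_time=2011-02-25 08:40:52
# scanned=5187
# found=0
# cleaned=0
# version=7
# end=finished
# utc_time=2011-02-28 08:32:24
# scanned=81581
# found=2
# cleaned=0
C:\Documents and Settings\owner\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\owner\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
# version=7
# end=finished
# utc_time=2011-03-03 08:43:15
# scanned=76094
# found=3
# cleaned=0
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\mAbLoKm06300\mAbLoKm06300.exe.vir a variant of Win32/Kryptik.LFO trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{754642D3-1915-4355-981C-527A3385A415}\RP600\A0069866.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{754642D3-1915-4355-981C-527A3385A415}\RP600\A0069867.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
"""

# In pasted logs the tabs between fields collapse to spaces, so the verdict is
# located by its usual opening words or threat-family prefix.
VERDICT_START = re.compile(
    r"\s+(?=(?:probably a variant of |a variant of |probably unknown |multiple threats|"
    r"(?:Win32|Win64|MSIL|JS|HTML|Java|VBS)/))"
)
VERDICT_TAIL = re.compile(r"^(?P<verdict>.+?)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$")

# Assumed folder patterns for copies that are already inert.
LOCATION_RULES = [
    (re.compile(r"\\Qoobox\\Quarantine\\", re.I), "quarantined (ComboFix)"),
    (re.compile(r"\\TDSSKiller_Quarantine\\", re.I), "quarantined (TDSSKiller)"),
    (re.compile(r"\\System Volume Information\\_restore", re.I), "system restore point"),
]
ACTIONS = {
    "live": "still on disk: quarantine or delete it, then rescan",
    "quarantined (ComboFix)": "inert copy under C:\\Qoobox; removed when ComboFix is uninstalled",
    "quarantined (TDSSKiller)": "inert copy in TDSSKiller's quarantine folder; delete the folder when done",
    "system restore point": "frozen in a restore point; clear old restore points once the system is clean",
}


@dataclass
class Detection:
    path: str
    verdict: str
    hash_hex: str
    flag: str
    location: str


@dataclass
class ScanRun:
    meta: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    @property
    def live(self) -> List[Detection]:
        return [d for d in self.detections if d.location == "live"]


def classify_path(path: str) -> str:
    for pattern, label in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "live"


def parse_detection(line: str) -> Optional[Detection]:
    if "\t" in line:  # a log saved by the scanner itself is tab-separated
        parts = [p for p in line.split("\t") if p]
        if len(parts) < 4:
            return None
        path, verdict, hash_hex, flag = parts[:4]
    else:  # a log pasted into a forum post, as above
        m = VERDICT_START.search(line)
        if not m:
            return None
        path, rest = line[:m.start()], line[m.end():]
        tail = VERDICT_TAIL.match(rest)
        if not tail:
            return None
        verdict, hash_hex, flag = tail.group("verdict", "hash", "flag")
    return Detection(path, verdict, hash_hex, flag, classify_path(path))


def parse_eset_log(text: str) -> List[ScanRun]:
    """Each '# version=' header starts a new run; '#' lines are metadata."""
    runs: List[ScanRun] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# version="):
            runs.append(ScanRun())
        if not runs:
            continue  # installer preamble before the first run
        if line.startswith("#"):
            key, _, value = line.lstrip("#").strip().partition("=")
            runs[-1].meta.setdefault(key, value)
            continue
        det = parse_detection(line)
        if det:
            runs[-1].detections.append(det)
    return runs


def summarise_run(run: ScanRun) -> dict:
    """Scanner counters plus the live/leftover split that the counters hide."""
    return {
        "time": run.meta.get("utc_time", "?"),
        "end": run.meta.get("end", "?"),
        "scanned": int(run.meta.get("scanned", 0)),
        "found": int(run.meta.get("found", 0)),
        "live": len(run.live),
        "leftover": len(run.detections) - len(run.live),
    }


if __name__ == "__main__":
    for n, run in enumerate(parse_eset_log(SAMPLE_LOG), 1):
        s = summarise_run(run)
        print(f"run {n} ({s['time']}, {s['end']}): scanned={s['scanned']} "
              f"found={s['found']} live={s['live']} leftover={s['leftover']}")
        for det in run.detections:
            print(f"  [{det.location}] {det.path}\n      {det.verdict} -> {ACTIONS[det.location]}")
```

Run as-is and the third run reports found=3 but live=0, which is the answer to "still showing two of them remaining": nothing left to delete by hand, only quarantine and restore-point housekeeping once the helper confirms the system is clean.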
I take it I'm not getting any more help then because I had the cracked software. I have removed it all and as far as I can see none is left.

If my help is over with, how do I remove the stuff from the desktop safely without messing up my system?

I only ask as the last reply was a couple of days ago now. I know you have other people to help and I know you are doing this for free,
but I hope you are not judging me for having downloaded a bit of pirated software.

If the above comment offends I'm sorry, but your last comment sort of told me to do one, in my books your help is ended, so I'm asking.
 
A sudden and tragic death in the family took me away for a while. I am catching up now.

The Eset log shows no new infections. Perhaps you would be kind enough to let me know if there has been any improvement in the system.
=========================================
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file > Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double-click TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
====================
Yes, downloading Geekbuddy was a mistake. It is to get remote help. If you plan on using that, you don't need me. However, be advised that the remote help will cost $$$.
==============================================
What is the status of the system please? Why did you run Combofix in Safe Mode?
 