Full Version: Malware infection - need help please
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
Quizzical
  • Problem began 4 days ago.
  • Became concerned after an unusual "security alert" that wouldn't clear
  • AVG scan identified Clicker.AAWS and Downloader.Zlob and quarantined
  • Not sorted though - symptoms after that included IE (which I don't normally use) opening by itself every few minutes
  • I noticed a couple of spurious processes running (a.exe) which I manually deleted
  • Also none of my anti-malware apps would run, including AVG which was now disabled as well
  • Tried HJT, Spybot, Ad-Aware already on my PC - none worked
  • Next ran HouseCall which identified an infected .sys file it labelled as TR/PCK.Tdss.C.92
  • Still couldn't run any apps
  • Next installed Avira and this was able to run a full scan, identifying and quarantining the file that HouseCall had quarantined plus 3 others, KillIt.exe, KillWind.exe and 1890hp.exe, which it labelled as Hupigon.huap
  • Still unable to run any other malware apps, but Avira apparently running OK
  • Installed MBAM; it updated, then launched and then crashed after 4 secs
  • Tried running some other things (RootRepeal, GMER) and got blue-screened

I've now no idea what to do for the best and would really appreciate some help.

Sorry if anything I've tried has made the problem more difficult to solve.
screen317
Hi and welcome to Malwarebytes.


Please visit this webpage for instructions for running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.



-screen317
Quizzical
Hello and thanks for your reply.

ComboFix appeared to remove/fix some files during the process but I can't see details of that in the log. You're probably not surprised by that but just thought I'd mention it.

Log follows:

ComboFix 09-09-25.01 - Compaq_Owner 27/09/2009 8:53.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.673 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Owner\Application Data\Desktopicon
c:\documents and settings\Compaq_Owner\Application Data\Desktopicon\eBayShortcuts.exe
c:\documents and settings\Compaq_Owner\My Documents\ZbThumbnail.info
c:\windows\jestertb.dll
c:\windows\system32\ps2.bat
E:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_uac4pdt
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_uac4pdt
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.

2009-09-26 11:01 . 2009-09-27 07:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-26 10:03 . 2009-09-26 10:03 -------- d-----w- c:\program files\ERUNT
2009-09-25 21:27 . 2009-09-23 16:02 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-24 21:07 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-24 21:07 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-24 21:07 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-24 21:07 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\program files\Avira
2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-24 16:06 . 2009-09-24 16:06 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Azureus
2009-09-23 18:38 . 2009-09-23 18:40 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-09-23 17:29 . 2009-09-23 17:29 -------- d-----w- c:\program files\OEBW
2009-09-23 16:02 . 2009-09-25 21:27 -------- d-----w- c:\documents and settings\Compaq_Owner\.housecall6.6
2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 17:03 . 2009-09-27 07:16 0 ----a-r- c:\windows\win32k.sys
2009-09-22 17:03 . 2009-09-22 17:03 68608 ----a-w- c:\windows\system32\drivers\cyehxtksmqecxrxe.sys
2009-09-22 17:03 . 2009-09-22 17:03 -------- d-----w- C:\spoolerlogs
2009-09-22 16:53 . 2009-09-22 16:53 68608 ----a-w- c:\windows\system32\drivers\rpvnyycbvorxvmtn.sys
2009-09-06 17:01 . 2009-09-06 17:01 -------- d-----w- c:\program files\CopyFilenames
2009-08-29 08:18 . 2009-08-29 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 08:01 . 2009-09-06 12:09 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-27 07:25 . 2005-09-10 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-26 10:39 . 2009-06-12 05:57 -------- d-----w- c:\program files\Unlocker
2009-09-25 22:41 . 2008-05-03 12:10 -------- d-----w- c:\program files\Lavasoft
2009-09-25 22:40 . 2005-09-10 17:06 -------- d-----w- c:\program files\Spybot
2009-09-25 22:38 . 2009-08-21 12:08 -------- d-----w- c:\program files\PicaLoader
2009-09-25 22:36 . 2008-05-31 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-23 22:44 . 2009-02-17 19:53 -------- d-----w- c:\program files\Azureus
2009-09-22 23:22 . 2008-06-12 17:37 -------- d-----w- c:\program files\PowerPacket
2009-09-20 20:00 . 2005-09-03 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2009-09-06 19:10 . 2005-10-28 16:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Skype
2009-09-06 15:01 . 2008-10-19 15:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\skypePM
2009-09-06 12:09 . 2008-02-04 16:56 -------- d-----w- c:\program files\Common Files\Logishrd
2009-08-26 21:07 . 2005-08-31 14:08 -------- d-----w- c:\program files\TotalRecorder
2009-08-17 09:01 . 2005-08-30 17:50 63904 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\MSBuild
2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 13:23 . 2009-08-15 13:23 -------- d-----w- c:\program files\MSXML 6.0
2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2005-08-31 13:54 -------- d-----w- c:\program files\whisper
2009-07-29 09:23 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2005-09-14 09:58 . 2005-09-09 11:08 20480 ----a-w- c:\program files\Common Files\UninstallDrv.exe
2005-10-28 07:31 . 2005-08-31 11:40 56 --sha-r- c:\windows\system32\5A04C4CEF8.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\DTV\\DVB-T USB 2.0\\DVB-Tplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\TotalRecorder\\TotalRecorder.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49251:TCP"= 49251:TCP:v
"49251:UDP"= 49251:UDP:v

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [24/07/2008 22:39 17264]
R1 HFSYS;HFSYS;c:\windows\system32\drivers\hfsys.sys [12/01/2004 01:34 19732]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/09/2009 22:07 108289]
R3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;c:\windows\system32\drivers\PCTELSAP.SYS [02/01/2005 01:00 306560]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [17/08/2008 14:48 126984]
R3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [06/04/2006 13:57 18432]
S3 Arcadyan;Arcadyan NDIS Protocol Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\Arcadyan.SYS [20/08/2004 03:14 17422]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\PLCMPR5.SYS --> c:\windows\system32\PLCMPR5.SYS [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 11:11 17280]
S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [06/04/2006 13:56 15488]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [06/11/2008 20:55 24652]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {08422DD0-F4AF-4740-8A75-0201C59D6AC5} = 212.159.6.9,212.159.6.10
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} - hxxp://downloads.exam2score.com/ePenClientSpec.ocx
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\zkvadj3e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 09:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2844)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~1\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-09-27 9:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 08:07

Pre-Run: 100,086,472,704 bytes free
Post-Run: 99,959,095,296 bytes free

214 --- E O F --- 2009-08-15 13:32


Whatever ComboFix did, I was then able to download, install and successfully run HJT - Log follows:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:16:42, on 27/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} (ePenClientSpec.ucEPenClientspec) - http://downloads.exam2score.com/ePenClientSpec.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 6772 bytes


screen317
Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.



Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Let me know how things are running now and what issues remain.

-screen317
Quizzical
OK, thanks again. Ran the two things you suggested and the logs follow below. Anything untoward?

Since then I've run Avira and it has detected two nasties (which weren't there on last night's scan) and also 25 "hidden files" which were also there last night and which it says it can't shift (despite my attempt to clean out IE temp files). There are 8 further warnings. Do I need to do anything about these? I've posted the Avira report also, after your Security Check file checkup.txt.

Everything appears to be running smoothly, though one or two processes I don't recognise (fssm32.exe is one of them) are now running - perhaps these are connected with what you asked me to do?

I would normally make regular use of Spybot and Ad-Aware alongside AVG, and I'm still a bit spooked as to how the stuff that caused the trouble these last few days got onto my machine - what did I do wrong?

Is there something better you can recommend?

Many thanks for all your time and help - you guys are stars!!

Here's the F-Secure report...

Scanning Report
Monday, September 28, 2009 18:31:29 - 19:29:13
Computer name: STARSKY
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ E:\


--------------------------------------------------------------------------------

No malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 56894
System: 4743
Not scanned: 13
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DUMPREP.EXE
C:\WINDOWS\SYSTEM32\MRT.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\PROGRAM FILES\SPYBOT\SPYBOTSD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\LOADER\AOLLOAD.EXE
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\MY DOCUMENTS\STEVE\SPYWARE\HIJACKTHIS.EXE

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2009 Product support | Send virus sample to F-Secure


Here's the checkup.txt file...

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:

HijackThis 2.0.2
CCleaner (remove only)
Java Web Start
Java™ 6 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.0_01
Java 2 Runtime Environment, SE v1.4.1_02
Out of date Java installed!
Adobe Flash Player 10
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 7.1.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
COMPAQ~1 LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe
COMPAQ~1 LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe
COMPAQ~1 LOCALS~1 Temp fsonlinescanner.exe
``````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````



Here's the Avira report...

Avira AntiVir Personal
Report file date: Monday, September 28, 2009 20:02

Scanning for 1756516 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : STARSKY

Version information:
BUILD.DAT : 9.0.0.410 18074 Bytes 25/09/2009 11:56:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 12:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 09:21:42
ANTIVIR2.VDF : 7.1.6.1 3857920 Bytes 16/09/2009 21:18:55
ANTIVIR3.VDF : 7.1.6.47 518144 Bytes 28/09/2009 19:00:37
Engineversion : 8.2.1.27
AEVDF.DLL : 8.1.1.2 106867 Bytes 24/09/2009 21:19:05
AESCRIPT.DLL : 8.1.2.33 479611 Bytes 24/09/2009 21:19:04
AESCN.DLL : 8.1.2.5 127346 Bytes 24/09/2009 21:19:03
AERDL.DLL : 8.1.2.4 430452 Bytes 23/07/2009 09:59:39
AEPACK.DLL : 8.2.0.0 422261 Bytes 24/09/2009 21:19:03
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 23/07/2009 09:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 24/09/2009 21:19:02
AEHELP.DLL : 8.1.7.0 237940 Bytes 24/09/2009 21:18:59
AEGEN.DLL : 8.1.1.66 364917 Bytes 25/09/2009 21:07:44
AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 14:32:40
AECORE.DLL : 8.1.8.1 184693 Bytes 24/09/2009 21:18:57
AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 14:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 25/09/2009 21:07:44
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, September 28, 2009 20:02

Starting search for hidden objects.
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\14292_small[1].jpg
[INFO] The file is not visible.
[NOTE] A backup was created as '4af30995.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\desktop.ini
[INFO] The file is not visible.
[NOTE] A backup was created as '4b3409c6.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_rosette[1].gif
[INFO] The file is not visible.
[NOTE] A backup was created as '4b2a09c5.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_tail_r2_c7[1].gif
[INFO] The file is not visible.
[NOTE] A backup was created as '4b2a09ca.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\tt-rain-butterfly-neutral-c3518[1].jpg
[INFO] The file is not visible.
[NOTE] A backup was created as '4aee09df.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\typeahead_log[1].htm
[INFO] The file is not visible.
[NOTE] A backup was created as '4b3109e4.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk3c.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4b2c09cd.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk45.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4a968efe.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk47.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '48a301be.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4a.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '48bd399e.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4e.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '48bf51fe.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk50.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '48b989de.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[10]
[INFO] The file is not visible.
[NOTE] A backup was created as '4af209c6.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[11]
[INFO] The file is not visible.
[NOTE] A backup was created as '496bc617.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[12]
[INFO] The file is not visible.
[NOTE] A backup was created as '4969fe77.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[13]
[INFO] The file is not visible.
[NOTE] A backup was created as '496c1657.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[1]
[INFO] The file is not visible.
[NOTE] A backup was created as '4b1c09c7.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[2]
[INFO] The file is not visible.
[NOTE] A backup was created as '48be6698.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[3]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b89ef8.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[4]
[INFO] The file is not visible.
[NOTE] A backup was created as '48bab6d8.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[5]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b4ef38.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[6]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b70718.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[7]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b13f78.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[8]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b35758.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[9]
[INFO] The file is not visible.
[NOTE] A backup was created as '48ad8fb8.qua' ( QUARANTINE )
'65424' objects were checked, '25' hidden objects were found.

The scan of running processes will be started
Scan process 'winmine.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'cmd.exe' - '1' Module(s) have been scanned
Scan process 'SecurityCheck.exe' - '1' Module(s) have been scanned
Scan process 'fssm32.exe' - '1' Module(s) have been scanned
Scan process 'fsgk32.exe' - '1' Module(s) have been scanned
Scan process 'fsonlinescanner.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wdsvc.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ps2.EXE' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'retrorun.exe' - '1' Module(s) have been scanned
Scan process 'NMSAccess.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
43 processes with 43 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\' <DRIVE1>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Compaq_Owner\Local Settings\temp\OnlineScanner\updates\aquawin32\cran.cvd
[DETECTION] Contains recognition pattern of the Trivial-28 (A) virus
C:\Documents and Settings\Compaq_Owner\Local Settings\temp\OnlineScanner\updates\aquawin32\cran.ivd
[DETECTION] Contains recognition pattern of the HTML/Silly.Gen HTML script virus
C:\Documents and Settings\Compaq_Owner\My Documents\Steve\spyware\HijackThis.exe
[WARNING] The file could not be opened!
C:\Program Files\Common Files\AOL\Loader\aolload.exe
[WARNING] The file could not be opened!
C:\Program Files\Spybot\SpybotSD.exe
[WARNING] The file could not be opened!
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\dumprep.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\MRT.exe
[WARNING] The file could not be opened!
Begin scan in 'D:\' <DRIVE2>
Begin scan in 'E:\' <PRESARIO_RP>

Beginning disinfection:
C:\Documents and Settings\Compaq_Owner\Local Settings\temp\OnlineScanner\updates\aquawin32\cran.cvd
[DETECTION] Contains recognition pattern of the Trivial-28 (A) virus
[NOTE] The file was moved to '4b22183e.qua'!
C:\Documents and Settings\Compaq_Owner\Local Settings\temp\OnlineScanner\updates\aquawin32\cran.ivd
[DETECTION] Contains recognition pattern of the HTML/Silly.Gen HTML script virus
[NOTE] The file was moved to '4b22183f.qua'!


End of the scan: Monday, September 28, 2009 21:08
Used time: 1:05:05 Hour(s)

The scan has been done completely.

8502 Scanned directories
435602 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
27 Files were moved to quarantine
0 Files were renamed
8 Files cannot be scanned
435592 Files not concerned
13254 Archives were scanned
8 Warnings
29 Notes
65424 Objects were scanned with rootkit scan
25 Hidden objects were found
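As an added illustration (not part of the thread, and not Avira's own tooling): a Python script that reads the "search for hidden objects" section of an AntiVir log in the format posted above, groups the hidden objects by folder, cross-checks the parsed count against the scanner's own summary line, and lists any hidden object for which no quarantine backup was recorded. The sample log text is a constructed subset of the entries above, with one hypothetical driver entry (example.sys, not from the log) added to exercise the no-backup case; the summary count is adjusted to match the subset.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the format of the AntiVir log posted above: three of the
# 25 cache entries, plus one hypothetical driver (example.sys) with no backup line.
# The summary count is adjusted to this subset.
SAMPLE_LOG = """\
Starting search for hidden objects.
c:\\documents and settings\\compaq_owner\\local settings\\temporary internet files\\content.ie5\\krcbu1sn\\desktop.ini
[INFO] The file is not visible.
[NOTE] A backup was created as '4b3409c6.qua' ( QUARANTINE )
c:\\documents and settings\\compaq_owner\\local settings\\temporary internet files\\content.ie5\\krcbu1sn\\wbk3c.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4b2c09cd.qua' ( QUARANTINE )
c:\\documents and settings\\compaq_owner\\local settings\\temporary internet files\\content.ie5\\krcbu1sn\\[1]
[INFO] The file is not visible.
[NOTE] A backup was created as '4b1c09c7.qua' ( QUARANTINE )
c:\\windows\\system32\\drivers\\example.sys
[INFO] The file is not visible.
'65424' objects were checked, '4' hidden objects were found.
"""

RECORD_START = re.compile(r"^[A-Za-z]:\\")          # a path line opens a record
QUARANTINE = re.compile(r"backup was created as '([^']+)'")
SUMMARY = re.compile(r"'(\d+)' objects were checked, '(\d+)' hidden objects were found")


def parse_hidden_objects(log_text):
    """Return ([{path, dir, quarantine}], reported_count) from the rootkit-scan section."""
    records, reported = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if RECORD_START.match(line):
            parent = str(PureWindowsPath(line).parent).lower()
            records.append({"path": line, "dir": parent, "quarantine": None})
            continue
        m = QUARANTINE.search(line)
        if m and records:
            records[-1]["quarantine"] = m.group(1)   # .qua name attaches to the last path
            continue
        m = SUMMARY.search(line)
        if m:
            reported = int(m.group(2))
    return records, reported


def triage(log_text):
    """Summarise: per-folder counts, count consistency, and hidden objects without a backup."""
    records, reported = parse_hidden_objects(log_text)
    return {
        "parsed": len(records),
        "reported": reported,
        "consistent": reported is None or reported == len(records),
        "by_dir": Counter(r["dir"] for r in records),
        "unbacked": [r["path"] for r in records if r["quarantine"] is None],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for folder, n in result["by_dir"].most_common():
        print(f"{n:3d} hidden object(s) in {folder}")
    print("scanner summary matches parsed count:", result["consistent"])
    print("hidden objects with no quarantine backup:", result["unbacked"])
```

On the log above every one of the 25 hidden objects sits in a single IE cache folder and every one has a .qua backup, which is why they read as cache debris rather than rootkit components; a hidden file under system32\drivers with no backup, as in the constructed example.sys entry, would call for very different attention.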
screen317
QUOTE
Ok, thanks again. Ran the two things you suggested and the logs follow below. Anything untoward?
Those "hidden" temp files are rather untoward, though they might have been part of the online scan. Grab a fresh copy of ComboFix, run it, and post its log.

Actually before you do that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java Web Start
Java™ 6 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.0_01
Java 2 Runtime Environment, SE v1.4.1_02
Adobe Reader 7.1.0


Restart your computer.

Get the latest version of Java and Adobe Reader.

Then run ComboFix and post its log.

QUOTE
Since then I've run Avira and it has detected two nasties (which weren't there on last night's scan) and also 25 "hidden files" which were also there last night and which it says it can't shift (despite my attempt to clean out IE temp files). There are 8 further warnings. Do I need to do anything about these? I've posted the Avira report also, after your Security Check file checkup.txt.
We'll see after you post the ComboFix log.

QUOTE
Everything appears to be running smoothly, though one or two processes I don't recognise (fssm32.exe is one of them) are now running - perhaps these are connected with what you asked me to do?
That's from the F-Secure online scan.

QUOTE
I would normally make regular use of SpyBot and Adaware alongside AVG and I'm still a bit spooked as to how the stuff that caused the trouble these last few days got onto my machine - what did I do wrong?
Could be a number of things; the most common being visiting porn, keygen, and crack sites. Could be from social networking sites, P2P programs, etc. It's a tainted cyberworld we live in. Also, anti-malware programs are not infallible; the criminals come up with more deceptive tactics and often the major corporations are left behind.


-screen317
Quizzical
Hello and thanks again for your continued support. I've uninstalled all the things you listed, re-started, installed new Java and Adobe, then ran ComboFix. It appeared to run successfully, did not this time reboot into safe mode before scanning; logfile below.

All seemed to be running smoothly, so I tried moving back towards "normal" working, but some weird things are still happening.
1. I ran Avira and it reported exactly the same set of hidden files as last time, at the same location. But when I navigate to the folder where the files are located and get Avira to scan the folder (using the right-click menu) it reports no files present. Haven't bothered to post the Avira report since it's the same details as yesterday, but will do so if you'd like to see it.
2. Avira flagged that it needed to be updated but the updater wouldn't run (it launched and then hung, several times). I manually updated from the website.
3. Tried Spybot but cannot run it, or uninstall it or reinstall it. It doesn't appear in Control Panel ¦ Add/Remove Programs, although the folder is present together with files including the .exe file - but attempting to run it or rename it produces an error message Cannot access, etc etc.
4. Installed MBAM successfully and did a full scan. It identified several infections so I'm copying that logfile too, after the ComboFix file.


Combofix file follows....

ComboFix 09-09-29.04 - Compaq_Owner 30/09/2009 18:29.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.637 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-30 17:26 . 2009-09-30 17:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 17:31 . 2009-09-28 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-09-27 08:16 . 2009-09-27 08:16 -------- d-----w- c:\program files\Trend Micro
2009-09-26 11:01 . 2009-09-27 07:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-26 10:03 . 2009-09-26 10:03 -------- d-----w- c:\program files\ERUNT
2009-09-25 21:27 . 2009-09-23 16:02 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-24 21:07 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-24 21:07 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-24 21:07 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-24 21:07 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\program files\Avira
2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-24 16:06 . 2009-09-24 16:06 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Azureus
2009-09-23 18:38 . 2009-09-23 18:40 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-09-23 17:29 . 2009-09-23 17:29 -------- d-----w- c:\program files\OEBW
2009-09-23 16:02 . 2009-09-25 21:27 -------- d-----w- c:\documents and settings\Compaq_Owner\.housecall6.6
2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 17:03 . 2009-09-27 07:16 0 ----a-r- c:\windows\win32k.sys
2009-09-22 17:03 . 2009-09-22 17:03 68608 ----a-w- c:\windows\system32\drivers\cyehxtksmqecxrxe.sys
2009-09-22 17:03 . 2009-09-22 17:03 -------- d-----w- C:\spoolerlogs
2009-09-22 16:53 . 2009-09-22 16:53 68608 ----a-w- c:\windows\system32\drivers\rpvnyycbvorxvmtn.sys
2009-09-06 17:01 . 2009-09-06 17:01 -------- d-----w- c:\program files\CopyFilenames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 17:26 . 2005-01-01 23:54 -------- d-----w- c:\program files\Java
2009-09-30 17:23 . 2005-06-24 18:16 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-30 17:20 . 2009-09-06 12:09 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-30 17:07 . 2005-01-02 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-27 20:00 . 2005-09-03 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2009-09-27 07:25 . 2005-09-10 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-26 10:39 . 2009-06-12 05:57 -------- d-----w- c:\program files\Unlocker
2009-09-25 22:41 . 2008-05-03 12:10 -------- d-----w- c:\program files\Lavasoft
2009-09-25 22:40 . 2005-09-10 17:06 -------- d-----w- c:\program files\Spybot
2009-09-25 22:38 . 2009-08-21 12:08 -------- d-----w- c:\program files\PicaLoader
2009-09-25 22:36 . 2008-05-31 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-23 22:44 . 2009-02-17 19:53 -------- d-----w- c:\program files\Azureus
2009-09-22 23:22 . 2008-06-12 17:37 -------- d-----w- c:\program files\PowerPacket
2009-09-06 19:10 . 2005-10-28 16:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Skype
2009-09-06 15:01 . 2008-10-19 15:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\skypePM
2009-09-06 12:09 . 2008-02-04 16:56 -------- d-----w- c:\program files\Common Files\Logishrd
2009-08-29 08:18 . 2009-08-29 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-08-26 21:07 . 2005-08-31 14:08 -------- d-----w- c:\program files\TotalRecorder
2009-08-17 09:01 . 2005-08-30 17:50 63904 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\MSBuild
2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 13:23 . 2009-08-15 13:23 -------- d-----w- c:\program files\MSXML 6.0
2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2005-08-31 13:54 -------- d-----w- c:\program files\whisper
2009-07-29 09:23 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2005-09-14 09:58 . 2005-09-09 11:08 20480 ----a-w- c:\program files\Common Files\UninstallDrv.exe
2005-10-28 07:31 . 2005-08-31 11:40 56 --sha-r- c:\windows\system32\5A04C4CEF8.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-27_08.03.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-30 17:26 . 2009-09-30 17:26 149280 c:\windows\system32\javaws.exe
+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\javaw.exe
+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\java.exe
+ 2009-09-30 17:26 . 2009-09-30 17:26 537600 c:\windows\Installer\22fac.msi
+ 2009-09-30 16:58 . 2009-09-30 16:58 196608 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-30 16:58 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\30-09-2009\ERDNT.EXE
+ 2009-09-29 05:13 . 2009-09-29 05:13 196608 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-29 05:13 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\29-09-2009\ERDNT.EXE
+ 2009-09-28 14:46 . 2009-09-28 14:46 196608 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-28 14:46 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\28-09-2009\ERDNT.EXE
+ 2009-07-10 09:39 . 2009-07-10 09:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
+ 2009-09-30 17:23 . 2009-09-30 17:23 3938816 c:\windows\Installer\22fa4.msi
+ 2009-09-30 16:58 . 2009-09-30 16:58 7892992 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000001\ntuser.dat
+ 2009-09-29 05:13 . 2009-09-29 05:13 7892992 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000001\ntuser.dat
+ 2009-09-28 14:46 . 2009-09-28 14:46 7892992 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-30 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\DTV\\DVB-T USB 2.0\\DVB-Tplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\TotalRecorder\\TotalRecorder.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49251:TCP"= 49251:TCP:v
"49251:UDP"= 49251:UDP:v

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [24/07/2008 22:39 17264]
R1 HFSYS;HFSYS;c:\windows\system32\drivers\hfsys.sys [12/01/2004 01:34 19732]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/09/2009 22:07 108289]
R3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;c:\windows\system32\drivers\PCTELSAP.SYS [02/01/2005 01:00 306560]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [17/08/2008 14:48 126984]
R3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [06/04/2006 13:57 18432]
S3 Arcadyan;Arcadyan NDIS Protocol Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\Arcadyan.SYS [20/08/2004 03:14 17422]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\PLCMPR5.SYS --> c:\windows\system32\PLCMPR5.SYS [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 11:11 17280]
S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [06/04/2006 13:56 15488]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [06/11/2008 20:55 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {08422DD0-F4AF-4740-8A75-0201C59D6AC5} = 212.159.6.9,212.159.6.10
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} - hxxp://downloads.exam2score.com/ePenClientSpec.ocx
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\zkvadj3e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 18:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4072)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~1\wmpband.dll
.
Completion time: 2009-09-30 18:39
ComboFix-quarantined-files.txt 2009-09-30 17:39
ComboFix2.txt 2009-09-27 08:07

Pre-Run: 98,881,982,464 bytes free
Post-Run: 99,316,580,352 bytes free

210 --- E O F --- 2009-08-15 13:32


MBAM file follows....

Malwarebytes' Anti-Malware 1.41
Database version: 2878
Windows 5.1.2600 Service Pack 2

30/09/2009 23:12:01
mbam-log-2009-09-30 (23-12-01).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 197533
Time elapsed: 57 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cyehxtksmqecxrxe (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpvnyycbvorxvmtn (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Desktopicon\eBayShortcuts.exe.vir (Adware.ADON) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cyehxtksmqecxrxe.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\rpvnyycbvorxvmtn.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
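An added example, not from the thread and not part of ComboFix or MBAM: a Python triage pass over the "Files Created" entries and the firewall policy lines of a ComboFix log in the format posted above. The sample text is copied from the log above, trimmed to the lines the heuristics act on. The heuristics themselves are assumptions: a small illustrative set of file names that belong only in system32, a "random-looking name" test (12 or more lowercase letters containing a run of five or more consonants), a zero-byte check for executables and drivers, and a check for two new drivers of identical size. Expect false positives; the output is a list of things to look at, not verdicts.

```python
import re
from pathlib import PureWindowsPath

# Sample copied from the ComboFix log posted above ("Files Created" entries and the
# firewall policy key), trimmed to the lines the heuristics below act on.
SAMPLE_COMBOFIX = """\
2009-09-30 20:56 . 2009-09-10 13:54 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-09-24 21:07 . 2009-07-28 15:33 55656 ----a-w- c:\\windows\\system32\\drivers\\avgntflt.sys
2009-09-22 17:03 . 2009-09-27 07:16 0 ----a-r- c:\\windows\\win32k.sys
2009-09-22 17:03 . 2009-09-22 17:03 68608 ----a-w- c:\\windows\\system32\\drivers\\cyehxtksmqecxrxe.sys
2009-09-22 17:03 . 2009-09-22 17:03 -------- d-----w- C:\\spoolerlogs
2009-09-22 16:53 . 2009-09-22 16:53 68608 ----a-w- c:\\windows\\system32\\drivers\\rpvnyycbvorxvmtn.sys
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# created . modified size attrs path   (size is '--------' for directories)
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\d+|-+) (\S{8}) (.+)$")
FIREWALL_OFF = re.compile(r'"EnableFirewall"=\s*0\b')

# Assumption: a small illustrative set of names that live only in system32 on XP.
SYSTEM32_ONLY = {"win32k.sys", "eventlog.dll", "ntoskrnl.exe", "hal.dll"}


def parse_entries(text):
    """Parse 'Files Created' lines into dicts; directory entries are dropped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        if attrs.startswith("d"):
            continue
        entries.append({"created": created, "modified": modified,
                        "size": int(size) if size.isdigit() else None,
                        "attrs": attrs, "path": path})
    return entries


def looks_random(stem):
    """Heuristic (assumption): 12+ lowercase letters with a run of 5+ consonants,
    which catches the TDSS-style names above but not mbamswissarmy or avgntflt."""
    return bool(re.fullmatch(r"[a-z]{12,}", stem)) and bool(re.search(r"[^aeiou]{5,}", stem))


def triage_entries(entries):
    """Return (path, reason) pairs worth a second look."""
    findings = []
    drivers_by_size = {}
    for e in entries:
        p = PureWindowsPath(e["path"])
        name, parent = p.name.lower(), str(p.parent).lower()
        if name in SYSTEM32_ONLY and not parent.endswith("\\system32"):
            findings.append((e["path"], "system file name outside system32"))
        if e["size"] == 0 and p.suffix.lower() in (".sys", ".exe", ".dll"):
            findings.append((e["path"], "zero-byte executable or driver"))
        if parent.endswith("\\system32\\drivers"):
            if looks_random(p.stem.lower()):
                findings.append((e["path"], "random-looking driver name"))
            drivers_by_size.setdefault(e["size"], []).append(e["path"])
    # Two freshly created drivers of identical size is how the pair above shows up.
    for size, paths in drivers_by_size.items():
        if len(paths) > 1:
            findings.extend((path, f"same size ({size} bytes) as another new driver") for path in paths)
    return findings


def firewall_disabled(text):
    """True when the standard-profile Windows Firewall policy in the dump is off."""
    return bool(FIREWALL_OFF.search(text))


if __name__ == "__main__":
    for path, reason in triage_entries(parse_entries(SAMPLE_COMBOFIX)):
        print(f"{reason:45s} {path}")
    print("firewall disabled:", firewall_disabled(SAMPLE_COMBOFIX))
```

On the posted log this flags the two 68608-byte drivers with random names under system32\drivers (the pair MBAM reports above as Rootkit.TDSS), the zero-byte win32k.sys sitting in c:\windows rather than system32 (the file MBAM reports as Trojan.Dropper), and notes that the standard-profile firewall is off; the Avira and Malwarebytes drivers in the same section are not flagged.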
screen317
Hi,

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

QUOTE
Folder::
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


After that, please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu). See if you can delete Spybot's folder now.

-screen317
Quizzical
OK, I copied the script and used it to launch ComboFix. Rebooted into Safe Mode but was unable to delete the Spybot folder. When Windows came to delete the SpybotSD.exe file access was denied. (FYI, there are two copies of Spybot files. When I first had problems I reinstalled Spybot into a differently named folder, but neither SpybotSD.exe file will run, or delete.) I do have two utilities (Unlocker and MoveOnBoot) that I have used before but have not yet tried on this Spybot problem in case it messes up anything you're trying to do to help me.

I have also run Avira again and again it has identified the same 25 hidden files as before, in the same location as before. It also says it has found two further infections, looks like in the system restore, so I'm posting the log for that scan as well in case it tells you stuff.

Question - I have avoided, for the past week, using anything on the internet for which a password is required; do you think I'm safe to start doing that again yet?

Many thanks once more for your continued patience.

Combo Fix and HJT and Avira logs follow....

ComboFix 09-09-30.06 - Compaq_Owner 01/10/2009 17:57.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.595 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\81AVO1YR\desktop.ini
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[1]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[10]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[11]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[12]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[13]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[14]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[15]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[2]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[3]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[4]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[5]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[6]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[7]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[8]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\[9]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\desktop.ini
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\98U6ZA0R\eTicket.pdf
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\desktop.ini
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\FFNH1X0A\desktop.ini
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\index.dat
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\W12Z4TAV\desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-09-30 20:56 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 20:56 . 2009-09-30 22:03 -------- d-----w- c:\program files\Malwarebytes
2009-09-30 20:56 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 17:26 . 2009-09-30 17:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 17:31 . 2009-09-28 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-09-27 08:16 . 2009-09-27 08:16 -------- d-----w- c:\program files\Trend Micro
2009-09-26 11:01 . 2009-09-30 20:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-26 10:03 . 2009-09-26 10:03 -------- d-----w- c:\program files\ERUNT
2009-09-25 21:27 . 2009-09-23 16:02 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-24 21:07 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-24 21:07 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-24 21:07 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-24 21:07 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\program files\Avira
2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-24 16:06 . 2009-09-24 16:06 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Azureus
2009-09-23 18:38 . 2009-09-23 18:40 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-09-23 17:29 . 2009-09-23 17:29 -------- d-----w- c:\program files\OEBW
2009-09-23 16:02 . 2009-09-25 21:27 -------- d-----w- c:\documents and settings\Compaq_Owner\.housecall6.6
2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 17:03 . 2009-09-22 17:03 -------- d-----w- C:\spoolerlogs
2009-09-06 17:01 . 2009-09-06 17:01 -------- d-----w- c:\program files\CopyFilenames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 16:35 . 2009-09-06 12:09 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-30 20:35 . 2005-09-10 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-30 17:26 . 2005-01-01 23:54 -------- d-----w- c:\program files\Java
2009-09-30 17:23 . 2005-06-24 18:16 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-30 17:07 . 2005-01-02 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-27 20:00 . 2005-09-03 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2009-09-26 10:39 . 2009-06-12 05:57 -------- d-----w- c:\program files\Unlocker
2009-09-25 22:41 . 2008-05-03 12:10 -------- d-----w- c:\program files\Lavasoft
2009-09-25 22:40 . 2005-09-10 17:06 -------- d-----w- c:\program files\Spybot
2009-09-25 22:38 . 2009-08-21 12:08 -------- d-----w- c:\program files\PicaLoader
2009-09-25 22:36 . 2008-05-31 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-23 22:44 . 2009-02-17 19:53 -------- d-----w- c:\program files\Azureus
2009-09-22 23:22 . 2008-06-12 17:37 -------- d-----w- c:\program files\PowerPacket
2009-09-06 19:10 . 2005-10-28 16:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Skype
2009-09-06 15:01 . 2008-10-19 15:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\skypePM
2009-09-06 12:09 . 2008-02-04 16:56 -------- d-----w- c:\program files\Common Files\Logishrd
2009-08-29 08:18 . 2009-08-29 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-08-26 21:07 . 2005-08-31 14:08 -------- d-----w- c:\program files\TotalRecorder
2009-08-17 09:01 . 2005-08-30 17:50 63904 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\MSBuild
2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 13:23 . 2009-08-15 13:23 -------- d-----w- c:\program files\MSXML 6.0
2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2005-08-31 13:54 -------- d-----w- c:\program files\whisper
2009-07-29 09:23 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2005-09-14 09:58 . 2005-09-09 11:08 20480 ----a-w- c:\program files\Common Files\UninstallDrv.exe
2005-10-28 07:31 . 2005-08-31 11:40 56 --sha-r- c:\windows\system32\5A04C4CEF8.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-27_08.03.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-30 17:26 . 2009-09-30 17:26 149280 c:\windows\system32\javaws.exe
+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\javaw.exe
+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\java.exe
+ 2009-09-30 17:26 . 2009-09-30 17:26 537600 c:\windows\Installer\22fac.msi
+ 2009-09-30 16:58 . 2009-09-30 16:58 196608 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-30 16:58 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\30-09-2009\ERDNT.EXE
+ 2009-09-29 05:13 . 2009-09-29 05:13 196608 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-29 05:13 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\29-09-2009\ERDNT.EXE
+ 2009-09-28 14:46 . 2009-09-28 14:46 196608 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-28 14:46 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\28-09-2009\ERDNT.EXE
+ 2009-10-01 12:33 . 2009-10-01 12:33 212992 c:\windows\ERDNT\AutoBackup\01-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-01 12:33 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\01-10-2009\ERDNT.EXE
+ 2009-07-10 09:39 . 2009-07-10 09:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
+ 2009-09-30 17:23 . 2009-09-30 17:23 3938816 c:\windows\Installer\22fa4.msi
+ 2009-09-30 16:58 . 2009-09-30 16:58 7892992 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000001\ntuser.dat
+ 2009-09-29 05:13 . 2009-09-29 05:13 7892992 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000001\ntuser.dat
+ 2009-09-28 14:46 . 2009-09-28 14:46 7892992 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000001\ntuser.dat
+ 2009-10-01 12:33 . 2009-10-01 12:33 7892992 c:\windows\ERDNT\AutoBackup\01-10-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-30 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes\mbam.exe" [2009-09-10 1312080]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\DTV\\DVB-T USB 2.0\\DVB-Tplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\TotalRecorder\\TotalRecorder.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49251:TCP"= 49251:TCP:v
"49251:UDP"= 49251:UDP:v

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [24/07/2008 22:39 17264]
R1 HFSYS;HFSYS;c:\windows\system32\drivers\hfsys.sys [12/01/2004 01:34 19732]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/09/2009 22:07 108289]
R3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;c:\windows\system32\drivers\PCTELSAP.SYS [02/01/2005 01:00 306560]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [17/08/2008 14:48 126984]
R3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [06/04/2006 13:57 18432]
S3 Arcadyan;Arcadyan NDIS Protocol Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\Arcadyan.SYS [20/08/2004 03:14 17422]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\PLCMPR5.SYS --> c:\windows\system32\PLCMPR5.SYS [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 11:11 17280]
S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [06/04/2006 13:56 15488]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [06/11/2008 20:55 24652]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {08422DD0-F4AF-4740-8A75-0201C59D6AC5} = 212.159.6.9,212.159.6.10
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} - hxxp://downloads.exam2score.com/ePenClientSpec.ocx
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\zkvadj3e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 18:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-10-01 18:06
ComboFix-quarantined-files.txt 2009-10-01 17:06
ComboFix2.txt 2009-09-27 08:07

Pre-Run: 99,193,856,000 bytes free
Post-Run: 99,157,475,328 bytes free

229 --- E O F --- 2009-08-15 13:32



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:01, on 01/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccess.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} (ePenClientSpec.ucEPenClientspec) - http://downloads.exam2score.com/ePenClientSpec.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7550 bytes



Avira AntiVir Personal
Report file date: Thursday, October 01, 2009 18:27

Scanning for 1765187 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : STARSKY

Version information:
BUILD.DAT : 9.0.0.410 18074 Bytes 25/09/2009 11:56:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 13:50:58
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 13:50:58
ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 29/09/2009 08:16:20
ANTIVIR3.VDF : 7.1.6.59 128000 Bytes 30/09/2009 16:12:04
Engineversion : 8.2.1.27
AEVDF.DLL : 8.1.1.2 106867 Bytes 15/09/2009 15:58:02
AESCRIPT.DLL : 8.1.2.33 479611 Bytes 21/09/2009 16:27:58
AESCN.DLL : 8.1.2.5 127346 Bytes 03/09/2009 15:24:42
AERDL.DLL : 8.1.2.4 430452 Bytes 14/07/2009 17:08:26
AEPACK.DLL : 8.2.0.0 422261 Bytes 15/09/2009 15:58:00
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 17/06/2009 14:32:46
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 18/08/2009 14:02:16
AEHELP.DLL : 8.1.7.0 237940 Bytes 03/09/2009 15:24:42
AEGEN.DLL : 8.1.1.66 364917 Bytes 25/09/2009 16:23:24
AEEMU.DLL : 8.1.0.9 393588 Bytes 15/10/2008 10:49:36
AECORE.DLL : 8.1.8.1 184693 Bytes 15/09/2009 15:57:58
AEBB.DLL : 8.1.0.3 53618 Bytes 15/10/2008 10:49:34
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 25/09/2009 21:07:44
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, October 01, 2009 18:27

Starting search for hidden objects.
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\14292_small[1].jpg
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6edf3.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\desktop.ini
[INFO] The file is not visible.
[NOTE] A backup was created as '4b37ee24.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_rosette[1].gif
[INFO] The file is not visible.
[NOTE] A backup was created as '4b2dee23.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_tail_r2_c7[1].gif
[INFO] The file is not visible.
[NOTE] A backup was created as '4b2dee28.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\tt-rain-butterfly-neutral-c3518[1].jpg
[INFO] The file is not visible.
[NOTE] A backup was created as '4af1ee3c.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\typeahead_log[1].htm
[INFO] The file is not visible.
[NOTE] A backup was created as '4b34ee42.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk3c.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4b2fee2b.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk45.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4a95f014.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk47.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '48a0f084.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4a.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '48bea8a4.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4e.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '48bc8044.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk50.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '48ba7864.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[10]
[INFO] The file is not visible.
[NOTE] A backup was created as '4af5ee24.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[11]
[INFO] The file is not visible.
[NOTE] A backup was created as '496c082d.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[12]
[INFO] The file is not visible.
[NOTE] A backup was created as '4969e3cd.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[13]
[INFO] The file is not visible.
[NOTE] A backup was created as '496bdbed.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[1]
[INFO] The file is not visible.
[NOTE] A backup was created as '4b1fee25.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[2]
[INFO] The file is not visible.
[NOTE] A backup was created as '48bd6bae.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[3]
[INFO] The file is not visible.
[NOTE] A backup was created as '48bb434e.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[4]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b93b6e.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[5]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b7130e.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[6]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b4cb2e.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[7]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b2a2ce.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[8]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b09aee.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[9]
[INFO] The file is not visible.
[NOTE] A backup was created as '48ae728e.qua' ( QUARANTINE )
'63411' objects were checked, '25' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ps2.EXE' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wdsvc.exe' - '1' Module(s) have been scanned
Scan process 'retrorun.exe' - '1' Module(s) have been scanned
Scan process 'NMSAccess.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
40 processes with 40 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\' <DRIVE1>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Compaq_Owner\My Documents\Steve\spyware\HijackThis.exe
[WARNING] The file could not be opened!
C:\Program Files\Common Files\AOL\Loader\aolload.exe
[WARNING] The file could not be opened!
C:\Program Files\Spybot\SpybotSD.exe
[WARNING] The file could not be opened!
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197001.sys
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197002.sys
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\dumprep.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\MRT.exe
[WARNING] The file could not be opened!
Begin scan in 'D:\' <DRIVE2>
Begin scan in 'E:\' <PRESARIO_RP>

Beginning disinfection:
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197001.sys
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4af5f983.qua'!
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197002.sys
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496233a4.qua'!


End of the scan: Thursday, October 01, 2009 19:47
Used time: 1:19:12 Hour(s)

The scan has been done completely.

8568 Scanned directories
428491 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
27 Files were moved to quarantine
0 Files were renamed
8 Files cannot be scanned
428481 Files not concerned
13265 Archives were scanned
8 Warnings
29 Notes
63411 Objects were scanned with rootkit scan
25 Hidden objects were found

screen317
Hmm... Hold off on doing anything password-sensitive yet.

There's something I want to try; there may be another infection hiding here.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    DrvTrNTm.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



After that, download this Registry Search by Bobbi Flekman, save it, and extract regsearch.exe to the Desktop. You will use it in a moment.

Double-click regsearch.exe to start it. In the top window, enter DrvTrNTm as the search string on the first line. Make sure all the option boxes are checked, and click "Ok". Notepad will be opened with text in it (the file will be saved to the Desktop as well as RegSearch.txt). Post this text in your next reply.

-screen317
Quizzical
Hi - sorry for the delay replying, been away for the weekend.

Ran both the things you asked, and logs follow....

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 19:26 on 04/10/2009 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "DrvTrNTm.dll"
C:\WINDOWS\system32\DrvTrNTm.dll --a--- 61448 bytes [14:50 15/10/2006] [23:18 18/11/2008] A96B945112263E3376FCAF33B94986CB

-=End Of File=-


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 04/10/2009 19:32:21 for strings:
; 'drvtrntm'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\drivers.desc]
"DrvTrNTm.dll"="Wave sound driver for the TotalRecorder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"mixer"="DrvTrNTm.dll"
"wave"="DrvTrNTm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Userinstallable.drivers]
"wave"="DrvTrNTm.dll"

; End Of The Log...
Quizzical
Follow-up post from last night....

Chris, I'm off work at home today and have done two scans this morning. MBAM has picked up 3 further infections in system restore. And then Avira has picked up another, different, infection. Plus Avira is still finding those 25 hidden files. Just on the off-chance I had another go at deleting the Spybot files, but no go.

So I guess there's still - as you suggested - something nasty lingering.

Here are the logs from the two scans. I was puzzled at first by the incomplete MBAM log, until I realised that I clicked "Save Report" BEFORE I clicked "Repair", so where it says no action has been taken in fact those files were quarantined.


Malwarebytes' Anti-Malware 1.41
Database version: 2908
Windows 5.1.2600 Service Pack 2

05/10/2009 11:10:17
mbam-log-2009-10-05 (11-10-06).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 199503
Time elapsed: 59 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0196916.sys (Worm.Agent) -> No action taken.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197047.sys (Worm.Agent) -> No action taken.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1240\A0197208.sys (Worm.Agent) -> No action taken.



Avira AntiVir Personal
Report file date: Monday, October 05, 2009 11:13

Scanning for 1772828 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : STARSKY

Version information:
BUILD.DAT : 9.0.0.410 18074 Bytes 25/09/2009 11:56:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 13:50:58
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 13:50:58
ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 29/09/2009 08:16:20
ANTIVIR3.VDF : 7.1.6.68 216576 Bytes 02/10/2009 18:26:31
Engineversion : 8.2.1.33
AEVDF.DLL : 8.1.1.2 106867 Bytes 15/09/2009 15:58:02
AESCRIPT.DLL : 8.1.2.35 483707 Bytes 04/10/2009 18:27:00
AESCN.DLL : 8.1.2.5 127346 Bytes 03/09/2009 15:24:42
AERDL.DLL : 8.1.3.2 479604 Bytes 04/10/2009 18:26:57
AEPACK.DLL : 8.2.0.0 422261 Bytes 15/09/2009 15:58:00
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 17/06/2009 14:32:46
AEHEUR.DLL : 8.1.0.166 2003319 Bytes 04/10/2009 18:26:53
AEHELP.DLL : 8.1.7.0 237940 Bytes 03/09/2009 15:24:42
AEGEN.DLL : 8.1.1.67 364916 Bytes 04/10/2009 18:26:36
AEEMU.DLL : 8.1.1.0 393587 Bytes 04/10/2009 18:26:34
AECORE.DLL : 8.1.8.1 184693 Bytes 15/09/2009 15:57:58
AEBB.DLL : 8.1.0.3 53618 Bytes 15/10/2008 10:49:34
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 25/09/2009 21:07:44
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, October 05, 2009 11:13

Starting search for hidden objects.
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\14292_small[1].jpg
[INFO] The file is not visible.
[NOTE] A backup was created as '4afbc802.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\desktop.ini
[INFO] The file is not visible.
[NOTE] A backup was created as '4b3cc833.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_rosette[1].gif
[INFO] The file is not visible.
[NOTE] A backup was created as '4b32c832.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_tail_r2_c7[1].gif
[INFO] The file is not visible.
[NOTE] A backup was created as '4b32c836.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\tt-rain-butterfly-neutral-c3518[1].jpg
[INFO] The file is not visible.
[NOTE] A backup was created as '4af6c84b.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\typeahead_log[1].htm
[INFO] The file is not visible.
[NOTE] A backup was created as '4b39c850.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk3c.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4b34c839.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk45.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '484c0772.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk47.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '484e3f12.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4a.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4849d732.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4e.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '484b8ed2.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk50.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '48b5a6f2.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[10]
[INFO] The file is not visible.
[NOTE] A backup was created as '4afac832.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[11]
[INFO] The file is not visible.
[NOTE] A backup was created as '497f76bb.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[12]
[INFO] The file is not visible.
[NOTE] A backup was created as '497d2e5b.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[13]
[INFO] The file is not visible.
[NOTE] A backup was created as '4970c67b.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[1]
[INFO] The file is not visible.
[NOTE] A backup was created as '4b24c833.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[2]
[INFO] The file is not visible.
[NOTE] A backup was created as '48aa963c.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[3]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b44ddc.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[4]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b665fc.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[5]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b01d9c.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[6]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b235bc.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[7]
[INFO] The file is not visible.
[NOTE] A backup was created as '48bded5c.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[8]
[INFO] The file is not visible.
[NOTE] A backup was created as '48bf857c.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[9]
[INFO] The file is not visible.
[NOTE] A backup was created as '48b9bd1c.qua' ( QUARANTINE )
'64245' objects were checked, '25' hidden objects were found.

The scan of running processes will be started
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'msimn.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wdsvc.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'aim6.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ps2.EXE' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'retrorun.exe' - '1' Module(s) have been scanned
Scan process 'NMSAccess.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\' <DRIVE1>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Compaq_Owner\My Documents\Steve\spyware\HijackThis.exe
[WARNING] The file could not be opened!
C:\Program Files\Common Files\AOL\Loader\aolload.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file could not be opened!
C:\Program Files\Spybot\SpybotSD.exe
[WARNING] The file could not be opened!
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\dumprep.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\MRT.exe
[WARNING] The file could not be opened!
Begin scan in 'D:\' <DRIVE2>
Begin scan in 'E:\' <PRESARIO_RP>

Beginning disinfection:
C:\Program Files\Common Files\AOL\Loader\aolload.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4b35d539.qua'!


End of the scan: Monday, October 05, 2009 12:13
Used time: 55:13 Minute(s)

The scan has been done completely.

8612 Scanned directories
429488 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
26 Files were moved to quarantine
0 Files were renamed
8 Files cannot be scanned
429479 Files not concerned
13268 Archives were scanned
8 Warnings
28 Notes
64245 Objects were scanned with rootkit scan
25 Hidden objects were found
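As an added triage helper (not Avira's code and not from this thread), the Python below parses an AntiVir report of the kind posted above, groups the hidden objects by folder, pairs each [DETECTION] with its disinfection outcome (including the ErrorID 26004 / ARK-library fallback seen here) and cross-checks the hidden-object count against the summary; its embedded report is a constructed, abbreviated excerpt modelled on the one above.

```python
"""Triage helper for Avira AntiVir report text (added example, not Avira's code)."""
import ntpath
import re
from collections import Counter, defaultdict

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a scanned-object line, e.g. C:\WINDOWS\...
DETECT_RE = re.compile(r"^\[DETECTION\] Is the (.+)$")
SUMMARY_RE = re.compile(r"^(\d+) (Viruses and/or unwanted programs were found"
                        r"|Files were moved to quarantine|Hidden objects were found)$")

# Constructed, abbreviated excerpt modelled on the report posted above.
SAMPLE_REPORT = r"""
Starting search for hidden objects.
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\desktop.ini
[INFO] The file is not visible.
[NOTE] A backup was created as '4b3cc833.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk3c.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4b34c839.qua' ( QUARANTINE )
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[1]
[INFO] The file is not visible.
[NOTE] A backup was created as '4b24c833.qua' ( QUARANTINE )
'64245' objects were checked, '3' hidden objects were found.

Starting the file scan:
Begin scan in 'C:\' <DRIVE1>
C:\Program Files\Common Files\AOL\Loader\aolload.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file could not be opened!

Beginning disinfection:
C:\Program Files\Common Files\AOL\Loader\aolload.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4b35d539.qua'!

End of the scan: Monday, October 05, 2009 12:13
1 Viruses and/or unwanted programs were found
4 Files were moved to quarantine
3 Hidden objects were found
"""


def parse_avira_report(text):
    """Collect hidden objects, detections, disinfection lines and summary counts."""
    report = {"hidden": [], "detections": {}, "actions": defaultdict(list), "summary": {}}
    current = None           # path the following [INFO]/[NOTE]/[WARNING] lines refer to
    in_disinfection = False  # only disinfection-phase lines say what happened to a file
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Beginning disinfection"):
            in_disinfection = True
            continue
        if line.startswith("End of the scan"):
            in_disinfection, current = False, None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"][m.group(2)] = int(m.group(1))
            continue
        if PATH_RE.match(line):
            current = line.lower()  # the log lower-cases rootkit-section paths, mixed case elsewhere
            continue
        if current is None:
            continue
        if line.startswith("[INFO] The file is not visible"):
            report["hidden"].append(current)
        elif DETECT_RE.match(line):
            report["detections"][current] = DETECT_RE.match(line).group(1)
        elif in_disinfection and line.startswith(("[NOTE]", "[WARNING]")):
            report["actions"][current].append(line)
    report["actions"] = dict(report["actions"])
    return report


def hidden_by_directory(report):
    """Count hidden objects per parent folder (all 25 in the thread sit in one IE cache folder)."""
    return Counter(ntpath.dirname(p) for p in report["hidden"])


def triage(report):
    """Pair each detection with its outcome and cross-check the hidden-object count."""
    findings = [{
        "path": path,
        "detection": name,
        "quarantined": any("was moved to" in l for l in report["actions"].get(path, [])),
        "errors": [l for l in report["actions"].get(path, []) if l.startswith("[WARNING]")],
    } for path, name in report["detections"].items()]
    counted, claimed = len(report["hidden"]), report["summary"].get("Hidden objects were found")
    return {"hidden_total": counted,
            "hidden_dirs": dict(hidden_by_directory(report)),
            "hidden_count_matches_summary": claimed is None or claimed == counted,
            "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_avira_report(SAMPLE_REPORT)), indent=2))
```

Run against the full report above, `hidden_dirs` collapses to the single `content.ie5\krcbu1sn` folder, which is what makes the "25 hidden files" look like a cache-folder artefact rather than 25 separate hidden binaries.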



screen317
Hmm.

It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio
Comodo
Outpost


After installing, restart your computer and see if it gives you any alerts from something trying to phone home.

-screen317
Quizzical
OK. I've done the following:

1. Installed Kerio and rebooted. Can't see anything untoward in the alerts it throws up as everything gets going. There are 3 separate items for AIM6 including two separate connections out, which puzzles me but I'm well beyond what very limited techie knowledge I possess so it might well be fine. If I recognise a process trying to connect does that mean it's probably OK? Could post a screenshot but am unsure if it's wise to post in a public forum something with IP & port details. Could PM you if that's likely to help.

2. Uninstalled Firefox (been showing symptoms of corruption, e.g. bookmarking not working, home page not always loading) and installed clean updated copy. That now seems to be running smoothly.

3. Created system restore point (because MBAM had identified infections there so I just wondered....)

4. Run full MBAM scan, no problems.

5. Run Avira, and OK BUT still the same 25 hidden files that nothing except Avira seems to find.

6. Run Unlocker1.8.7 utility which appears to have successfully deleted the Spybot files I couldn't shift.

7. Installed clean copy of SpybotSD, run it, no threats reported.

So I guess I'm clean??? Should I just ignore Avira's hidden files? Can you suggest anything else, either regarding that or future good safety practice?
screen317
QUOTE
1. Installed Kerio and rebooted. Can't see anything untoward in the alerts it throws up as everything gets going. There are 3 separate items for AIM6 including two separate connections out, which puzzles me but I'm well beyond what very limited techie knowledge I possess so it might well be fine.
Yes it's fine; AIM has multiple functions so it's not surprising that it would establish multiple connections.
QUOTE
If I recognise a process trying to connect does that mean it's probably OK?
Yes it's probably okay; as you "allow" programs with your firewall, it will get "smarter" and stop nagging you for legitimate things. Unknown processes are worth investigating. Feel free to post here; I'll delete the image after I'm done looking at it.


QUOTE
2. Uninstalled Firefox (been showing symptoms of corruption, e.g. bookmarking not working, home page not always loading) and installed clean updated copy. That now seems to be running smoothly.
Good to hear.

QUOTE
3. Created system restore point (because MBAM had identified infections there so I just wondered....)
That's fine.


QUOTE
4. Run full MBAM scan, no problems.

6. Run Unlocker1.8.7 utility which appears to have successfully deleted the Spybot files I couldn't shift.

7. Installed clean copy of SpybotSD, run it, no threats reported.
Great, great, and great.

QUOTE
5. Run Avira, and OK BUT still the same 25 hidden files that nothing except Avira seems to find.
Not so great. I have an idea.

Let's give this a try:

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

QUOTE
Rootkit::
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\14292_small[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\desktop.ini
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_rosette[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\editor_tail_r2_c7[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\tt-rain-butterfly-neutral-c3518[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\typeahead_log[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk3c.tmp
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk45.tmp
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk47.tmp
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4a.tmp
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk4e.tmp
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\wbk50.tmp
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[10]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[11]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[12]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[13]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[1]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[2]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[3]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[4]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[5]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[6]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[7]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[8]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn\[9]
KILLALL::
Folder::
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


-screen317
Quizzical
OK, I've run CF via the script. Didn't think to clean out the temp files before I did that, so CF has waded through and deleted a zillion files - but it looks like it didn't get the ones we were targeting.

Straight after it finished I relaunched Kerio (I had disabled it 'cos I thought I was supposed to) but a warning came up saying that Windows Firewall was blocking some functions of Kerio. Never had that before - what should I do about it?

Anyway here's the log, followed by the HJT log.

Thanks again for your continued help.

ComboFix 09-10-07.05 - Compaq_Owner 08/10/2009 23:20.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.560 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\0T3GHDBQ\$css$style.css,$css$growler[1].css
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\fo-bramear[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\footer_ba_atol_abta[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\getmdrcd[1].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCD[2].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\getmdrcd[3].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\getmdrcd[4].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\getmdrcd[5].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[1].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[2].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[3].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[4].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\GetMDRCDPOSTURL[5].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\grey_blue_btn_bg[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\header[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\header_mg[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\hub_top[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\icon_facebook[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\icon_vuzetogo[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\index_head[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mjugbptqmc7inbfqwsdjrlfonkvgzitiq2qgrjvowksjnfugtclgridoucfjzkcinjygvademjrg43dkobviaytenbygu2uaq2clbnegtcwk42vknsrgrbvanctk5mves2lingewn[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql4zeetrvkzhuen2jgu3e2ukoi5cfuvjsg5au2qkvjjhe4rsfkzheqjbsgyzuamzwgu4dgmzwgjadcmzvgiydiqbsijhdkvspii3usnjwjviu4r2eljkten2bjvavks[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql4zestcgkrdfgnkekjkvqwcyjq2tmvkzi42vqqsvijcuon2lgziu6jbwge3eanbqguztqnrrgzadcnbthaydoqbsjfgemvcgkm2uiusvlbmfqtbvgzkvsrzvlbbfkq[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql5cdgwsllfne4vklinavem2bjzle4v2yjridgnkyg5ddgtshijhfcjbtgayuanzrgq2tcmbtiaytgnjqgm2uarbtljfvswsokvfugqksgnau4vsok5meyubtgvmdor[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql5eekvjtgvivanjxiizuwmrsjzgtiuslkzjfqujule2fgwkhkviecjbxgi4uanbvgy4ten2ageztembwg5aeqrkvgm2vcubvg5bdgszsgjhe2ncsjnlfewcrgrmtiu[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\inxw45dfnz2f6mrrgbptcmrql5gviqs2j5cvgvkkjyzu6rsylbgdgnsbgzneuwchjvlfcuzwjvgeejbygu4eamrtgy4dcobvhbadsmjzgyyeatkuijne6rktkvfe4m2pizmfqtbtgzatmwsklbdu2v[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\jubilee[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\large-190x100[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\left_nav_bottom[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\m_filter_icons_2[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\main_view_subheader_bg[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\MAU5CD02[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\mayor_london[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\MPS_My_Station_icon_16x16[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\nav_activities[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\ND5CD7GWOMAYTVZOJ7UKSDJ26X4RV25N[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\new_tickets_nav_r1_c1[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\new_tickets_nav_r1_c15[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\new_tickets_r4_c3[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\new_tickets_top_r1_c3[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_090803_01_travel_dates_btn[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_090914_dest_top_border[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_090914_header01[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_091006_03_img[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_091006_bal_div[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\OFFERS_091006_dubai_images[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\pclip01[1].wmv
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\size=120x90;noperf=1;alias=93242651;kvmn=93242651;target=_blank;aduho=-60;grp=18865187;misc=18865187;adiframe=y[1]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\size=120x90;noperf=1;alias=93242651;kvmn=93242651;target=_blank;aduho=-60;grp=18924078;misc=18924078[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\slider[1].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\small[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\small[2].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\sortby_bg[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\space[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\space[2].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\spacer[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\strapline_generic[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tcode3[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tickets_newsletter_r10_c1[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tickets_newsletter_r14_c6[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tile_city_by_city[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tile_earth-touch[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tile_sanctuary[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\tn_CZTO35PY4Z3CPXRFWUNOVPAPXMBX3H2W[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\toolbar_client_ad_right[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\top_nav_btns[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\trashcan[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\turnon[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\verisign[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\victoria[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\VUZEN-Header2[1].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\web_detail_icons_back[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\xsearch[1].css
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\KP6JCTMZ\xsearch[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\$css$new$reset-fonts-grids.css,$css$new$style.css,$css$new$bucket.css,$css$growler.css,$css$new$client_style[1].css
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\$js$core.js,$js$json.js,$js$swt_message.js,$js$growler.js,$js$browse.js,$js$browse_resize.js,$js$magnet.js,$js$browser_az[1].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[1]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[10]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[11]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[12]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[13]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[14]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[15]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[16]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[17]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[18]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[19]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[2]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[20]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[21]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[22]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[23]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[24]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[25]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[26]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[27]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[28]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[29]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[3]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[30]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[31]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[32]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[33]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[34]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[35]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[36]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[37]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[38]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[39]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[4]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[40]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[41]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[42]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[43]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[5]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[6]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[7]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[8]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\[9]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\2-8216_120x90_Free_BT_CameraPhones_Refresh[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3A2D28[1]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3A2D29[1]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3A2D58[1]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3A2D5B[1]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3CL5273RD5GRL7RC3VOE4CELQVQRUP5V[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3CL5273RD5GRL7RC3VOE4CELQVQRUP5V[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\3E3A6F[1]
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\400x140_dizzee_2[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\42XONMXVHBUCYESY7MVLZDCDS5J2PDPV[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\600x190_gifts10_2[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\7WS476MQMXYMWS676STRHTJOHLVW3BNW[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\aceUAC[1].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\addtobasket[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\AIM_UAC_v2[1].adp
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\AllServices[1].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\atol-logo[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\atw[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\bg-top[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\bg_filter_sidebar_top[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\big_module_bottom[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\Carousel[1].swf
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\CASCD2014[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\CAT8ADHV.03040414649684242
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\CFK5MGDZTVGJTJ6TBONACBZONN4L67HD[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\client_style[1].css
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\controls[1].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\desktop.ini
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\details_tile[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\district[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\filter_keyword_bg[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\flosensing[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\fo-blackwatch[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\frog_bg[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\ga[2].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\getmdrcd[1].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\getmdrcd[2].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\getmdrcd[3].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\getmdrcd[4].xml
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[1].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[2].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[3].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[4].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[5].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[6].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\GetMDRCDPOSTURL[7].aspx
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\hd_icon[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\header-email[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\icon_play_2[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mjugbptqmc7ie3vmr2njfcdgwcpifltkm2ojazfmm2ggzmeunklifnegusjknmcinjygvademjrg43dkobviaytcnrvg4zeaqjxkzdu2skegnme6qkxguzu4sbskyzumnsyji2uwq[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql42u6wjvkfmeewktjnbu2vkvkbefqvcqji3vivbtgznfgtjsjjfe6jbqguyeamzqguytgmbvgbadcmjugy3daqbvj5mtkukyijmvgs2djvkvkucilbkfasrxkrkdgn[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5bdgv2cljkvavc2gvcesvzwijfeutsdjbitkvkigu3umwcckjktgjbtgayuanzrgq2tcmbtia2danbugjaeem2xijnfkuculi2uiskxgzbeussoinefcnkvja2tor[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5fu6scqgmzfowkygngvoqsdi5nfesk2ja2vutsoji2uqrstjndfajbtgayuanzrgq2tcmbtiaytimrwg4zuas2pjbidgmsxlfmdgtkxijbuowssjfneqnk2jzheun[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5gdoncnlblvetrujfbtktcxjzmeeukegjfvkv2wgnhueqkqjqzvcjbwge3eanbqguztqnrrgzadcnbthazdiqcmg42e2wcxkjhdiskdgvgfotsyijiuimslkvlvmm[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5gfqs2wjuzegvs2jzfees22kjgemn2hgzeukqjuifgfmrkuk5ltmjbwga4uamzqgy3dsmbwia4dmmrwhbaeywclkzgteq2wljheuqslljjeyrrxi43esrkbgrauyv[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\inxw45dfnz2f6mrrgbptcmrql5hdotjsjvduossllfjuqucigzmfmtsjknjeosbtjfltiubxgvifqjbwga4uamzqgy3dsmbwia4dmmrxgbae4n2ngjguor2kjnmvgscqja3fqvsojfjver2ignevon[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\large-190x100[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\large-190x100[2].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\loader[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\logo_new[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\LogoFaroLatino16x16[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\nav_account[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\nav_collect[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\nav_control[1].png
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\ND5CD7GWOMAYTVZOJ7UKSDJ26X4RV25N[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c10[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c11[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c2[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c5[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c7[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\new_tickets_nav_r1_c9[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\northern[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\notifier.avira[2].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_090803_01_dots[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_090914_dest_top_spacer[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_091006_bal_foot[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_091006_istanbul_images[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OFFERS_091006_rome_images[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\offers_med[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\OSA_squirrel_120x90_20091109[1].swf
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\overground[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\pclip01[1].wmv
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\pcx[1].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\pngfix[1].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\ranking_4_pixel[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\SGDJH7QG7WK74QY2HRVZVX6DD62L5G2C[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\SGDJH7QG7WK74QY2HRVZVX6DD62L5G2C_1[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\size=120x90;noperf=1;alias=93242651;cfp=1;noaddonpl=y;kvmn=93242651;target=_blank;aduho=-60;grp=38139906;misc=38139906[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\size=120x90;noperf=1;alias=93242651;kvmn=93242651;target=_blank;aduho=-60;grp=930515140;misc=930515140[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\slf[2].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\slider_thumb_arrow2[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\small[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\small[2].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\spacer[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tcodewads_at[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tickets_newsletter_r12_c44[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tickets_newsletter_r15_c10[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tn_HRQRC2XWUAM54D7WS2J4ZKI3V2OSNAEY[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\top_head_en_autumn[1].jpg
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\tpp[1].htm
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\VUZEN-Header[1].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\wloader[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\xsearch_carousel[1].js
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5 . . . . failed to delete
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-06 22:49 . 2009-10-06 22:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-06 22:21 . 2009-10-06 22:21 -------- d-----w- c:\program files\Unlocker
2009-10-06 20:48 . 2009-10-06 20:48 -------- d-----w- c:\program files\Kerio
2009-10-06 20:48 . 2002-04-15 11:28 102912 ------w- c:\windows\system32\drivers\FWDRV.SYS
2009-09-30 20:56 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 20:56 . 2009-10-05 10:10 -------- d-----w- c:\program files\Malwarebytes
2009-09-30 20:56 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 17:26 . 2009-09-30 17:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 17:31 . 2009-09-28 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-09-27 08:16 . 2009-09-27 08:16 -------- d-----w- c:\program files\Trend Micro
2009-09-26 10:03 . 2009-09-26 10:03 -------- d-----w- c:\program files\ERUNT
2009-09-25 21:27 . 2009-09-23 16:02 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-24 21:07 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-24 21:07 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-24 21:07 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-24 21:07 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\program files\Avira
2009-09-24 21:07 . 2009-09-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-24 16:06 . 2009-10-08 19:15 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Azureus
2009-09-23 18:38 . 2009-09-23 18:40 -------- d-----w- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-09-23 17:29 . 2009-09-23 17:29 -------- d-----w- c:\program files\OEBW
2009-09-23 16:02 . 2009-09-25 21:27 -------- d-----w- c:\documents and settings\Compaq_Owner\.housecall6.6
2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-09-22 22:55 . 2009-09-22 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 17:03 . 2009-09-22 17:03 -------- d-----w- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 22:32 . 2009-09-06 12:09 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-08 21:15 . 2005-08-31 14:08 -------- d-----w- c:\program files\TotalRecorder
2009-10-07 18:11 . 2009-02-17 19:53 -------- d-----w- c:\program files\Azureus
2009-10-07 17:08 . 2008-11-06 19:54 -------- d-----w- c:\program files\AIM6
2009-10-06 23:26 . 2005-09-10 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 20:48 . 2005-01-02 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-04 20:00 . 2005-09-03 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2009-09-30 17:26 . 2005-01-01 23:54 -------- d-----w- c:\program files\Java
2009-09-30 17:23 . 2005-06-24 18:16 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-25 22:41 . 2008-05-03 12:10 -------- d-----w- c:\program files\Lavasoft
2009-09-25 22:38 . 2009-08-21 12:08 -------- d-----w- c:\program files\PicaLoader
2009-09-25 22:36 . 2008-05-31 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-22 23:22 . 2008-06-12 17:37 -------- d-----w- c:\program files\PowerPacket
2009-09-06 19:10 . 2005-10-28 16:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Skype
2009-09-06 17:01 . 2009-09-06 17:01 -------- d-----w- c:\program files\CopyFilenames
2009-09-06 15:01 . 2008-10-19 15:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\skypePM
2009-09-06 12:09 . 2008-02-04 16:56 -------- d-----w- c:\program files\Common Files\Logishrd
2009-08-29 08:18 . 2009-08-29 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-08-17 09:01 . 2005-08-30 17:50 63904 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\MSBuild
2009-08-15 13:27 . 2009-08-15 13:27 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 13:23 . 2009-08-15 13:23 -------- d-----w- c:\program files\MSXML 6.0
2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-15 09:32 . 2009-08-14 11:08 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2005-08-31 13:54 -------- d-----w- c:\program files\whisper
2009-07-29 09:23 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2005-09-14 09:58 . 2005-09-09 11:08 20480 ----a-w- c:\program files\Common Files\UninstallDrv.exe
2005-10-28 07:31 . 2005-08-31 11:40 56 --sha-r- c:\windows\system32\5A04C4CEF8.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-27_08.03.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-08 22:32 . 2009-10-08 22:32 16384 c:\windows\temp\Perflib_Perfdata_26c.dat
+ 2009-09-30 17:26 . 2009-09-30 17:26 149280 c:\windows\system32\javaws.exe
+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\javaw.exe
+ 2009-09-30 17:26 . 2009-09-30 17:26 145184 c:\windows\system32\java.exe
+ 2009-09-30 17:26 . 2009-09-30 17:26 537600 c:\windows\Installer\22fac.msi
+ 2009-09-30 16:58 . 2009-09-30 16:58 196608 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-30 16:58 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\30-09-2009\ERDNT.EXE
+ 2009-09-29 05:13 . 2009-09-29 05:13 196608 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-29 05:13 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\29-09-2009\ERDNT.EXE
+ 2009-09-28 14:46 . 2009-09-28 14:46 196608 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-28 14:46 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\28-09-2009\ERDNT.EXE
+ 2009-10-08 16:20 . 2009-10-08 16:20 221184 c:\windows\ERDNT\AutoBackup\08-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-08 16:20 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\08-10-2009\ERDNT.EXE
+ 2009-10-07 15:47 . 2009-10-07 15:47 221184 c:\windows\ERDNT\AutoBackup\07-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-07 15:47 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\07-10-2009\ERDNT.EXE
+ 2009-10-06 15:30 . 2009-10-06 15:30 221184 c:\windows\ERDNT\AutoBackup\06-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-06 15:30 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\06-10-2009\ERDNT.EXE
+ 2009-10-05 08:24 . 2009-10-05 08:24 212992 c:\windows\ERDNT\AutoBackup\05-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-05 08:24 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\05-10-2009\ERDNT.EXE
+ 2009-10-04 18:20 . 2009-10-04 18:20 212992 c:\windows\ERDNT\AutoBackup\04-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-04 18:20 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\04-10-2009\ERDNT.EXE
+ 2009-10-02 14:54 . 2009-10-02 14:54 212992 c:\windows\ERDNT\AutoBackup\02-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-02 14:54 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\02-10-2009\ERDNT.EXE
+ 2009-10-01 12:33 . 2009-10-01 12:33 212992 c:\windows\ERDNT\AutoBackup\01-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-01 12:33 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\01-10-2009\ERDNT.EXE
+ 2009-07-10 09:39 . 2009-07-10 09:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
+ 2009-09-30 17:23 . 2009-09-30 17:23 3938816 c:\windows\Installer\22fa4.msi
+ 2009-09-30 16:58 . 2009-09-30 16:58 7892992 c:\windows\ERDNT\AutoBackup\30-09-2009\Users\00000001\ntuser.dat
+ 2009-09-29 05:13 . 2009-09-29 05:13 7892992 c:\windows\ERDNT\AutoBackup\29-09-2009\Users\00000001\ntuser.dat
+ 2009-09-28 14:46 . 2009-09-28 14:46 7892992 c:\windows\ERDNT\AutoBackup\28-09-2009\Users\00000001\ntuser.dat
+ 2009-10-08 16:20 . 2009-10-08 16:20 7892992 c:\windows\ERDNT\AutoBackup\08-10-2009\Users\00000001\ntuser.dat
+ 2009-10-07 15:47 . 2009-10-07 15:47 7892992 c:\windows\ERDNT\AutoBackup\07-10-2009\Users\00000001\ntuser.dat
+ 2009-10-06 15:30 . 2009-10-06 15:30 7892992 c:\windows\ERDNT\AutoBackup\06-10-2009\Users\00000001\ntuser.dat
+ 2009-10-05 08:24 . 2009-10-05 08:24 7892992 c:\windows\ERDNT\AutoBackup\05-10-2009\Users\00000001\ntuser.dat
+ 2009-10-04 18:20 . 2009-10-04 18:20 7892992 c:\windows\ERDNT\AutoBackup\04-10-2009\Users\00000001\ntuser.dat
+ 2009-10-02 14:54 . 2009-10-02 14:54 7892992 c:\windows\ERDNT\AutoBackup\02-10-2009\Users\00000001\ntuser.dat
+ 2009-10-01 12:33 . 2009-10-01 12:33 7892992 c:\windows\ERDNT\AutoBackup\01-10-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-30 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes\mbam.exe" [2009-09-10 1312080]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\DTV\\DVB-T USB 2.0\\DVB-Tplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\TotalRecorder\\TotalRecorder.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49251:TCP"= 49251:TCP:v
"49251:UDP"= 49251:UDP:v

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [24/07/2008 22:39 17264]
R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [06/10/2009 21:48 102912]
R1 HFSYS;HFSYS;c:\windows\system32\drivers\hfsys.sys [12/01/2004 01:34 19732]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/09/2009 22:07 108289]
R3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;c:\windows\system32\drivers\PCTELSAP.SYS [02/01/2005 01:00 306560]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [17/08/2008 14:48 126984]
R3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [06/04/2006 13:57 18432]
S3 Arcadyan;Arcadyan NDIS Protocol Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\Arcadyan.SYS [20/08/2004 03:14 17422]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\PLCMPR5.SYS --> c:\windows\system32\PLCMPR5.SYS [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 11:11 17280]
S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [06/04/2006 13:56 15488]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [06/11/2008 20:55 24652]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {08422DD0-F4AF-4740-8A75-0201C59D6AC5} = 212.159.6.9,212.159.6.10
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} - hxxp://downloads.exam2score.com/ePenClientSpec.ocx
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\zkvadj3e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 23:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3376)
c:\program files\Unlocker\UnlockerHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~1\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-10-08 23:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-08 22:40
ComboFix2.txt 2009-10-01 17:06
ComboFix3.txt 2009-09-27 08:07

Pre-Run: 60,715,339,776 bytes free
Post-Run: 60,681,048,064 bytes free

759 --- E O F --- 2009-08-15 13:32



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:51, on 08/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kerio\Personal Firewall\PERSFW.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} (ePenClientSpec.ucEPenClientspec) - http://downloads.exam2score.com/ePenClientSpec.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7886 bytes
screen317
Interesting..

QUOTE
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn . . . . failed to delete
Those files are protected, but by what... hmmm. Let's give this a try.


Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  1. Please download The Avenger2 by Swandog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    CODE
    Begin Copying Here:
    Folders to Delete:
    c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn
  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.


-screen317
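The manual step screen317 describes above (copy the path ComboFix reported as "failed to delete" into an Avenger "Folders to Delete:" script) can be automated for logs with more than one such entry. The following is an added example written for this page; it is not code from the thread, from Avenger, ComboFix or Malwarebytes. It assumes only the two formats visible above: the " . . . . failed to delete" marker ComboFix appends to a path, and Avenger's "Folders to Delete:" section with one path per line. The NEVER_DELETE guard and the rule that keeps only the deepest failing folder (mirroring the choice in the post to target krcbu1sn rather than the whole content.ie5 cache) are this example's own assumptions, and the sample log lines are constructed from the ComboFix log earlier in the thread.

```python
"""Turn ComboFix 'failed to delete' lines into an Avenger 'Folders to Delete:' script.

Added example for this thread, not part of any of the tools it names.
"""

# Marker ComboFix appends to a path it could not remove (as seen in the thread's log).
FAILED_MARKER = " . . . . failed to delete"

# Assumed minimal guard: paths that must never be handed to a boot-time deleter,
# because Avenger removes them without asking. Compared case-insensitively,
# without a trailing backslash. Extend as needed; this is not an Avenger feature.
NEVER_DELETE = {
    "c:",
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\documents and settings",
    r"c:\program files",
}

# Constructed sample: three lines taken from the ComboFix log above plus two
# ordinary lines (a plain cache entry and a 'Files Created' entry) that must be ignored.
SAMPLE_COMBOFIX_LOG = r"""
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\TWSALOLE\wloader[1].gif
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5 . . . . failed to delete
c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn . . . . failed to delete

2009-10-06 22:49 . 2009-10-06 22:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
"""


def _norm(path):
    """Normalise a Windows path for comparison: lower-case, no trailing backslash."""
    return path.strip().lower().rstrip("\\")


def failed_deletes(log_text):
    """Return the paths ComboFix flagged as 'failed to delete', in log order, without duplicates."""
    found = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line.endswith(FAILED_MARKER):
            continue
        path = line[: -len(FAILED_MARKER)].strip()
        if path and path not in found:
            found.append(path)
    return found


def drop_ancestors(paths):
    """Keep only the most specific paths.

    If both a folder and one of its subfolders failed to delete, deleting the
    parent would also wipe unrelated cached files under it, so target the child
    only (the same choice the post makes with krcbu1sn versus content.ie5).
    """
    normed = [_norm(p) for p in paths]
    kept = []
    for path, np in zip(paths, normed):
        is_ancestor = any(other != np and other.startswith(np + "\\") for other in normed)
        if not is_ancestor:
            kept.append(path)
    return kept


def is_safe_target(path):
    """Refuse drive roots and the well-known system folders listed in NEVER_DELETE."""
    np = _norm(path)
    if len(np) <= 2 or ":" not in np[:2]:
        return False  # bare drive letter or not a drive-rooted path
    return np not in NEVER_DELETE


def build_avenger_script(log_text):
    """Render the 'Folders to Delete:' section in the form shown in the post, or '' if nothing qualifies."""
    candidates = drop_ancestors(failed_deletes(log_text))
    folders = [p for p in candidates if is_safe_target(p)]
    if not folders:
        return ""
    return "Folders to Delete:\n" + "\n".join(folders) + "\n"


if __name__ == "__main__":
    # Paste the printed block into Avenger exactly as step 6 of the post describes.
    print(build_avenger_script(SAMPLE_COMBOFIX_LOG), end="")
```

Run it against a saved C:\ComboFix.txt by reading the file into `build_avenger_script`; the output for the sample above is the single krcbu1sn line under "Folders to Delete:", which is the script the post gives by hand.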
Quizzical
OK, I've done that and it seems to have shifted the awkward files.

I've also run Avira, to try and confirm, and it's now not reporting any hidden files. The number of warnings it reports has also gone down from 8 in recent scans to 5 - but I don't know if that's significant.

The other thing to mention is that when Avenger rebooted the machine I received a message saying "Windows - No Disk c0000013 Exception processing message Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c" The options available were Cancel, Try Again, Continue. I had to press Continue several times before the box disappeared.

Logs follow....


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\documents and settings\compaq_owner\local settings\temporary internet files\content.ie5\krcbu1sn" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.





Avira AntiVir Personal
Report file date: Sunday, October 11, 2009 21:18

Scanning for 1787120 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : STARSKY

Version information:
BUILD.DAT : 9.0.0.410 18074 Bytes 25/09/2009 11:56:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 13:50:58
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 13:50:58
ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 29/09/2009 08:16:20
ANTIVIR3.VDF : 7.1.6.95 404480 Bytes 09/10/2009 22:48:44
Engineversion : 8.2.1.35
AEVDF.DLL : 8.1.1.2 106867 Bytes 15/09/2009 15:58:02
AESCRIPT.DLL : 8.1.2.35 483707 Bytes 04/10/2009 18:27:00
AESCN.DLL : 8.1.2.5 127346 Bytes 03/09/2009 15:24:42
AERDL.DLL : 8.1.3.2 479604 Bytes 04/10/2009 18:26:57
AEPACK.DLL : 8.2.0.0 422261 Bytes 15/09/2009 15:58:00
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 17/06/2009 14:32:46
AEHEUR.DLL : 8.1.0.167 2011511 Bytes 08/10/2009 19:37:47
AEHELP.DLL : 8.1.7.0 237940 Bytes 03/09/2009 15:24:42
AEGEN.DLL : 8.1.1.67 364916 Bytes 04/10/2009 18:26:36
AEEMU.DLL : 8.1.1.0 393587 Bytes 04/10/2009 18:26:34
AECORE.DLL : 8.1.8.1 184693 Bytes 15/09/2009 15:57:58
AEBB.DLL : 8.1.0.3 53618 Bytes 15/10/2008 10:49:34
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 25/09/2009 21:07:44
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, October 11, 2009 21:18

Starting search for hidden objects.
'64262' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'ntvdm.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'msimn.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'aim6.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'UnlockerAssistant.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ps2.EXE' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wdsvc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'retrorun.exe' - '1' Module(s) have been scanned
Scan process 'PERSFW.exe' - '1' Module(s) have been scanned
Scan process 'NMSAccess.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\' <DRIVE1>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Compaq_Owner\My Documents\Steve\spyware\HijackThis.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\dumprep.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\MRT.exe
[WARNING] The file could not be opened!
Begin scan in 'D:\' <DRIVE2>
Begin scan in 'E:\' <PRESARIO_RP>


End of the scan: Sunday, October 11, 2009 22:14
Used time: 55:56 Minute(s)

The scan has been done completely.

8764 Scanned directories
428739 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
5 Files cannot be scanned
428734 Files not concerned
13310 Archives were scanned
5 Warnings
2 Notes
64262 Objects were scanned with rootkit scan
0 Hidden objects were found
screen317
The warnings just mean that the files were 'in use' and couldn't be scanned. Feel free to do a boot-time scan to avoid that issue.

Please download OTC by OldTimer and save it to your Desktop.
  • Double-click OTC.exe
  • Click the CleanUp! button.
  • Select Yes when the Begin cleanup Process? prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes. If it doesn't, delete it by yourself.


Let me know what issues remain.

-screen317
Quizzical
Thanks, OTC got rid of CF (and not sure what else) and left some things behind which I've deleted manually.

Everything seems to be working fine, Avira scan reports nothing untoward.

Unless you're aware of anything else that should be addressed, I guess I have a clean machine again. (Do we need to understand what it was that was protecting those hidden files?)

Many thanks for your help and patience.




screen317
At this point it is difficult to say what exactly was protecting those files, but they're gone and now I know what to do should I come across it in the future.


Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.

-screen317
Quizzical
Hmmm. I noticed that you'd highlighted this in an earlier posting. I'm puzzled because I don't understand why this hasn't been done already as part of automatic update - which, I've just checked, is turned on.

Now, however, I can't seem to access the update site either by following your link or navigating there myself. There's a brief flash of a message saying (something like) that the site is checking what my machine has and what updates are available and then there's an error message saying that "The website has encountered a problem and cannot display the page you are trying to view". Some links are provided to investigate other options but I haven't so far found anything that helps. The error code displayed is Error number: 0x800703EE, but this is not one of the codes referenced in the list of suggested solutions.

I'll try again tomorrow, but if you have any suggestions in the meantime please let me know and I'll check back to see.

screen317
Hi,

Please download Dial-A-Fix from here.

Save it to your Desktop.

Open Dial-a-fix.exe

Click the green checkmark at the bottom of the window; this should select all options.

Now, click GO.

Allow it to run (the status will be displayed at the bottom), and follow any prompts you receive.


Restart your computer and see if you can access the site now.

-screen317
Quizzical
Well, that was an interesting experience.

1st run of Dial-a-fix
(a) couldn't clean out all the temp files
(b) found a problem with wucltui.dll and then got permanently stuck trying to register wuaueng1.dll

So I rebooted, ran ATF Cleaner to try to delete all temp files, then tried again

2nd run
still (a) and (b) as above

So went looking for copies of the two .dll files, downloaded them, scanned them, pasted them into the windows\system32 folder.

3rd run
still couldn't clean out all the temp files, but did get much further than before; it seemed to be able to register everything until it gave an error message for a file called shdocvw.dll (error code -2147319780: error accessing OLE registry). It couldn't suggest any solution and invited me to email DjLizard with a copy of the log. Shall I do that or is there no need?

I tried finding and replacing that file too, but on a 4th run of dial-a-fix, exactly the same thing happened, so now I'm stuck.

I've tried again to access the Windows Update site (just in case...) but still get the error message saying it can't be accessed.

Here's the dial-a-fix log file in case it's of any use...



Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 6.0.2900.2180
MPC: 76477-OEM
CPU: Intel® Pentium® 4 CPU 3.40GHz (~3400MHz)
CPU: 2 CPU cores present
BIOS: 10/03/2005
Memory (approx): 1023MB
Uptime: 0 hour(s)
Current directory: C:\Documents and Settings\Compaq_Owner\Local Settings\temp
---

13/10/2009 17:57:18 -- Dial-a-fix : [v0.60.0.24] -- started
17:57:19 | Policy scan started
17:57:19 | Policy scan ended - no restrictive policies were found
--- Emptying temp folders ---
17:57:23 | Deleting C:\Documents and Settings\Compaq_Owner\Local Settings\temp...
17:57:23 | C:\Documents and Settings\Compaq_Owner\Local Settings\temp could not be completely emptied, please reboot and try again
17:57:23 | Deleting C:\WINDOWS\temp...
17:57:23 | C:\WINDOWS\temp could not be completely emptied, please reboot and try again
17:57:23 | Deleting C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp...
17:57:23 | C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp could not be completely emptied, please reboot and try again
--- MSI ---
17:57:29 | Registered: C:\WINDOWS\system32\msi.dll
--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
17:57:34 | Unregistered: C:\WINDOWS\system32\msxml.dll
17:57:34 | Registered: C:\WINDOWS\system32\msxml.dll
17:57:34 | Unregistered: C:\WINDOWS\system32\msxml2.dll
17:57:34 | Registered: C:\WINDOWS\system32\msxml2.dll
17:57:36 | Unregistered: C:\WINDOWS\system32\msxml3.dll
17:57:37 | Registered: C:\WINDOWS\system32\msxml3.dll
17:57:37 | Unregistered: C:\WINDOWS\system32\qmgr.dll
17:57:37 | Registered: C:\WINDOWS\system32\qmgr.dll
17:57:37 | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
17:57:37 | Registered: C:\WINDOWS\system32\qmgrprxy.dll
17:57:37 | Unregistered: C:\WINDOWS\system32\winhttp.dll
17:57:37 | Registered: C:\WINDOWS\system32\winhttp.dll
17:57:37 | Registered: C:\WINDOWS\system32\wuapi.dll
17:57:37 | Unregistered: C:\WINDOWS\system32\wuaueng.dll
17:57:38 | Registered: C:\WINDOWS\system32\wuaueng.dll
17:57:38 | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
17:57:38 | Registered: C:\WINDOWS\system32\wuaueng1.dll
17:57:38 | Unregistered: C:\WINDOWS\system32\wucltui.dll
17:57:38 | Registered: C:\WINDOWS\system32\wucltui.dll
17:57:38 | Unregistered: C:\WINDOWS\system32\wups.dll
17:57:38 | Registered: C:\WINDOWS\system32\wups.dll
17:57:38 | Unregistered: C:\WINDOWS\system32\wups2.dll
17:57:39 | Registered: C:\WINDOWS\system32\wups2.dll
17:57:39 | Unregistered: C:\WINDOWS\system32\wuweb.dll
17:57:39 | Registered: C:\WINDOWS\system32\wuweb.dll
17:57:39 | Registered: C:\WINDOWS\system32\ole32.dll
--- SSL/HTTPS/Cryptography ---
17:57:51 | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'
--- Registration: SSL/HTTPS/Cryptography ---
17:57:55 | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
17:57:55 | Registered: C:\WINDOWS\system32\cryptdlg.dll
17:57:55 | Unregistered: C:\WINDOWS\system32\cryptui.dll
17:57:55 | Registered: C:\WINDOWS\system32\cryptui.dll
17:57:55 | Unregistered: C:\WINDOWS\system32\cryptext.dll
17:57:55 | Registered: C:\WINDOWS\system32\cryptext.dll
17:57:56 | Unregistered: C:\WINDOWS\system32\dssenh.dll
17:57:56 | Registered: C:\WINDOWS\system32\dssenh.dll
17:57:56 | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
17:57:56 | Registered: C:\WINDOWS\system32\gpkcsp.dll
17:57:56 | Unregistered: C:\WINDOWS\system32\initpki.dll
17:58:52 | Registered: C:\WINDOWS\system32\initpki.dll
17:58:52 | Unregistered: C:\WINDOWS\system32\licdll.dll
17:58:53 | Registered: C:\WINDOWS\system32\licdll.dll
17:58:53 | Unregistered: C:\WINDOWS\system32\mssign32.dll
17:58:53 | Registered: C:\WINDOWS\system32\mssign32.dll
17:58:53 | Unregistered: C:\WINDOWS\system32\mssip32.dll
17:58:53 | Registered: C:\WINDOWS\system32\mssip32.dll
17:58:54 | Unregistered: C:\WINDOWS\system32\scardssp.dll
17:58:55 | Registered: C:\WINDOWS\system32\scardssp.dll
17:58:55 | Unregistered: C:\WINDOWS\system32\sccbase.dll
17:58:55 | Registered: C:\WINDOWS\system32\sccbase.dll
17:58:55 | Unregistered: C:\WINDOWS\system32\scecli.dll
17:58:55 | Registered: C:\WINDOWS\system32\scecli.dll
17:58:55 | Unregistered: C:\WINDOWS\system32\softpub.dll
17:58:55 | Registered: C:\WINDOWS\system32\softpub.dll
17:58:56 | Unregistered: C:\WINDOWS\system32\slbcsp.dll
17:58:56 | Registered: C:\WINDOWS\system32\slbcsp.dll
17:58:56 | Unregistered: C:\WINDOWS\system32\regwizc.dll
17:58:56 | Registered: C:\WINDOWS\system32\regwizc.dll
17:58:56 | Unregistered: C:\WINDOWS\system32\rsaenh.dll
17:58:56 | Registered: C:\WINDOWS\system32\rsaenh.dll
17:58:56 | Unregistered: C:\WINDOWS\system32\winhttp.dll
17:58:56 | Registered: C:\WINDOWS\system32\winhttp.dll
17:58:56 | Unregistered: C:\WINDOWS\system32\wintrust.dll
17:58:57 | Registered: C:\WINDOWS\system32\wintrust.dll
--- Registration: ActiveX controls/codecs ---
17:58:57 | Registered: C:\WINDOWS\system32\acelpdec.ax
17:58:57 | Registered: C:\WINDOWS\system32\actxprxy.dll
17:58:57 | Registered: C:\WINDOWS\system32\asctrls.ocx
17:58:58 | Registered: C:\WINDOWS\system32\daxctle.ocx
17:58:58 | Registered: C:\WINDOWS\system32\hhctrl.ocx
17:58:58 | Registered: C:\WINDOWS\system32\l3codecx.ax
17:58:58 | Registered: C:\WINDOWS\system32\licmgr10.dll
17:58:58 | Registered: C:\WINDOWS\system32\mpg4ds32.ax
17:59:04 | Registered: C:\WINDOWS\system32\msdxm.ocx
17:59:04 | Registered: C:\WINDOWS\system32\proctexe.ocx
17:59:04 | Registered: C:\WINDOWS\system32\tdc.ocx
17:59:04 | Registered: C:\WINDOWS\system32\wshom.ocx
--- Registration: Control Panel applets ---
17:59:05 | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
17:59:05 | DllInstalled: C:\WINDOWS\system32\appwiz.cpl
17:59:05 | Registered: C:\WINDOWS\system32\appwiz.cpl
17:59:06 | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
17:59:06 | Registered: C:\WINDOWS\system32\nusrmgr.cpl
--- Registration: Direct[X|Draw|Show|Media] ---
17:59:06 | Registered: C:\WINDOWS\system32\quartz.dll
17:59:06 | Registered: C:\WINDOWS\system32\danim.dll
17:59:06 | Registered: C:\WINDOWS\system32\dmscript.dll
17:59:06 | Registered: C:\WINDOWS\system32\dmstyle.dll
17:59:07 | Registered: C:\WINDOWS\system32\dxmasf.dll
17:59:07 | Registered: C:\WINDOWS\system32\dxtmsft.dll
17:59:07 | Registered: C:\WINDOWS\system32\dxtrans.dll
17:59:07 | Registered: C:\WINDOWS\system32\sbe.dll
--- Registration: Programming cores/runtimes ---
17:59:08 | Registered: C:\WINDOWS\system32\atl.dll
17:59:08 | Registered: C:\WINDOWS\system32\corpol.dll
17:59:08 | Registered: C:\WINDOWS\system32\jscript.dll
17:59:08 | Registered: C:\WINDOWS\system32\dispex.dll
17:59:08 | Registered: C:\WINDOWS\system32\scrrun.dll
17:59:08 | Registered: C:\WINDOWS\system32\scrobj.dll
17:59:08 | Registered: C:\WINDOWS\system32\vbscript.dll
17:59:08 | Registered: C:\WINDOWS\system32\wshext.dll
--- Registration: Explorer/IE/OE/shell/WMP ---
17:59:08 | Registered: C:\WINDOWS\system32\activeds.dll
17:59:08 | Registered: C:\WINDOWS\system32\audiodev.dll
17:59:09 | DllInstalled: C:\WINDOWS\system32\browseui.dll
17:59:09 | Registered: C:\WINDOWS\system32\browseui.dll
17:59:09 | Registered: C:\WINDOWS\system32\browsewm.dll
17:59:09 | Registered: C:\WINDOWS\system32\cabview.dll
17:59:09 | Registered: C:\WINDOWS\system32\cdfview.dll
17:59:09 | Registered: C:\WINDOWS\system32\clbcatex.dll
17:59:09 | Registered: C:\WINDOWS\system32\clbcatq.dll
17:59:09 | Registered: C:\WINDOWS\system32\comcat.dll
17:59:10 | Registered: C:\WINDOWS\system32\cscui.dll
17:59:10 | Registered: C:\WINDOWS\system32\credui.dll
17:59:10 | Registered: C:\WINDOWS\system32\datime.dll
17:59:10 | Registered: C:\WINDOWS\system32\devmgr.dll
17:59:10 | Registered: C:\WINDOWS\system32\dfsshlex.dll
17:59:10 | Registered: C:\WINDOWS\system32\dmdlgs.dll
17:59:10 | Registered: C:\WINDOWS\system32\dmdskmgr.dll
17:59:11 | Registered: C:\WINDOWS\system32\dmloader.dll
17:59:11 | Registered: C:\WINDOWS\system32\dmocx.dll
17:59:11 | Registered: C:\WINDOWS\system32\dmview.ocx
17:59:11 | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
17:59:11 | Registered: C:\WINDOWS\system32\dsuiext.dll
17:59:11 | DllInstalled: C:\WINDOWS\system32\dsquery.dll
17:59:11 | Registered: C:\WINDOWS\system32\dsquery.dll
17:59:11 | Registered: C:\WINDOWS\system32\dskquoui.dll
17:59:11 | Registered: C:\WINDOWS\system32\els.dll
17:59:12 | Registered: C:\WINDOWS\system32\es.dll
17:59:12 | Registered: C:\WINDOWS\system32\fontext.dll
17:59:12 | Registered: C:\WINDOWS\system32\hlink.dll
17:59:12 | Registered: C:\WINDOWS\system32\hnetcfg.dll
17:59:12 | Registered: C:\WINDOWS\system32\iedkcs32.dll
17:59:12 | Registered: C:\WINDOWS\system32\iepeers.dll
17:59:12 | DllInstalled: C:\WINDOWS\system32\iesetup.dll
17:59:12 | Registered: C:\WINDOWS\system32\iesetup.dll
17:59:13 | Registered: C:\WINDOWS\system32\ils.dll
17:59:13 | Registered: C:\WINDOWS\system32\imgutil.dll
17:59:13 | Registered: C:\WINDOWS\system32\inetcfg.dll
17:59:13 | Registered: C:\WINDOWS\system32\inetcomm.dll
17:59:13 | DllInstalled: C:\WINDOWS\system32\inseng.dll
17:59:13 | Registered: C:\WINDOWS\system32\inseng.dll
17:59:13 | Registered: C:\WINDOWS\system32\laprxy.dll
17:59:13 | Registered: C:\WINDOWS\system32\lmrt.dll
17:59:14 | Registered: C:\WINDOWS\system32\mlang.dll
17:59:14 | Registered: C:\WINDOWS\system32\mmcndmgr.dll
17:59:14 | Registered: C:\WINDOWS\system32\mmcshext.dll
17:59:14 | Registered: C:\WINDOWS\system32\mscoree.dll
17:59:15 | DllInstalled: C:\WINDOWS\system32\mshtml.dll
17:59:16 | Registered: C:\WINDOWS\system32\mshtml.dll
17:59:16 | Registered: C:\WINDOWS\system32\mshtmled.dll
17:59:16 | Registered: C:\WINDOWS\system32\msieftp.dll
17:59:16 | Registered: C:\WINDOWS\system32\msoeacct.dll
17:59:16 | Registered: C:\WINDOWS\system32\msr2c.dll
17:59:16 | Registered: C:\WINDOWS\system32\msrating.dll
17:59:16 | DllInstalled: C:\WINDOWS\system32\mydocs.dll
17:59:16 | Registered: C:\WINDOWS\system32\mydocs.dll
17:59:17 | Registered: C:\WINDOWS\system32\mstime.dll
17:59:17 | Registered: C:\WINDOWS\system32\netcfgx.dll
17:59:17 | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
17:59:17 | Registered: C:\WINDOWS\system32\netplwiz.dll
17:59:17 | Registered: C:\WINDOWS\system32\netman.dll
17:59:17 | Registered: C:\WINDOWS\system32\netshell.dll
17:59:17 | Registered: C:\WINDOWS\system32\ntmsevt.dll
17:59:18 | Registered: C:\WINDOWS\system32\ntmsmgr.dll
17:59:18 | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
17:59:18 | Registered: C:\WINDOWS\system32\ntmssvc.dll
17:59:18 | DllInstalled: C:\WINDOWS\system32\occache.dll
17:59:18 | Registered: C:\WINDOWS\system32\occache.dll
17:59:18 | Registered: C:\WINDOWS\system32\ole32.dll
17:59:18 | Registered: C:\WINDOWS\system32\oleaut32.dll
17:59:18 | Registered: C:\WINDOWS\system32\oleacc.dll
17:59:19 | Registered: C:\WINDOWS\system32\olepro32.dll
17:59:19 | DllInstalled: C:\WINDOWS\system32\photowiz.dll
17:59:19 | Registered: C:\WINDOWS\system32\photowiz.dll
17:59:19 | Registered: C:\WINDOWS\system32\pngfilt.dll
17:59:19 | Registered: C:\WINDOWS\system32\remotepg.dll
17:59:19 | Registered: C:\WINDOWS\system32\rpcrt4.dll
17:59:19 | Registered: C:\WINDOWS\system32\rshx32.dll
17:59:19 | Registered: C:\WINDOWS\system32\sendmail.dll
17:59:19 | Registered: C:\WINDOWS\system32\slayerxp.dll
17:59:21 | DllInstalled: C:\WINDOWS\system32\shdocvw.dll
18:00:56 | Error during registration of C:\WINDOWS\system32\shdocvw.dll - version: 6.00.2900.3533. The error returned is: Error accessing the OLE registry.
(-2147319780)
18:00:56 | Registered: C:\WINDOWS\system32\shell32.dll
18:00:59 | DllInstalled: C:\WINDOWS\system32\shell32.dll
18:00:59 | Registered: C:\WINDOWS\system32\shmedia.dll
18:00:59 | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
18:00:59 | Registered: C:\WINDOWS\system32\shimgvw.dll
18:00:59 | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
18:01:00 | Registered: C:\WINDOWS\system32\shsvcs.dll
18:01:00 | Registered: C:\WINDOWS\system32\srclient.dll
18:01:00 | Unregistered: C:\WINDOWS\system32\stobject.dll
18:01:00 | Registered: C:\WINDOWS\system32\stobject.dll
18:01:00 | DllInstalled: C:\WINDOWS\system32\themeui.dll
18:01:00 | Registered: C:\WINDOWS\system32\themeui.dll
18:01:00 | Registered: C:\WINDOWS\system32\twext.dll
18:01:01 | DllInstalled: C:\WINDOWS\system32\urlmon.dll
18:01:01 | Registered: C:\WINDOWS\system32\urlmon.dll
18:01:01 | Registered: C:\WINDOWS\system32\userenv.dll
18:01:01 | DllInstalled: C:\WINDOWS\system32\webcheck.dll
18:01:01 | Registered: C:\WINDOWS\system32\webcheck.dll
18:01:02 | Registered: C:\WINDOWS\system32\webvw.dll
18:01:02 | Registered: C:\WINDOWS\system32\winhttp.dll
18:01:02 | DllInstalled: C:\WINDOWS\system32\wininet.dll
18:01:02 | Registered: C:\WINDOWS\system32\zipfldr.dll
18:01:02 | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
18:01:02 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
18:01:02 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
18:01:04 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
18:01:05 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
18:01:05 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
18:01:05 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
18:01:05 | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
18:01:06 | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
18:01:06 | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
18:01:06 | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
18:01:07 | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll
18:01:07 | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll
18:01:07 | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll
18:01:07 | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll
18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll
18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll
18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
18:01:08 | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
18:01:09 | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
18:01:09 | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll
screen317
QUOTE
It couldn't suggest any solution and invited me to email DjLizard with a copy of the log. Shall I do that or is there no need?
Do e-mail him and send him the log; it may be useful for him.


Hmm.


Open up a case with Microsoft and see if they can see why you cannot access the site.
Quizzical
OK, thanks, I've done both of those and I'll let you know what I hear back from either or both.

Quizzical
I've now heard back from Microsoft and have manually downloaded and installed SP3. There was a problem during the installation with a file called dumprep.exe but I don't know what that might mean. I can't delete, rename, move or open it - which is a similar symptom to what I had before when I couldn't access spybotsd and similar.

Still can't access windows update site so waiting to hear if they suggest anything else.

MBAM found two more worm.agents yesterday in System Volume Information. Successfully quarantined.

???
screen317
Hmmm. Let me know if you hear anything else from Microsoft.


What browser are you using to try to access Windows Update? Try it in Firefox with IETAB. Or if you're using Firefox, try it in Internet Explorer.
Quizzical
I normally use Firefox but when I attempted to access the site (update.microsoft.com/windowsupdate) I got a message saying that I must be running IE5 or later, so since then I've tried using IE5.

Whichever way, I still can't get access.

I hadn't heard of IETAB, but have added it to Firefox to try. But the same thing happens - gets to the site, says it's checking my computer, then diverts to error page.

screen317
Hi,

QUOTE
I've tried using IE5.
IE5 is very old; try downloading IE8 to see if it will work with it. If not, keep trying with Microsoft's support and let me know what they tell you.
Quizzical
Chris, I want to ask you please to not close this thread. I have to be away from 23rd October until 1st November so will not be able to post again until then.

MS have so far been unable to resolve things. The initial contact offered 3 suggestions to restore access to Windows update but none of them worked and I have now heard nothing further for the last 3 days so I have no idea what's going on. I'm still really confused as to what nasties are lingering on my PC that still seem to be causing residual problems. At least Avira and MBAM haven't reported any gremlins lately.

I'll update you again on the 1st; thanks for your help and patience so far.

BTW, I've upgraded to IE8 but still the same problem with Windows update access.
screen317
Hi,

Sure I'll leave the topic open for you.


This isn't an issue of malware still on your system. This is a residual issue as a result of damage caused by the malware (cleaning malware doesn't guarantee that all of the damage can be repaired, especially in today's world). Keep trying with Microsoft; see if they'll offer any other suggestions.

-screen317
Quizzical
Hello again,

Not getting much resolved so far with Microsoft. Every few days or so I'll hear something, and I'm quite puzzled/confused about what's going on. I did successfully install SP3 but still couldn't access Windows Update. Then I was told that the registry value CSDVersion in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows should be "0". So I changed it from 300 to 0, after which Windows reported that it wasn't up to date and needed SP2. Now I've been asked to reinstall SP2 and that's where I currently am up to.

Seems to me that there's a problem with "dumprep.exe" because this has cropped up whilst installing both SP3 and SP2 - the setup wizard couldn't copy the file, and I had to continue the setup without the file being copied. I can't manually rename, open, copy or delete the file either. This is similar to a problem I had a while back when the malware had effectively disabled some files and programs. Do you know - if I can find a way to delete it, is this a file that Windows will automatically recreate?

One further question - One of the tools you used with me (Avenger) is not completely gone from my computer. There is an Avenger folder, and also a subfolder which it appears is empty but when I try to delete it Windows says the folder is not empty and won't delete it. Any suggestions?

I take your point that my current issue is not really a malware problem but residual after-effects - so if you think it's time to close this topic down then that's fine. Many, many thanks again for all your help.



screen317
Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    dumprep.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Quizzical
OK, done that, and here's the logfile....

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:51 on 08/11/2009 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "dumprep.exe"
C:\WINDOWS\SDOLD\Download\cf8ec753e88561d2ddb53e183dc05c3e\dumprep.exe --a--- 10752 bytes [17:42 03/09/2008] [00:12 14/04/2008] 8E16BF5600797E678EA97051CF93E6BF
C:\WINDOWS\ServicePackFiles\i386\dumprep.exe ------ 10752 bytes [10:44 17/10/2009] [04:42 14/04/2008] 8E16BF5600797E678EA97051CF93E6BF
C:\WINDOWS\system32\dumprep.exe --a--- 10752 bytes [12:00 04/08/2004] [00:56 04/08/2004] (Unable to calculate MD5)

-=End Of File=-
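
An added example, not one of the tools used in this thread: a small Python parser for the SystemLook filefind block above. It records each copy found and checks the others against the copy under ServicePackFiles, which it assumes to be the pristine baseline staged by the service pack installer; on this log it singles out C:\WINDOWS\system32\dumprep.exe as the copy the tool could not hash.

```python
"""Parse a SystemLook ':filefind' report and compare the copies it found."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the filefind report for dumprep.exe posted in this thread,
# embedded verbatim so the parser runs offline.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:51 on 08/11/2009 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "dumprep.exe"
C:\WINDOWS\SDOLD\Download\cf8ec753e88561d2ddb53e183dc05c3e\dumprep.exe --a--- 10752 bytes [17:42 03/09/2008] [00:12 14/04/2008] 8E16BF5600797E678EA97051CF93E6BF
C:\WINDOWS\ServicePackFiles\i386\dumprep.exe ------ 10752 bytes [10:44 17/10/2009] [04:42 14/04/2008] 8E16BF5600797E678EA97051CF93E6BF
C:\WINDOWS\system32\dumprep.exe --a--- 10752 bytes [12:00 04/08/2004] [00:56 04/08/2004] (Unable to calculate MD5)

-=End Of File=-
"""

UNREADABLE = "(Unable to calculate MD5)"
SEARCH_RE = re.compile(r'^Searching for "(?P<term>[^"]+)"$')
# One hit: <path> <six attribute flags> <size> bytes [<timestamp>] [<timestamp>] <MD5 or marker>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<attrs>[-A-Za-z]{6}) "
    r"(?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)

@dataclass
class FileHit:
    path: str
    attrs: str                    # attribute flags exactly as SystemLook prints them
    size: int
    timestamps: Tuple[str, str]   # the two bracketed timestamps, in printed order
    md5: Optional[str]            # None when the tool could not read the file

@dataclass
class Assessment:
    reference: Optional[str] = None                       # copy used as the baseline
    unreadable: List[str] = field(default_factory=list)   # could not be hashed
    matching: List[str] = field(default_factory=list)     # MD5 equals the baseline
    differing: List[str] = field(default_factory=list)    # MD5 differs from the baseline
    unverified: List[str] = field(default_factory=list)   # hashed, but no baseline available

def parse_filefind(text: str) -> Dict[str, List[FileHit]]:
    """Return {search term: [hits]} for every 'Searching for' block in the report."""
    results: Dict[str, List[FileHit]] = {}
    term: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            term = m.group("term")
            results.setdefault(term, [])
            continue
        m = HIT_RE.match(line)
        if m and term is not None:
            md5 = m.group("md5")
            results[term].append(FileHit(
                path=m.group("path"),
                attrs=m.group("attrs"),
                size=int(m.group("size")),
                timestamps=(m.group("ts1"), m.group("ts2")),
                md5=None if md5 == UNREADABLE else md5.upper(),
            ))
    return results

def assess(hits: List[FileHit], reference_marker: str = "\\ServicePackFiles\\") -> Assessment:
    """Sort the copies against the ServicePackFiles copy (assumed to be the pristine baseline)."""
    ref = next((h for h in hits if reference_marker.lower() in h.path.lower() and h.md5), None)
    a = Assessment(reference=ref.path if ref else None)
    for h in hits:
        if ref is not None and h.path == ref.path:
            continue
        if h.md5 is None:
            a.unreadable.append(h.path)   # locked or inaccessible: the symptom seen in this thread
        elif ref is None:
            a.unverified.append(h.path)
        elif h.md5 == ref.md5:
            a.matching.append(h.path)
        else:
            a.differing.append(h.path)
    return a

if __name__ == "__main__":
    for term, hits in parse_filefind(SAMPLE_LOG).items():
        print(term, assess(hits))
```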

screen317
Hi,

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

QUOTE
FCOPY::
C:\WINDOWS\ServicePackFiles\i386\dumprep.exe | C:\WINDOWS\system32\dumprep.exe



Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


-screen317
Quizzical
Hi,

Thanks again. I tried to download and use ComboFix again but the link to it from BleepingComputer didn't work. I've come now to try again a few hours later and seen a message that CF has been taken offline for a while.

Anyway, in the meantime I've been transferred to a different support guy at microsoft and things seem to be moving. He's sent me a clean copy of dumprep.exe. At first the existing copy wouldn't allow itself to be replaced but then when I tried again it worked - no idea why.

So I now have a hassle-free installation of SP3, and Windows Update appears to be working fine. The only problem left (if it is a problem) is that every time I reboot Windows Update wants me to download and install its malicious software removal tool. My understanding is that this should be a once-a-month job, so it may be that there is still something not quite right.

The other question I have from a couple of posts ago is how to get rid of the residual Avenger folder(s) still on my system.

Although I didn't run CF, here's a new log from HJT ....

Bye for now


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:32:28, on 11/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccess.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} (ePenClientSpec.ucEPenClientspec) - http://downloads.exam2score.com/ePenClientSpec.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8502 bytes
screen317
Hi,

Glad to hear things are better.

Regarding the Malicious Software Removal Tool, just set the update to ignore. It's doubtful you have any malicious software left after the cleanup we did. If you would really like to investigate it further, continue with your Microsoft support ticket and they may have a solution for you. Regarding the Avenger folder, please do the following:

Quizzical
??

screen317
My apologies... posted prematurely.

Please download OTC by OldTimer and save it to your Desktop.
  • Double-click OTC.exe
  • Click the CleanUp! button.
  • Select Yes when the Begin cleanup Process? prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes. If it doesn't, delete it by yourself.


See if the folder is gone now.

-screen317
Quizzical
Nope, sorry, that hasn't shifted it. I've also tried the Unlocker utility I've mentioned before but that hasn't deleted it either. So there's still a folder called Avenger, and a subfolder called krcbu1sn which appears to be empty but which apparently isn't.

Screenshot attached


screen317
Hi,

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Try deleting it again.

-screen317
Quizzical
No, that hasn't shifted it either - same result, same error message.

The Windows issues do now seem to be resolved, so if we can shift these folders then I think all will finally be well.
screen317
In Safe Mode, try Unlocker on the subfolders. Let me know if any in particular throw up errors.
Invision Power Board © 2001-2009 Invision Power Services, Inc.