Hi,
I’m new to AVAST. Hopefully someone can help me! I recently had the ‘general antivirus’ trojan, which I removed. My computer is now slow and I’m having difficulties with Internet Explorer. If I google something and click on a link, it redirects me to a completely random site. I can only avoid this is by ‘open link in new window’. My antivirus (provided by my BB supplier) isn’t picking up any viruses and I’ve also tried malware bytes, CCleaner, AdAware, etc to no avail.

I’ll post my hijackthis in a sec. Any help would be much appreciated as this is driving me insane!!

Cheers.

Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Users\John\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Virgin Broadband\PCguard\RPS.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [Broadbandadvisor.exe] “C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe” /AUTORUN
O4 - HKLM..\Run: [Google Quick Search Box] “C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe” /autorun
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [Adobe ARM] “C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe”
O4 - HKCU..\Run: [CTSyncU.exe] “C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe”
O4 - HKCU..\Run: [swg] “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU..\Run: [PCLG] “C:\ProgramData\811de55\PC811d.exe” /s
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - Startup: Dropbox.lnk = C:\Users\John\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: Google Sidewiki… - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - http://launcher.station.sony.com/weblauncher/plugin/1.0.3.93/SOEWebInstaller.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1228688230_2679befa0132618993ca7864ad15ca13&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9659db5b11510) (gupdate1c9659db5b11510) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Virgin Broadband PCguard (Radialpoint Security Services) - Radialpoint SafeCare Inc. - C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
O23 - Service: Virgin Broadband PCguard SafeConnectAgent (RadialpointSafeConnectAgent) - Sana Security - C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

–
End of file - 10631 bytes

Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
after install click UPDATE and run quick scan, click on REMOVE SELECTED to quarantine anything found

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found come back and post the scan logs here

Hi there is nothing showing on Hijackthis. However, lets kill the malware any way. MBAM can not kill this one

Two programmes to run

Download TDSSKiller and save it to your Desktop.

[*]Extract the file and run it.
[*]Once completed it will create a log in your [b]C:[/b] drive
[*]Please post the contents of that log

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks Essexboy - much appreciated.

Here’s the tdsskiller log:

23:02:29:516 28992 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
23:02:29:517 28992 ================================================================================
23:02:29:517 28992 SystemInfo:

23:02:29:517 28992 OS Version: 6.0.6001 ServicePack: 1.0
23:02:29:517 28992 Product type: Workstation
23:02:29:517 28992 ComputerName: HOME-LAPTOP
23:02:29:517 28992 UserName: John
23:02:29:517 28992 Windows directory: C:\Windows
23:02:29:517 28992 Processor architecture: Intel x86
23:02:29:517 28992 Number of processors: 2
23:02:29:517 28992 Page size: 0x1000
23:02:29:574 28992 Boot type: Normal boot
23:02:29:574 28992 ================================================================================
23:02:30:967 28992 UnloadDriverW: NtUnloadDriver error 2
23:02:30:967 28992 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:02:58:207 28992 wfopen_ex: Trying to open file C:\Windows\system32\config\system
23:02:58:260 28992 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:02:58:260 28992 wfopen_ex: Trying to KLMD file open
23:02:58:261 28992 wfopen_ex: File opened ok (Flags 2)
23:02:58:283 28992 wfopen_ex: Trying to open file C:\Windows\system32\config\software
23:02:58:305 28992 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:02:58:305 28992 wfopen_ex: Trying to KLMD file open
23:02:58:306 28992 wfopen_ex: File opened ok (Flags 2)
23:02:58:307 28992 Initialize success
23:02:58:307 28992
23:02:58:307 28992 Scanning Services …
23:03:01:106 28992 GetAdvancedServicesInfo: Raw services enum returned 447 services
23:03:01:112 28992
23:03:01:112 28992 Scanning Kernel memory …
23:03:01:113 28992 Devices to scan: 1
23:03:01:113 28992
23:03:01:113 28992 Driver Name: atapi
23:03:01:113 28992 IRP_MJ_CREATE : 8586ACA1
23:03:01:113 28992 IRP_MJ_CREATE_NAMED_PIPE : 8586ACA1
23:03:01:113 28992 IRP_MJ_CLOSE : 8586ACA1
23:03:01:113 28992 IRP_MJ_READ : 8586ACA1
23:03:01:113 28992 IRP_MJ_WRITE : 8586ACA1
23:03:01:113 28992 IRP_MJ_QUERY_INFORMATION : 8586ACA1
23:03:01:113 28992 IRP_MJ_SET_INFORMATION : 8586ACA1
23:03:01:113 28992 IRP_MJ_QUERY_EA : 8586ACA1
23:03:01:113 28992 IRP_MJ_SET_EA : 8586ACA1
23:03:01:113 28992 IRP_MJ_FLUSH_BUFFERS : 8586ACA1
23:03:01:113 28992 IRP_MJ_QUERY_VOLUME_INFORMATION : 8586ACA1
23:03:01:113 28992 IRP_MJ_SET_VOLUME_INFORMATION : 8586ACA1
23:03:01:113 28992 IRP_MJ_DIRECTORY_CONTROL : 8586ACA1
23:03:01:114 28992 IRP_MJ_FILE_SYSTEM_CONTROL : 8586ACA1
23:03:01:114 28992 IRP_MJ_DEVICE_CONTROL : 8586ACA1
23:03:01:114 28992 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8586ACA1
23:03:01:114 28992 IRP_MJ_SHUTDOWN : 8586ACA1
23:03:01:114 28992 IRP_MJ_LOCK_CONTROL : 8586ACA1
23:03:01:114 28992 IRP_MJ_CLEANUP : 8586ACA1
23:03:01:114 28992 IRP_MJ_CREATE_MAILSLOT : 8586ACA1
23:03:01:114 28992 IRP_MJ_QUERY_SECURITY : 8586ACA1
23:03:01:114 28992 IRP_MJ_SET_SECURITY : 8586ACA1
23:03:01:114 28992 IRP_MJ_POWER : 8586ACA1
23:03:01:114 28992 IRP_MJ_SYSTEM_CONTROL : 8586ACA1
23:03:01:114 28992 IRP_MJ_DEVICE_CHANGE : 8586ACA1
23:03:01:114 28992 IRP_MJ_QUERY_QUOTA : 8586ACA1
23:03:01:114 28992 IRP_MJ_SET_QUOTA : 8586ACA1
23:03:01:114 28992 Driver “atapi” infected by TDSS rootkit!
23:03:01:218 28992 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
23:03:01:218 28992 File “C:\Windows\system32\drivers\atapi.sys” infected by TDSS rootkit … 23:03:01:219 28992 Processing driver file: C:\Windows\system32\drivers\atapi.sys
23:03:06:791 28992 vfvi6
23:03:07:252 28992 dsvbh1
23:03:16:063 28992 fdfb1
23:03:16:063 28992 Backup copy found, using it…
23:03:16:857 28992 will be cured on next reboot
23:03:16:857 28992 Reboot required for cure complete…
23:03:16:972 28992 Cure on reboot scheduled successfully
23:03:16:972 28992
23:03:16:972 28992 Completed
23:03:16:972 28992
23:03:16:972 28992 Results:
23:03:16:972 28992 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
23:03:16:972 28992 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:03:16:973 28992 File objects infected / cured / cured on reboot: 1 / 0 / 1
23:03:16:973 28992
23:03:16:973 28992 fclose_ex: Trying to close file C:\Windows\system32\config\system
23:03:16:974 28992 fclose_ex: Trying to close file C:\Windows\system32\config\software
23:03:16:974 28992 UnloadDriverW: NtUnloadDriver error 1
23:03:16:974 28992 KLMD_Unload: UnloadDriverW(klmd21) error 1
23:03:16:976 28992 MyDeleteFileW: MyNtCreateFile (C:\Windows\system32\drivers\klmd.sys) error 32
23:03:16:976 28992 KLMD_Unload: MyDeleteFileW(C:\Windows\system32\drivers\klmd.sys) error 32
23:03:16:976 28992 KLMD(ARK) unloaded successfully

I did the combofix and got the log file, however when I tried to open Internet Explorer to log in to AVAST and post the log file, I got a message “Illegal operation - this registry file is marked for deletion”. The same when I tried to log in through safari and google chrome. Is there any way I can get around this to post the log file for you? NB. I’m using my work internet access to post this!

Have you resatarted the computer - as TDSSKiller removed the miscreant and combofix probably found the trigger

Thanks very much essexboy - that’s worked. Here’s the combofix log, everything seems fine now. Do you reckon it has removed all the infections??

ComboFix 10-03-15.04 - John 16/03/2010 6:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.983 [GMT 0:00]
Running from: c:\users\John\Desktop\ComboFix.exe
AV: PCguard Anti-Virus On-access scanning enabled (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall enabled {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: PCguard Anti-Spyware enabled (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
SP: Windows Defender enabled (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:$recycle.bin\S-1-5-21-2504813295-3130201690-886361440-1001
c:\windows\dbplugin.exe
c:\windows\dbplugin.ocx
c:\windows\eSellerateEngine.dll
c:\windows\npdbplug.dll
c:\windows\npdbplug.xpt
c:\windows\system32\oem11.inf

c:\windows\system32\drivers\tskA325.tmp . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
.

2010-03-16 06:43 . 2010-03-16 06:48 -------- d-----w- c:\users\John\AppData\Local\temp
2010-03-16 06:43 . 2010-03-16 06:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-16 06:43 . 2010-03-16 06:43 -------- d-----w- c:\users\Boo\AppData\Local\temp
2010-03-16 03:01 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-16 03:01 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-16 03:01 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-15 23:02 . 2010-03-15 23:02 36488 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-03-15 21:39 . 2010-03-15 21:39 -------- d-----w- c:\program files\Trend Micro
2010-03-10 22:52 . 2010-03-11 20:15 -------- dc-h–w- c:\programdata~1
2010-03-10 21:45 . 2010-03-10 22:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-10 21:36 . 2010-03-10 21:36 -------- d-----w- c:\users\John\AppData\Local\Threat Expert
2010-03-10 12:15 . 2010-03-10 13:05 -------- dc-h–w- c:\programdata~0
2010-03-10 12:13 . 2010-03-11 20:14 -------- d-----w- c:\programdata\Lavasoft
2010-03-10 11:14 . 2010-03-11 06:37 -------- d-----w- c:\program files\Malwarebytes’ Anti-Malware
2010-03-10 10:36 . 2010-03-10 10:38 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-03-10 09:22 . 2010-03-10 09:22 -------- d-----w- c:\users\John\Office Genuine Advantage
2010-03-09 20:32 . 2010-03-09 20:43 -------- d-----w- c:\programdata\RegCure
2010-03-09 20:32 . 2010-03-09 20:43 -------- d-----w- c:\program files\RegCure
2010-03-08 20:08 . 2010-03-08 20:08 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-03-07 14:04 . 2010-03-07 14:04 -------- d-----w- c:\windows\Sun
2010-03-05 22:55 . 2010-03-05 22:55 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2010-03-05 22:55 . 2010-03-05 22:55 -------- d-----w- c:\programdata\Malwarebytes
2010-02-26 21:57 . 2010-02-26 21:57 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-24 02:28 . 2010-01-23 09:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 02:27 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 02:27 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 02:27 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 02:27 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 02:27 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 02:27 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 02:27 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 02:27 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 02:27 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-16 23:15 . 2010-02-16 23:15 -------- d-----w- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 06:44 . 2009-10-27 21:11 970052 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-16 06:44 . 2009-10-27 21:11 72767776 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-16 06:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-16 00:40 . 2008-12-14 11:27 -------- d-----w- c:\programdata\Google Updater
2010-03-16 00:36 . 2008-01-21 02:23 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-16 00:26 . 2010-03-16 00:26 21560 ----a-w- c:\windows\system32\drivers\tskA325.tmp
2010-03-14 19:47 . 2009-06-17 09:57 -------- d-----w- c:\program files\Safari
2010-03-12 06:58 . 2010-01-20 09:13 -------- d-----w- c:\users\John\AppData\Roaming\Dropbox
2010-03-11 22:13 . 2008-06-25 12:47 1356 ----a-w- c:\users\John\AppData\Local\d3d9caps.dat
2010-03-11 21:36 . 2008-06-25 13:03 -------- d–h–w- c:\program files\InstallShield Installation Information
2010-03-11 21:32 . 2009-07-10 22:29 -------- d-----w- c:\users\John\AppData\Roaming\Teleca
2010-03-11 21:32 . 2009-07-10 22:16 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-03-11 21:18 . 2009-10-29 14:45 -------- d-----w- c:\program files\Tronjiworld
2010-03-11 20:31 . 2008-08-16 19:06 -------- d-----w- c:\users\John\AppData\Roaming\Samsung
2010-03-11 20:31 . 2009-07-27 18:47 -------- d-----w- c:\program files\Spotify
2010-03-11 20:30 . 2008-07-16 21:10 -------- d-----w- c:\program files\Samsung
2010-03-10 11:56 . 2009-07-27 18:47 -------- d-----w- c:\users\John\AppData\Roaming\Spotify
2010-03-08 20:17 . 2008-12-07 22:16 -------- d-----w- c:\program files\Java
2010-02-24 10:04 . 2008-06-29 21:38 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-24 09:16 . 2009-10-03 00:42 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 07:04 . 2008-06-25 12:47 85384 ----a-w- c:\users\John\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 06:59 . 2009-07-20 21:40 85384 ----a-w- c:\users\Boo\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-16 23:16 . 2009-11-25 13:41 -------- d-----w- c:\program files\iTunes
2010-02-16 23:15 . 2008-07-17 19:35 -------- d-----w- c:\program files\Common Files\Apple
2010-02-05 20:34 . 2008-06-29 21:37 -------- d-----w- c:\program files\Google
2010-02-01 16:50 . 2010-02-01 16:50 -------- d-----w- c:\program files\Sony Online Entertainment
2010-01-30 07:43 . 2010-01-30 07:43 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-01-30 02:35 . 2010-01-07 13:39 -------- d-----w- c:\programdata\811de55
2010-01-20 09:13 . 2010-01-20 09:13 13515048 ----a-w- c:\users\John\Dropbox 0.7.97.exe
2010-01-05 16:56 . 2010-01-05 16:56 336 ----a-w- c:\users\Boo\AppData\Local\d3d8caps.dat
2009-12-28 12:35 . 2010-02-10 11:36 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-10 11:36 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32 . 2010-02-10 11:36 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32 . 2010-02-10 11:36 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32 . 2010-02-10 11:36 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32 . 2010-02-10 11:36 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31 . 2010-02-10 11:36 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31 . 2010-02-10 11:36 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28 . 2010-02-10 11:36 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28 . 2010-02-10 11:36 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-18 13:05 . 2010-01-22 10:09 833024 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 13:01 . 2010-01-22 10:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:14 . 2010-01-22 10:09 26624 ----a-w- c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@=“{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}”
[HKEY_CLASSES_ROOT\CLSID{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@=“{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}”
[HKEY_CLASSES_ROOT\CLSID{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@=“{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}”
[HKEY_CLASSES_ROOT\CLSID{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTSyncU.exe”=“c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe” [2007-07-17 868352]
“swg”=“c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-12-14 39408]
“ehTray.exe”=“c:\windows\ehome\ehTray.exe” [2008-01-21 125952]
“WMPNSCFG”=“c:\program files\Windows Media Player\WMPNSCFG.exe” [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Windows Defender”=“c:\program files\Windows Defender\MSASCui.exe” [2008-01-21 1008184]
“IgfxTray”=“c:\windows\system32\igfxtray.exe” [2008-02-15 141848]
“HotKeysCmds”=“c:\windows\system32\hkcmd.exe” [2008-02-15 166424]
“Persistence”=“c:\windows\system32\igfxpers.exe” [2008-02-15 133656]
“Broadcom Wireless Manager UI”=“c:\windows\system32\WLTRAY.exe” [2007-12-08 3444736]
“Apoint”=“c:\program files\DellTPad\Apoint.exe” [2007-10-25 167936]
“TkBellExe”=“c:\program files\Common Files\Real\Update_OB\realsched.exe” [2008-06-30 185632]
“Google Desktop Search”=“c:\program files\Google\Google Desktop Search\GoogleDesktop.exe” [2009-11-04 30192]
“WPCUMI”=“c:\windows\system32\WpcUmi.exe” [2006-11-02 176128]
“SunJavaUpdateSched”=“c:\program files\Java\jre6\bin\jusched.exe” [2008-12-07 136600]
“AppleSyncNotifier”=“c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe” [2009-08-13 177440]
“Broadbandadvisor.exe”=“c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe” [2009-01-29 2303216]
“Google Quick Search Box”=“c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe” [2009-07-17 122368]
“QuickTime Task”=“c:\program files\QuickTime\QTTask.exe” [2009-11-10 417792]
“iTunesHelper”=“c:\program files\iTunes\iTunesHelper.exe” [2010-01-22 141608]
“Adobe Reader Speed Launcher”=“c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2009-12-18 40368]
“Adobe ARM”=“c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe” [2009-12-11 948672]

c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Dropbox.lnk - c:\users\John\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“EnableUIADesktopToggle”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“AppInit_DLLs”=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“aux”=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@=“FSFilter System Recovery”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=“Service”

R2 gupdate1c9659db5b11510;Google Update Service (gupdate1c9659db5b11510);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 133104]
R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-11-04 30192]
R3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\DRIVERS\lgmcbus.sys [2008-01-09 83584]
R3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\DRIVERS\lgmcmdfl.sys [2008-01-09 14976]
R3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\DRIVERS\lgmcmdm.sys [2008-01-09 110464]
R3 lgmcmgmt;LGE Mobile USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\lgmcmgmt.sys [2008-01-09 104448]
R3 lgmcnd5;LGE Mobile USB WMC Ethernet ELDA (NDIS);c:\windows\system32\DRIVERS\lgmcnd5.sys [2008-01-09 25344]
R3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\DRIVERS\lgmcobex.sys [2008-01-09 100480]
R3 lgmcunic;LGE Mobile USB WMC Ethernet ELDA (WDM);c:\windows\system32\DRIVERS\lgmcunic.sys [2008-01-09 109952]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-09-22 910600]
R3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [2009-10-27 175184]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-26 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-01-11 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-01-11 345832]
S2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-09-22 693512]
S2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe RadialpointSafeConnectAgent
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-01-11 972008]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-06 111616]
S3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_VISTA\SafeConnectDriver.sys [2008-11-14 161304]
S3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_VISTA\SafeConnectFilter.sys [2008-11-14 29720]
S3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_VISTA\SafeConnectShim.sys [2008-11-14 29248]

.
Contents of the ‘Scheduled Tasks’ folder

2010-03-16 c:\windows\Tasks\Google Software Updater.job

• c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-29 12:20]

2010-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

• c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 09:50]

2010-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

• c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 09:50]

2010-03-16 c:\windows\Tasks\User_Feed_Synchronization-{FEA26F12-4382-46AD-80C6-F00AAEBA778B}.job

• c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
  .
  .

------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Google Sidewiki… - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
.

• • • • ORPHANS REMOVED - - - -

HKCU-Run-PCLG - c:\programdata\811de55\PC811d.exe
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-klmdb.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 06:56
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi]
“ImagePath”=“system32\drivers\tskA325.tmp”
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

• • • • • • • ‘Explorer.exe’(6880)
              c:\program files\Trusteer\Rapport\bin\rooksbas.dll
              c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\program files\Virgin Broadband\PCguard\Fws.exe
              c:\windows\System32\WLTRYSVC.EXE
              c:\windows\System32\bcmwltry.exe
              c:\windows\system32\WLANExt.exe
              c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              c:\program files\Bonjour\mDNSResponder.exe
              c:\program files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
              c:\program files\Raxco\PerfectDisk2008\PD91AgentS1.exe
              c:\windows\system32\RacAgent.exe
              .

.
Completion time: 2010-03-16 07:03:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-16 07:03

Pre-Run: 26,922,516,480 bytes free
Post-Run: 27,329,769,472 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=3 Sets=1,2,3,20

• • End Of File - - 9697667FF7C12AF446FA764C8DE51153

Yep looks better I would like to do one other scan to check that all is gone

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Reg - Shell Spawning
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32*.dll /lockedfiles
%systemroot%\Tasks*.job /lockedfiles
%systemroot%\system32\drivers*.sys /lockedfiles
%systemroot%\System32\config*.sav

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

How’s this looking??

http://www.mediafire.com/?iiekmimlyuj

Not bad

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY ->  ~1 -> C:\ProgramData\~1
NY ->  TEMP -> C:\ProgramData\TEMP
NY ->  ~0 -> C:\ProgramData\~0
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Files\Folders moved on Reboot…
C:\Users\John\AppData\Local\Temp\Low\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
File\Folder C:\Users\John\AppData\Local\Temp~DF511.tmp not found!
File\Folder C:\Users\John\AppData\Local\Temp~DF51D.tmp not found!
File\Folder C:\Users\John\AppData\Local\Temp~DFD5D1.tmp not found!
File\Folder C:\Users\John\AppData\Local\Temp~DFD607.tmp not found!
C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\John\AppData\Roaming\Trusteer\Rapport\user\logs\koan.3224.log moved successfully.
C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZC3VN6G7\index[2].htm moved successfully.

Registry entries deleted on Reboot…

Do you have the MBAM log please

Sorry, I had a 730 (0)(0) error code when I tried to install it. I managed to get around it though, here’s the log:

Malwarebytes’ Anti-Malware 1.44
Database version: 3884
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

18/03/2010 22:32:11
mbam-log-2010-03-18 (22-32-11).txt

Scan type: Quick Scan
Objects scanned: 119470
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What problems do you have now ?

Everything seems fine to me! Thanks very much for all of your help, I really appreciate it. Do you reckon it is totally clean now?

It can never be guaranteed 100% - but lack of symptoms is a good indicator

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.

VISTA
To manually create a new Restore Point
[*]Go to Control Panel and select System and Maintenance
[*]Select System
[*]On the left select Advance System Settings and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create
Now we can purge the infected ones

[*]Go back to the System and Maintenance page
[*]Select Performance Information and Tools
[*]On the left select Open Disk Cleanup
[*]Select Files from all users and accept the warning if you get one
[*]In the drop down box select your main drive i.e. C
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[]Select OK
[]Select Delete
You are now done

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job
[*]Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe