I have been hit with a trojan called Win32-Agent-HDR; this was in the Local Settings\Temp. Internet. Also in my C:\ are two others named Recycler and System Volume Information. I am not able to delete these two folders because it will not allow me access. Also, on every file and folder it has put in a Thumbs file, and every time I delete these Thumbs they return later. Every time I empty the Recycle Bin it turns up in the Recycler folder, and the System Vol. Info. shows as empty but it does contain files, but they are hidden. Also Avast now treats these folders as normal so they don't show as a virus. Any help please. Regards. John. PS. The trojan (Win32-Agent-HDR) has been removed.
Download ComboFix from Here or Here to your Desktop.
[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
- Click here to download HJTsetup.exe
[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
2007-05-29 16:20 2210 --a------ C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
2007-06-07 16:23 32 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\Quarantine\ppqdb.dat.vir
2007-06-07 16:23 32 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\Quarantine\ppqsdb.dat.vir
Folder PATH listing
Volume serial number is A0A8-9E92
C:\QOOBOX
\---Quarantine
+---C
| \---WINDOWS
| | wr.txt.vir
| |
| \---DOWNLO~1
| \---Quarantine
| ppqdb.dat.vir
| ppqsdb.dat.vir
|
\---Registry_backups
Is this right? Having trouble pasting the HJT log, too many words. John
ComboFix 07-06-11.3 - C:\Documents and Settings\John\My Documents\ComboFix.exe
"John" - 2007-06-11 15:53:17 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\DOWNLO~1.\Quarantine
C:\WINDOWS\DOWNLO~1.\Quarantine\ppqdb.dat
C:\WINDOWS\DOWNLO~1.\Quarantine\ppqsdb.dat
C:\WINDOWS\wr.txt
HJT.Part-1
((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))
2007-06-11 15:51 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 17:36 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-10 17:35 d-------- C:\Program Files\SUPERAntiSpyware
2007-06-10 17:35 d-------- C:\DOCUME~1\John\APPLIC~1\SUPERAntiSpyware.com
2007-06-10 17:06 14 --a------ C:\DOCUME~1\John\getfile.dat
2007-06-10 16:49 14 --a------ C:\WINDOWS\system32\getfile.dat
2007-06-08 16:51 d-------- C:\Program Files\a-squared Free
2007-06-08 16:51 d-------- C:\Program Files\a-squared
2007-06-08 16:36 d--h----- C:\WINDOWS\PIF
2007-06-08 16:36 d-------- C:\Program Files\Enigma Software Group
2007-06-07 22:00 d--hs---- C:\RECYCLER
2007-06-06 21:17 831,488 --------- C:\WINDOWS\UNMRW.exe
2007-06-06 21:17 7,582 --------- C:\WINDOWS\system32\drivers\incdrm.sys
2007-05-30 19:51 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-30 16:55 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-29 17:10 d-------- C:\WINDOWS\SxsCaPendDel
2007-05-29 16:46 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-05-26 20:47 217 --a------ C:\WINDOWS\rayiou.exe
2007-05-15 01:39 65,045 --a------ C:\WINDOWS\b138.exe
2007-05-14 17:56 14,155,776 --a------ C:\DOCUME~1\John\ntuser.dat
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-10 20:43:09 -------- d-----w C:\DOCUME~1\John\APPLIC~1\uTorrent
2007-06-10 16:35:13 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-08 15:36:48 -------- d-----w C:\Program Files\RegScrubXP
2007-06-06 20:28:39 155,648 ------w C:\WINDOWS\system32\NeroCheck.exe
2007-06-06 20:17:45 -------- d-----w C:\Program Files\Ahead
2007-06-05 13:16:53 -------- d-----w C:\Program Files\Movie Maker
2007-06-05 13:16:46 -------- d-----w C:\Program Files\gPhotoShow
2007-06-05 13:15:39 -------- d-----w C:\Program Files\QuickTime
2007-06-05 13:15:38 -------- d-----w C:\Program Files\Wallpaper Show
2007-06-05 13:14:52 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-06-05 13:14:50 -------- d-----w C:\Program Files\MagicISO
2007-06-05 13:14:45 -------- d-----w C:\Program Files\Messenger
2007-06-03 22:05:30 -------- d-----w C:\DOCUME~1\John\APPLIC~1\Help
2007-06-01 20:05:40 -------- d-----w C:\Program Files\Climate Change Experiment
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-26 20:15:11 -------- d-----w C:\Program Files\Registry Repair 9in1 - RegScrubXP, CCleaner, Free Error Cleaner, RegSeeker, Easy Cleaner, Free Windows Registry Repair, Tweak Now Registry Cleaner and more!
2007-04-23 16:53:52 -------- d-----w C:\Program Files\Jasc Software Inc
2007-04-22 21:15:31 -------- d-----w C:\DOCUME~1\John\APPLIC~1\Windows Desktop Search
2007-04-22 21:14:14 -------- d-----w C:\Program Files\Windows Desktop Search
2007-04-22 16:33:58 -------- d-----w C:\Program Files\Microsoft Office Enterprise 2007
2007-04-22 16:27:06 -------- d-----w C:\Program Files\Microsoft Works
2007-04-22 16:26:14 -------- d-----w C:\Program Files\MSBuild
2007-04-19 15:53:30 -------- d-----w C:\Program Files\microsoft frontpage
2007-04-18 18:28:03 -------- d-----w C:\Program Files\utorrent
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-14 18:59:02 -------- d-----w C:\Program Files\LizardTech
2007-04-14 18:59:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-12 18:22:37 -------- d-----w C:\Program Files\Planet Orbits ScreenSaver 2
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2001-08-18 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 07:56:44 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
Note empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2006-10-26 12:28]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-07 00:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 15:56]
{F97DA966-F09D-4cab-BF29-75A0026986EA}=C:\PROGRA~1\BEARSH~2\BEARSH~1\MediaBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-10-10 22:49 C:\WINDOWS\system32\nwiz.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2002-07-26 06:31]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-27 14:06]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"OpiStat"="C:\Program Files\OpiStat\OpiStat\OpiStat.exe" [2006-04-11 01:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-06 11:15]
"Desktop Tool"="C:\Program Files\Alcatel One Touch PC Suite 2\DesktopTool\DesktopTool.exe" [2003-12-09 18:40]
"NielsenOnline"="C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2006-04-19 07:26]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-15 19:36]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"winupd32"="winupd32.exe"
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2005-06-20 12:10]
"BDNewsAgent"="c:\program files\softwin\bitdefender8\bdnagent.exe" [2005-05-09 12:19]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"winupd32"=winupd32.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
DNSQueryTimeouts 122480
Contents of the 'Scheduled Tasks' folder
2007-06-10 21:32:01 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 16:01:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
? [3040]
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
Completion time: 2007-06-11 16:02:27
C:\ComboFix-quarantined-files.txt … 2007-06-11 16:02
--- E O F ---
HJT.Part-2.
There is a limit on the amount of text you can paste into a post; you can copy and paste it in two posts (or more if need be).
I guess you have now found that out ;D posting away like a wild thing ;D
Yes, this is all new to me; it took some time but I think that I got it right. Is this the info you require? John.
Checking my system files and folders I seem to have a lot of "Ghost" files (not as clear as the other files and folders). I am not sure if this is normal or not. Also I found a log file in c:\docs & settings\allusers\ntuser.dat.log (text doc, 1kb): regf d settings\allusers\ntuser.dat Backdoor:Win32/Sdbot Backdoor:Win32/Sdbot Backdoor:Win32/Sdbot Backdoor:Win32/Sdbot Backdoor:Win32/Sdbot Backdoor:Win32/Sdbot DIRT \Device\HarddiskVolume1\Documents and Settings\All Users\ntuser.dat. I think that the file mentioned, Win32/Sdbot, was deleted on a deep scan when this virus first struck. Does this help in any way? John.
Files that appear slightly faded usually indicate that they have the hidden attribute; this is often a tactic of malware to hide files from view. It is also used for a number of legitimate system files that Windows doesn't want you to mess with, so care has to be exercised, as not all hidden files will be malicious.
When you use Explorer, Tools, Folder Options, View and check the 'Show hidden files and folders' option, this is how they appear in Explorer to indicate they would otherwise be hidden.
This is easy to test: right-click on an ordinary file and select Properties, check the Hidden option and click Apply; now you will see the icon beside the file name fade. Uncheck the Hidden option and click Apply again and it will change to a normal display.
Understood. Now the big question: is my system still infected or am I being paranoid?? John. ???
Well, hopefully essexboy will be back to analyse your ComboFix log that he asked for.
However, check the files that have been newly created and see if you recognise them; if not, google the file names to see if you can get more info on them, and scan suspect files.
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
These two look suspect; a google search is inconclusive (but suspect IMHO) on them, and I would suggest using VirusTotal or Jotti.
((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))
2007-05-26 20:47 217 --a------ C:\WINDOWS\rayiou.exe
2007-05-15 01:39 65,045 --a------ C:\WINDOWS\b138.exe
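As an added example (not code from the thread or from ComboFix), a small Python triage of ComboFix "Files Created" lines that applies the checks DavidR describes by eye: it parses each line and flags executables written straight into the Windows directory, files too small to be a real PE executable, and new files carrying the hidden/system attribute. The sample lines are constructed from the log above and the 1024-byte size threshold is an assumption, not a ComboFix rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines in the format of the ComboFix "Files Created"
# section quoted earlier in this thread (directories carry no size column).
SAMPLE_LOG = r"""
2007-06-11 15:51 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 17:35 d-------- C:\Program Files\SUPERAntiSpyware
2007-06-10 16:49 14 --a------ C:\WINDOWS\system32\getfile.dat
2007-06-06 21:17 831,488 --------- C:\WINDOWS\UNMRW.exe
2007-06-06 21:17 7,582 --------- C:\WINDOWS\system32\drivers\incdrm.sys
2007-05-26 20:47 217 --a------ C:\WINDOWS\rayiou.exe
2007-05-15 01:39 65,045 --a------ C:\WINDOWS\b138.exe
"""

# date  time  [size]  attrs  path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[-A-Za-z]+)\s+(?P<path>.+)$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr", ".pif"}
# Directories where a freshly dropped executable deserves a second look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Heuristic threshold (assumption): a PE with its headers plus a code
# section is normally well above this; a 217-byte ".exe" is not a normal PE.
MIN_PLAUSIBLE_PE = 1024


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Files Created' line; return None for lines in other formats."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = m["size"]
    return Entry(m["date"], m["time"],
                 int(size.replace(",", "")) if size else None,
                 m["attrs"], m["path"])


def assess(entry: Entry) -> list:
    """Return the reasons an entry deserves manual review (empty if none)."""
    reasons = []
    if entry.is_dir:
        return reasons
    parent, _, name = entry.path.lower().rpartition("\\")
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in EXEC_EXT and parent in SYSTEM_DIRS:
        reasons.append("executable written directly into a Windows system directory")
    if ext in EXEC_EXT and entry.size is not None and entry.size < MIN_PLAUSIBLE_PE:
        reasons.append(f"{entry.size} bytes is implausibly small for a PE executable")
    if "h" in entry.attrs or "s" in entry.attrs:
        reasons.append("hidden/system attribute set on a new file")
    return reasons


def triage(log_text: str) -> dict:
    """Map each flagged path to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings[entry.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

A flagged path is a prompt to look the file up and submit it to a multi-engine scanner, as suggested above; ComboFix's own helper nircmd.exe is flagged too, which is why the verification step stays manual.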
To be sure, I suggest:
- Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).
- Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.
- Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
- It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives). If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
- If you are still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.
- After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
My apologies for the delay, but I forgot to put notify on this thread.
You appear to have a trojan, but as to the variety I can't be quite sure without a HijackThis log.
You have 2 suspect reg entries for run commands which indicate a possible smitfraud-type infection plus a downloader. I will not touch the registry lines until I see a log, but as for the downloader:
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\b138.exe
Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Could you reply with the OTMoveIt log and a HijackThis log?
PS I am now set to notify.
My apologies for the delay, but I have been ill. I have implemented the suggestions from Thursday and there were two more Trojans found; they were both downloaders. All seems fine now. I have run all the virus software and updated all of them, and so far so good; Avast is on guard and has reported nothing. Many thanks for your help and advice; if I have any more problems (not) then I know where to come. Regards. John. PS. The Trojans were Generic Win32/SDBots. Does this seem right? ???
If you could just post a HijackThis log then I can confirm that you are clean.
Logfile of HijackThis v1.99.1
Scan saved at 20:39:20, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\OpiStat\OpiStat\OpiStat.exe
C:\Program Files\Alcatel One Touch PC Suite 2\DesktopTool\DesktopTool.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn4\YTBSDK.exe
C:\Program Files\utorrent\utorrent.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: XBTP02634 Class - {F97DA966-F09D-4cab-BF29-75A0026986EA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [OpiStat] C:\Program Files\OpiStat\OpiStat\OpiStat.exe
O4 - HKLM\..\Run: [Desktop Tool] "C:\Program Files\Alcatel One Touch PC Suite 2\DesktopTool\DesktopTool.exe"
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [winupd32] winupd32.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [winupd32] winupd32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O
O4 - Startup: Registration Brothers In Arms.LNK = F:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .fpx: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll
O12 - Plugin for .ivr: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5554A026-7282-4C11-A8F1-652D0599CD02} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/OpiStat_preinstaller_activex_en_4.60.63.0_MEGAPANEL_EUROPE_SILENT.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Nearly there; the dodgy reg entries I saw are just that.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKLM\..\Run: [winupd32] winupd32.exe
O4 - HKLM\..\RunServices: [winupd32] winupd32.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\System32\winupd32.exe
C:\WINDOWS\winupd32.exe
C:\winupd32.exe
Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
RUN Superantispyware
[*]On the first page select Check for Updates
[*]On completion select SCAN YOUR COMPUTER
[*]On the next page select COMPLETE SCAN and tick ALL your drives
[*]The next stage will take a while as your entire drive(s), memory and registry are scanned
[*]When it has completed click NEXT
[*]The next screen shows the problems found click OK
[*]On the next screen place a tick against all items and select NEXT
[*]Now to get the log Go to the PREFERENCES button on the right bottom
[*]Select the STATISTICS/LOG tab
[*]Highlight the scan just completed and click VIEW LOG
[*]This will open a Notepad text file; copy and paste this to your next reply.
Then please follow up with a new HijackThis and OTMoveIt. You have an IRC trojan.
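As an added example (not code from the thread or from HijackThis), the following Python snippet applies to HijackThis O4 lines the check essexboy makes by eye above: an autorun image given as a bare file name, like winupd32.exe, is located via the search path at logon rather than a fixed path, and the RunServices key is a Windows 9x holdover. The sample lines are constructed from the log posted above; the heuristics are assumptions, not HijackThis rules.

```python
import re

# Constructed sample: O4 autorun lines in HijackThis v1.99 format, mirroring
# entries from the log posted above (HijackThis writes HKLM\..\Run).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpiStat] C:\Program Files\OpiStat\OpiStat\OpiStat.exe
O4 - HKLM\..\Run: [winupd32] winupd32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [winupd32] winupd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Registry-based O4 lines only; the backslash before ".." is optional because
# forum software often strips it (as happened in the log above).
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\?\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$"
)
IMAGE_RE = re.compile(r"(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", re.IGNORECASE)


def image_of(cmd: str) -> str:
    """Extract the program image from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)                 # unquoted path, possibly with spaces
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def assess_autorun(key: str, cmd: str) -> list:
    """Return review reasons for one registry autorun (empty if none)."""
    reasons = []
    image = image_of(cmd)
    base = image.lower().rpartition("\\")[2]
    if base == "rundll32.exe":
        reasons.append("launched via rundll32: inspect the DLL named in the arguments")
    elif "\\" not in image and "/" not in image:
        reasons.append("image given without a path: resolved via the search path "
                       "at logon, so locate the actual file and verify it")
    if key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x-era key; on XP it is rarely "
                       "used by legitimate software")
    return reasons


def triage_o4(log_text: str) -> dict:
    """Map 'HIVE\\Key\\name' to reasons for every O4 registry entry worth a look."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue                        # Startup-folder entries are skipped here
        reasons = assess_autorun(m["key"], m["cmd"])
        if reasons:
            findings[f"{m['hive']}\\{m['key']}\\{m['name']}"] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_o4(SAMPLE_HJT).items():
        print(entry)
        for r in reasons:
            print("   -", r)
```

Legitimate bare-name entries such as nwiz (NVIDIA) are flagged too, which is the point: the output is a list to verify, not a list to fix.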
I’m not an expert on HijackThis… essexboy is.
But you can check the automatic analysis of your HijackThis log here.
You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:
- If you don't recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you're sure it's a malware item, you can remove it as posted below.
- If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can turn back to the HijackThis program, check the box of this item and then remove it using the button 'Fix checked'.
Hope it helps in any way.