Find your solution!

**Cookiegal** · 10-Jul-2009, 03:10 PM **#31**

I'm going to copy and paste the logs for easier viewing. Please don't attach them unless asked to or they are too big to fit into one post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:05 p.m., on 10/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\Tablet.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\Program Files\AVG\AVG8\avgcsrvx.exe
E:\WINDOWS\878RMT.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\QuickTime\QTTask.exe
E:\Program Files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\Tablet.exe
E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Launchy\Launchy.exe
E:\Program Files\Orbitdownloader\orbitdm.exe
E:\Program Files\Orbitdownloader\orbitnet.exe
E:\Program Files\honestech\honestech TVR\scheduleTV.exe
E:\WINDOWS\system32\WTablet\TabUserW.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - E:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - E:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - E:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [TV Card Remote Control Applet] E:\WINDOWS\878RMT.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PhilipsSA33XXDM] E:\Program Files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe OS_STARTUP
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [googletalk] E:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = E:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = E:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ScheduleTV.lnk = E:\Program Files\honestech\honestech TVR\scheduleTV.exe
O4 - Global Startup: TabUserW.exe.lnk = E:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Download by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append Link Target to Existing PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{D86DD133-9159-47B3-B340-588CF0A2828E}: NameServer = 58.28.4.2,58.28.6.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - E:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - E:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: TabletService - Wacom Technology, Corp. - E:\WINDOWS\system32\Tablet.exe

--
End of file - 12168 bytes

**Cookiegal** · 10-Jul-2009, 03:11 PM **#32**

ComboFix 09-07-09.06 - Jeremy Hay 10/07/2009 12:08.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1524 [GMT 12:00]
Running from: c:\my documents\Downloads\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\All Users\documents\setup.exe
e:\windows\system32\Data
e:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KAVSYS

((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 23:44 . 2009-06-29 05:19 327688 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-09 23:44 . 2009-06-29 05:19 2052376 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-09 23:44 . 2009-06-29 05:19 906520 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-09 23:44 . 2009-06-29 05:19 493336 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-07-09 23:44 . 2009-06-29 05:19 3402008 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-09 23:44 . 2009-06-29 05:19 2167576 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-09 23:44 . 2009-06-29 05:19 1204504 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-09 23:43 . 2009-06-29 05:19 337176 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-09 23:43 . 2009-06-29 05:19 829208 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-09 23:43 . 2009-06-29 05:19 3298072 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-09 23:42 . 2009-06-29 05:15 1454360 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-09 23:42 . 2009-06-29 05:15 1085208 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-07 08:55 . 2009-07-07 08:55 -------- d-----w- E:\Arrested Development
2009-07-07 05:54 . 2009-07-07 10:37 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\Canon
2009-07-07 03:00 . 2009-07-08 04:50 -------- d-----w- E:\Dane
2009-07-06 21:54 . 2008-04-14 01:11 21504 ----a-w- e:\windows\system32\drivers\hidserv.dll
2009-07-04 23:41 . 2009-07-04 23:41 -------- d-----w- e:\program files\Trend Micro
2009-07-03 00:10 . 2006-01-15 23:45 360288 ----a-w- e:\windows\system32\drivers\ar5523.sys
2009-07-03 00:10 . 2006-01-15 23:45 360288 ----a-w- e:\windows\system32\ar5523.sys
2009-07-03 00:10 . 2005-07-27 09:16 44160 ----a-w- e:\windows\system32\athfmwdl.sys
2009-07-03 00:10 . 2005-07-27 09:15 149392 ----a-w- e:\windows\system32\drivers\ar5523.bin
2009-07-03 00:10 . 2005-07-27 09:15 149392 ----a-w- e:\windows\system32\ar5523.bin
2009-07-02 12:31 . 2009-07-02 12:31 -------- d-----w- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\AVG Security Toolbar
2009-06-30 12:22 . 2009-06-30 12:22 -------- d-----w- e:\windows\usb-audio.deTascam
2009-06-30 10:28 . 2009-06-30 10:28 -------- d-----w- e:\program files\Common Files\Adobe Systems Shared
2009-06-29 23:17 . 2009-07-04 01:56 -------- d-----w- E:\Audition files
2009-06-29 05:19 . 2009-06-29 05:19 832144 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-29 05:19 . 2009-06-29 05:19 -------- d-----w- e:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-29 05:19 . 2009-06-29 05:19 -------- d-----w- e:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-27 05:18 . 2004-05-20 20:04 79622 ----a-w- e:\windows\system32\EBPMON24.DLL
2009-06-27 05:18 . 2004-02-17 16:10 98304 ----a-w- e:\windows\system32\E_SAGSET.DLL
2009-06-27 05:18 . 2003-07-16 04:14 31744 ----a-w- e:\windows\system32\E_DCINST.DLL
2009-06-27 05:18 . 2003-05-20 17:27 64000 ----a-w- e:\windows\system32\ECBTEG.DLL
2009-06-27 05:18 . 2000-06-06 16:01 34304 ----a-w- e:\windows\system32\EBPCHP.DLL
2009-06-27 05:18 . 2008-04-13 19:47 25856 -c--a-w- e:\windows\system32\dllcache\usbprint.sys
2009-06-27 05:18 . 2008-04-13 19:47 25856 ----a-w- e:\windows\system32\drivers\usbprint.sys
2009-06-27 05:11 . 2009-06-27 05:11 -------- d-----w- e:\program files\Canon
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\ScanSoft
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\documents and settings\All Users\Application Data\SSScanWizard
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\program files\Common Files\ScanSoft Shared
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\program files\ScanSoft
2009-06-27 05:09 . 2002-05-23 15:04 389180 ----a-w- e:\windows\system32\UCS32P.DLL
2009-06-27 05:09 . 2002-09-27 02:56 69632 ----a-w- e:\windows\system32\CNQU70.DLL
2009-06-27 05:09 . 2002-04-12 08:23 339968 ----a-w- e:\windows\system32\N124UFW.dll
2009-06-27 05:09 . 2009-06-27 05:09 -------- d--h--w- E:\CanoScan
2009-06-27 04:34 . 2004-11-30 04:00 286720 ----a-r- e:\windows\878RMT.exe
2009-06-27 04:34 . 2009-06-27 04:34 -------- d-----w- e:\windows\MyInstall
2009-06-27 04:33 . 2009-06-27 04:33 -------- d-----w- e:\program files\honestech
2009-06-27 04:33 . 2001-05-16 04:54 309616 ----a-w- e:\windows\system32\wmv8dmod.dll
2009-06-27 04:33 . 2001-05-11 00:18 420240 ----a-w- e:\windows\system32\mpg4c32.dll
2009-06-27 04:32 . 2005-01-28 04:00 9216 ----a-r- e:\windows\system32\drivers\BtTuner.sys
2009-06-27 04:32 . 2005-01-28 04:00 8448 ----a-r- e:\windows\system32\drivers\BtXbar.sys
2009-06-27 04:32 . 2005-01-28 04:00 196736 ----a-r- e:\windows\system32\drivers\Bt878.sys
2009-06-27 04:30 . 2009-06-27 04:31 -------- d-----w- e:\windows\MustRead
2009-06-27 04:17 . 2009-06-27 04:17 8 ----a-w- e:\windows\system32\nvModes.dat
2009-06-14 12:27 . 2009-06-24 10:33 -------- d-----w- e:\program files\TP-LINK
2009-06-14 12:07 . 2009-06-14 12:07 -------- d-----w- e:\program files\PC Drivers HeadQuarters
2009-06-14 12:07 . 2009-06-14 12:07 -------- d-----w- e:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-06-14 10:42 . 2009-06-14 12:39 146976 ----a-w- e:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-14 10:21 . 2009-06-14 10:21 -------- d-----w- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Linksys_LLC_-_A_Division_
2009-06-14 10:13 . 2009-06-14 10:13 -------- d-----w- e:\program files\WebEx
2009-06-14 10:12 . 2009-06-14 10:14 -------- d-----w- e:\documents and settings\All Users\Application Data\Linksys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 00:14 . 2007-04-17 20:59 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\Orbit
2009-07-10 00:13 . 2007-12-17 20:56 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\WTablet
2009-07-09 23:43 . 2008-06-16 21:02 335752 ----a-w- e:\windows\system32\drivers\avgldx86.sys
2009-07-09 23:40 . 2007-12-14 03:40 -------- d-----w- e:\documents and settings\All Users\Application Data\Google Updater
2009-07-09 04:06 . 2008-02-05 01:27 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\dvdcss
2009-07-08 04:49 . 2007-04-20 09:56 12884 --sha-w- e:\windows\system32\KGyGaAvL.sys
2009-07-07 23:07 . 2008-10-22 21:13 -------- d-----w- e:\documents and settings\LocalService\Application Data\WTablet
2009-07-06 21:55 . 2009-07-06 21:55 0 ---ha-w- e:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-06 21:55 . 2009-07-06 21:55 0 ---ha-w- e:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-03 23:15 . 2009-03-10 12:17 664 ----a-w- e:\windows\system32\d3d9caps.dat
2009-07-03 22:29 . 2007-04-16 04:39 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-06-30 12:10 . 2007-04-16 06:06 26040 ----a-w- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-30 11:33 . 2007-04-16 04:41 -------- d-----w- e:\program files\Common Files\Adobe
2009-06-30 10:29 . 2009-06-30 10:29 -------- d-----w- e:\documents and settings\All Users\Application Data\Adobe Systems
2009-06-30 00:06 . 2008-09-12 04:13 -------- d-----w- e:\program files\Belkin
2009-06-29 05:19 . 2008-06-16 21:02 11952 ----a-w- e:\windows\system32\avgrsstx.dll
2009-06-29 05:19 . 2007-04-23 05:10 27784 ----a-w- e:\windows\system32\drivers\avgmfx86.sys
2009-06-27 05:16 . 2007-04-21 02:14 -------- d-----w- e:\program files\EPSON
2009-06-14 12:07 . 2007-04-17 09:44 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\GetRightToGo
2009-06-14 10:12 . 2007-04-28 02:21 -------- d-----w- e:\program files\Java
2009-05-22 13:39 . 2009-05-20 05:49 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\.purple
2009-05-22 13:28 . 2009-05-22 13:28 2087 ----a-w- e:\documents and settings\Jeremy Hay\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-05-20 05:52 . 2009-05-20 05:52 1065 ----a-w- e:\documents and settings\Jeremy Hay\Application Data\.purple\certificates\x509\tls_peers\gmail.com
2009-05-20 05:49 . 2009-05-20 05:49 2099 ----a-w- e:\documents and settings\Jeremy Hay\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-05-20 05:49 . 2009-05-20 05:49 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\gtk-2.0
2009-05-20 05:47 . 2009-05-20 05:47 -------- d-----w- e:\program files\Common Files\GTK
2009-05-20 05:11 . 2009-05-20 05:11 -------- d-----w- e:\program files\Microsoft
2009-05-20 05:11 . 2009-05-20 05:11 -------- d-----w- e:\program files\Windows Live SkyDrive
2009-05-20 05:11 . 2008-06-03 22:54 -------- d-----w- e:\program files\Windows Live
2009-05-20 05:09 . 2009-05-20 05:09 -------- d-----w- e:\program files\Common Files\Windows Live
2009-05-16 12:40 . 2007-04-16 08:03 -------- d-----w- e:\program files\Creative
2009-05-14 02:15 . 2007-04-17 20:59 -------- d-----w- e:\program files\Orbitdownloader
2009-05-14 02:13 . 2009-03-10 12:46 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\AVGTOOLBAR
2009-05-11 02:53 . 2009-05-11 02:52 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\Creative
2009-05-11 01:48 . 2009-05-11 01:48 -------- d-----w- e:\documents and settings\All Users\Application Data\Creative
2009-05-08 13:14 . 2009-05-08 13:14 1418120 ----a-w- e:\windows\system32\wdfcoinstaller01005.dll
2009-05-08 13:14 . 2009-05-08 13:14 14736 ----a-w- e:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- e:\windows\system32\localspl.dll
2009-05-02 22:28 . 2008-06-16 21:02 108552 ----a-w- e:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- e:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- e:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- e:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- e:\windows\system32\rpcrt4.dll
2007-01-23 02:07 . 2007-06-08 07:45 1847296 ----a-w- e:\program files\mozilla firefox\plugins\Seadragon.dll
2007-06-04 03:18 . 2007-04-20 09:56 56 --sh--r- e:\windows\system32\72E1C1C693.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 04:07 1004800 ----a-w- e:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="e:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-14 68856]
"MsnMsgr"="e:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="e:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TV Card Remote Control Applet"="e:\windows\878RMT.exe" [2004-11-30 286720]
"WinampAgent"="e:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"UpdReg"="e:\windows\UpdReg.EXE" [2000-05-10 90112]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2008-10-04 144792]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"PhilipsSA33XXDM"="e:\program files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe" [2007-08-06 892928]
"Omnipage"="e:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-02 49152]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NeroFilterCheck"="e:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"googletalk"="e:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"EPSON Stylus C45 Series"="e:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
"CTSysVol"="e:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"AppleSyncNotifier"="e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-30 111936]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Adobe Acrobat Speed Launcher"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SkyTel"="SkyTel.EXE" - e:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.EXE [2006-11-14 16270848]
"P17Helper"="P17.dll" - e:\windows\system32\P17.dll [2006-03-17 81408]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2009-02-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - e:\windows\system32\narrator.exe [2008-04-14 53760]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Launchy.lnk - e:\program files\Launchy\Launchy.exe [2007-10-1 274432]
Microsoft Office.lnk - e:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Orbit.lnk - e:\program files\Orbitdownloader\orbitdm.exe [2007-4-18 1690824]
QuickBooks Update Agent.lnk - e:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-4-20 972320]
ScheduleTV.lnk - e:\program files\honestech\honestech TVR\scheduleTV.exe [2009-6-27 307200]
TabUserW.exe.lnk - e:\windows\system32\WTablet\TabUserW.exe [2007-4-17 132656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 05:19 11952 ----a-w- e:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;e:\windows\system32\drivers\avgldx86.sys [17/06/2008 9:02 a.m. 335752]
R1 AvgTdiX;AVG8 Network Redirector;e:\windows\system32\drivers\avgtdix.sys [17/06/2008 9:02 a.m. 108552]
R2 878TVCard;Bt878 TV Card - Video Capture;e:\windows\system32\drivers\Bt878.sys [27/06/2009 4:32 p.m. 196736]
R2 878TVTuner;Bt878 TV Card - TV Tuner;e:\windows\system32\drivers\BtTuner.sys [27/06/2009 4:32 p.m. 9216]
R2 878Xbar;Bt878 TV Card - Crossbar;e:\windows\system32\drivers\BtXbar.sys [27/06/2009 4:32 p.m. 8448]
R2 avg8emc;AVG Free8 E-mail Scanner;e:\progra~1\AVG\AVG8\avgemc.exe [4/07/2008 9:13 a.m. 907032]
R2 avg8wd;AVG8 WatchDog;e:\progra~1\AVG\AVG8\avgwdsvc.exe [4/07/2008 9:12 a.m. 298776]
R3 p17filt;p17filt;e:\windows\system32\drivers\p17filt.sys [20/03/2006 6:34 p.m. 1452032]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;e:\windows\system32\drivers\tascusb2.sys [21/05/2009 3:47 p.m. 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;e:\windows\system32\drivers\tscusb2m.sys [21/05/2009 3:47 p.m. 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;e:\windows\system32\drivers\tscusb2a.sys [21/05/2009 3:47 p.m. 19904]
S3 V0090VID;Creative WebCam Vista Plus;e:\windows\system32\drivers\V0090Vid.sys [31/03/2008 8:17 a.m. 138112]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]

2009-07-10 e:\windows\Tasks\Google Software Updater.job
- e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-14 07:28]

2009-07-08 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-616249376-725345543-1004Core.job
- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:44]

2009-07-09 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-616249376-725345543-1004UA.job
- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:44]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Steam - (no file)
HKLM-Run-LELA - e:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
HKLM-Run-removecpl - RemoveCpl.exe
HKLM-Run-CTXFIREG - CTxfiReg.exe

.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Append Link Target to Existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: {D86DD133-9159-47B3-B340-588CF0A2828E} = 58.28.4.2,58.28.6.2
FF - ProfilePath - e:\documents and settings\Jeremy Hay\Application Data\Mozilla\Firefox\Profiles\b32aab5b.default\
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=2&q=
FF - component: e:\documents and settings\Jeremy Hay\Application Data\Mozilla\Firefox\Profiles\b32aab5b.default\extensions\piclens@cooliris. com\components\coolirisstub.dll
FF - component: e:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 2.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 3.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 35.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: e:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: e:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\nppsynth.dll
FF - plugin: e:\windows\system32\Photosynth\nppsynth.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 12:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TV Card Remote Control Applet = e:\windows\878RMT.exe?????????????????????????????????????????????????????? ?????????????????????????????????????????????????????6?B~!?B~A???????T???q? @?A????8????@?X???????????????d???A???Bt878 TV Card Remote Control Receiver?@?????????W?SN????:?A~}(@??akC?(@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-616249376-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:b1,65,8a,74,54,9e,f7,87,0b,9b,0e,ba,0b,c2,81,e1,6d,26,be,55, fe,
90,62,37,95,e4,02,70,48,11,c5,54,0d,56,ea,cb,87,69,98,0e,a1,3e,6b,c5,cd,5b, \
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:06,24,62,cd,bf,cf,1c,af,2a,20,02,ed,16,ea,eb,ea,b7,7d,5b,e1,0 9,
bd,5e,7b,c9,72,93,ab,bd,ef,68,e9,2f,36,c1,fb,23,61,94,1a,bc,37,9d,c2,fa,a4, \

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscripti ons\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscripti ons\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:06,24,62,cd,bf,cf,1c,af,2a,20,02,ed,16,ea,eb,ea,b7,7d,5b,e1,0 9,
bd,5e,7b,c9,72,93,ab,bd,ef,68,e9,2f,36,c1,fb,23,61,94,1a,bc,37,9d,c2,fa,a4, \
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3136)
e:\program files\ScanSoft\OmniPageSE\ophook32.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\windows\system32\nvsvc32.exe
e:\windows\system32\Tablet.exe
e:\program files\AVG\AVG8\avgrsx.exe
e:\progra~1\AVG\AVG8\avgnsx.exe
e:\program files\AVG\AVG8\avgcsrvx.exe
e:\windows\system32\rundll32.exe
e:\windows\system32\Tablet.exe
e:\program files\Orbitdownloader\orbitnet.exe
e:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-10 12:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 00:19

Pre-Run: 101,787,332,608 bytes free
Post-Run: 116,984,266,752 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

310 --- E O F --- 2009-07-06 21:55

**Cookiegal** · 10-Jul-2009, 03:21 PM **#33**

Open Notepad and copy and paste the text in the code box below into it:

Code:

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

RegNull::
[HKEY_USERS\S-1-5-21-220523388-616249376-725345543-1004\Software\SecuROM\License information*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\Ø•€|ÿÿÿÿ •€|ù•A~ *]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~ *]

Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Springymajig · 10-Jul-2009, 08:34 PM **#34**

Before I post the next logs... I'm a little worried I might have done something wrong :s

When I dragged the script on to combofix, it said there's a new version of Combofix available, would you like to update.

I said no because I was worried that the script would not work on the newer version...

The thing is, that message box about being connected to the internet didn't appear at all...

Anyway... I post the logs in seperate posts below...

Springymajig · 10-Jul-2009, 08:35 PM **#35**

This is the new combofix log:

ComboFix 09-07-09.06 - Jeremy Hay 11/07/2009 12:17.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1523 [GMT 12:00]
Running from: c:\my documents\Downloads\Combo-Fix.exe
Command switches used :: e:\documents and settings\Jeremy Hay\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

2009-07-09 23:44 . 2009-06-29 05:19 327688 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-09 23:44 . 2009-06-29 05:19 2052376 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-09 23:44 . 2009-06-29 05:19 906520 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-09 23:44 . 2009-06-29 05:19 493336 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-07-09 23:44 . 2009-06-29 05:19 3402008 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-09 23:44 . 2009-06-29 05:19 2167576 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-09 23:44 . 2009-06-29 05:19 1204504 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-09 23:43 . 2009-06-29 05:19 337176 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-09 23:43 . 2009-06-29 05:19 829208 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-09 23:43 . 2009-06-29 05:19 3298072 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-09 23:42 . 2009-06-29 05:15 1454360 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-09 23:42 . 2009-06-29 05:15 1085208 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-07 08:55 . 2009-07-07 08:55 -------- d-----w- E:\Arrested Development
2009-07-07 05:54 . 2009-07-10 00:58 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\Canon
2009-07-07 03:00 . 2009-07-08 04:50 -------- d-----w- E:\Dane
2009-07-06 21:54 . 2008-04-14 01:11 21504 ----a-w- e:\windows\system32\drivers\hidserv.dll
2009-07-04 23:41 . 2009-07-04 23:41 -------- d-----w- e:\program files\Trend Micro
2009-07-03 00:10 . 2006-01-15 23:45 360288 ----a-w- e:\windows\system32\drivers\ar5523.sys
2009-07-03 00:10 . 2006-01-15 23:45 360288 ----a-w- e:\windows\system32\ar5523.sys
2009-07-03 00:10 . 2005-07-27 09:16 44160 ----a-w- e:\windows\system32\athfmwdl.sys
2009-07-03 00:10 . 2005-07-27 09:15 149392 ----a-w- e:\windows\system32\drivers\ar5523.bin
2009-07-03 00:10 . 2005-07-27 09:15 149392 ----a-w- e:\windows\system32\ar5523.bin
2009-07-02 12:31 . 2009-07-02 12:31 -------- d-----w- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\AVG Security Toolbar
2009-06-30 12:22 . 2009-06-30 12:22 -------- d-----w- e:\windows\usb-audio.deTascam
2009-06-30 10:28 . 2009-06-30 10:28 -------- d-----w- e:\program files\Common Files\Adobe Systems Shared
2009-06-29 23:17 . 2009-07-04 01:56 -------- d-----w- E:\Audition files
2009-06-29 05:19 . 2009-06-29 05:19 832144 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-29 05:19 . 2009-06-29 05:19 -------- d-----w- e:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-29 05:19 . 2009-06-29 05:19 -------- d-----w- e:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-27 05:18 . 2004-05-20 20:04 79622 ----a-w- e:\windows\system32\EBPMON24.DLL
2009-06-27 05:18 . 2004-02-17 16:10 98304 ----a-w- e:\windows\system32\E_SAGSET.DLL
2009-06-27 05:18 . 2003-07-16 04:14 31744 ----a-w- e:\windows\system32\E_DCINST.DLL
2009-06-27 05:18 . 2003-05-20 17:27 64000 ----a-w- e:\windows\system32\ECBTEG.DLL
2009-06-27 05:18 . 2000-06-06 16:01 34304 ----a-w- e:\windows\system32\EBPCHP.DLL
2009-06-27 05:18 . 2008-04-13 19:47 25856 -c--a-w- e:\windows\system32\dllcache\usbprint.sys
2009-06-27 05:18 . 2008-04-13 19:47 25856 ----a-w- e:\windows\system32\drivers\usbprint.sys
2009-06-27 05:11 . 2009-06-27 05:11 -------- d-----w- e:\program files\Canon
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\ScanSoft
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\documents and settings\All Users\Application Data\SSScanWizard
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\program files\Common Files\ScanSoft Shared
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\program files\ScanSoft
2009-06-27 05:09 . 2002-05-23 15:04 389180 ----a-w- e:\windows\system32\UCS32P.DLL
2009-06-27 05:09 . 2002-09-27 02:56 69632 ----a-w- e:\windows\system32\CNQU70.DLL
2009-06-27 05:09 . 2002-04-12 08:23 339968 ----a-w- e:\windows\system32\N124UFW.dll
2009-06-27 05:09 . 2009-06-27 05:09 -------- d--h--w- E:\CanoScan
2009-06-27 04:34 . 2004-11-30 04:00 286720 ----a-r- e:\windows\878RMT.exe
2009-06-27 04:34 . 2009-06-27 04:34 -------- d-----w- e:\windows\MyInstall
2009-06-27 04:33 . 2009-06-27 04:33 -------- d-----w- e:\program files\honestech
2009-06-27 04:33 . 2001-05-16 04:54 309616 ----a-w- e:\windows\system32\wmv8dmod.dll
2009-06-27 04:33 . 2001-05-11 00:18 420240 ----a-w- e:\windows\system32\mpg4c32.dll
2009-06-27 04:32 . 2005-01-28 04:00 9216 ----a-r- e:\windows\system32\drivers\BtTuner.sys
2009-06-27 04:32 . 2005-01-28 04:00 8448 ----a-r- e:\windows\system32\drivers\BtXbar.sys
2009-06-27 04:32 . 2005-01-28 04:00 196736 ----a-r- e:\windows\system32\drivers\Bt878.sys
2009-06-27 04:30 . 2009-06-27 04:31 -------- d-----w- e:\windows\MustRead
2009-06-27 04:17 . 2009-06-27 04:17 8 ----a-w- e:\windows\system32\nvModes.dat
2009-06-14 12:27 . 2009-06-24 10:33 -------- d-----w- e:\program files\TP-LINK
2009-06-14 12:07 . 2009-06-14 12:07 -------- d-----w- e:\program files\PC Drivers HeadQuarters
2009-06-14 12:07 . 2009-06-14 12:07 -------- d-----w- e:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-06-14 10:42 . 2009-06-14 12:39 146976 ----a-w- e:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-14 10:21 . 2009-06-14 10:21 -------- d-----w- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Linksys_LLC_-_A_Division_
2009-06-14 10:13 . 2009-06-14 10:13 -------- d-----w- e:\program files\WebEx
2009-06-14 10:12 . 2009-06-14 10:14 -------- d-----w- e:\documents and settings\All Users\Application Data\Linksys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-11 00:09 . 2007-04-17 20:59 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\Orbit
2009-07-11 00:09 . 2007-12-17 20:56 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\WTablet
2009-07-09 23:43 . 2008-06-16 21:02 335752 ----a-w- e:\windows\system32\drivers\avgldx86.sys
2009-07-09 23:40 . 2007-12-14 03:40 -------- d-----w- e:\documents and settings\All Users\Application Data\Google Updater
2009-07-09 04:06 . 2008-02-05 01:27 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\dvdcss
2009-07-08 04:49 . 2007-04-20 09:56 12884 --sha-w- e:\windows\system32\KGyGaAvL.sys
2009-07-07 23:07 . 2008-10-22 21:13 -------- d-----w- e:\documents and settings\LocalService\Application Data\WTablet
2009-07-06 21:55 . 2009-07-06 21:55 0 ---ha-w- e:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-06 21:55 . 2009-07-06 21:55 0 ---ha-w- e:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-03 23:15 . 2009-03-10 12:17 664 ----a-w- e:\windows\system32\d3d9caps.dat
2009-07-03 22:29 . 2007-04-16 04:39 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-06-30 12:10 . 2007-04-16 06:06 26040 ----a-w- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-30 11:33 . 2007-04-16 04:41 -------- d-----w- e:\program files\Common Files\Adobe
2009-06-30 10:29 . 2009-06-30 10:29 -------- d-----w- e:\documents and settings\All Users\Application Data\Adobe Systems
2009-06-30 00:06 . 2008-09-12 04:13 -------- d-----w- e:\program files\Belkin
2009-06-29 05:19 . 2008-06-16 21:02 11952 ----a-w- e:\windows\system32\avgrsstx.dll
2009-06-29 05:19 . 2007-04-23 05:10 27784 ----a-w- e:\windows\system32\drivers\avgmfx86.sys
2009-06-27 05:16 . 2007-04-21 02:14 -------- d-----w- e:\program files\EPSON
2009-06-14 12:07 . 2007-04-17 09:44 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\GetRightToGo
2009-06-14 10:12 . 2007-04-28 02:21 -------- d-----w- e:\program files\Java
2009-05-22 13:39 . 2009-05-20 05:49 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\.purple
2009-05-22 13:28 . 2009-05-22 13:28 2087 ----a-w- e:\documents and settings\Jeremy Hay\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-05-20 05:52 . 2009-05-20 05:52 1065 ----a-w- e:\documents and settings\Jeremy Hay\Application Data\.purple\certificates\x509\tls_peers\gmail.com
2009-05-20 05:49 . 2009-05-20 05:49 2099 ----a-w- e:\documents and settings\Jeremy Hay\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-05-20 05:49 . 2009-05-20 05:49 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\gtk-2.0
2009-05-20 05:47 . 2009-05-20 05:47 -------- d-----w- e:\program files\Common Files\GTK
2009-05-20 05:11 . 2009-05-20 05:11 -------- d-----w- e:\program files\Microsoft
2009-05-20 05:11 . 2009-05-20 05:11 -------- d-----w- e:\program files\Windows Live SkyDrive
2009-05-20 05:11 . 2008-06-03 22:54 -------- d-----w- e:\program files\Windows Live
2009-05-20 05:09 . 2009-05-20 05:09 -------- d-----w- e:\program files\Common Files\Windows Live
2009-05-16 12:40 . 2007-04-16 08:03 -------- d-----w- e:\program files\Creative
2009-05-14 02:15 . 2007-04-17 20:59 -------- d-----w- e:\program files\Orbitdownloader
2009-05-14 02:13 . 2009-03-10 12:46 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\AVGTOOLBAR
2009-05-08 13:14 . 2009-05-08 13:14 1418120 ----a-w- e:\windows\system32\wdfcoinstaller01005.dll
2009-05-08 13:14 . 2009-05-08 13:14 14736 ----a-w- e:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- e:\windows\system32\localspl.dll
2009-05-02 22:28 . 2008-06-16 21:02 108552 ----a-w- e:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- e:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- e:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- e:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- e:\windows\system32\rpcrt4.dll
2007-01-23 02:07 . 2007-06-08 07:45 1847296 ----a-w- e:\program files\mozilla firefox\plugins\Seadragon.dll
2007-06-04 03:18 . 2007-04-20 09:56 56 --sh--r- e:\windows\system32\72E1C1C693.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-10_00.14.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 00:08 . 2009-07-11 00:08 16384 e:\windows\Temp\Perflib_Perfdata_550.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 04:07 1004800 ----a-w- e:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="e:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-14 68856]
"MsnMsgr"="e:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="e:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TV Card Remote Control Applet"="e:\windows\878RMT.exe" [2004-11-30 286720]
"WinampAgent"="e:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"UpdReg"="e:\windows\UpdReg.EXE" [2000-05-10 90112]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2008-10-04 144792]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"PhilipsSA33XXDM"="e:\program files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe" [2007-08-06 892928]
"Omnipage"="e:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-02 49152]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NeroFilterCheck"="e:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"googletalk"="e:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"EPSON Stylus C45 Series"="e:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
"CTSysVol"="e:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"AppleSyncNotifier"="e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-30 111936]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Adobe Acrobat Speed Launcher"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SkyTel"="SkyTel.EXE" - e:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.EXE [2006-11-14 16270848]
"P17Helper"="P17.dll" - e:\windows\system32\P17.dll [2006-03-17 81408]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2009-02-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - e:\windows\system32\narrator.exe [2008-04-14 53760]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Launchy.lnk - e:\program files\Launchy\Launchy.exe [2007-10-1 274432]
Microsoft Office.lnk - e:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Orbit.lnk - e:\program files\Orbitdownloader\orbitdm.exe [2007-4-18 1690824]
QuickBooks Update Agent.lnk - e:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-4-20 972320]
ScheduleTV.lnk - e:\program files\honestech\honestech TVR\scheduleTV.exe [2009-6-27 307200]
TabUserW.exe.lnk - e:\windows\system32\WTablet\TabUserW.exe [2007-4-17 132656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 05:19 11952 ----a-w- e:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;e:\windows\system32\drivers\avgldx86.sys [17/06/2008 9:02 a.m. 335752]
R1 AvgTdiX;AVG8 Network Redirector;e:\windows\system32\drivers\avgtdix.sys [17/06/2008 9:02 a.m. 108552]
R2 878TVCard;Bt878 TV Card - Video Capture;e:\windows\system32\drivers\Bt878.sys [27/06/2009 4:32 p.m. 196736]
R2 878TVTuner;Bt878 TV Card - TV Tuner;e:\windows\system32\drivers\BtTuner.sys [27/06/2009 4:32 p.m. 9216]
R2 878Xbar;Bt878 TV Card - Crossbar;e:\windows\system32\drivers\BtXbar.sys [27/06/2009 4:32 p.m. 8448]
R2 avg8emc;AVG Free8 E-mail Scanner;e:\progra~1\AVG\AVG8\avgemc.exe [4/07/2008 9:13 a.m. 907032]
R2 avg8wd;AVG8 WatchDog;e:\progra~1\AVG\AVG8\avgwdsvc.exe [4/07/2008 9:12 a.m. 298776]
R3 p17filt;p17filt;e:\windows\system32\drivers\p17filt.sys [20/03/2006 6:34 p.m. 1452032]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;e:\windows\system32\drivers\tascusb2.sys [21/05/2009 3:47 p.m. 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;e:\windows\system32\drivers\tscusb2m.sys [21/05/2009 3:47 p.m. 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;e:\windows\system32\drivers\tscusb2a.sys [21/05/2009 3:47 p.m. 19904]
S3 V0090VID;Creative WebCam Vista Plus;e:\windows\system32\drivers\V0090Vid.sys [31/03/2008 8:17 a.m. 138112]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]

2009-07-11 e:\windows\Tasks\Google Software Updater.job
- e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-14 07:28]

2009-07-08 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-616249376-725345543-1004Core.job
- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:44]

2009-07-10 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-616249376-725345543-1004UA.job
- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:44]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Append Link Target to Existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: {D86DD133-9159-47B3-B340-588CF0A2828E} = 58.28.4.2,58.28.6.2
FF - ProfilePath - e:\documents and settings\Jeremy Hay\Application Data\Mozilla\Firefox\Profiles\b32aab5b.default\
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=2&q=
FF - component: e:\documents and settings\Jeremy Hay\Application Data\Mozilla\Firefox\Profiles\b32aab5b.default\extensions\piclens@cooliris. com\components\coolirisstub.dll
FF - component: e:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 2.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 3.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 35.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: e:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: e:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\nppsynth.dll
FF - plugin: e:\windows\system32\Photosynth\nppsynth.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-11 12:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TV Card Remote Control Applet = e:\windows\878RMT.exe?????????????????????????????????????????????????????? ?????????????????????????????????????????????????????6?B~!?B~????????T???q? @??????8????@?X???????????????d???????Bt878 TV Card Remote Control Receiver?@?????????W?SN????:?A~}(@??=???(@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:06,24,62,cd,bf,cf,1c,af,2a,20,02,ed,16,ea,eb,ea,b7,7d,5b,e1,0 9,
bd,5e,7b,c9,72,93,ab,bd,ef,68,e9,2f,36,c1,fb,23,61,94,1a,bc,37,9d,c2,fa,a4, \

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscripti ons\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscripti ons\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:06,24,62,cd,bf,cf,1c,af,2a,20,02,ed,16,ea,eb,ea,b7,7d,5b,e1,0 9,
bd,5e,7b,c9,72,93,ab,bd,ef,68,e9,2f,36,c1,fb,23,61,94,1a,bc,37,9d,c2,fa,a4, \
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3652)
e:\program files\ScanSoft\OmniPageSE\ophook32.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-11 12:26
ComboFix-quarantined-files.txt 2009-07-11 00:26
ComboFix2.txt 2009-07-10 00:19

Pre-Run: 116,924,264,448 bytes free
Post-Run: 116,885,901,312 bytes free

274 --- E O F --- 2009-07-06 21:55

Springymajig · 10-Jul-2009, 08:35 PM **#36**

And this is the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:15 p.m., on 11/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\878RMT.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\QuickTime\QTTask.exe
E:\Program Files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\WINDOWS\system32\ctfmon.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\Tablet.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\WINDOWS\system32\Tablet.exe
E:\Program Files\AVG\AVG8\avgcsrvx.exe
E:\Program Files\Launchy\Launchy.exe
E:\Program Files\Orbitdownloader\orbitdm.exe
E:\Program Files\honestech\honestech TVR\scheduleTV.exe
E:\WINDOWS\system32\WTablet\TabUserW.exe
E:\Program Files\Orbitdownloader\orbitnet.exe
E:\WINDOWS\system32\wscntfy.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\WINDOWS\explorer.exe
E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - E:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - E:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - E:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [TV Card Remote Control Applet] E:\WINDOWS\878RMT.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PhilipsSA33XXDM] E:\Program Files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe OS_STARTUP
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [googletalk] E:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = E:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = E:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ScheduleTV.lnk = E:\Program Files\honestech\honestech TVR\scheduleTV.exe
O4 - Global Startup: TabUserW.exe.lnk = E:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Download by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append Link Target to Existing PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{D86DD133-9159-47B3-B340-588CF0A2828E}: NameServer = 58.28.4.2,58.28.6.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - E:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - E:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: TabletService - Wacom Technology, Corp. - E:\WINDOWS\system32\Tablet.exe

--
End of file - 12077 bytes

**Cookiegal** · 11-Jul-2009, 01:59 PM **#37**

No, that's OK. I should have removed that part as we weren't submitting any files for analysis.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Springymajig · 12-Jul-2009, 07:13 AM **#38**

It said no malicious software items were detected.

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

12/07/2009 11:10:04 p.m.
mbam-log-2009-07-12 (23-10-04).txt

Scan type: Quick Scan
Objects scanned: 96542
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**Cookiegal** · 12-Jul-2009, 05:55 PM **#39**

OK, that's good.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

JRE 6 Update 13

Instructions for Kaspersky scan:

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure the following is checked.
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

Springymajig · 13-Jul-2009, 06:30 AM **#40**

That took a while but it found nothing either.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 13, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 13, 2009 04:36:06
Records in database: 2464688
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 369005
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 05:31:01

No malware has been detected. The scan area is clean.

The selected area was scanned.

**Cookiegal** · 14-Jul-2009, 08:10 PM **#41**

Please post a new HijackThis log and tell me what problems remain.

Springymajig · 14-Jul-2009, 11:44 PM **#42**

Well...

First of all, thanks a lot for helping out with removing that malware, I really appreciate it.

Secondly, I don't seem to be having any problems with the network. At least not today...

Forgive me for not jumping for joy but every time I think it's fixed, it stops working a couple of days later. So before I hit that "solved" button, I'm gonna wait a few days and hope that the network continues to work...

Springymajig · 15-Jul-2009, 05:53 AM **#43**

Oh boy... that didn't last long.

So yeah... the network was working fine for most of today... I kept nervously checking from time to time to see if they'd still ping each other and then suddenly it stopped working.

Neither computer can ping each other, not by name or IP number. Back to square one.

Here is the Hijackthis log for PC2, which is the one we've been removing malware from:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:23 p.m., on 15/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\Tablet.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Program Files\AVG\AVG8\avgcsrvx.exe
E:\WINDOWS\system32\Tablet.exe
E:\WINDOWS\878RMT.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\QuickTime\QTTask.exe
E:\Program Files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Launchy\Launchy.exe
E:\Program Files\Orbitdownloader\orbitdm.exe
E:\Program Files\honestech\honestech TVR\scheduleTV.exe
E:\Program Files\Orbitdownloader\orbitnet.exe
E:\WINDOWS\system32\WTablet\TabUserW.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\Program Files\Winamp\winamp.exe
E:\WINDOWS\system32\CTPdeSrv.exe
E:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
E:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
E:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
E:\WINDOWS\explorer.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - E:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - E:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - E:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [TV Card Remote Control Applet] E:\WINDOWS\878RMT.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PhilipsSA33XXDM] E:\Program Files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe OS_STARTUP
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [googletalk] E:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = E:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = E:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ScheduleTV.lnk = E:\Program Files\honestech\honestech TVR\scheduleTV.exe
O4 - Global Startup: TabUserW.exe.lnk = E:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Download by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append Link Target to Existing PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{D86DD133-9159-47B3-B340-588CF0A2828E}: NameServer = 58.28.4.2,58.28.6.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - E:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - E:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: TabletService - Wacom Technology, Corp. - E:\WINDOWS\system32\Tablet.exe

--
End of file - 12293 bytes

Springymajig · 15-Jul-2009, 05:54 AM **#44**

And here's the Hijackthis log from the other PC:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:47 p.m., on 15/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\honestech\honestech TVR\scheduleTV.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [Auto EPSON Stylus C45 Series on BANSHEE] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P39 "Auto EPSON Stylus C45 Series on BANSHEE" /O19 "\\BANSHEE\Printer12" /M "Stylus C45"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: ScheduleTV.lnk = C:\Program Files\honestech\honestech TVR\scheduleTV.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4B1286C-9B06-4123-9E31-4708C8A10C31}: NameServer = 58.28.4.2,58.28.6.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8621 bytes

**Cookiegal** · 15-Jul-2009, 07:40 PM **#45**

Please remove ComboFix by dragging it to the recycle bin and grab the latest version and then run a new scan and post the log please.

Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Tag Cloud
access audio black screen blue screen boot bsod connection crash desktop driver dvd email error excel excel 2003 firefox hard drive hardware hdmi internet itunes keyboard laptop malware monitor motherboard network networking outlook problem ram recovery router screen slow sound spyware tdlwsp.dll trojan upgrade vba video virus vista vundo windows windows 7 windows vista windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for: