
Solved file:0000 in system32 folder, regedit not working

Discussion in 'Malware and Virus Removal Archive' started by slunge, 2009/04/21.

  1. 2009/04/21
    slunge

    slunge Inactive Thread Starter

    Joined:
    2009/04/21
    Messages:
    6
    Likes Received:
    0
    [Resolved] file:0000 in system32 folder, regedit not working

    Hi Folks

    Some background: went to a webpage to do some research at work (not that sort of website :) ). I have Sophos Antivirus 7.6.5 installed on my system (current version is 7.6.6, but mine's now failing to update, since 2/4/09).

    Sophos prevented access to the site saying it had dodgy content. Due to work screaming upstairs and me being the IT admin I had no choice but to see what was going on; bam, the IT admin's PC now has a virus..

    Initially Sophos was detecting files in c:\windows\system32\drivers folder\filename.exe:file0000 (different filenames, always the file:0000 bit at the end). Did a full system scan with Sophos, removed 15 odd files from the system32 folder; ran a full Malwarebytes scan in safe mode, removed roughly the same again.

    Then used HijackThis myself to remove anything that looked obvious. Since restarting, Sophos isn't detecting anything, but I can't open regedit for example, Sophos still won't update, and I can't manually install the latest version as it's saying the registry permissions are wrong (hence why I know I can't get into regedit to try to fix it).

    CURRENT HIJACKTHIS LOG BELOW (I'm using a laptop; my PC is just left in safe mode at the moment, transferring data using a mem stick).

    Scan saved at 15:41:05, on 21/04/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    I:\HijackThis\HjThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=6080527
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk-smb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk-smb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=6080527
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = admagicsoho.co.uk
    O17 - HKLM\Software\..\Telephony: DomainName = admagicsoho.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{68BDA895-D967-451E-9DC3-839739E619CD}: NameServer = 192.168.104.225,192.168.101.231
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = admagicsoho.co.uk
    O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    O23 - Service: Telephony TapiSrvMDM (TapiSrvMDM) - Unknown owner - C:\WINDOWS\system32\3com_dmit.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    Any help would be appreciated.

    Thanks!
     
  2. 2009/04/21
    slunge

    slunge Inactive Thread Starter

    Joined:
    2009/04/21
    Messages:
    6
    Likes Received:
    0
    DDS and Attach txt files below

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 04/06/2008 10:22:30
    System Uptime: 21/04/2009 15:17:44 (0 hours ago)

    Motherboard: Dell Inc. | | 0GN723
    Processor: Intel(R) Core(TM)2 CPU 6420 @ 2.13GHz | Socket 775 | 2128/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 462 GiB total, 206.809 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP377: 20/04/2009 17:13:33 - System Checkpoint
    RP378: 21/04/2009 15:15:49 - Removed Sophos Anti-Virus

    ==== Installed Programs ======================

    #1 DVD Audio Ripper 1.2.44
    32 Bit HP BiDi Channel Components Installer
    AC-3 ACM Codec
    Adobe Acrobat 7.0 Professional
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Creative Suite 2
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe GoLive CS2
    Adobe Help Center 1.0
    Adobe Illustrator CS2
    Adobe InDesign CS2
    Adobe Photoshop CS2
    Adobe Reader 8.1.2
    Adobe Stock Photos 1.0
    Adobe SVG Viewer 3.0
    Adobe Version Cue CS2
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Audacity 1.2.6
    BlackBerry Desktop Software 4.2
    BlackBerry Device Software v4.7.0 for the BlackBerry 9500 smartphone
    BOB Books Version 1.5.0.4
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    Compatibility Pack for the 2007 Office system
    Creative Centrale
    Creative Software Update
    Creative ZEN X-Fi User's Guide
    Creative ZEN X-Fi Video Converter
    Dell Driver Reset Tool
    Dell Support Center
    Dell System Restore
    DivX Web Player
    DyynoPlayer 0.8.6f
    Flash to Video Encoder
    Gadwin PrintScreen
    Half-Life 2
    HandBrake 0.9.3
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Image Resizer Powertoy for Windows XP
    ImgBurn
    Intel(R) PRO Network Connections 12.1.12.0
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 12
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Left 4 Dead
    Maconomy W 11.0
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    mIRC
    Mitel Your Assistant 4.1
    Mitel Your Assistant Collaboration Module
    Mozilla Firefox (3.0.8)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6.0 Parser (KB933579)
    MusicBrainz Picard 0.11
    Nero 7 Ultra Edition
    neroxml
    Nimo Codecs Pack v5.0 (Remove Only)
    Olympus Digital Wave Player
    PC Inspector File Recovery
    PC Inspector smart recovery
    PDFCreator
    Photosynth 2.0.1519.16
    PowerDVD
    Prism Video Converter
    PSP Video 9 2.25
    PunkBuster Services
    Quake Live Mozilla Plugin
    QuickTime
    RealPlayer
    Realtek High Definition Audio Driver
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler 3
    Roxio MyDVD DE
    Roxio Update Manager
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB963027)
    Skins
    Sonic CinePlayer Decoder Pack
    Sophos Anti-Virus
    Sophos AutoUpdate
    Sothink SWF to Video Converter
    Steam
    Suite Specific
    SUPER © Version 2009.bld.35 (Jan 5, 2009)
    TmNationsForever
    Unreal Tournament 3
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VNC Free Edition 4.1.2
    WebFldrs XP
    Winamp
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    21/04/2009 15:19:26, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    21/04/2009 15:06:34, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    21/04/2009 15:04:42, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\inf\unregmp2.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 9.0.0.4503.
    21/04/2009 09:50:14, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor
    21/04/2009 09:33:37, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    21/04/2009 09:20:45, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    21/04/2009 09:06:07, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVOnAccessControl SAVOnAccessFilter Tcpip
    21/04/2009 09:06:07, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    21/04/2009 09:06:07, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    21/04/2009 09:06:07, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    21/04/2009 09:06:07, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    21/04/2009 09:06:07, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    21/04/2009 09:06:07, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    21/04/2009 09:05:40, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    21/04/2009 09:05:29, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    16/04/2009 14:09:02, error: NETLOGON [5719] - No Domain Controller is available for domain ADMAGICSOHO due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    15/04/2009 16:48:47, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    15/04/2009 16:48:43, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    15/04/2009 09:31:52, error: NETLOGON [5719] - No Domain Controller is available for domain ADMAGICSOHO due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

    ==== End Of File ===========================
     


  4. 2009/04/21
    slunge

    slunge Inactive Thread Starter

    Joined:
    2009/04/21
    Messages:
    6
    Likes Received:
    0
    DDS (Ver_09-03-16.01) - NTFSx86 MINIMAL
    Run by Administrator at 15:55:34.17 on 21/04/2009
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1735 [GMT 1:00]

    AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Documents and Settings\Administrator\Desktop\dds\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=6080527
    uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk-smb
    uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=6080527
    uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk-smb
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} - hxxp://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    TCP: {68BDA895-D967-451E-9DC3-839739E619CD} = 192.168.104.225,192.168.101.231
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli scecli

    ================= FIREFOX ===================

    FF - ProfilePath -
    FF - HiddenExtension: XUL Cache: {836B56EA-02FF-4B41-88BA-3FDD4F129237} - c:\documents and settings\amurdoch.admagicsoho\local settings\application data\{836B56EA-02FF-4B41-88BA-3FDD4F129237}

    ============= SERVICES / DRIVERS ===============

    R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
    S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-6-4 110848]
    S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-6-4 38528]
    S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-9-22 69632]
    S2 securentm;securentm;c:\windows\system32\drivers\securentm.sys [2009-4-21 30464]
    S2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-12-23 172032]
    S2 TapiSrvMDM;Telephony TapiSrvMDM;c:\windows\system32\3com_dmit.exe srv --> c:\windows\system32\3com_dmit.exe srv [?]
    S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
    S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

    =============== Created Last 30 ================

    2009-04-21 15:13 <DIR> --d----- C:\savwsa
    2009-04-21 15:12 38,945,240 a------- C:\savw76sasfx.exe
    2009-04-21 14:31 30,464 a------- c:\windows\system32\drivers\securentm.sys
    2009-04-21 09:58 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
    2009-04-21 09:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-04-21 09:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-21 09:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-04-21 09:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-04-20 16:49 32 a--s---- c:\windows\system32\617123649.dat
    2009-04-20 16:49 53,248 ---shr-- c:\windows\system32\3com_dmit.exe
    2009-04-17 17:41 2,853 a------- C:\slunew.zip
    2009-04-17 13:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\id Software
    2009-04-15 16:44 216,064 ---shr-- c:\windows\system32\nbDX.dll
    2009-04-15 16:44 169,472 ---shr-- c:\windows\system32\MatroskaDX.ax
    2009-04-15 16:44 161,792 ---shr-- c:\windows\system32\RealMediaDX.ax
    2009-04-15 16:44 54,784 ---shr-- c:\windows\system32\RLAPEDec.ax
    2009-04-15 16:44 37,888 ---shr-- c:\windows\system32\RLMPCDec.ax
    2009-04-15 16:44 31,232 ---shr-- c:\windows\system32\msfDX.dll
    2009-04-15 16:44 227,328 ---shr-- c:\windows\system32\ac3DX.ax
    2009-04-15 16:44 163,328 ---shr-- c:\windows\system32\flvDX.dll
    2009-04-15 16:44 123,904 ---shr-- c:\windows\system32\AVCDX.ax
    2009-04-15 16:44 <DIR> --d----- c:\program files\eRightSoft
    2009-03-25 17:54 <DIR> --d----- c:\program files\iPod
    2009-03-25 17:54 <DIR> --d----- c:\program files\iTunes
    2009-03-25 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    2009-03-25 17:53 <DIR> --d----- c:\program files\Bonjour
    2009-03-25 17:50 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
    2009-03-25 15:50 37 a------- c:\windows\SWFConverter.INI
    2009-03-25 15:49 <DIR> --d----- c:\program files\SWF to Video Converter
    2009-03-23 11:38 66 a------- c:\windows\#1 DVD Audio Ripper.INI
    2009-03-23 11:38 <DIR> --d----- c:\program files\DVD Audio Ripper
    2009-03-23 11:22 <DIR> --d----- C:\DVD Ripped

    ==================== Find3M ====================

    2009-04-17 13:29 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
    2009-04-17 13:29 107,832 a------- c:\windows\system32\PnkBstrB.exe
    2009-04-17 13:29 66,872 a------- c:\windows\system32\PnkBstrA.exe
    2009-04-17 13:29 2,246,144 a------- c:\windows\system32\pbsvc.exe
    2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
    2009-03-10 16:56 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
    2009-03-06 15:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
    2009-03-06 00:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
    2009-03-03 00:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
    2009-02-25 23:58 3,565,568 a------- c:\windows\system32\drivers\ati2mtag.sys
    2009-02-25 23:58 3,565,568 a------- c:\windows\system32\dllcache\ati2mtag.sys
    2009-02-25 22:42 442,368 a------- c:\windows\system32\ATIDEMGX.dll
    2009-02-25 22:41 325,120 a------- c:\windows\system32\dllcache\ati2dvag.dll
    2009-02-25 22:41 325,120 a------- c:\windows\system32\ati2dvag.dll
    2009-02-25 22:30 11,841,536 a------- c:\windows\system32\atioglxx.dll
    2009-02-25 22:30 204,800 a------- c:\windows\system32\atipdlxx.dll
    2009-02-25 22:29 155,648 a------- c:\windows\system32\Oemdspif.dll
    2009-02-25 22:29 26,112 a------- c:\windows\system32\Ati2mdxx.exe
    2009-02-25 22:29 43,520 a------- c:\windows\system32\ati2edxx.dll
    2009-02-25 22:29 155,648 a------- c:\windows\system32\ati2evxx.dll
    2009-02-25 22:27 602,112 a------- c:\windows\system32\ati2evxx.exe
    2009-02-25 22:26 53,248 a------- c:\windows\system32\ATIDDC.DLL
    2009-02-25 22:16 3,817,984 a------- c:\windows\system32\dllcache\ati3duag.dll
    2009-02-25 22:16 3,817,984 a------- c:\windows\system32\ati3duag.dll
    2009-02-25 22:09 307,200 a------- c:\windows\system32\atiiiexx.dll
    2009-02-25 21:59 2,670,080 a------- c:\windows\system32\dllcache\ativvaxx.dll
    2009-02-25 21:59 2,670,080 a------- c:\windows\system32\ativvaxx.dll
    2009-02-25 21:58 3,107,788 a------- c:\windows\system32\ativva5x.dat
    2009-02-25 21:58 887,724 a------- c:\windows\system32\ativva6x.dat
    2009-02-25 21:44 49,664 a------- c:\windows\system32\amdpcom32.dll
    2009-02-25 21:40 475,136 a------- c:\windows\system32\atikvmag.dll
    2009-02-25 21:38 126,976 a------- c:\windows\system32\atiadlxx.dll
    2009-02-25 21:38 17,408 a------- c:\windows\system32\atitvo32.dll
    2009-02-25 21:37 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
    2009-02-25 21:35 290,816 a------- c:\windows\system32\atiok3x2.dll
    2009-02-25 21:32 45,056 a------- c:\windows\system32\aticalrt.dll
    2009-02-25 21:32 45,056 a------- c:\windows\system32\aticalcl.dll
    2009-02-25 21:32 626,688 a------- c:\windows\system32\dllcache\ati2cqag.dll
    2009-02-25 21:32 626,688 a------- c:\windows\system32\ati2cqag.dll
    2009-02-25 21:30 3,227,648 a------- c:\windows\system32\aticaldd.dll
    2009-02-25 16:15 593,920 -------- c:\windows\system32\ati2sgag.exe
    2009-02-20 09:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
    2009-02-20 09:10 666,112 a------- c:\windows\system32\wininet.dll
    2009-02-20 09:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
    2009-02-20 09:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
    2009-02-20 09:10 81,920 a------- c:\windows\system32\ieencode.dll
    2009-02-20 09:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
    2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
    2009-02-09 13:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
    2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
    2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
    2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
    2009-02-09 13:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
    2009-02-09 13:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
    2009-02-09 13:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
    2009-02-09 13:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
    2009-02-09 13:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
    2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-09 12:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
    2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
    2009-02-06 12:11 110,592 -------- c:\windows\system32\dllcache\services.exe
    2009-02-06 12:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-02-06 12:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
    2009-02-06 12:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
    2009-02-06 11:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
    2009-02-06 11:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
    2009-02-06 11:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-02-06 11:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
    2009-02-03 20:59 56,832 a------- c:\windows\system32\secur32.dll
    2009-02-03 20:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
    2009-01-26 18:55 182,995 a------- c:\windows\system32\atiicdxx.dat
    2005-09-05 06:12 389,120 a------- c:\program files\pwsafe.exe
    2006-05-03 11:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
    2007-02-21 12:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
    2008-03-16 14:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

    ============= FINISH: 15:55:57.93 ===============
     
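A small triage script, added here as an editor's example and not part of the thread or of the DDS tool, that parses the two DDS sections posted above ("Created Last 30" and "SERVICES / DRIVERS") and flags (a) files under system32 carrying both hidden and system attributes and (b) services or drivers whose binary appears in the recently created list. The embedded sample log is a subset of lines copied from the post above; the heuristics are the example's own, and a hit is a reason to look, not a verdict (it also flags the codec DLLs such as nbDX.dll written in the same minute as the eRightSoft folder). The `filename.exe:file0000` names Sophos reported in the first post use NTFS alternate data stream notation (`file:stream`); DDS does not list streams, so a log parser like this cannot see them.

```python
"""Triage helper for DDS-style logs (added example; heuristics are the author's assumptions)."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Subset of lines copied from the DDS output posted in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
S2 securentm;securentm;c:\windows\system32\drivers\securentm.sys [2009-4-21 30464]
S2 TapiSrvMDM;Telephony TapiSrvMDM;c:\windows\system32\3com_dmit.exe srv --> c:\windows\system32\3com_dmit.exe srv [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================

2009-04-21 14:31 30,464 a------- c:\windows\system32\drivers\securentm.sys
2009-04-21 09:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-20 16:49 32 a--s---- c:\windows\system32\617123649.dat
2009-04-20 16:49 53,248 ---shr-- c:\windows\system32\3com_dmit.exe
2009-04-15 16:44 216,064 ---shr-- c:\windows\system32\nbDX.dll
2009-03-25 17:50 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
"""

# "YYYY-MM-DD HH:MM  size|<DIR>  8-char attribute string  path"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+?)\s*$")
# "R2 Name;Display name;path and whatever follows"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# First drive-letter path ending in a PE/driver extension, ignoring args and "-->" echoes.
PATH_RE = re.compile(r"([a-z]:\\[^\[]*?\.(?:exe|sys|dll))", re.IGNORECASE)

SYSTEM_DIR = "c:\\windows\\system32\\"  # assumed install drive, as in the posted log


@dataclass
class Entry:
    path: str
    created: Optional[date] = None
    attrs: str = ""
    reasons: List[str] = field(default_factory=list)


def parse_dds(text: str) -> Tuple[Dict[str, Entry], List[Tuple[str, str, str]]]:
    """Return (created files keyed by lower-case path, [(status, name, binary path)])."""
    section = None
    created: Dict[str, Entry] = {}
    services: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):                 # section banner, e.g. "==== Find3M ===="
            section = line.strip("= ").lower()
            continue
        if not line:
            continue
        if section in ("created last 30", "find3m"):
            m = CREATED_RE.match(line)
            if m:
                created[m.group(5).lower()] = Entry(
                    path=m.group(5), created=date.fromisoformat(m.group(1)), attrs=m.group(4))
        elif section == "services / drivers":
            m = SERVICE_RE.match(line)
            if m:
                p = PATH_RE.search(m.group(4))
                services.append((m.group(1), m.group(2), p.group(1) if p else m.group(4)))
    return created, services


def triage(text: str) -> List[Entry]:
    """Apply two heuristics and return flagged entries with the reasons for each."""
    created, services = parse_dds(text)
    findings: Dict[str, Entry] = {}

    def note(path: str, reason: str) -> None:
        e = findings.setdefault(path.lower(), created.get(path.lower()) or Entry(path=path))
        if reason not in e.reasons:
            e.reasons.append(reason)

    # (a) regular files under system32 marked hidden AND system: unusual for legitimate installs.
    for key, e in created.items():
        if key.startswith(SYSTEM_DIR) and "h" in e.attrs and "s" in e.attrs and "d" not in e.attrs:
            note(e.path, "hidden+system file under system32 (attrs %s)" % e.attrs)

    # (b) a service/driver registration whose binary is in the recently created list.
    for status, name, path in services:
        if path.lower() in created:
            note(path, "service %s (%s) runs a binary created %s"
                 % (name, status, created[path.lower()].created))

    return sorted(findings.values(), key=lambda e: e.path.lower())


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.path)
        for r in e.reasons:
            print("   -", r)
```

Feed it the whole DDS.txt instead of `SAMPLE_LOG` and read the reasons, not just the list: a service pointing at a binary created the same day as the first detections, or a hidden+system executable registered as a service, is worth pulling for a second opinion before anything is deleted.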
  5. 2009/04/30
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome



    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, thank you.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  6. 2009/05/01
    slunge

    slunge Inactive Thread Starter

    Joined:
    2009/04/21
    Messages:
    6
    Likes Received:
    0
    Just to keep this up to date: I managed to reset the registry permissions using a Microsoft tool, which then let me open regedit and subsequently install the latest Sophos Anti-Virus, which I did a couple of runs of (it removed a few odds and sods). Just preparing to run ComboFix now and will update with the logs.

    Thanks for your help.
     
  7. 2009/05/01
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal, post the logs when you can.
     
  8. 2009/05/01
    slunge

    slunge Inactive Thread Starter

    Joined:
    2009/04/21
    Messages:
    6
    Likes Received:
    0
    OK, logs below: HJT first, ComboFix to follow:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:37:28, on 01/05/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Creative\Software Update 3\SoftAuto.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\Creative\Software Update 3\SoftU.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\HijackThis\lame.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SoftAuto.exe] "C:\Program Files\Creative\Software Update 3\SoftAuto.exe "
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O15 - Trusted IP range: 127.0.0.1
    O15 - Trusted IP range: 192.168.120.241
    O15 - Trusted IP range: 192.168.101.235
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = admagicsoho.co.uk
    O17 - HKLM\Software\..\Telephony: DomainName = admagicsoho.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{68BDA895-D967-451E-9DC3-839739E619CD}: NameServer = 192.168.104.225,192.168.101.231
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = admagicsoho.co.uk
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    O24 - Desktop Component 0: (no name) - C:\Documents and Settings\amurdoch.ADMAGICSOHO\My Documents\My Pictures\phonelist.JPG

    --
    End of file - 7379 bytes
     
  9. 2009/05/01
    slunge

    slunge Inactive Thread Starter

    Joined:
    2009/04/21
    Messages:
    6
    Likes Received:
    0
    Also something to note: Sophos hasn't warned me of anything; however, Firefox is ultra slow now browsing and is frequently maxing out the CPU. The PC generally feels sluggish. Cheers for the help.

    ComboFix 09-04-30.05 - amurdoch 01/05/2009 14:14.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2310 [GMT 1:00]
    Running from: c:\documents and settings\amurdoch.ADMAGICSOHO\Desktop\cmbo12345.exe
    AV: Sophos Anti-Virus *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\AMURDO~1.ADM\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0002\~de7b92.tmp
    c:\docume~1\AMURDO~1.ADM\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0002\~df394b.tmp
    c:\docume~1\AMURDO~1.ADM\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0004\~df394b.tmp
    c:\documents and settings\amurdoch.ADMAGICSOHO\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0002\~de7b92.tmp
    c:\documents and settings\amurdoch.ADMAGICSOHO\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0002\~df394b.tmp
    c:\documents and settings\amurdoch.ADMAGICSOHO\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0004\~df394b.tmp
    c:\windows\IE4 Error Log.txt

    .
    ((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
    .

    2009-05-01 08:46 . 2009-05-01 08:51 -------- d-----w C:\Cmbo
    2009-04-24 08:57 . 2009-04-24 08:57 8 ----a-w c:\windows\system32\nvModes.dat
    2009-04-24 08:55 . 2009-04-24 08:55 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
    2009-04-24 08:47 . 2009-04-24 08:47 -------- d-----w c:\windows\system32\AGEIA
    2009-04-24 08:47 . 2009-04-24 08:47 -------- d-----w c:\program files\AGEIA Technologies
    2009-04-24 08:47 . 2009-04-24 08:47 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-04-24 08:46 . 2009-04-24 08:46 -------- d-----w c:\windows\nview
    2009-04-24 08:46 . 2009-03-27 09:03 453152 ----a-w c:\windows\system32\nvudisp.exe
    2009-04-24 08:46 . 2009-03-27 07:14 453152 ----a-w c:\windows\system32\NVUNINST.EXE
    2009-04-23 15:17 . 2009-04-23 15:17 -------- d-----w c:\program files\EA Games
    2009-04-22 11:37 . 2009-04-22 11:37 -------- d-----w c:\program files\NO1 DVD Audio Ripper
    2009-04-22 08:29 . 2009-03-23 15:13 130104 ----a-w c:\windows\system32\sdccoinstaller.dll
    2009-04-22 08:28 . 2009-04-22 08:28 -------- d-----w c:\program files\Common Files\Cisco Systems
    2009-04-22 08:28 . 2008-08-21 13:23 23552 ----a-w c:\windows\system32\SophosBootTasks.exe
    2009-04-22 08:13 . 2009-04-22 08:13 -------- d-----w c:\documents and settings\Administrator\Application Data\ATI
    2009-04-22 08:13 . 2009-04-22 08:13 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\ATI
    2009-04-21 14:13 . 2009-01-05 11:41 38528 ----a-w c:\windows\system32\drivers\savonaccessfilter.sys
    2009-04-21 14:13 . 2008-05-23 07:38 14976 ----a-w c:\windows\system32\drivers\SophosBootDriver.sys
    2009-04-21 14:13 . 2009-01-05 11:41 110848 ----a-w c:\windows\system32\drivers\savonaccesscontrol.sys
    2009-04-21 14:13 . 2009-04-21 14:13 -------- d-----w C:\savwsa
    2009-04-21 08:58 . 2009-04-21 08:58 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-04-21 08:38 . 2009-04-21 08:38 -------- d-----w c:\documents and settings\amurdoch.ADMAGICSOHO\Application Data\Malwarebytes
    2009-04-21 08:38 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-21 08:38 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-21 08:38 . 2009-04-21 08:38 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-21 08:38 . 2009-04-21 08:38 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-21 08:33 . 2009-04-21 08:33 -------- d-----w c:\documents and settings\amurdoch.ADMAGICSOHO\Local Settings\Application Data\{836B56EA-02FF-4B41-88BA-3FDD4F129237}
    2009-04-20 15:49 . 2009-04-21 08:26 32 --s-a-w c:\windows\system32\617123649.dat
    2009-04-17 16:41 . 2009-04-17 16:41 2853 ----a-w C:\slunew.zip
    2009-04-17 12:29 . 2009-04-17 12:29 -------- d-----w c:\documents and settings\All Users\Application Data\id Software
    2009-04-16 05:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-16 05:51 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-16 05:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-16 05:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-16 05:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-16 05:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-16 05:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-16 05:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-16 05:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-16 05:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-16 05:51 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-16 05:51 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-29 16:59 . 2008-11-06 11:07 -------- d-----w c:\program files\NCH Software
    2009-04-28 14:48 . 2009-01-30 15:43 -------- d-----w c:\program files\BOB Books
    2009-04-24 08:29 . 2009-03-20 10:30 -------- d-----w c:\program files\ATI Technologies
    2009-04-24 08:27 . 2009-01-26 10:12 -------- d-----w c:\program files\Steam
    2009-04-22 08:28 . 2008-06-04 13:17 -------- d-----w c:\program files\Sophos
    2009-04-22 08:27 . 2008-05-26 17:05 87144 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-17 12:29 . 2008-07-10 16:50 22328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2009-04-17 12:29 . 2008-07-10 16:50 22328 ----a-w c:\documents and settings\amurdoch.ADMAGICSOHO\Application Data\PnkBstrK.sys
    2009-04-17 12:29 . 2008-07-10 16:49 107832 ----a-w c:\windows\system32\PnkBstrB.exe
    2009-04-17 12:29 . 2008-07-10 16:49 66872 ----a-w c:\windows\system32\PnkBstrA.exe
    2009-04-17 12:29 . 2008-07-10 16:49 2246144 ----a-w c:\windows\system32\pbsvc.exe
    2009-04-02 08:26 . 2008-06-16 09:25 -------- d-----w c:\program files\Winamp
    2009-03-25 16:54 . 2009-03-25 16:54 -------- d-----w c:\program files\iTunes
    2009-03-25 16:54 . 2009-03-25 16:54 -------- d-----w c:\program files\iPod
    2009-03-25 16:54 . 2008-06-27 09:52 -------- d-----w c:\program files\Common Files\Apple
    2009-03-25 16:53 . 2009-03-25 16:53 -------- d-----w c:\program files\Bonjour
    2009-03-25 16:52 . 2008-06-16 14:21 -------- d-----w c:\program files\QuickTime
    2009-03-25 14:52 . 2009-03-25 14:49 -------- d-----w c:\program files\SWF to Video Converter
    2009-03-20 17:11 . 2009-03-20 16:53 -------- d-----w c:\program files\Audacity
    2009-03-20 10:37 . 2009-03-20 10:37 0 ----a-w c:\windows\ativpsrm.bin
    2009-03-20 10:30 . 2008-05-26 16:53 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-16 15:03 . 2009-01-16 15:11 -------- d-----w c:\program files\Creative
    2009-03-10 15:56 . 2009-03-10 15:56 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-10 15:56 . 2008-05-26 16:49 -------- d-----w c:\program files\Java
    2009-03-06 14:22 . 2008-06-04 09:55 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-05 23:59 . 2009-03-25 16:50 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
    2009-03-05 23:59 . 2008-06-27 09:52 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
    2009-02-25 22:58 . 2008-06-04 09:52 3565568 ----a-w c:\windows\system32\drivers\ati2mtag.sys
    2009-02-25 21:41 . 2008-04-14 00:11 325120 ------w c:\windows\system32\ati2dvag.dll
    2009-02-25 21:16 . 2008-04-14 00:11 3817984 ------w c:\windows\system32\ati3duag.dll
    2009-02-25 20:59 . 2008-04-14 00:11 2670080 ------w c:\windows\system32\ativvaxx.dll
    2009-02-25 20:32 . 2008-04-14 00:11 626688 ------w c:\windows\system32\ati2cqag.dll
    2009-02-25 15:58 . 2009-01-26 17:01 256 ----a-w c:\windows\system32\pool.bin
    2009-02-20 08:10 . 2008-06-04 09:55 666112 ----a-w c:\windows\system32\wininet.dll
    2009-02-20 08:10 . 2008-06-04 09:55 81920 ----a-w c:\windows\system32\ieencode.dll
    2009-02-09 12:10 . 2008-06-04 09:55 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2008-06-04 09:55 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2008-06-04 09:55 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2008-06-04 09:55 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2008-06-04 09:55 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-06 11:11 . 2008-06-04 09:55 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:06 . 2008-06-04 09:55 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2004-08-11 16:00 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:32 . 2008-06-04 09:55 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-03 19:59 . 2008-06-04 09:55 56832 ----a-w c:\windows\system32\secur32.dll
    2005-09-05 05:12 . 2008-09-01 14:06 389120 ----a-w c:\program files\pwsafe.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-22 16132608]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2008-12-23 245760]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= c:\documents and settings\amurdoch.ADMAGICSOHO\My Documents\My Pictures\phonelist.JPG
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @="service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk
    backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "mW[íµˆÖ¾`=µÃº¾Ëœv%S8’ÿÙêé>grl>*Ã\†Ã=Ÿà۱Þ"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\Call of Duty\\CoDMP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
    "c:\\WINDOWS\\system32\\userinit.exe"=
    "c:\\WINDOWS\\RTHDCPL.EXE"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
    R3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
    R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2008-05-23 14976]
    S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2009-01-05 110848]
    S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2009-01-05 38528]
    S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2008-09-22 69632]
    S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2008-08-21 98304]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-AtiExtEvent - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    TCP: {68BDA895-D967-451E-9DC3-839739E619CD} = 192.168.104.225,192.168.101.231
    FF - ProfilePath - c:\documents and settings\amurdoch.ADMAGICSOHO\Application Data\Mozilla\Firefox\Profiles\qbo38qz0.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
    FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
    FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-01 14:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(836)
    c:\program files\Bonjour\mdnsNSP.dll

    - - - - - - - > 'explorer.exe'(2780)
    c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
    c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Creative\Shared Files\CTDevSrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\PnkBstrB.exe
    c:\program files\Sophos\AutoUpdate\ALsvc.exe
    c:\program files\RealVNC\VNC4\winvnc4.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Creative\Software Update 3\SoftU.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-01 14:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-01 13:23

    Pre-Run: 257,336,537,088 bytes free
    Post-Run: 258,444,759,040 bytes free

    321 --- E O F --- 2009-04-29 02:00
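A small triage helper for the "DLLs Loaded Under Running Processes" and "Other Running Processes" sections of the log above, added here as an example and not part of the thread or of ComboFix itself: it parses those two blocks and flags any module loaded from outside the Windows and Program Files trees, which is what a helper scans these sections for by eye. The sample log is a constructed excerpt in ComboFix's layout; EXAMPLE_suspect.dll and EXAMPLE_dropper.exe are hypothetical names inserted to produce a hit.

```python
import re

# Constructed excerpt in ComboFix's layout; the EXAMPLE_* names are hypothetical, added to show a hit.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(836)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2780)
c:\windows\system32\WPDShServiceObj.dll
c:\documents and settings\All Users\Application Data\EXAMPLE_suspect.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\docume~1\user\locals~1\temp\EXAMPLE_dropper.exe
.
"""

# Where installed code normally lives; anything loaded from a profile, temp or
# "Application Data" path is what a helper reads these sections for.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

HEADER_RE = re.compile(r"^-+ (.+?) -+$")                                  # section banner
PROCESS_RE = re.compile(r"^(?:- )+> '(?P<name>[^']+)'\((?P<pid>\d+)\)$")  # host process line

def parse_sections(text):
    """Return {section: [(process or None, path), ...]} from a ComboFix-style log."""
    sections, current, process = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := HEADER_RE.match(line):
            current, process = m.group(1), None
            sections[current] = []
        elif m := PROCESS_RE.match(line):
            process = f"{m['name']}({m['pid']})"
        elif current is not None and line.lower().startswith("c:\\"):
            sections[current].append((process, line))
    return sections

def untrusted_paths(text):
    """Return (section, process, path) for every path outside TRUSTED_PREFIXES."""
    return [
        (section, process, path)
        for section, entries in parse_sections(text).items()
        for process, path in entries
        if not path.lower().startswith(TRUSTED_PREFIXES)
    ]
```

Paths in the real log above (Bonjour, Roxio, Sophos, PnkBstr, RealVNC) all sit under the trusted trees, so on that log the helper returns nothing; the short-name forms like c:\progra~1 are accepted because ComboFix prints some entries that way.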
     
  10. 2009/05/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Let's close a vulnerability and security hole.

    Your version of Adobe is out of date.

    You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
    For more information and links to Adobe updates and downloads click here.

    ***************************

    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================


    I can see MBAM is onboard.
    I'd like to get the program updated and run a quick scan.


    Double-click Malwarebytes' Anti-Malware icon to open the program.
    Click on the Update Tab

    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location.
    • You can also access the log by doing the following:
      o Click on the Malwarebytes' Anti-Malware icon to launch the program.
      o Click on the Logs tab.
      o Click on the log at the bottom of those listed to highlight it.
      o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ***********************


    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      o Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      o Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      o Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    MBAM log
    Kaspersky log
    New HJT log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.


    How's your computer now?
     
  11. 2009/05/17
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Glad we could help. :)

    Since this issue appears resolved ... this Topic is closed.
     