
Inactive Help! Virus from hell....

Discussion in 'Malware and Virus Removal Archive' started by potatosalad, 2009/01/24.

  1. 2009/01/24
    potatosalad


    Hi,

    While happily surfing the net, my computer suddenly became infected with an evil invention called Spyware Protect 2009. After trying (in vain) to get rid of this beastie by searching for it and following the lame websites offering to sell me software, I found this place.

    The virus seems to have made things as difficult as possible for me, by blocking all useful downloads and generally being a pain in the a*se.

    I have access to another computer and have downloaded the software and posted the logs below.

    Any help greatly appreciated :)

    DDS (Ver_09-01-19.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 07/05/2005 16:24:05
    System Uptime: 24/01/2009 17:26:09 (0 hours ago)

    Motherboard: MSI | | MS-6712
    Processor: AMD Athlon(tm) XP 2600+ | Socket-A | 1921/166mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 4.405 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is FIXED (NTFS) - 115 GiB total, 4.482 GiB free.
    G: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    ACE-HIGH MP3 WAV WMA OGG Converter
    Adobe Flash Player Plugin
    Adobe Reader 8.1.2
    Adobe Shockwave Player
    Advanced Uninstaller PRO - Version 9
    Alive MP3 WAV Converter 3.8.0.9
    µTorrent
    Counter-Strike
    DivX
    DivX Player
    DivX Total Pack
    DivX Web Player
    eMule Plus 1.2d
    Free PDF Text Reader
    getPlus(R)
    Half-Life(R) 2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB926239)
    hp instant support
    hp officejet 6100 series
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp officejet 6100 series
    InterVideo WinDVD4
    Java(TM) 6 Update 11
    Kerio Personal Firewall
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 2000 Premium
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C Runtime
    Microsoft Visual C++ 2005 Redistributable
    MIKSOFT Mobile AMR converter
    Mozilla Firefox (2.0.0.20)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Nero 7 Ultra Edition
    NVIDIA Drivers
    PC Tools Internet Security 2009
    QuickTime
    Realtek AC'97 Audio
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960714)
    SoulSeek Client 156c
    Steam(TM)
    System Requirements Lab
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Update Service
    VIA Rhine-Family Fast Ethernet Adapter
    VideoLAN VLC media player 0.8.6a
    WebFldrs XP
    Winamp (remove only)
    WinAVI Video Converter
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    20/01/2009 11:52:56, error: Service Control Manager [7000] - The EIO service failed to start due to the following error: The system cannot find the file specified.
    18/01/2009 15:34:40, error: WPDMTPDriver [15300] - MTP WPD Driver has failed to start. Error 0x80070005.
    23/01/2009 17:02:46, error: Service Control Manager [7034] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s).
    23/01/2009 20:02:32, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    23/01/2009 20:02:58, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    23/01/2009 20:02:58, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    23/01/2009 20:02:58, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    23/01/2009 20:02:58, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    23/01/2009 20:02:58, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 AvgLdx86 AvgMfx86 Fips IPSec MRxSmb NetBIOS NetBT pctfw2 RasAcd Rdbss Tcpip WS2IFSL
    23/01/2009 20:03:05, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    ==== End Of File ===========================


    DDS (Ver_09-01-19.01) - NTFSx86
    Run by jules at 17:27:29.18 on 24/01/2009
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.767.508 [GMT 0:00]

    AV: Internet Security Anti-Virus *On-access scanning disabled* (Updated)
    FW: Kerio Personal Firewall *disabled*
    FW: Internet Security Firewall *disabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\sysguard.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Documents and Settings\jules\Desktop\dds.scr
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/ig?hl=en
    mStart Page = about:blank
    mSearch Bar =
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchAssistant =
    uCustomizeSearch =
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [sysguard] c:\windows\sysguard.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
    uPolicies-explorer: NoThemesTab = 0 (0x0)
    uPolicies-system: NoColorChoice = 0 (0x0)
    uPolicies-system: NoSizeChoice = 0 (0x0)
    uPolicies-system: NoVisualStyleChoice = 0 (0x0)
    uPolicies-system: NoDispSettingsPage = 0 (0x0)
    IE: Open with &ZipScan - c:\progra~1\zipsca~1\zs_ie.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by121w.bay121.mail.live.com/mail/resources/MsnPUpld.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177024403984
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: {8A61098D-612B-4EF2-943D-64E920684061} - No File

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\jules\applic~1\mozilla\firefox\profiles\aip3ezbi.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

    ============= SERVICES / DRIVERS ===============

    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-1-23 51520]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-1-23 38208]
    R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-3-21 270336]
    R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-1-23 160808]
    S3 atidgllk;atidgllk;\??\c:\program files\asus\smartdoctor\atidgllk.sys --> c:\program files\asus\smartdoctor\atidgllk.sys [?]
    S3 FWAuth;FWAuth Driver;c:\windows\system32\drivers\FWAuthDriver.sys [2009-1-23 58152]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-3 31592]
    S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-23 40872]
    S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-23 66984]
    S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-23 81320]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools internet security\pctsAuxs.exe [2009-1-23 356920]
    S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools internet security\pctsSvc.exe [2009-1-23 1079208]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-1-23 33088]
    S3 ThreatFire;ThreatFire;c:\program files\pc tools internet security\tfengine\tfservice.exe service --> c:\program files\pc tools internet security\tfengine\TFService.exe service [?]

    =============== Created Last 30 ================

    2009-01-23 19:12 <DIR> --d----- c:\docume~1\jules\applic~1\PCToolsFirewallPlus
    2009-01-23 19:12 <DIR> --d----- c:\docume~1\jules\applic~1\PCToolsSpamMonitorPlus
    2009-01-23 18:29 160,808 a------- c:\windows\system32\drivers\pctfw2.sys
    2009-01-23 18:28 51,520 a------- c:\windows\system32\drivers\TfFsMon.sys
    2009-01-23 18:28 38,208 a------- c:\windows\system32\drivers\TfSysMon.sys
    2009-01-23 18:28 33,088 a------- c:\windows\system32\drivers\TfNetMon.sys
    2009-01-23 18:28 12,608 a------- c:\windows\system32\drivers\TfKbMon.sys
    2009-01-23 18:28 93,952 a------- c:\windows\system32\drivers\pctfw.sys
    2009-01-23 18:28 58,152 a------- c:\windows\system32\drivers\FWAuthDriver.sys
    2009-01-23 18:28 81,320 a------- c:\windows\system32\drivers\iksyssec.sys
    2009-01-23 18:28 66,984 a------- c:\windows\system32\drivers\iksysflt.sys
    2009-01-23 18:28 40,872 a------- c:\windows\system32\drivers\ikfilesec.sys
    2009-01-23 18:28 29,608 a------- c:\windows\system32\drivers\kcom.sys
    2009-01-23 18:28 <DIR> --d----- c:\program files\common files\PC Tools
    2009-01-23 18:28 <DIR> --d----- c:\program files\PC Tools Internet Security
    2009-01-23 18:28 <DIR> --d----- c:\docume~1\jules\applic~1\PC Tools
    2009-01-23 18:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
    2009-01-23 16:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
    2009-01-23 14:45 266,248 a------- c:\windows\sysguard.exe
    2009-01-23 14:45 9,216 a------- c:\windows\system32\iehelper.dll
    2009-01-19 23:02 54,156 a---h--- c:\windows\QTFont.qfn
    2009-01-19 23:02 1,409 a------- c:\windows\QTFont.for
    2009-01-13 16:42 208,896 a------- c:\windows\system32\nvudisp.exe
    2009-01-13 16:42 88,566 a------- c:\windows\system32\nvapps.xml
    2009-01-13 16:42 17,056 a------- c:\windows\system32\nvdisp.nvu
    2009-01-13 16:42 <DIR> --d----- c:\windows\nview
    2009-01-13 16:42 208,896 a------- c:\windows\system32\NVUNINST.EXE
    2009-01-13 15:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Innovative Solutions
    2009-01-13 15:29 42,496 a------- c:\windows\system32\AdvUninstCPL.cpl
    2009-01-13 15:29 <DIR> --d----- c:\program files\Innovative Solutions
    2009-01-06 18:21 <DIR> --d----- c:\program files\WinAVI Video Converter
    2009-01-06 15:08 40,960 a------- c:\windows\system32\DGPNorm.ocx
    2009-01-06 15:08 <DIR> --d----- c:\program files\ACE-HIGH MP3 WAV WMA OGG Converter

    ==================== Find3M ====================

    2009-01-13 16:38 7,480 a------- c:\windows\system32\d3d9caps.dat
    2008-12-11 11:57 333,184 a------- c:\windows\system32\drivers\srv.sys
    2008-12-07 23:01 410,984 a------- c:\windows\system32\deploytk.dll

    ============= FINISH: 17:29:21.71 ===============
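Added example (not code from the original post, from DDS or from ComboFix): a small Python triage script that applies, mechanically, the checks a removal helper makes by eye on the autostart lines in the report above. The sample lines are copied from the DDS "Pseudo HJT Report" in this post and from the ComboFix registry dump later in the thread (quote spacing normalised); the rule names, the `triage()` and `Finding` names and the heuristics themselves are choices made for this example, and every hit is a lead to confirm against the file on disk, not a verdict.

```python
"""Triage of DDS / ComboFix autostart lines for rogue-AV persistence.

Added example; not from the forum post, DDS or ComboFix. Rule names and
helper names are chosen here, and every hit is a lead to check on disk.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs in this thread (quote spacing
# normalised). Benign entries are included so the rules have misses as well.
SAMPLE_LINES = [
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll",
    r"uRun: [sysguard] c:\windows\sysguard.exe",
    r"mRun: [SoundMan] SOUNDMAN.EXE",
    r'mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"',
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
    r'"AntiVirusOverride"=dword:00000001',
]

USERINIT_EXPECTED = r"c:\windows\system32\userinit.exe"

_USERINIT = re.compile(r"^mWinlogon: Userinit=(.*)$", re.I)
_BHO = re.compile(r"^BHO: (.*?): \{[0-9a-f-]+\} - (.*)$", re.I)
_RUN = re.compile(r"^[umd]Run: \[[^\]]+\] (.*)$")
_SC_OVERRIDE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"\s*=\s*dword:0*1$', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str
    detail: str


def _image_path(cmd: str) -> str:
    """First executable path of a Run command, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(lines):
    """Return the Finding list for a sequence of log lines, in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = _USERINIT.match(line)
        if m:
            # Userinit should name userinit.exe only. Every extra comma-separated
            # image is launched at each logon, which is how twex.exe is wired in.
            for image in (p.strip() for p in m.group(1).split(",")):
                if image and image.lower() != USERINIT_EXPECTED:
                    findings.append(Finding("userinit-hijack", line, image))
            continue
        m = _BHO.match(line)
        if m:
            name, dll = m.group(1).strip(), m.group(2).strip()
            # Registered BHOs normally carry a friendly name; when the field is
            # empty or just repeats the "BHO" tag, the CLSID had none.
            if name.lower() in ("", "bho"):
                findings.append(Finding("unnamed-bho", line, dll))
            continue
        m = _RUN.match(line)
        if m:
            path = _image_path(m.group(1)).lower()
            # An EXE dropped straight into %SystemRoot% and started from a Run
            # key is a rogue-AV pattern. Heuristic: Realtek's SOUNDMAN.EXE also
            # lives there, but its Run value carries no path, so it is skipped.
            if ntpath.dirname(path) == r"c:\windows":
                findings.append(Finding("run-from-windows-root", line, path))
            continue
        m = _SC_OVERRIDE.match(line)
        if m:
            # These Security Center values silence the "no antivirus/firewall"
            # warning. Users rarely set them; rogues do, to hide a disabled AV.
            findings.append(Finding("security-center-override", line, m.group(1)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.rule:26} {f.detail}")
```

Run as-is it prints four leads: the twex.exe appended to Userinit, the unnamed BHO at c:\windows\system32\iehelper.dll, c:\windows\sysguard.exe started from the user's Run key, and the AntiVirusOverride value that keeps Security Center quiet about the disabled scanner. Everything else in the sample (Adobe, Java, NVIDIA, SoundMan) passes, which is the point of the heuristics: they narrow a long report to the handful of entries worth checking on disk.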
     
  2. 2009/01/25
    potatosalad

    I downloaded ComboFix from another computer, and installed it on the infected one. Here is the log:

    ComboFix 09-01-21.04 - jules 2009-01-25 17:56:31.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.560 [GMT 0:00]
    Running from: g:\julian\123.exe
    AV: Internet Security Anti-Virus *On-access scanning disabled* (Updated)
    FW: Internet Security Firewall *disabled*
    FW: Kerio Personal Firewall *enabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\desktopA.sys
    c:\windows\system32\drivers\TDSSkcyg.sys
    c:\windows\system32\iehelper.dll
    c:\windows\system32\ojpffsmo.ini
    c:\windows\system32\rttss.ini
    c:\windows\system32\TDSScvus.dll
    c:\windows\system32\TDSSeyih.dll
    c:\windows\system32\TDSSffqr.dll
    c:\windows\system32\TDSSmihi.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoruj.dll
    c:\windows\system32\TDSSptxo.dll
    c:\windows\system32\TDSStwtv.log
    c:\windows\system32\TDSSvivy.dat
    c:\windows\system32\TDSSypdm.log
    c:\windows\system32\twex.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSserv.sys
    -------\Legacy_TDSSserv.sys


    ((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
    .

    2009-01-23 19:12 . 2009-01-23 19:12 <DIR> d-------- c:\documents and settings\jules\Application Data\PCToolsSpamMonitorPlus
    2009-01-23 19:12 . 2009-01-23 19:12 <DIR> d-------- c:\documents and settings\jules\Application Data\PCToolsFirewallPlus
    2009-01-23 18:29 . 2009-01-23 20:04 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-01-23 18:29 . 2008-08-25 12:36 160,808 --a------ c:\windows\system32\drivers\pctfw2.sys
    2009-01-23 18:28 . 2009-01-23 20:04 <DIR> d-------- c:\program files\PC Tools Internet Security
    2009-01-23 18:28 . 2009-01-23 18:28 <DIR> d-------- c:\program files\Common Files\PC Tools
    2009-01-23 18:28 . 2009-01-23 18:28 <DIR> d-------- c:\documents and settings\jules\Application Data\PC Tools
    2009-01-23 18:28 . 2009-01-23 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
    2009-01-23 18:28 . 2008-07-17 17:53 93,952 --a------ c:\windows\system32\drivers\pctfw.sys
    2009-01-23 18:28 . 2008-08-25 12:36 81,320 --a------ c:\windows\system32\drivers\iksyssec.sys
    2009-01-23 18:28 . 2008-08-25 12:36 66,984 --a------ c:\windows\system32\drivers\iksysflt.sys
    2009-01-23 18:28 . 2008-08-25 12:36 58,152 --a------ c:\windows\system32\drivers\FWAuthDriver.sys
    2009-01-23 18:28 . 2008-06-06 12:15 51,520 --a------ c:\windows\system32\drivers\TfFsMon.sys
    2009-01-23 18:28 . 2008-08-25 12:36 40,872 --a------ c:\windows\system32\drivers\ikfilesec.sys
    2009-01-23 18:28 . 2008-06-06 12:15 38,208 --a------ c:\windows\system32\drivers\TfSysMon.sys
    2009-01-23 18:28 . 2008-06-06 12:15 33,088 --a------ c:\windows\system32\drivers\TfNetMon.sys
    2009-01-23 18:28 . 2008-07-03 19:06 29,608 --a------ c:\windows\system32\drivers\kcom.sys
    2009-01-23 18:28 . 2008-06-06 12:15 12,608 --a------ c:\windows\system32\drivers\TfKbMon.sys
    2009-01-23 16:57 . 2009-01-24 17:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2009-01-23 14:45 . 2009-01-23 14:45 266,248 --a------ c:\windows\sysguard.exe
    2009-01-23 14:44 . 2009-01-23 14:44 <DIR> d--hs---- c:\windows\system32\twain32
    2009-01-19 23:02 . 2009-01-19 23:02 54,156 --ah----- c:\windows\QTFont.qfn
    2009-01-19 23:02 . 2009-01-19 23:02 1,409 --a------ c:\windows\QTFont.for
    2009-01-13 16:42 . 2009-01-13 16:44 <DIR> d-------- c:\windows\nview
    2009-01-13 16:42 . 2006-10-22 15:06 208,896 --a------ c:\windows\system32\NVUNINST.EXE
    2009-01-13 16:42 . 2006-10-22 12:22 208,896 --a------ c:\windows\system32\nvudisp.exe
    2009-01-13 16:42 . 2009-01-25 17:42 88,566 --a------ c:\windows\system32\nvapps.xml
    2009-01-13 16:42 . 2006-10-22 12:22 17,056 --a------ c:\windows\system32\nvdisp.nvu
    2009-01-13 15:29 . 2009-01-13 15:29 <DIR> d-------- c:\program files\Innovative Solutions
    2009-01-13 15:29 . 2009-01-13 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Innovative Solutions
    2009-01-13 15:29 . 2006-11-22 11:35 42,496 --a------ c:\windows\system32\AdvUninstCPL.cpl
    2009-01-13 15:10 . 2009-01-13 15:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
    2009-01-06 18:21 . 2009-01-06 18:21 <DIR> d-------- c:\program files\WinAVI Video Converter
    2009-01-06 15:08 . 2009-01-06 15:10 <DIR> d-------- c:\program files\ACE-HIGH MP3 WAV WMA OGG Converter
    2009-01-06 15:08 . 2001-08-08 21:00 40,960 --a------ c:\windows\system32\DGPNorm.ocx

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-23 18:30 --------- d-----w c:\documents and settings\jules\Application Data\uTorrent
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\dvdcss
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\BearShare
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\ATI
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\.BitTornado
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\.ABC
    2009-01-13 16:25 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-01-13 15:47 --------- d-----w c:\program files\Gabest
    2009-01-13 15:47 --------- d-----w c:\program files\BadgerIT
    2009-01-13 15:45 --------- d-----w c:\program files\Real
    2009-01-13 15:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-13 15:39 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-13 15:39 --------- d-----w c:\program files\iRiver
    2009-01-13 15:36 --------- d-----w c:\program files\bobyte
    2009-01-10 11:29 --------- d-----w c:\program files\eMule
    2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-09 16:58 --------- d-----w c:\program files\uTorrent
    2008-12-07 23:02 --------- d-----w c:\documents and settings\jules\Application Data\SystemRequirementsLab
    2008-12-07 23:01 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-12-07 23:01 --------- d-----w c:\program files\Java
    2008-12-24 15:11 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-12-24 15:11 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-12-24 15:11 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-12-24 15:11 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-12-24 15:11 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
    "sysguard "= "c:\windows\sysguard.exe" [2009-01-23 266248]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "SoundMan "= "SOUNDMAN.EXE" [2006-03-01 c:\windows\soundman.exe]
    "nwiz "= "nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2004-06-16 28672]
    officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2004-06-16 147456]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32 "= DivXa32.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\utorrent\\utorrent.exe "=
    "c:\\Program Files\\Kerio\\Personal Firewall 4\\kpf4gui.exe "=

    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-01-23 51520]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-01-23 38208]
    R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-03-21 270336]
    R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-23 160808]
    S3 atidgllk;atidgllk;\??\c:\program files\ASUS\SmartDoctor\atidgllk.sys --> c:\program files\ASUS\SmartDoctor\atidgllk.sys [?]
    S3 FWAuth;FWAuth Driver;c:\windows\system32\drivers\FWAuthDriver.sys [2009-01-23 58152]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-07-03 31592]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Internet Security\pctsAuxs.exe [2009-01-23 356920]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-01-23 33088]
    S3 ThreatFire;ThreatFire;c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d83e044-a871-11db-808b-000c76b508e7}]
    \Shell\AutoRun\command - G:\LaunchU3.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2007-12-17 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1189422125.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2004-06-16 17:06]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll
    ShellExecuteHooks-{8A61098D-612B-4EF2-943D-64E920684061} - (no file)
    Notify-AtiExtEvent - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/ig?hl=en
    mStart Page = about:blank
    mSearch Bar =
    uInternet Settings,ProxyOverride = 127.0.0.1
    IE: Open with &ZipScan - c:\progra~1\ZIPSCA~1\zs_ie.htm
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    FF - ProfilePath - c:\documents and settings\jules\Application Data\Mozilla\Firefox\Profiles\aip3ezbi.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-25 18:00:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-823518204-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1072)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    .
    Completion time: 2009-01-25 18:02:32
    ComboFix-quarantined-files.txt 2009-01-25 18:02:07
    ComboFix2.txt 2007-06-10 09:27:04

    Pre-Run: 8,599,560,192 bytes free
    Post-Run: 8,899,080,192 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    193 --- E O F --- 2009-01-16 00:04:27
     


  4. 2009/01/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi potatosalad, and welcome to WindowsBBS :)

    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Collect::[22]
    c:\windows\sysguard.exe
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "sysguard "=-
    DDS::
    mSearch Bar = 
    RegNull::
    [HKEY_USERS\S-1-5-21-823518204-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Please note that I have instructed CFScript to collect a file. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned file. If the upload fails you will be presented with instructions for uploading it manually. Please do so and let me know the results. This will assist the author in adding the files for removal in future updates. Thanks!



    Next, please do an online scan with Kaspersky Online Scanner

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


    Post the Kaspersky log here.
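As an added example for this thread (not ComboFix code and not the helper's own method), here is a small Python triage script that reads the "Reg Loading Points" section of a ComboFix log like the one posted above and flags the entries the helper acted on: a freshly dated Run value launching from the Windows directory (sysguard.exe), the Security Center AntiVirusOverride value, and the disabled Windows Firewall profile. The sample log is a constructed excerpt modelled on the posted log; the severity labels and the 7-day "recently written" window are assumptions chosen for illustration.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example; not ComboFix code. Severity labels and the recency window
are illustrative assumptions, not ComboFix or forum conventions.
"""
import re
from datetime import date, timedelta

# Constructed excerpt modelled on the posted log (ComboFix's odd spacing kept).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"sysguard "= "c:\windows\sysguard.exe" [2009-01-23 266248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMan "= "SOUNDMAN.EXE" [2006-03-01 c:\windows\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# ComboFix writes values as "name "= <value>; tolerate the stray spaces.
VALUE_RE = re.compile(r'^"([^"]+?)\s*"\s*=\s*(.*)$')
# Run values come in two layouts:
#   "c:\full\path.exe" [YYYY-MM-DD size]
#   "bare.exe" [YYYY-MM-DD c:\full\path.exe]
RUN_FULL_RE = re.compile(r'^"([^"]+)"\s*\[(\d{4}-\d{2}-\d{2})\s+\d+\]$')
RUN_BARE_RE = re.compile(r'^"[^"]+"\s*\[(\d{4}-\d{2}-\d{2})\s+(.+)\]$')
# An executable sitting directly in the Windows root, not in a subfolder.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


def parse_reg_section(text):
    """Yield (key, value_name, raw_value) with the key lower-cased."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1).strip(), m.group(2).strip()


def run_entry(raw):
    """Return (lower-cased path, 'YYYY-MM-DD') for a Run value, else None."""
    m = RUN_FULL_RE.match(raw)
    if m:
        return m.group(1).lower(), m.group(2)
    m = RUN_BARE_RE.match(raw)
    if m:
        return m.group(2).lower(), m.group(1)
    return None


def triage(text, scan_date_iso, recent_days=7):
    """Return a list of {name, where, severity, reason} dicts.

    Severity is a triage hint only: a third-party AV or firewall legitimately
    sets the Security Center override and turns off the Windows Firewall, and
    legitimate vendors (soundman.exe here) also drop files in the Windows root.
    """
    scan_date = date.fromisoformat(scan_date_iso)
    findings = []
    for key, name, raw in parse_reg_section(text):
        if key.endswith(r"\currentversion\run"):
            parsed = run_entry(raw)
            if parsed is None:
                continue
            path, iso = parsed
            reasons = []
            if scan_date - date.fromisoformat(iso) <= timedelta(days=recent_days):
                reasons.append("file dated within %d days of the scan" % recent_days)
            if WINDIR_ROOT_RE.match(path):
                reasons.append("runs directly from the Windows directory")
            if reasons:  # both signals together is what made sysguard.exe stand out
                findings.append({"name": name, "where": path,
                                 "severity": "high" if len(reasons) == 2 else "low",
                                 "reason": "; ".join(reasons)})
        elif key.endswith(r"\security center") and name.lower() == "antivirusoverride":
            if raw.lower().startswith("dword:") and int(raw.split(":", 1)[1], 16) != 0:
                findings.append({"name": name, "where": key, "severity": "medium",
                                 "reason": "Security Center AV alerting overridden"})
        elif key.endswith(r"\firewallpolicy\standardprofile") and name.lower() == "enablefirewall":
            if raw.startswith("0"):
                findings.append({"name": name, "where": key, "severity": "low",
                                 "reason": "Windows Firewall disabled in standard profile"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "2009-01-25"):
        print("[%s] %s -> %s (%s)" % (f["severity"], f["name"], f["where"], f["reason"]))
```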
     
  5. 2009/01/28
    potatosalad

    potatosalad Inactive Thread Starter

    Joined:
    2009/01/24
    Messages:
    5
    Likes Received:
    0
    Hi noahdfear, thanks for the help :)

    Here is the new log:

    ComboFix 09-01-21.04 - jules 2009-01-28 13:25:52.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.503 [GMT 0:00]
    Running from: c:\documents and settings\jules\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\jules\Desktop\CFScript.txt
    AV: Internet Security Anti-Virus *On-access scanning disabled* (Updated)
    FW: Internet Security Firewall *disabled*
    FW: Kerio Personal Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\sysguard.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
    .

    2009-01-23 19:12 . 2009-01-23 19:12 <DIR> d-------- c:\documents and settings\jules\Application Data\PCToolsSpamMonitorPlus
    2009-01-23 19:12 . 2009-01-23 19:12 <DIR> d-------- c:\documents and settings\jules\Application Data\PCToolsFirewallPlus
    2009-01-23 18:29 . 2009-01-23 20:04 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-01-23 18:29 . 2008-08-25 12:36 160,808 --a------ c:\windows\system32\drivers\pctfw2.sys
    2009-01-23 18:28 . 2009-01-23 20:04 <DIR> d-------- c:\program files\PC Tools Internet Security
    2009-01-23 18:28 . 2009-01-23 18:28 <DIR> d-------- c:\program files\Common Files\PC Tools
    2009-01-23 18:28 . 2009-01-23 18:28 <DIR> d-------- c:\documents and settings\jules\Application Data\PC Tools
    2009-01-23 18:28 . 2009-01-23 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
    2009-01-23 18:28 . 2008-07-17 17:53 93,952 --a------ c:\windows\system32\drivers\pctfw.sys
    2009-01-23 18:28 . 2008-08-25 12:36 81,320 --a------ c:\windows\system32\drivers\iksyssec.sys
    2009-01-23 18:28 . 2008-08-25 12:36 66,984 --a------ c:\windows\system32\drivers\iksysflt.sys
    2009-01-23 18:28 . 2008-08-25 12:36 58,152 --a------ c:\windows\system32\drivers\FWAuthDriver.sys
    2009-01-23 18:28 . 2008-06-06 12:15 51,520 --a------ c:\windows\system32\drivers\TfFsMon.sys
    2009-01-23 18:28 . 2008-08-25 12:36 40,872 --a------ c:\windows\system32\drivers\ikfilesec.sys
    2009-01-23 18:28 . 2008-06-06 12:15 38,208 --a------ c:\windows\system32\drivers\TfSysMon.sys
    2009-01-23 18:28 . 2008-06-06 12:15 33,088 --a------ c:\windows\system32\drivers\TfNetMon.sys
    2009-01-23 18:28 . 2008-07-03 19:06 29,608 --a------ c:\windows\system32\drivers\kcom.sys
    2009-01-23 18:28 . 2008-06-06 12:15 12,608 --a------ c:\windows\system32\drivers\TfKbMon.sys
    2009-01-23 16:57 . 2009-01-24 17:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2009-01-23 14:44 . 2009-01-23 14:44 <DIR> d--hs---- c:\windows\system32\twain32
    2009-01-19 23:02 . 2009-01-19 23:02 54,156 --ah----- c:\windows\QTFont.qfn
    2009-01-19 23:02 . 2009-01-19 23:02 1,409 --a------ c:\windows\QTFont.for
    2009-01-13 16:42 . 2009-01-13 16:44 <DIR> d-------- c:\windows\nview
    2009-01-13 16:42 . 2006-10-22 15:06 208,896 --a------ c:\windows\system32\NVUNINST.EXE
    2009-01-13 16:42 . 2006-10-22 12:22 208,896 --a------ c:\windows\system32\nvudisp.exe
    2009-01-13 16:42 . 2009-01-28 13:20 88,566 --a------ c:\windows\system32\nvapps.xml
    2009-01-13 16:42 . 2006-10-22 12:22 17,056 --a------ c:\windows\system32\nvdisp.nvu
    2009-01-13 15:29 . 2009-01-13 15:29 <DIR> d-------- c:\program files\Innovative Solutions
    2009-01-13 15:29 . 2009-01-13 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Innovative Solutions
    2009-01-13 15:29 . 2006-11-22 11:35 42,496 --a------ c:\windows\system32\AdvUninstCPL.cpl
    2009-01-13 15:10 . 2009-01-13 15:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
    2009-01-06 18:21 . 2009-01-06 18:21 <DIR> d-------- c:\program files\WinAVI Video Converter
    2009-01-06 15:08 . 2009-01-06 15:10 <DIR> d-------- c:\program files\ACE-HIGH MP3 WAV WMA OGG Converter
    2009-01-06 15:08 . 2001-08-08 21:00 40,960 --a------ c:\windows\system32\DGPNorm.ocx

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-23 18:30 --------- d-----w c:\documents and settings\jules\Application Data\uTorrent
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\dvdcss
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\BearShare
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\ATI
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\.BitTornado
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\.ABC
    2009-01-13 16:25 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-01-13 15:47 --------- d-----w c:\program files\Gabest
    2009-01-13 15:47 --------- d-----w c:\program files\BadgerIT
    2009-01-13 15:45 --------- d-----w c:\program files\Real
    2009-01-13 15:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-13 15:39 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-13 15:39 --------- d-----w c:\program files\iRiver
    2009-01-13 15:36 --------- d-----w c:\program files\bobyte
    2009-01-10 11:29 --------- d-----w c:\program files\eMule
    2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-09 16:58 --------- d-----w c:\program files\uTorrent
    2008-12-07 23:02 --------- d-----w c:\documents and settings\jules\Application Data\SystemRequirementsLab
    2008-12-07 23:01 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-12-07 23:01 --------- d-----w c:\program files\Java
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-25_18.01.12.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-01-28 13:20:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1cc.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "SoundMan "= "SOUNDMAN.EXE" [2006-03-01 c:\windows\soundman.exe]
    "nwiz "= "nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2004-06-16 28672]
    officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2004-06-16 147456]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32 "= DivXa32.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\utorrent\\utorrent.exe "=
    "c:\\Program Files\\Kerio\\Personal Firewall 4\\kpf4gui.exe "=

    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-01-23 51520]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-01-23 38208]
    R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-03-21 270336]
    R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-23 160808]
    S3 atidgllk;atidgllk;\??\c:\program files\ASUS\SmartDoctor\atidgllk.sys --> c:\program files\ASUS\SmartDoctor\atidgllk.sys [?]
    S3 FWAuth;FWAuth Driver;c:\windows\system32\drivers\FWAuthDriver.sys [2009-01-23 58152]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-07-03 31592]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Internet Security\pctsAuxs.exe [2009-01-23 356920]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-01-23 33088]
    S3 ThreatFire;ThreatFire;c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d83e044-a871-11db-808b-000c76b508e7}]
    \Shell\AutoRun\command - G:\LaunchU3.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2007-12-17 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1189422125.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2004-06-16 17:06]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/ig?hl=en
    mStart Page = about:blank
    mSearch Bar =
    uInternet Settings,ProxyOverride = 127.0.0.1
    IE: Open with &ZipScan - c:\progra~1\ZIPSCA~1\zs_ie.htm
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    FF - ProfilePath - c:\documents and settings\jules\Application Data\Mozilla\Firefox\Profiles\aip3ezbi.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-28 13:28:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-823518204-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1096)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    .
    Completion time: 2009-01-28 13:29:52
    ComboFix-quarantined-files.txt 2009-01-28 13:29:36
    ComboFix2.txt 2009-01-25 18:02:33
    ComboFix3.txt 2007-06-10 09:27:04

    Pre-Run: 8,843,276,288 bytes free
    Post-Run: 8,825,425,920 bytes free

    162 --- E O F --- 2009-01-16 00:04:27
     
  6. 2009/01/28
    potatosalad

    potatosalad Inactive Thread Starter

    Joined:
    2009/01/24
    Messages:
    5
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, January 28, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, January 28, 2009 12:01:38
    Records in database: 1720195
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Files scanned: 92194
    Threat name: 10
    Infected objects: 11
    Suspicious objects: 0
    Duration of the scan: 02:56:50


    File name / Threat name / Threats count
    C:\Documents and Settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0.for.Adobe.Photoshop.Keygen.Only-SCOTCH.zip Infected: Trojan.Win32.Genome.jcj 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\__.zip Infected: Backdoor.Win32.TDSS.bkw 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\iehelper.dll.vir Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.dw 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\TDSScvus.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\TDSSeyih.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\TDSSoruj.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\TDSSptxo.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
    C:\QooBox\Quarantine\[22]-Submit_2009-01-28@13.25.zip Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.dw 1
    C:\VundoFix Backups\awtqn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.wi 1
    F:\Documents and Settings\jj\My Documents\program downloads\hijackthis\backups\backup-20050402-213011-393 Infected: Exploit.HTML.Mht 1
    F:\WINDOWS\system32\dеxplore.exe Infected: not-a-virus:AdWare.Win32.PurityScan.bc 1

    The selected area was scanned.
     
  7. 2009/01/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Folder::
    C:\Documents and Settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen
    C:\VundoFix Backups
    File::
    F:\Documents and Settings\jj\My Documents\program downloads\hijackthis\backups\backup-20050402-213011-393
    F:\WINDOWS\system32\dеxplore.exe
    RegNull::
    [HKEY_USERS\S-1-5-21-823518204-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    DDS::
    mSearch Bar = 
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
     
  8. 2009/01/30
    potatosalad

    potatosalad Inactive Thread Starter

    Joined:
    2009/01/24
    Messages:
    5
    Likes Received:
    0
    Here's the latest log:

    ComboFix 09-01-21.04 - jules 2009-01-30 12:47:24.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.503 [GMT 0:00]
    Running from: c:\documents and settings\jules\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\jules\Desktop\CFScript.txt
    AV: Internet Security Anti-Virus *On-access scanning disabled* (Updated)
    FW: Internet Security Firewall *disabled*
    FW: Kerio Personal Firewall *disabled*
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -

    FILE ::
    f:\documents and settings\jj\My Documents\program downloads\hijackthis\backups\backup-20050402-213011-393
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen
    c:\documents and settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0.for.Adobe.Photoshop-FOSI.rar
    c:\documents and settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0.for.Adobe.Photoshop.Keygen.Only-SCOTCH.zip
    c:\documents and settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0 + Keygen\file_id.diz
    c:\documents and settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0 + Keygen\fo-ase10.zip
    c:\documents and settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0 + Keygen\fo-ase10\file_id.diz
    c:\documents and settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0 + Keygen\fo-ase10\fo-ase10.exe
    c:\documents and settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0 + Keygen\fo-ase10\fosi.nfo
    c:\documents and settings\jules\My Documents\emule\Alien.Skin.Exposure.v1.0 + Keygen\Alien.Skin.Exposure.v1.0 + Keygen\fo-ase10\ptp.nfo
    C:\VundoFix Backups
    c:\vundofix backups\addmorefiles.txt
    c:\vundofix backups\awtqn.dll.bad
    c:\vundofix backups\hjllm.ini.bad
    c:\vundofix backups\nqtwa.bak1.bad
    c:\vundofix backups\nqtwa.ini.bad
    f:\documents and settings\jj\My Documents\program downloads\hijackthis\backups\backup-20050402-213011-393

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
    .

    2009-01-23 19:12 . 2009-01-23 19:12 <DIR> d-------- c:\documents and settings\jules\Application Data\PCToolsSpamMonitorPlus
    2009-01-23 19:12 . 2009-01-23 19:12 <DIR> d-------- c:\documents and settings\jules\Application Data\PCToolsFirewallPlus
    2009-01-23 18:29 . 2009-01-23 20:04 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-01-23 18:29 . 2008-08-25 12:36 160,808 --a------ c:\windows\system32\drivers\pctfw2.sys
    2009-01-23 18:28 . 2009-01-23 20:04 <DIR> d-------- c:\program files\PC Tools Internet Security
    2009-01-23 18:28 . 2009-01-23 18:28 <DIR> d-------- c:\program files\Common Files\PC Tools
    2009-01-23 18:28 . 2009-01-23 18:28 <DIR> d-------- c:\documents and settings\jules\Application Data\PC Tools
    2009-01-23 18:28 . 2009-01-23 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
    2009-01-23 18:28 . 2008-07-17 17:53 93,952 --a------ c:\windows\system32\drivers\pctfw.sys
    2009-01-23 18:28 . 2008-08-25 12:36 81,320 --a------ c:\windows\system32\drivers\iksyssec.sys
    2009-01-23 18:28 . 2008-08-25 12:36 66,984 --a------ c:\windows\system32\drivers\iksysflt.sys
    2009-01-23 18:28 . 2008-08-25 12:36 58,152 --a------ c:\windows\system32\drivers\FWAuthDriver.sys
    2009-01-23 18:28 . 2008-06-06 12:15 51,520 --a------ c:\windows\system32\drivers\TfFsMon.sys
    2009-01-23 18:28 . 2008-08-25 12:36 40,872 --a------ c:\windows\system32\drivers\ikfilesec.sys
    2009-01-23 18:28 . 2008-06-06 12:15 38,208 --a------ c:\windows\system32\drivers\TfSysMon.sys
    2009-01-23 18:28 . 2008-06-06 12:15 33,088 --a------ c:\windows\system32\drivers\TfNetMon.sys
    2009-01-23 18:28 . 2008-07-03 19:06 29,608 --a------ c:\windows\system32\drivers\kcom.sys
    2009-01-23 18:28 . 2008-06-06 12:15 12,608 --a------ c:\windows\system32\drivers\TfKbMon.sys
    2009-01-23 16:57 . 2009-01-24 17:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2009-01-23 14:44 . 2009-01-23 14:44 <DIR> d--hs---- c:\windows\system32\twain32
    2009-01-19 23:02 . 2009-01-19 23:02 54,156 --ah----- c:\windows\QTFont.qfn
    2009-01-19 23:02 . 2009-01-19 23:02 1,409 --a------ c:\windows\QTFont.for
    2009-01-13 16:42 . 2009-01-13 16:44 <DIR> d-------- c:\windows\nview
    2009-01-13 16:42 . 2006-10-22 15:06 208,896 --a------ c:\windows\system32\NVUNINST.EXE
    2009-01-13 16:42 . 2006-10-22 12:22 208,896 --a------ c:\windows\system32\nvudisp.exe
    2009-01-13 16:42 . 2009-01-30 12:40 88,566 --a------ c:\windows\system32\nvapps.xml
    2009-01-13 16:42 . 2006-10-22 12:22 17,056 --a------ c:\windows\system32\nvdisp.nvu
    2009-01-13 15:29 . 2009-01-13 15:29 <DIR> d-------- c:\program files\Innovative Solutions
    2009-01-13 15:29 . 2009-01-13 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Innovative Solutions
    2009-01-13 15:29 . 2006-11-22 11:35 42,496 --a------ c:\windows\system32\AdvUninstCPL.cpl
    2009-01-13 15:10 . 2009-01-13 15:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
    2009-01-06 18:21 . 2009-01-06 18:21 <DIR> d-------- c:\program files\WinAVI Video Converter
    2009-01-06 15:08 . 2009-01-06 15:10 <DIR> d-------- c:\program files\ACE-HIGH MP3 WAV WMA OGG Converter
    2009-01-06 15:08 . 2001-08-08 21:00 40,960 --a------ c:\windows\system32\DGPNorm.ocx
    2008-12-09 16:58 . 2008-12-09 16:58 <DIR> d-------- c:\program files\uTorrent
    2008-12-09 16:58 . 2009-01-23 18:30 <DIR> d-------- c:\documents and settings\jules\Application Data\uTorrent
    2008-12-07 23:02 . 2008-12-07 23:02 <DIR> d-------- c:\documents and settings\jules\Application Data\SystemRequirementsLab
    2008-12-07 23:01 . 2008-12-07 23:01 <DIR> d-------- c:\windows\Sun
    2008-12-07 23:01 . 2008-12-07 23:01 <DIR> d-------- c:\program files\Java
    2008-12-07 23:01 . 2008-12-07 23:01 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-07 23:01 . 2008-12-07 23:01 73,728 --a------ c:\windows\system32\javacpl.cpl

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\dvdcss
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\BearShare
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\ATI
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\.BitTornado
    2009-01-13 16:25 --------- d-----w c:\documents and settings\jules\Application Data\.ABC
    2009-01-13 16:25 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-01-13 15:47 --------- d-----w c:\program files\Gabest
    2009-01-13 15:47 --------- d-----w c:\program files\BadgerIT
    2009-01-13 15:45 --------- d-----w c:\program files\Real
    2009-01-13 15:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-13 15:39 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-13 15:39 --------- d-----w c:\program files\iRiver
    2009-01-13 15:36 --------- d-----w c:\program files\bobyte
    2009-01-10 11:29 --------- d-----w c:\program files\eMule
    2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-16 10:20 667,648 --s-a-w c:\windows\system32\wininet.dll
    2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-25_18.01.12.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-01-30 12:40:23 16,384 ----atw c:\windows\temp\Perflib_Perfdata_c4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "SoundMan"="SOUNDMAN.EXE" [2006-03-01 c:\windows\soundman.exe]
    "nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2004-06-16 28672]
    officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2004-06-16 147456]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= DivXa32.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\utorrent\\utorrent.exe"=
    "c:\\Program Files\\Kerio\\Personal Firewall 4\\kpf4gui.exe"=

    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-01-23 51520]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-01-23 38208]
    R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-03-21 270336]
    R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-23 160808]
    S3 atidgllk;atidgllk;\??\c:\program files\ASUS\SmartDoctor\atidgllk.sys --> c:\program files\ASUS\SmartDoctor\atidgllk.sys [?]
    S3 FWAuth;FWAuth Driver;c:\windows\system32\drivers\FWAuthDriver.sys [2009-01-23 58152]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-07-03 31592]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Internet Security\pctsAuxs.exe [2009-01-23 356920]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-01-23 33088]
    S3 ThreatFire;ThreatFire;c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Internet Security\TFEngine\TFService.exe service [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d83e044-a871-11db-808b-000c76b508e7}]
    \Shell\AutoRun\command - G:\LaunchU3.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2007-12-17 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1189422125.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2004-06-16 17:06]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/ig?hl=en
    mStart Page = about:blank
    mSearch Bar =
    uInternet Settings,ProxyOverride = 127.0.0.1
    IE: Open with &ZipScan - c:\progra~1\ZIPSCA~1\zs_ie.htm
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    FF - ProfilePath - c:\documents and settings\jules\Application Data\Mozilla\Firefox\Profiles\aip3ezbi.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-30 12:48:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-823518204-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1072)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    .
    Completion time: 2009-01-30 12:50:31
    ComboFix-quarantined-files.txt 2009-01-30 12:50:12
    ComboFix2.txt 2009-01-28 13:29:55
    ComboFix3.txt 2009-01-25 18:02:33
    ComboFix4.txt 2007-06-10 09:27:04

    Pre-Run: 8,712,196,096 bytes free
    Post-Run: 8,753,795,072 bytes free

    197 --- E O F --- 2009-01-16 00:04:27
     
  9. 2009/01/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below.
    Code:
    reg save "HKU\S-1-5-21-823518204-854245398-725345543-1003\Software\Microsoft\SystemCertificates" "%userprofile%\desktop\peek.hiv"
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    The command will process quickly and the command window will close on its own.
    A file named peek.hiv will be created on the desktop.
    Please upload that file to my submission channel for analysis.
     
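Before a hive exported with `reg save` is uploaded for analysis, it is worth checking that the file is a well-formed, cleanly flushed registry hive rather than a truncated or corrupted one. The script below is an added example and is not part of this thread, of ComboFix, or of any tool the helper uses. It parses the documented `regf` base-block layout (signature, primary/secondary sequence numbers, version, file type, embedded file name, last-write FILETIME and the XOR checksum over the first 0x1FC bytes) and reports any problems. The sample hive it builds at the bottom is constructed here so the script runs offline; it is not data from the poster's machine.

```python
"""Sanity-check an exported registry hive such as peek.hiv (added example, not from the thread).

Offsets follow the documented 'regf' base-block layout. The sample hive built by
build_sample_hive() is constructed here so the script runs offline.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 0x1FC  # XOR checksum of the 127 DWORDs that precede it
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 0x1FC bytes as little-endian DWORDs, with Windows' 0 / 0xFFFFFFFF fix-ups."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def inspect_hive(data: bytes) -> dict:
    """Parse the base block and return its fields plus a list of problems found."""
    if len(data) < BASE_BLOCK_SIZE:
        return {"valid": False, "problems": ["file is shorter than the 4096-byte base block"]}
    bb = data[:BASE_BLOCK_SIZE]
    problems = []
    if bb[:4] != REGF_MAGIC:
        problems.append("missing 'regf' signature")
    primary_seq, secondary_seq = struct.unpack_from("<II", bb, 4)
    if primary_seq != secondary_seq:
        problems.append("sequence numbers differ: hive was not flushed cleanly")
    (filetime,) = struct.unpack_from("<Q", bb, 12)
    major, minor, file_type = struct.unpack_from("<III", bb, 20)
    if major != 1:
        problems.append(f"unexpected major version {major}")
    if file_type != 0:
        problems.append(f"file type {file_type} is not a primary hive file (0)")
    (hbins_size,) = struct.unpack_from("<I", bb, 40)
    (stored_csum,) = struct.unpack_from("<I", bb, CHECKSUM_OFFSET)
    if stored_csum != regf_checksum(bb):
        problems.append("base block checksum mismatch: header is corrupt")
    # 64-byte UTF-16LE file name field at offset 0x30
    name = bb[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "valid": not problems,
        "problems": problems,
        "embedded_name": name,
        "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(filetime),
        "hbins_size": hbins_size,
        "hbins_bytes_in_file": len(data) - BASE_BLOCK_SIZE,
    }


def build_sample_hive(dirty: bool = False, corrupt: bool = False) -> bytes:
    """Constructed minimal hive: one base block plus one empty 4 KiB hbin (sample data, not real)."""
    bb = bytearray(BASE_BLOCK_SIZE)
    bb[:4] = REGF_MAGIC
    struct.pack_into("<II", bb, 4, 7, 6 if dirty else 7)  # primary / secondary sequence numbers
    written = datetime(2009, 1, 30, 12, 50, tzinfo=timezone.utc) - FILETIME_EPOCH
    struct.pack_into("<Q", bb, 12, (written.days * 86400 + written.seconds) * 10_000_000)
    # major 1, minor 3, file type 0 (primary), format 1, root cell 0x20, hbins data size
    struct.pack_into("<IIIIII", bb, 20, 1, 3, 0, 1, 0x20, BASE_BLOCK_SIZE)
    struct.pack_into("<I", bb, 44, 1)  # clustering factor
    bb[48:48 + 16] = "peek.hiv".encode("utf-16-le")
    struct.pack_into("<I", bb, CHECKSUM_OFFSET, regf_checksum(bb))
    if corrupt:
        bb[48] ^= 0xFF  # damage a covered byte after the checksum was computed
    hbin = bytearray(BASE_BLOCK_SIZE)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, BASE_BLOCK_SIZE)  # hbin offset and size
    return bytes(bb + hbin)


def main(argv) -> int:
    # With a path argument, inspect that file; otherwise inspect the constructed sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_hive()
    report = inspect_hive(data)
    for key, value in report.items():
        print(f"{key}: {value}")
    return 0 if report["valid"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_hive.py peek.hiv` (the script name is an assumption); a non-zero exit code means the header failed one of the checks, and the listed problems say which. Mismatched sequence numbers indicate the hive was captured mid-write, which is the usual reason to re-export rather than upload.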
