Wireless disabled due to Virus

Re: Wireless disabled due to Virus
I still cannot access the internet, but

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

are removed from HijackThis.

Re: Wireless disabled due to Virus
Hello. I want to use OTMoveIt again and remove some leftovers.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    LiveUpdate 3.0 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)

Please download OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :services
    mferkdk
    McAfeeFramework

    :files
    c:\program files\mcafee
    C:\Program Files\Common Files\Symantec Shared


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: Wireless disabled due to Virus
========== SERVICES/DRIVERS ==========

Service\Driver mferkdk deleted successfully.
Service\Driver McAfeeFramework not found.
Service\Driver key McAfeeFramework deleted successfully.
========== FILES ==========
c:\program files\McAfee\Common Framework\Microsoft.VC80.CRT moved successfully.
Folder move failed. c:\program files\McAfee\Common Framework\0409 scheduled to be moved on reboot.
Folder move failed. c:\program files\McAfee\Common Framework scheduled to be moved on reboot.
Folder move failed. c:\program files\McAfee scheduled to be moved on reboot.
C:\Program Files\Common Files\Symantec Shared\SPManifests moved successfully.
C:\Program Files\Common Files\Symantec Shared\CCPD-LC moved successfully.
C:\Program Files\Common Files\Symantec Shared moved successfully.

OTM by OldTimer - Version 2.1.0.1 log created on 06102009_120103

Files moved on Reboot...
c:\program files\McAfee\Common Framework\0409 moved successfully.
c:\program files\McAfee\Common Framework moved successfully.
c:\program files\McAfee moved successfully.

Registry entries deleted on Reboot...

Re: Wireless disabled due to Virus
You aren't running antivirus software.

Please install Avira antivirus, otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Re: Wireless disabled due to Virus
Ran Avira; posted report below.

Avira AntiVir Personal
Report file date: Wednesday, June 10, 2009 12:29

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : david
Computer name : DAVE

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 13:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 12:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 19:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 22:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 01:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 16:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 18:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 20:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 18:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 19:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Wednesday, June 10, 2009 12:29

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'LaunchPad.exe' - '1' Module(s) have been scanned
Scan process 'HPQTOA~1.EXE' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'HP Wireless Assistant.exe' - '1' Module(s) have been scanned
Scan process 'pctsTray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'hpqwmiex.exe' - '1' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '1' Module(s) have been scanned
Scan process 'pctsSvc.exe' - '1' Module(s) have been scanned
Scan process 'pctsAuxs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
41 processes with 41 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '51' files ).



End of the scan: Wednesday, June 10, 2009 12:29
Used time: 00:11 Minute(s)

The scan has been done completely.

0 Scanned directories
457 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
457 Files not concerned
3 Archives were scanned
0 Warnings
0 Notes

Re: Wireless disabled due to Virus
This looks fine now. How's the machine running?

Re: Wireless disabled due to Virus
I still do not have access to the internet; any further help would be greatly appreciated. Thank you.

Re: Wireless disabled due to Virus
Hello.
A new infection has arisen over the past 2 days, and now that I look back and question your logs again, one file stands out as slightly suspicious. We may need to go even deeper using a rootkit scanner.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    ws2_32.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Wireless disabled due to Virus
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 14:36 on 11/06/2009 by david (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --a--- 82432 bytes [17:55 21/09/2008] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\system32\dllcache\ws2_32.dll --a--- 82944 bytes [22:27 02/06/2009] [15:00 10/08/2004] BCFD249150061F29941893CD0F8FE620
C:\WINDOWS\system32\ws2_32.dll ------ 82944 bytes [15:00 10/08/2004] [15:00 10/08/2004] BCFD249150061F29941893CD0F8FE620

-=End Of File=-
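
The filefind result above gives, for each copy of ws2_32.dll, its path, attribute flags, size, two timestamps and an MD5. As an added example (not part of the thread or of SystemLook), the following parser groups the copies by hash and lists those written to disk recently; the function names are hypothetical, and it assumes the first timestamp is the creation time, the second the modification time, both day-first.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three result lines from the SystemLook log posted above.
SAMPLE_LOG = r"""
Searching for "ws2_32.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --a--- 82432 bytes [17:55 21/09/2008] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\system32\dllcache\ws2_32.dll --a--- 82944 bytes [22:27 02/06/2009] [15:00 10/08/2004] BCFD249150061F29941893CD0F8FE620
C:\WINDOWS\system32\ws2_32.dll ------ 82944 bytes [15:00 10/08/2004] [15:00 10/08/2004] BCFD249150061F29941893CD0F8FE620
"""

# Layout: path, attribute flags, size, [timestamp] [timestamp], MD5.
# Assumption: first timestamp = created, second = modified.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]+)\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
TS_FORMAT = "%H:%M %d/%m/%Y"  # day-first, as in the log header


def parse_filefind(text):
    """Return one dict per result line; headers and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "path": m["path"],
            "attrs": m["attrs"],
            "size": int(m["size"]),
            "created": datetime.strptime(m["created"], TS_FORMAT),
            "modified": datetime.strptime(m["modified"], TS_FORMAT),
            "md5": m["md5"].upper(),
        })
    return records


def group_by_md5(records):
    """Map each MD5 to the list of paths that carry it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["md5"]].append(rec["path"])
    return dict(groups)


def differs_from(records, reference_path):
    """Return the copies whose MD5 differs from the copy at reference_path."""
    ref = next((r for r in records
                if r["path"].lower() == reference_path.lower()), None)
    if ref is None:
        raise ValueError("reference path not present in log: " + reference_path)
    return [r for r in records if r["md5"] != ref["md5"]]


def created_since(records, since):
    """Return the copies whose creation timestamp is on or after `since`."""
    return [r for r in records if r["created"] >= since]


if __name__ == "__main__":
    recs = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_md5(recs).items():
        print(md5)
        for p in paths:
            print("   ", p)
    print("Differs from system32 copy:")
    for r in differs_from(recs, r"C:\WINDOWS\system32\ws2_32.dll"):
        print("   ", r["size"], r["path"])
    print("Created on or after 2009-06-01:")
    for r in created_since(recs, datetime(2009, 6, 1)):
        print("   ", r["created"], r["path"])
```

Identical hashes only show that two copies are the same file; deciding whether a copy is clean requires a known-good reference hash for that exact file version.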

Re: Wireless disabled due to Virus
Hello.
This infection you have here is quite new and can be fixed, but you may want to read here first:
http://miekiemoes.blogspot.com/2009/06/searchengine-redirects-it-could-be.html

Before we can replace the file, we need to get ComboFix to install the Recovery Console and do its run before we can replace the file.

  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Avira)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Wireless disabled due to Virus
I will have to post in two sections.

ComboFix 09-06-11.05 - david 06/11/2009 15:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.593 [GMT -4:00]
Running from: G:\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\amanda\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\amanda\Application Data\twain_32\user.ds
c:\documents and settings\david\Application Data\wiaserva.log
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\windows\kb913800.exe
c:\windows\system32\_000000_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\Temp\19534943.exe
D:\Desktop.ini

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\system volume information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP423\A0026221.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Legacy_WIN32X


((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-10 16:25 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-10 16:25 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-10 16:25 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-10 16:25 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\program files\Avira
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\Sonic
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\PC Tools
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- C:\4304f949750ce894fde4cc20
2009-06-09 11:57 . 2009-06-09 17:19 -------- d-s---w- C:\ComboFix1
2009-06-08 17:11 . 2004-08-10 15:00 4096 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\david\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 13:46 . 2009-06-09 17:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 12:53 . 2009-06-11 19:45 117760 ----a-w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 12:52 . 2009-06-09 17:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 12:52 . 2009-06-08 12:52 -------- d-----w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com
2009-06-08 12:51 . 2009-06-08 12:51 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-05 13:43 . 2009-06-05 13:43 -------- d-----w- c:\documents and settings\david\Application Data\MSNInstaller
2009-06-05 00:21 . 2009-06-05 00:21 -------- d-----w- c:\documents and settings\david\Application Data\Leadertech
2009-06-04 23:31 . 2008-06-11 01:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-04 23:31 . 2008-06-02 19:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-06-04 23:31 . 2008-06-02 19:19 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-04 23:31 . 2008-06-02 19:19 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-04 23:30 . 2009-06-09 17:19 -------- d-----w- c:\program files\Spyware Doctor
2009-06-04 14:01 . 2004-05-11 13:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-06-04 14:01 . 2003-11-19 17:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-06-04 14:01 . 2000-07-15 09:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-03 14:03 . 2009-06-09 17:18 -------- d-----w- C:\AV-CLS
2009-06-03 13:45 . 2009-06-11 19:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 13:22 . 2009-06-03 13:22 -------- d-----w- c:\program files\Enigma Software Group
2009-06-02 22:27 . 2004-08-10 15:00 82944 ----a-w- c:\windows\system32\dllcache\ws2_32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 19:37 . 2006-08-29 08:20 -------- d-----w- c:\documents and settings\david\Application Data\U3
2009-06-10 15:56 . 2006-04-13 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-10 03:27 . 2006-09-20 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-10 03:27 . 2006-09-20 02:38 -------- d-----w- c:\program files\Viewpoint
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-20 02:40 -------- d-----w- c:\documents and settings\david\Application Data\Aim
2009-06-09 17:18 . 2006-09-20 02:38 -------- d-----w- c:\program files\AIM
2009-06-09 17:18 . 2006-10-28 02:45 -------- d-----w- c:\program files\DivX
2009-06-09 17:18 . 2007-08-15 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-04 18:53 . 2006-04-13 13:56 110416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 15:35 . 2006-04-13 13:44 -------- d-----w- c:\program files\Quickensetup
2009-06-04 15:35 . 2006-04-13 13:17 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 14:29 . 2008-11-04 16:19 -------- d-----w- c:\documents and settings\david\Application Data\GetRightToGo
2009-06-04 13:48 . 2006-04-13 12:47 -------- d-----w- c:\program files\HPQ
2009-06-04 13:47 . 2007-08-06 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-04 11:58 . 2008-12-01 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-04 11:42 . 2007-08-15 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-02 21:52 . 2006-10-27 02:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-31 01:41 . 2008-09-29 01:16 -------- d-----w- c:\documents and settings\amanda\Application Data\U3
2006-10-28 03:10 . 2006-10-28 03:10 56 --sh--r- c:\windows\system32\260588ACD5.sys
2006-10-28 03:10 . 2006-10-28 03:10 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-10 15:00 82944 BCFD249150061F29941893CD0F8FE620 c:\windows\system32\ws2_32.dll
[-] 2004-08-10 15:00 82944 BCFD249150061F29941893CD0F8FE620 c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/10/2009 12:25 PM 108289]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/4/2009 7:30 PM 356920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 15:45
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Re: Wireless disabled due to Virus
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\CF21889.exe
c:\progra~1\HPQ\shared\HPQTOA~1.EXE
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-11 15:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 19:49

Pre-Run: 31,715,454,976 bytes free
Post-Run: 32,138,301,440 bytes free

434 --- E O F --- 2009-06-04 13:06

Re: Wireless disabled due to Virus

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

FCOPY::
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll | c:\windows\system32\ws2_32.dll
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll | c:\windows\system32\dllcache\ws2_32.dll

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\avg8
c:\documents and settings\All Users\Application Data\McAfee


Save this as CFScript.txt, and save it to your desktop as well.
Then drag and drop CFScript.txt into ComboFix as seen below:
[image]

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.

Re: Wireless disabled due to Virus

ComboFix 09-06-11.05 - david 06/11/2009 17:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.512 [GMT -4:00]
Running from: G:\ComboFix.exe
Command switches used :: G:\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\avg8
c:\documents and settings\All Users\Application Data\McAfee
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\avg8\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\scan.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.10
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.8
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.9
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.10
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.8
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.9
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.10
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.8
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.9
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avildr.log
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\history.xml
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000001.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000005.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000006.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000007.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000008.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000009.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000010.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000011.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000012.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000013.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000014.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000015.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000016.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000017.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000018.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000019.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000020.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000021.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000022.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000023.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000024.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000025.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000026.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000027.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000028.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000029.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\srm.idx
c:\documents and settings\All Users\Application Data\avg8\update\backup\avi7.avg
c:\documents and settings\All Users\Application Data\avg8\update\backup\incavi.avm
c:\documents and settings\All Users\Application Data\avg8\update\backup\microavi.avg
c:\documents and settings\All Users\Application Data\avg8\update\backup\miniavi.avg
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat.xcd
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb2.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat.xcd
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Agent.ini
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\catalog.z
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Compiled.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\AUENGINEMETA\AUEngineContentDetection.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\ENCPTCNT6000\EceptCntDet.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MASECORE2000\Mase_Det.Mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MPEMSBCK1000\MPEMSBCKDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MPEPRDCK1000\MPEPRDCKDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MPESVRUP1000\MPESVRUPDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\MPEVIRCK1000\MPEVIRCKDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\PATCHTMP1000\PatchTmpDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\PATCHTMP2000\PatchTmpDet.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\PUPDAT__1000\PUPDet.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\SPAMSAFE1000\SK_det.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8600\VSE850Det.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8700\VSE870Det.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANDAT1000\V2datdet.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANENG1000\Engine\0000\engmin.zip
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANENG1000\Engine\0000\V2enginstall.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VSCANENG1000\V2EngDet.mcs
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DAVE.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DAVE.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_FAMILY.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_FAMILY.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_LAPTOP.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_LAPTOP.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_LAPTOP_backup.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\FrameworkLog.xsl
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_DAVE.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_FAMILY.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_LAPTOP.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\FrameworkManifest.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\InstallMain.McS
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\McScript.bak
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\McScript.log
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Precompiled.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Server.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\serverDefault.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\SiteList.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\SiteMapList.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\SiteStat.xml
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\SrPubKey.bin
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Task\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}.ini
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Task\TaskInternalData\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}.ini
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\UpdateHistory.ini
c:\documents and settings\All Users\Application Data\McAfee\Common Framework\UpdateMain.McS

Re: Wireless disabled due to Virus

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --> c:\windows\system32\ws2_32.dll
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --> c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-10 16:25 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-10 16:25 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-10 16:25 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-10 16:25 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\program files\Avira
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\Sonic
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\PC Tools
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- C:\4304f949750ce894fde4cc20
2009-06-09 11:57 . 2009-06-09 17:19 -------- d-s---w- C:\ComboFix1
2009-06-08 17:11 . 2004-08-10 15:00 4096 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\david\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 13:46 . 2009-06-09 17:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 12:53 . 2009-06-11 21:56 117760 ----a-w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 12:52 . 2009-06-09 17:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 12:52 . 2009-06-08 12:52 -------- d-----w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com
2009-06-08 12:51 . 2009-06-08 12:51 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-05 13:43 . 2009-06-05 13:43 -------- d-----w- c:\documents and settings\david\Application Data\MSNInstaller
2009-06-05 00:21 . 2009-06-05 00:21 -------- d-----w- c:\documents and settings\david\Application Data\Leadertech
2009-06-04 23:31 . 2008-06-11 01:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-04 23:31 . 2008-06-02 19:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-06-04 23:31 . 2008-06-02 19:19 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-04 23:31 . 2008-06-02 19:19 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-04 23:30 . 2009-06-09 17:19 -------- d-----w- c:\program files\Spyware Doctor
2009-06-04 14:01 . 2004-05-11 13:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-06-04 14:01 . 2003-11-19 17:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-06-04 14:01 . 2000-07-15 09:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-03 14:03 . 2009-06-09 17:18 -------- d-----w- C:\AV-CLS
2009-06-03 13:45 . 2009-06-11 21:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 13:22 . 2009-06-03 13:22 -------- d-----w- c:\program files\Enigma Software Group
2009-06-02 22:27 . 2004-08-10 07:00 82944 ----a-w- c:\windows\system32\dllcache\ws2_32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 19:37 . 2006-08-29 08:20 -------- d-----w- c:\documents and settings\david\Application Data\U3
2009-06-10 15:56 . 2006-04-13 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-20 02:40 -------- d-----w- c:\documents and settings\david\Application Data\Aim
2009-06-09 17:18 . 2006-09-20 02:38 -------- d-----w- c:\program files\AIM
2009-06-09 17:18 . 2006-10-28 02:45 -------- d-----w- c:\program files\DivX
2009-06-09 17:18 . 2007-08-15 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-04 18:53 . 2006-04-13 13:56 110416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 15:35 . 2006-04-13 13:44 -------- d-----w- c:\program files\Quickensetup
2009-06-04 15:35 . 2006-04-13 13:17 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 14:29 . 2008-11-04 16:19 -------- d-----w- c:\documents and settings\david\Application Data\GetRightToGo
2009-06-04 13:48 . 2006-04-13 12:47 -------- d-----w- c:\program files\HPQ
2009-06-04 11:42 . 2007-08-15 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-02 21:52 . 2006-10-27 02:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-31 01:41 . 2008-09-29 01:16 -------- d-----w- c:\documents and settings\amanda\Application Data\U3
2006-10-28 03:10 . 2006-10-28 03:10 56 --sh--r- c:\windows\system32\260588ACD5.sys
2006-10-28 03:10 . 2006-10-28 03:10 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/10/2009 12:25 PM 108289]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/4/2009 7:30 PM 356920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 17:56
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????h?T??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
