WiredWX Christian Hobby Weather Tools
Re: win32/crypto virus

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
sofatnet
Wanid3ustem

File::
C:\documents and settings\Wilma\otvdno.bat
c:\documents and settings\Wilma\YXJTHK.exe
c:\documents and settings\Wilma\Wilma.exe
c:\documents and settings\All Users\Application Data\12848124
c:\documents and settings\claire\claire.exe
c:\documents and settings\Graham\Local Settings\Application Data\dybaci.sys
c:\documents and settings\All Users\Application Data\tacihoq.com
c:\windows\system32\yzygepo.pif
c:\windows\imehofuji.bat
c:\windows\system32\ofimyqu.com
c:\program files\Common Files\cajede.sys
c:\windows\ikadesimoc.dat
c:\windows\mezynu.exe
c:\program files\PC_Antispyware2010
c:\documents and settings\All Users\Application Data\rysal.reg
c:\program files\Common Files\nujoz.dl
c:\program files\LimeWire
c:\documents and settings\James\Application Data\LimeWire
C:\43214354.bat
c:\windows\system32\sofatnet.exe
c:\windows\system32\msxm192z.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ter8m"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: dragging CFScript.txt onto ComboFix]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

win32/crypto

Belahzur

Log from Combofix below:

ComboFix 09-08-10.06 - Graham 18/08/2009 20:24.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.493 [GMT 1:00]
Running from: c:\documents and settings\Graham\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Graham\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"C:\43214354.bat"
"c:\documents and settings\All Users\Application Data\12848124"
"c:\documents and settings\All Users\Application Data\rysal.reg"
"c:\documents and settings\All Users\Application Data\tacihoq.com"
"c:\documents and settings\claire\claire.exe"
"c:\documents and settings\Graham\Local Settings\Application Data\dybaci.sys"
"c:\documents and settings\James\Application Data\LimeWire"
"c:\documents and settings\Wilma\otvdno.bat"
"c:\documents and settings\Wilma\Wilma.exe"
"c:\documents and settings\Wilma\YXJTHK.exe"
"c:\program files\Common Files\cajede.sys"
"c:\program files\Common Files\nujoz.dl"
"c:\program files\LimeWire"
"c:\program files\PC_Antispyware2010"
"c:\windows\ikadesimoc.dat"
"c:\windows\imehofuji.bat"
"c:\windows\mezynu.exe"
"c:\windows\system32\msxm192z.dll"
"c:\windows\system32\ofimyqu.com"
"c:\windows\system32\sofatnet.exe"
"c:\windows\system32\yzygepo.pif"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\43214354.bat
c:\documents and settings\All Users\Application Data\rysal.reg
c:\documents and settings\All Users\Application Data\tacihoq.com
c:\documents and settings\claire\claire.exe
c:\documents and settings\Graham\Local Settings\Application Data\dybaci.sys
c:\documents and settings\Wilma\otvdno.bat
c:\documents and settings\Wilma\Wilma.exe
c:\documents and settings\Wilma\YXJTHK.exe
c:\program files\Common Files\cajede.sys
c:\program files\Common Files\nujoz.dl
c:\windows\ikadesimoc.dat
c:\windows\imehofuji.bat
c:\windows\Install.txt
c:\windows\mezynu.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\msxm192z.dll
c:\windows\system32\ofimyqu.com
c:\windows\system32\sofatnet.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\system32\yzygepo.pif
c:\windows\TEMP\mpj98108.dll
c:\windows\TEMP\mta80562.dll

c:\windows\system32\grpconv.exe . . . is missing!!

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SOFATNET
-------\Service_sofatnet


((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 19:30 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 19:30 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-14 13:58 . 2009-08-14 13:58 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\ABBYY
2009-08-12 15:31 . 2009-08-12 15:31 -------- d-----w- c:\documents and settings\Wilma\Application Data\DivX
2009-08-12 14:37 . 2009-08-12 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\12848124
2009-08-12 14:36 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 22:44 . 2009-08-11 22:44 -------- d-----w- c:\program files\PC_Antispyware2010
2009-08-10 19:15 . 2009-08-10 19:15 -------- d-----w- c:\documents and settings\Graham\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 19:14 . 2009-08-10 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 19:14 . 2009-08-10 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 22:23 . 2009-08-08 22:23 -------- d-----w- c:\program files\Sun
2009-08-08 21:55 . 2009-08-08 22:27 -------- d-----w- c:\documents and settings\Graham\.SunDownloadManager
2009-08-08 21:19 . 2009-08-08 21:19 -------- d-----w- c:\program files\Trend Micro
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:41 . 2009-08-04 19:41 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG8
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\MSBuild
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-02 08:15 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-02 08:15 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-02 08:15 . 2009-08-02 08:15 -------- d-----w- C:\09c6fbee40c940fe6129
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-29 17:42 . 2009-07-29 17:42 458 ----a-w- c:\documents and settings\James\joqxij.bat
2009-07-21 18:55 . 2009-07-21 18:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 18:54 . 2009-07-21 18:54 152576 ----a-w- c:\documents and settings\Graham\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 09:09 . 2008-09-03 14:36 47232 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 11:01 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 00:43 . 2008-09-25 13:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 22:22 . 2005-12-09 09:26 -------- d-----w- c:\program files\Java
2009-08-07 15:05 . 2008-08-09 10:13 -------- d-----w- c:\documents and settings\Graham\Application Data\AdobeUM
2009-08-07 03:36 . 2008-09-11 19:30 -------- d-----w- c:\program files\Dl_cats
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:34 . 2008-08-08 20:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-04 21:29 . 2008-08-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-03 00:49 . 2009-06-19 14:15 47232 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-23 20:37 . 2008-12-24 20:08 -------- d-----w- c:\documents and settings\Graham\Application Data\BitTorrent
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:58 . 2008-09-07 21:55 -------- d-----w- c:\program files\Bonjour
2009-07-17 16:46 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-17 14:53 . 2009-07-17 14:50 -------- d-----w- c:\documents and settings\Graham\Application Data\Temp
2009-07-17 14:52 . 2008-10-18 15:56 -------- d-----w- c:\program files\Kodak
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 07:08 . 2009-06-27 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-10 17:49 . 2008-08-08 23:24 -------- d-----w- c:\program files\CCleaner
2009-07-06 21:17 . 2008-09-09 21:53 -------- d-----w- c:\program files\LimeWire
2009-07-06 19:29 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2009-06-29 16:12 . 2005-08-16 04:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2005-08-16 04:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 04:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-06-27 12:00 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2005-08-16 04:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 04:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 04:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-08-16 04:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 04:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 04:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 17:27 . 2008-11-06 22:39 47232 ----a-w- c:\documents and settings\Wilma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 23:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll
2008-09-03 14:36 . 2008-09-03 14:36 251 ----a-w- c:\program files\wt3d.ini
2005-07-16 05:41 . 2005-12-09 09:38 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 05:41 . 2005-12-09 09:38 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 05:41 . 2005-12-09 09:38 160871 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-12_20.01.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-18 19:35 . 2009-08-18 19:35 16384 c:\windows\Temp\Perflib_Perfdata_4e0.dat
+ 2009-08-18 19:33 . 2009-08-18 19:33 16384 c:\windows\Temp\Perflib_Perfdata_474.dat
+ 2009-08-18 19:28 . 2009-08-18 19:28 16384 c:\windows\Temp\Perflib_Perfdata_17d0.dat
+ 2004-08-10 05:00 . 2004-08-10 05:00 44032 c:\windows\system32\EvdoServer.dll
+ 2008-08-24 10:59 . 2009-08-17 04:37 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2009-08-12 19:57 . 2009-08-12 19:57 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-12 19:57 . 2009-08-12 19:57 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2008-08-24 10:59 . 2009-05-04 18:50 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2009-08-18 19:31 . 2009-08-18 19:31 172032 c:\windows\ERDNT\subs\Users\00000008\UsrClass.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 172032 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-12 19:57 . 2009-08-12 19:57 172032 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 237568 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-12 19:57 . 2009-08-12 19:57 237568 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-18 19:31 . 2009-08-18 19:31 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-12 19:57 . 2009-08-12 19:57 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-18 19:35 . 2009-06-29 16:12 1159680 c:\windows\Temp\x1c79505.dll
+ 2009-08-18 19:33 . 2009-06-29 16:12 1159680 c:\windows\Temp\mta58299.dll
+ 2009-08-18 19:36 . 2009-06-29 16:12 1159680 c:\windows\Temp\mta13187.dll
+ 2009-08-18 19:36 . 2009-06-29 16:12 1159680 c:\windows\Temp\mta107616.dll
+ 2009-08-18 19:36 . 2009-06-29 16:12 1159680 c:\windows\Temp\mpj80794.dll
+ 2009-08-18 19:31 . 2009-08-18 19:31 3952640 c:\windows\ERDNT\subs\Users\00000007\ntuser.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 4026368 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT

Re: win32/crypto virus

Part 2:

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-24 342848]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2006-08-04 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-21 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-09 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-04 2000152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-9 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-04 21:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9323:TCP"= 9323:TCP:EKDiscovery
"9324:TCP"= 9324:TCP:EKDiscovery
"9325:TCP"= 9325:TCP:EKDiscovery
"9326:TCP"= 9326:TCP:EKDiscovery

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/08/2008 21:59 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/08/2008 21:59 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/08/2008 21:59 297752]
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [16/08/2005 05:18 14336]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [10/08/2004 06:00 94720]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [06/04/2009 12:21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/04/2009 15:21 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/04/2009 15:21 20953]
S3 Ugrmtrmspdel;Ugrmtrmspdel;c:\windows\system32\drivers\cd20xrnt.sys [16/08/2005 22:28 7680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER
*NewlyCreated* - SOFATNET
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\documents and settings\All Users\Application Data\Kodak\Installer\Registration.exe [2009-07-17 16:24]

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-08-05 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-08-16 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedEngine - Google

Re: win32/crypto virus

Part 3 :


---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 20:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\FInstall.sys 8 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1696)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dlcccoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\wiawow32.sys
.
**************************************************************************
.
Completion time: 2009-08-18 20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 19:42
ComboFix2.txt 2009-08-12 20:06

Pre-Run: 41,478,348,800 bytes free
Post-Run: 41,599,959,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

416 --- E O F --- 2009-08-12 15:39

Re: win32/crypto virus
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    grpconv.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: win32/crypto virus
Belahzur

Log file from SystemLook

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 20:47 on 19/08/2009 by Graham (Administrator - Elevation successful)


========== filefind ==========

Searching for "grpconv.exe"
C:\i386\grpconv.exe --a--- 39424 bytes [09:52 09/08/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0
C:\WINDOWS\$NtServicePackUninstall$\grpconv.exe -----c 39424 bytes [23:34 08/08/2008] [05:00 10/08/2004] 9EE8C35B3391F30A7D088F5C43435AFB
C:\WINDOWS\ServicePackFiles\i386\grpconv.exe ------ 39424 bytes [21:46 08/08/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0

-=End Of File=-
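Added example, not part of the thread: a Python script that does offline what SystemLook's :filefind did above. It parses the three result lines Graham posted (embedded here as constructed sample input), groups the copies of grpconv.exe by MD5 and names the copy that hashes differently, and it can walk a directory tree itself to hash every file of a given name. The [created] [modified] field order is assumed from those lines; the regex, function names and the "odd copy" rule are mine, not SystemLook's.

```python
"""Added example (not from the thread): reproduce SystemLook's :filefind
check and compare the MD5 of every copy of a file found on disk."""
import hashlib
import os
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Field order [created] [modified] is assumed from the thread's own lines.
_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r" \[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(text: str) -> list:
    """Parse the result lines of a SystemLook :filefind section; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["created"], m["modified"], m["md5"].upper()))
    return hits


def group_by_hash(hits):
    """Map each MD5 to the paths that carry it."""
    groups = defaultdict(list)
    for h in hits:
        groups[h.md5].append(h.path)
    return dict(groups)


def odd_copies(hits):
    """Paths whose MD5 differs from the most common hash among the copies.
    Same name, same size, different hash is exactly the copy you look at twice."""
    if not hits:
        return []
    common = Counter(h.md5 for h in hits).most_common(1)[0][0]
    return [h.path for h in hits if h.md5 != common]


def md5_of(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so large binaries do not load whole."""
    d = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            d.update(block)
    return d.hexdigest().upper()


def filefind(root, name):
    """Walk root and return {path: md5} for every file named `name`
    (case-insensitive, as NTFS treats names)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                found[p] = md5_of(p)
    return found


# Constructed sample: the three result lines SystemLook returned in the thread.
SAMPLE_LOG = r"""
Searching for "grpconv.exe"
C:\i386\grpconv.exe --a--- 39424 bytes [09:52 09/08/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0
C:\WINDOWS\$NtServicePackUninstall$\grpconv.exe -----c 39424 bytes [23:34 08/08/2008] [05:00 10/08/2004] 9EE8C35B3391F30A7D088F5C43435AFB
C:\WINDOWS\ServicePackFiles\i386\grpconv.exe ------ 39424 bytes [21:46 08/08/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0
"""

if __name__ == "__main__":
    hits = parse_filefind(SAMPLE_LOG)
    for digest, paths in group_by_hash(hits).items():
        print(digest, paths)
    print("differs from the other copies:", odd_copies(hits))
```

On the sample the two copies stamped 14/04/2008 (the SP3 build) share one hash and the SP2 uninstall copy has another, which is what you expect; the useful case is when a copy in system32 turns up with a hash that matches none of the install-media copies.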

Re: win32/crypto virus
Now open a new notepad file.
Input this into the notepad file:

FCopy::
C:\i386\grpconv.exe | c:\windows\system32\proquota.exe


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


Re: win32/crypto virus
Belahzur

Log file from Combofix : part 1

ComboFix 09-08-19.0C - Graham 20/08/2009 21:08.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.465 [GMT 1:00]
Running from: c:\documents and settings\Graham\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Graham\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Graham\Desktop\PC_Antispyware2010.lnk
c:\documents and settings\Graham\Start Menu\Programs\PC_Antispyware2010
c:\documents and settings\Graham\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk
c:\documents and settings\Graham\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk
c:\program files\PC_Antispyware2010
c:\program files\PC_Antispyware2010\AVEngn.dll
c:\program files\PC_Antispyware2010\data\daily.cvd
c:\program files\PC_Antispyware2010\htmlayout.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg
c:\program files\PC_Antispyware2010\pthreadVC2.dll
c:\program files\PC_Antispyware2010\wscui.cpl
c:\windows\Install.txt
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\i386\grpconv.exe

.
--------------- FCopy ---------------

c:\i386\grpconv.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-20 20:13 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-20 20:13 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-08-20 19:59 . 2009-08-20 19:59 -------- d-----w- c:\documents and settings\James2
2009-08-18 19:30 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 19:30 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-14 13:58 . 2009-08-14 13:58 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\ABBYY
2009-08-12 15:31 . 2009-08-12 15:31 -------- d-----w- c:\documents and settings\Wilma\Application Data\DivX
2009-08-12 14:37 . 2009-08-12 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\12848124
2009-08-12 14:36 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 19:15 . 2009-08-10 19:15 -------- d-----w- c:\documents and settings\Graham\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 19:14 . 2009-08-10 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 19:14 . 2009-08-10 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 22:23 . 2009-08-08 22:23 -------- d-----w- c:\program files\Sun
2009-08-08 21:55 . 2009-08-08 22:27 -------- d-----w- c:\documents and settings\Graham\.SunDownloadManager
2009-08-08 21:19 . 2009-08-08 21:19 -------- d-----w- c:\program files\Trend Micro
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:41 . 2009-08-04 19:41 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG8
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\MSBuild
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-02 08:15 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-02 08:15 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-02 08:15 . 2009-08-02 08:15 -------- d-----w- C:\09c6fbee40c940fe6129
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-29 17:42 . 2009-07-29 17:42 458 ----a-w- c:\documents and settings\James\joqxij.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 11:01 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 00:43 . 2008-09-25 13:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 22:22 . 2005-12-09 09:26 -------- d-----w- c:\program files\Java
2009-08-07 15:05 . 2008-08-09 10:13 -------- d-----w- c:\documents and settings\Graham\Application Data\AdobeUM
2009-08-07 03:36 . 2008-09-11 19:30 -------- d-----w- c:\program files\Dl_cats
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:34 . 2008-08-08 20:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-04 21:29 . 2008-08-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-03 00:49 . 2009-06-19 14:15 47232 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-23 20:37 . 2008-12-24 20:08 -------- d-----w- c:\documents and settings\Graham\Application Data\BitTorrent
2009-07-21 18:55 . 2009-07-21 18:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 18:54 . 2009-07-21 18:54 152576 ----a-w- c:\documents and settings\Graham\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:58 . 2008-09-07 21:55 -------- d-----w- c:\program files\Bonjour
2009-07-17 16:46 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-17 14:53 . 2009-07-17 14:50 -------- d-----w- c:\documents and settings\Graham\Application Data\Temp
2009-07-17 14:52 . 2008-10-18 15:56 -------- d-----w- c:\program files\Kodak
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 07:08 . 2009-06-27 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-10 17:49 . 2008-08-08 23:24 -------- d-----w- c:\program files\CCleaner
2009-07-06 21:17 . 2008-09-09 21:53 -------- d-----w- c:\program files\LimeWire
2009-07-06 19:29 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2009-06-29 16:12 . 2005-08-16 04:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2005-08-16 04:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 04:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-06-27 12:00 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2005-08-16 04:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 04:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 04:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-08-16 04:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 04:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 04:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 17:27 . 2008-11-06 22:39 47232 ----a-w- c:\documents and settings\Wilma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 23:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll
2008-09-03 14:36 . 2008-09-03 14:36 251 ----a-w- c:\program files\wt3d.ini
2005-07-16 05:41 . 2005-12-09 09:38 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 05:41 . 2005-12-09 09:38 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 05:41 . 2005-12-09 09:38 160871 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-12_20.01.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 21:56 . 2009-08-19 21:56 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
+ 2009-08-19 21:53 . 2009-08-19 21:53 16384 c:\windows\Temp\Perflib_Perfdata_550.dat
+ 2004-08-10 05:00 . 2004-08-10 05:00 44032 c:\windows\system32\EvdoServer.dll
+ 2008-08-24 10:59 . 2009-08-17 04:37 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe

Re: win32/crypto virus
Part 2 :

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-24 342848]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2006-08-04 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-21 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-09 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-04 2000152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-9 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-04 21:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9323:TCP"= 9323:TCP:EKDiscovery
"9324:TCP"= 9324:TCP:EKDiscovery
"9325:TCP"= 9325:TCP:EKDiscovery
"9326:TCP"= 9326:TCP:EKDiscovery

R?2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [16/08/2005 05:18 14336]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/08/2008 21:59 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/08/2008 21:59 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/08/2008 21:59 297752]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [06/04/2009 12:21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/04/2009 15:21 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/04/2009 15:21 20953]
S3 Ugrmtrmspdel;Ugrmtrmspdel;c:\windows\system32\drivers\cd20xrnt.sys [16/08/2005 22:28 7680]
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\documents and settings\All Users\Application Data\Kodak\Installer\Registration.exe [2009-07-17 16:24]

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-08-19 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-08-16 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
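Added example, not part of the thread: a Python triage script for two sections of the ComboFix log above. It reads the SnapShot diff (from Part 1) and the service list (from Part 2), both embedded here as constructed sample lines taken from the posted log, and applies two checks a responder would run by eye: which services are hosted by svchost.exe (so the log line does not show the code that actually runs), and which files appeared since the snapshot yet carry a modification time far older than it, then pairs the two by base name. The ComboFix field order (created . modified), the one-year age threshold and all function names are my assumptions, not ComboFix's documented format.

```python
"""Added example (not from the thread): offline triage of two ComboFix log
sections, correlating svchost-hosted services with files that appeared since
the previous snapshot yet carry a modification time far older than it."""
import os
import re
from datetime import datetime, timedelta

# "R?2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [16/08/2005 05:18 14336]"
_SVC = re.compile(
    r"^(?P<flags>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)(?:\s+\[[^\]]*\])?$")
# "+ 2004-08-10 05:00 . 2004-08-10 05:00 44032 c:\windows\system32\EvdoServer.dll"
# Column order created . modified is assumed from the log's own lines.
_SNAP = re.compile(
    r"^(?P<sign>[+-])\s+(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?P<size>\d+)\s+(?P<path>.+)$")
_SNAP_HDR = re.compile(r"SnapShot@(\d{4}-\d\d-\d\d)_(\d\d)\.(\d\d)\.(\d\d)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_services(text):
    """Service/driver rows of the log as dicts (flags, name, display, image)."""
    out = []
    for line in text.splitlines():
        m = _SVC.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def parse_snapshot(text):
    """Return (snapshot time, rows). '+' rows are present now, '-' rows were present at snapshot time."""
    snap_at, rows = None, []
    for line in text.splitlines():
        h = _SNAP_HDR.search(line)
        if h:
            snap_at = _ts(f"{h.group(1)} {h.group(2)}:{h.group(3)}")
            continue
        m = _SNAP.match(line.strip())
        if m:
            d = m.groupdict()
            d["created"], d["modified"] = _ts(d["created"]), _ts(d["modified"])
            d["size"] = int(d["size"])
            rows.append(d)
    return snap_at, rows


def svchost_hosted(services):
    """Services whose image is svchost.exe: the real code is a ServiceDll named
    only in the registry, so the log line alone does not tell you what runs."""
    return [s["name"] for s in services if "svchost.exe" in s["image"].lower()]


def appeared_with_old_mtime(snap_at, rows, min_age=timedelta(days=365)):
    """'+' rows whose modification time predates the snapshot by at least min_age:
    copied with preserved timestamps or timestomped, either way worth a look."""
    return [r["path"] for r in rows if r["sign"] == "+" and r["modified"] < snap_at - min_age]


def correlate(services, rows):
    """Pair each svchost-hosted service with a newly appeared file of the same base name."""
    hosted = {n.lower(): n for n in svchost_hosted(services)}
    hits = []
    for r in rows:
        if r["sign"] != "+":
            continue
        stem = os.path.splitext(r["path"].replace("\\", "/").rsplit("/", 1)[-1])[0].lower()
        if stem in hosted:
            hits.append((hosted[stem], r["path"]))
    return hits


def triage(text):
    snap_at, rows = parse_snapshot(text)
    services = parse_services(text)
    return {
        "svchost_hosted": svchost_hosted(services),
        "old_mtime_new_files": appeared_with_old_mtime(snap_at, rows),
        "service_dll_pairs": correlate(services, rows),
    }


# Constructed sample: lines lifted from the Part 1 snapshot and Part 2 services sections.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((( SnapShot@2009-08-12_20.01.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 21:56 . 2009-08-19 21:56 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
+ 2004-08-10 05:00 . 2004-08-10 05:00 44032 c:\windows\system32\EvdoServer.dll
+ 2008-08-24 10:59 . 2009-08-17 04:37 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe

R?2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [16/08/2005 05:18 14336]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 335240]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
S3 Ugrmtrmspdel;Ugrmtrmspdel;c:\windows\system32\drivers\cd20xrnt.sys [16/08/2005 22:28 7680]
"""

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

The Office icon files are not flagged even though their created time is 2008: they were modified after the snapshot, which is what a normal update looks like. EvdoServer.dll is flagged on both counts, which matches the service the next post removes.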

Re: win32/crypto virus
Part 3 :

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedEngine - Google

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 21:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2009-08-20 21:16
ComboFix-quarantined-files.txt 2009-08-20 20:16
ComboFix2.txt 2009-08-18 19:42
ComboFix3.txt 2009-08-12 20:06

Pre-Run: 41,306,157,056 bytes free
Post-Run: 41,529,004,032 bytes free

325 --- E O F --- 2009-08-12 15:39

Re: win32/crypto virus
Hello.
More malware came back. :l

Now open a new notepad file.
Input this into the notepad file:

Driver::
EvdoServer

File::
c:\documents and settings\James\joqxij.bat

Folder::
c:\documents and settings\All Users\Application Data\12848124


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

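Added example, not part of the thread: a Python parser and linter for the CFScript.txt format used in the FCopy:: post and in the post above. It splits the script into its Name:: sections, checks each entry the way a helper would before telling someone to drag the file onto ComboFix (File::/Folder:: entries must be absolute paths, Driver:: takes a service name, FCopy:: takes "src | dst"), and prints a dry-run plan. The sample script is the one from the post above; the recognised directive set (Driver, File, Folder, FCopy, Registry, KILLALL), the lint rules and the function names are my assumptions, not ComboFix's documented grammar.

```python
"""Added example (not from the thread): parse a ComboFix CFScript.txt into
sections and sanity-check it before anyone drags it onto ComboFix."""
import re
from collections import OrderedDict

_HEADER = re.compile(r"^([A-Za-z]+)::\s*$")
_ABS = re.compile(r"^[A-Za-z]:\\")
# Assumed directive set: the ones the thread uses plus KILLALL.
KNOWN = {"Driver", "File", "Folder", "FCopy", "Registry", "KILLALL"}


def parse_cfscript(text):
    """Ordered mapping of section name -> list of item lines.
    A 'Name::' line opens a section, blank lines are skipped,
    every other line belongs to the section opened last."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"item before any section header: {line!r}")
        sections[current].append(line)
    return sections


def fcopy_pairs(sections):
    """(src, dst) tuples from the FCopy:: section."""
    pairs = []
    for it in sections.get("FCopy", []):
        parts = [p.strip() for p in it.split("|")]
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def lint_cfscript(sections):
    """Human-readable problems, empty when the script looks sane.
    These rules mirror how the thread uses each directive; they are
    this example's checks, not ComboFix's own validation."""
    problems = []
    for name, items in sections.items():
        if name in ("File", "Folder"):
            for it in items:
                if not _ABS.match(it):
                    problems.append(f"{name}:: entry is not an absolute path: {it}")
        elif name == "Driver":
            for it in items:
                # Heuristic: a path or a file name here usually means the wrong section.
                if "\\" in it or "." in it:
                    problems.append(f"Driver:: expects a service name, not a path: {it}")
        elif name == "FCopy":
            for it in items:
                parts = [p.strip() for p in it.split("|")]
                if len(parts) != 2 or not all(_ABS.match(p) for p in parts):
                    problems.append(f"FCopy:: entry must be 'src | dst' with absolute paths: {it}")
        elif name == "Registry":
            for it in items:
                if not (it.startswith("[") or it.startswith('"')):
                    problems.append(f"Registry:: line is neither a key nor a value: {it}")
        elif name not in KNOWN:
            problems.append(f"unknown section: {name}::")
    return problems


def plan(sections):
    """Dry-run description of what the script asks ComboFix to do."""
    verbs = {"Driver": "stop and remove service/driver",
             "File": "delete file", "Folder": "delete folder",
             "Registry": "apply registry line", "KILLALL": "kill all running processes"}
    steps = []
    for name, items in sections.items():
        if name == "FCopy":
            steps += [f"copy {src} -> {dst}" for src, dst in fcopy_pairs(sections)]
        else:
            steps += [f"{verbs.get(name, name)}: {it}" for it in items]
    return steps


# Constructed sample: the CFScript from the post above.
SAMPLE_SCRIPT = r"""
Driver::
EvdoServer

File::
c:\documents and settings\James\joqxij.bat

Folder::
c:\documents and settings\All Users\Application Data\12848124

FCopy::
C:\i386\grpconv.exe | c:\windows\system32\proquota.exe
"""

if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_SCRIPT)
    print("problems:", lint_cfscript(s) or "none")
    for step in plan(s):
        print(" -", step)
```

The point of the linter is the common copy-and-paste mistakes: a bare file name under File:: that ComboFix cannot resolve, or a path pasted under Driver:: where a service name belongs.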

Re: win32/crypto virus
Belahzur

Output from combofix :

ComboFix 09-08-20.07 - Graham 21/08/2009 21:29.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.523 [GMT 1:00]
Running from: c:\documents and settings\Graham\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Graham\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\James\joqxij.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\12848124
c:\documents and settings\All Users\Application Data\12848124\12848124
c:\documents and settings\James\joqxij.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVDOSERVER
-------\Service_EvdoServer


((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-20 20:13 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-20 20:13 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-08-20 19:59 . 2009-08-20 19:59 -------- d-----w- c:\documents and settings\James2
2009-08-18 19:30 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 19:30 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-14 13:58 . 2009-08-14 13:58 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\ABBYY
2009-08-12 15:31 . 2009-08-12 15:31 -------- d-----w- c:\documents and settings\Wilma\Application Data\DivX
2009-08-12 14:36 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 19:15 . 2009-08-10 19:15 -------- d-----w- c:\documents and settings\Graham\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 19:14 . 2009-08-10 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 19:14 . 2009-08-10 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 22:23 . 2009-08-08 22:23 -------- d-----w- c:\program files\Sun
2009-08-08 21:55 . 2009-08-08 22:27 -------- d-----w- c:\documents and settings\Graham\.SunDownloadManager
2009-08-08 21:19 . 2009-08-08 21:19 -------- d-----w- c:\program files\Trend Micro
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:41 . 2009-08-04 19:41 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG8
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\MSBuild
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-02 08:15 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-02 08:15 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-02 08:15 . 2009-08-02 08:15 -------- d-----w- C:\09c6fbee40c940fe6129
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 09:09 . 2008-09-03 14:36 47232 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 11:01 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 00:43 . 2008-09-25 13:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 22:22 . 2005-12-09 09:26 -------- d-----w- c:\program files\Java
2009-08-07 15:05 . 2008-08-09 10:13 -------- d-----w- c:\documents and settings\Graham\Application Data\AdobeUM
2009-08-07 03:36 . 2008-09-11 19:30 -------- d-----w- c:\program files\Dl_cats
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:34 . 2008-08-08 20:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-04 21:34 . 2009-08-21 20:41 2061592 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-08-04 21:34 . 2009-08-21 20:38 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-04 21:34 . 2008-08-08 20:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-04 21:33 . 2009-08-21 20:41 3476760 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-08-04 21:33 . 2009-08-21 20:41 2000152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-08-04 21:33 . 2009-08-21 20:41 1213720 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
2009-08-04 21:33 . 2009-08-21 20:38 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-04 21:33 . 2009-08-21 20:38 1126168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-04 21:29 . 2008-08-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-03 00:49 . 2009-06-19 14:15 47232 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-23 20:37 . 2008-12-24 20:08 -------- d-----w- c:\documents and settings\Graham\Application Data\BitTorrent
2009-07-21 18:55 . 2009-07-21 18:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 18:54 . 2009-07-21 18:54 152576 ----a-w- c:\documents and settings\Graham\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:58 . 2008-09-07 21:55 -------- d-----w- c:\program files\Bonjour
2009-07-17 16:46 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-17 14:53 . 2009-07-17 14:50 -------- d-----w- c:\documents and settings\Graham\Application Data\Temp
2009-07-17 14:52 . 2008-10-18 15:56 -------- d-----w- c:\program files\Kodak
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 07:08 . 2009-06-27 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-10 17:49 . 2008-08-08 23:24 -------- d-----w- c:\program files\CCleaner
2009-07-06 21:17 . 2008-09-09 21:53 -------- d-----w- c:\program files\LimeWire
2009-07-06 19:29 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2009-06-29 16:12 . 2005-08-16 04:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2005-08-16 04:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 04:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-06-27 12:00 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2005-08-16 04:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 04:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 04:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-08-16 04:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 04:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 04:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 17:27 . 2008-11-06 22:39 47232 ----a-w- c:\documents and settings\Wilma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 23:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll
2008-09-03 14:36 . 2008-09-03 14:36 251 ----a-w- c:\program files\wt3d.ini
2005-07-16 05:41 . 2005-12-09 09:38 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 05:41 . 2005-12-09 09:38 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 05:41 . 2005-12-09 09:38 160871 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-12_20.01.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-21 20:37 . 2009-08-21 20:37 16384 c:\windows\Temp\Perflib_Perfdata_22c.dat
+ 2004-08-10 05:00 . 2004-08-10 05:00 44032 c:\windows\system32\EvdoServer.dll
+ 2008-08-24 10:59 . 2009-08-17 04:37 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
.

Re: win32/crypto virus

Part 2:

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-24 342848]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2006-08-04 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-21 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-09 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-9 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-04 21:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9323:TCP"= 9323:TCP:EKDiscovery
"9324:TCP"= 9324:TCP:EKDiscovery
"9325:TCP"= 9325:TCP:EKDiscovery
"9326:TCP"= 9326:TCP:EKDiscovery

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/08/2008 21:59 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/08/2008 21:59 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/08/2008 21:59 297752]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [06/04/2009 12:21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/04/2009 15:21 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/04/2009 15:21 20953]
S3 Ugrmtrmspdel;Ugrmtrmspdel;c:\windows\system32\drivers\cd20xrnt.sys [16/08/2005 22:28 7680]
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\documents and settings\All Users\Application Data\Kodak\Installer\Registration.exe [2009-07-17 16:24]

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-08-19 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-08-16 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
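The "Reg Loading Points" section of the ComboFix log above carries the entries a helper reads first when deciding whether a machine is still under someone else's control: Security Center monitoring switched off for both McAfee products, the Windows Firewall disabled on the standard profile, and two P2P clients on the firewall's allowed list. The following is an added example (not part of the thread, and not ComboFix code) that parses that REGEDIT4-style listing and flags those settings for review. The sample input is constructed from the entries quoted above; the rule set, the `P2P_MARKERS` list and the severity labels are my own assumptions.

```python
"""Flag security-weakening entries in a ComboFix 'Reg Loading Points' section.

Added example, not part of the original thread or of ComboFix. SAMPLE is a
constructed, trimmed copy of the section posted above; the key locations are
real Windows XP registry paths, the review rules are assumptions of this example.
"""
import re

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"\s*=\s*(.*)$')

# Assumed list of P2P client executables worth calling out on an allow list.
P2P_MARKERS = ("btdna", "bittorrent", "limewire", "utorrent", "emule", "kazaa")


def parse_reg_points(text):
    """Return {key (lower-cased): {value name: raw data}} for a REGEDIT4-style listing."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries


def as_int(raw):
    """Decode ComboFix's 'dword:00000001' or '0 (0x0)' forms; None if not numeric."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def find_weak_settings(entries):
    """Return (severity, message) findings; every one is a review item, not proof of infection."""
    findings = []
    for key, values in entries.items():
        if r"security center\monitoring" in key:
            # Third-party suites set DisableMonitoring when they report their own
            # state, so this needs a human look rather than an automatic verdict.
            if as_int(values.get("DisableMonitoring", "")) == 1:
                product = key.rsplit("\\", 1)[-1]
                findings.append(("review", f"Security Center monitoring disabled for {product}"))
        if key.endswith(r"firewallpolicy\standardprofile"):
            # Legitimate when a third-party firewall is enabled (the log header says one is).
            if as_int(values.get("EnableFirewall", "")) == 0:
                findings.append(("review", "Windows Firewall disabled on the standard profile"))
        if key.endswith(r"authorizedapplications\list"):
            for app in values:
                if any(marker in app.lower() for marker in P2P_MARKERS):
                    findings.append(("warn", f"P2P client allowed through the firewall: {app}"))
    return findings


if __name__ == "__main__":
    for severity, message in find_weak_settings(parse_reg_points(SAMPLE)):
        print(f"[{severity}] {message}")
```

Run it against a full log by replacing `SAMPLE` with the text between the "Reg Loading Points" banner and the driver list; the parser ignores the `R1`/`S3` driver lines because they carry no `[key]` header. Nothing here is a detection signature: the same values appear on clean machines that run a third-party suite, which is why the block reports them for review instead of deciding.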

Re: win32/crypto virus

Part 3:


------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedEngine - Google

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 21:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3940)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dlcccoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-08-21 21:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 20:44
ComboFix2.txt 2009-08-20 20:16
ComboFix3.txt 2009-08-18 19:42
ComboFix4.txt 2009-08-12 20:06

Pre-Run: 42,717,425,664 bytes free
Post-Run: 46,997,958,656 bytes free

346 --- E O F --- 2009-08-12 15:39

Re: win32/crypto virus
I see that you are running BitTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BitTorrent is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • BitTorrent



Run another scan with Malwarebytes and post the log back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: win32/crypto virus
Belahzur

I have uninstalled BitTorrent and re-ran Malwarebytes; see log:

Malwarebytes' Anti-Malware 1.40
Database version: 2593
Windows 5.1.2600 Service Pack 3

22/08/2009 20:13:56
mbam-log-2009-08-22 (20-13-09).txt

Scan type: Quick Scan
Objects scanned: 125699
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> No action taken.

Re: win32/crypto virus

Hello, you have an old Malwarebytes database. Please update it and run another scan; also make sure you click on the Remove Selected button.

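The two Malwarebytes logs in this thread differ only in their database version and in the action column: every entry in the first scan ends in "No action taken", which is what the helper's reply above is pointing at. The following is an added example, not part of the thread and not Malwarebytes code, that parses MBAM 1.x log lines, lists what was left unremoved, cross-checks the declared per-section counts against the entries actually listed, and shows which items appear in both of two scans. The two logs below are constructed from a subset of the entries posted above; the line format is Malwarebytes' own, the helper functions and their names are my own.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and report what is still open.

Added example, not part of the thread or of Malwarebytes. LOG_BEFORE is a
constructed subset of the first scan above; LOG_AFTER is the same set of items
as the second scan reports them, after 'Remove Selected' with a newer database.
"""
import re

LOG_BEFORE = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2593

Registry Keys Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> No action taken.
"""

# Constructed: the same items as the second scan above reports them.
LOG_AFTER = LOG_BEFORE.replace("2593", "2681").replace(
    "No action taken.", "Quarantined and deleted successfully.")

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected):\s*(?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {'db_version', 'declared': {section: count}, 'detections': [dict]}."""
    report = {"db_version": None, "declared": {}, "detections": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("("):      # blank or "(No malicious items detected)"
            continue
        if line.startswith("Database version:"):
            report["db_version"] = int(line.split(":", 1)[1])
            continue
        m = SUMMARY_RE.match(line)                 # "Files Infected: 4" in the header block
        if m:
            report["declared"][m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)                 # "Files Infected:" opening a section
        if m:
            section = m["section"]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            d = m.groupdict()
            d["section"] = section
            report["detections"].append(d)
    return report


def unresolved(report):
    """Detections the user never removed: anything not quarantined."""
    return [d for d in report["detections"] if not d["action"].startswith("Quarantined")]


def count_mismatches(report):
    """Sections whose header count disagrees with the entries listed (truncated paste, edited log)."""
    seen = {}
    for d in report["detections"]:
        seen[d["section"]] = seen.get(d["section"], 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in report["declared"].items() if seen.get(s, 0) != n}


def recurring(before, after):
    """Items reported by both scans; after a real removal the later scan should not list them."""
    return sorted({d["item"] for d in before["detections"]} & {d["item"] for d in after["detections"]})


if __name__ == "__main__":
    before, after = parse_mbam_log(LOG_BEFORE), parse_mbam_log(LOG_AFTER)
    print(f"db {before['db_version']}: {len(unresolved(before))} item(s) left with no action taken")
    print(f"db {after['db_version']}: {len(unresolved(after))} item(s) left with no action taken")
    print("seen in both scans:", *recurring(before, after), sep="\n  ")
```

The "Bad: (1) Good: (0)" pair on the Security Center lines is kept as `bad`/`good` fields, so the same parser can tell a notification-suppression finding from a file detection. Point it at the full logs from the thread by replacing the two constants; `count_mismatches` is there because users often paste a log with a section cut off, and the header totals are the only way to notice.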

Re: win32/crypto virus
Belahzur

Updated Malwarebytes and reran.

Malwarebytes' Anti-Malware 1.40
Database version: 2681
Windows 5.1.2600 Service Pack 3

23/08/2009 07:46:44
mbam-log-2009-08-23 (07-46-44).txt

Scan type: Quick Scan
Objects scanned: 129421
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Re: win32/crypto virus
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[screenshot: CF_Cleanup]

This will also reset your restore points.

How is the machine running now?

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: win32/crypto virus
Belahzur.

The machine is fine now, I have just run AVG and no threats - that's fantastic. Many thanks.
