W32.Tidserv & Backdoor.Tidserv!inf Help please

Hello.
Don't try deleting "Recycler", that is the legit folder, the malware is called "resycled", there is an s instead of the c, don't mistake them otherwise it could cause problems.
We just need to repair some things.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

AWF::
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\MouseWare\system\bak\EM_EXEC.EXE
c:\program files\CA\eTrust PestPatrol\bak\PPActiveDetection.exe
c:\program files\QUICKENW\bak\QAGENT.EXE
c:\program files\QuickTime\bak\qttask.exe
c:\program files\Keymaestro\Multimedia Keyboard\bak\MMKeybd.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\D-Tools\bak\daemon.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\V]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38a4d306-b2d6-11dc-ab4e-00e0988595d9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5395a160-2a47-11d9-a4a7-806d6172696f}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

ComboFix 09-01-01.02 - Parents 2009-01-03 16:43:21.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1519 [GMT 0:00]
Running from: c:\documents and settings\Parents\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Parents\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-03 12:56 . 2009-01-03 12:56 d-------- c:\program files\Trend Micro
2009-01-02 22:43 . 2009-01-02 22:43 d-------- c:\documents and settings\All Users\Application Data\Uniblue
2008-12-24 12:30 . 2008-12-24 12:30 d-------- c:\documents and settings\Parents\Contacts
2008-12-24 12:29 . 2008-12-24 12:29 d-------- c:\program files\Windows Live
2008-12-24 12:29 . 2008-12-24 12:29 d--hs---- c:\program files\Common Files\WindowsLiveInstaller
2008-12-24 12:29 . 2008-12-24 12:29 d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-17 19:06 . 2008-12-17 19:06 d-------- c:\program files\iPod
2008-12-17 19:06 . 2008-12-17 19:06 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 18:04 . 2009-01-02 17:05 640 --a------ c:\windows\system32\SGLCH32.USR
2008-12-06 18:04 . 2009-01-02 17:05 125 --a------ c:\windows\system32\SageInformer50.ssf
2008-12-06 18:00 . 2008-12-06 18:00 d-------- c:\program files\Common Files\InstallEngine
2008-12-06 17:58 . 2008-12-06 17:58 d-------- c:\program files\Common Files\Sage Shared
2008-12-06 17:58 . 2008-12-06 17:58 d-------- c:\program files\Common Files\Sage Line50
2008-12-06 17:56 . 2008-12-06 17:56 d-------- c:\program files\Sage
2008-12-06 17:56 . 2008-12-06 17:56 d-------- c:\program files\Common Files\Sage SBD
2008-12-06 17:56 . 2008-12-06 17:56 d-------- c:\program files\Common Files\Sage Report Designer 2007
2008-12-06 17:56 . 2008-12-06 17:56 d-------- c:\documents and settings\All Users\Application Data\Sage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 03:28 36,272 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-11-17 07:10 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-13 20:41 --------- d-----w c:\program files\Common Files\PCSuite
2008-11-13 20:41 --------- d-----w c:\program files\Common Files\Nokia
2008-11-13 05:17 --------- d-----r c:\program files\Norton Support
2008-11-06 17:47 --------- d-----w c:\program files\Apple Software Update
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 17:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2006-02-01 18:03 114,144 ----a-w c:\documents and settings\Parents\Application Data\GDIPFONTCACHEV1.DAT
2004-04-05 13:02 141,812 ----a-w c:\documents and settings\Parents\Winsock2.reg
2003-08-04 19:23 784 ----a-w c:\documents and settings\Parents\Application Data\mpauth.dat
2001-02-28 13:14 476,576 ----a-w c:\program files\SETUP.EXE
2000-12-12 11:17 100,432 ------w c:\program files\Win2000PPAHotfix.exe
2003-09-14 10:07 56 --sh--r c:\windows\system32\46C0110EBB.sys
2002-04-16 11:27 5 --sha-w c:\windows\system32\CdI5T.drv
2008-05-10 10:58 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"EPSON Stylus D92 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE" [2006-09-27 139264]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-01-08 1260296]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
""="c:\program files\Internet Explorer\iexplore.exe" [2008-10-15 633632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-26 180269]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-17 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"PtiuPbmd"="ulutil2.dll" [2003-11-06 c:\windows\system32\ulutil2.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Startup.lnk - c:\program files\QUICKENW\QWDLLS.EXE [2003-07-25 36864]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2008-05-06 09:42 202088 c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
--a------ 2001-12-23 17:02 4608 c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2002-06-19 02:44 46592 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"63523:TCP"= 63523:TCP:PORT_63523
"40391:TCP"= 40391:TCP:PORT_40391
"9742:TCP"= 9742:TCP:PORT_9742
"37723:TCP"= 37723:TCP:PORT_37723
"9207:TCP"= 9207:TCP:PORT_9207
"25316:TCP"= 25316:TCP:PORT_25316
"21523:TCP"= 21523:TCP:PORT_21523
"27396:TCP"= 27396:TCP:PORT_27396
"23033:TCP"= 23033:TCP:PORT_23033
"58283:TCP"= 58283:TCP:PORT_58283
"54573:TCP"= 54573:TCP:PORT_54573
"41520:TCP"= 41520:TCP:PORT_41520
"7176:TCP"= 7176:TCP:PORT_7176
"13316:TCP"= 13316:TCP:PORT_13316
"52857:TCP"= 52857:TCP:PORT_52857
"9047:TCP"= 9047:TCP:PORT_9047
"38536:TCP"= 38536:TCP:PORT_38536
"59332:TCP"= 59332:TCP:PORT_59332
"46363:TCP"= 46363:TCP:PORT_46363
"63969:TCP"= 63969:TCP:PORT_63969
"54305:TCP"= 54305:TCP:PORT_54305
"24142:TCP"= 24142:TCP:PORT_24142
"65117:TCP"= 65117:TCP:PORT_65117
"57528:TCP"= 57528:TCP:PORT_57528
"63173:TCP"= 63173:TCP:PORT_63173
"40809:TCP"= 40809:TCP:PORT_40809
"32851:TCP"= 32851:TCP:PORT_32851

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\DRIVERS\DontGo.sys [2008-04-23 7680]
R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS []
R0 ulsata2;ulsata2;c:\windows\system32\DRIVERS\ulsata2.sys [2008-04-23 125952]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-20 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NIS\1002000.007\ccHPx86.sys [2008-12-20 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081220.001\IDSxpx86.sys [2008-12-20 274808]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\DRIVERS\msikbd2k.sys [2003-03-11 6656]
R1 o2adj;o2adj;c:\windows\system32\drivers\o2adj.sys [2003-01-06 9856]
R2 DK2DRV;DK2 WindowsNT Driver;\??\c:\windows\System32\Drivers\DK2DRV.SYS [2003-11-11 27488]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\mrtRate.sys [2003-07-25 34712]
R2 nhksrv;Netropa NHK Server;c:\program files\Keymaestro\Multimedia Keyboard\nhksrv.exe [2003-07-30 28672]
R2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll" /prefetch:1 []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-16 99376]
S2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\DRIVERS\ATINTTXX.sys [2003-03-12 13824]
S3 adxapie;adxapie;\??\c:\docume~1\Parents\LOCALS~1\Temp\adxapie.sys []
S3 Clasgdkpr;Clasgdkpr; []
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Parents.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []

2009-01-02 c:\windows\Tasks\Norton Internet Security - Parents - Full System Scan.job
- c:\program files\Norton Internet Security\Engine\16.0.0.125\Navw32.exe []

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-02 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-01-08 09:14]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SpeedTouch USB Diagnostics - c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe


.

------- Supplementary Scan -------
.
uStart Page = hxxp://www.ebay.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll

O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - hxxp://www.stop-sign.com/pub/download/scandl_cnry.cab
c:\windows\Downloaded Program Files\setup.inf

c:\windows\Downloaded Program Files\ConnectorLauncher.dll - c:\windows\Downloaded Program Files\ConnectorScriptEngine.exe
O16 -: {50647AB5-18FD-4142-82B0-5852478DD0D5}
hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
c:\windows\Downloaded Program Files\ConnectorLauncher.inf

c:\windows\Downloaded Program Files\OBInstallRunner.OCX - O16 -: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9}
hxxp://www.opinionbar.com/download/resources/OBInstallCabinet.CAB

c:\windows\system32\atl.dll - c:\windows\system32\ACNePlayer.dll
O16 -: {B991DA79-51F7-4011-98D2-1F2592E82A56}
hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
c:\windows\Downloaded Program Files\ACNeplayerU.inf

O16 -: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} - hxxp://www.envivio.tv/downloads/EnvivioTV/EnvivioTVSilentInstaller.exe

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://85.105.200.152:7070/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 16:46:35
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2070620897-436321949-3341562259-1005\Software\Microsoft\SystemCertificates\AddressBook*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2070620897-436321949-3341562259-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*NULL*i%z*NULL**NULL*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2070620897-436321949-3341562259-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*NULL*i%z*NULL**NULL*\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ
*NULL*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6037"
"DeviceInstanceIds"=multi:"\00"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\program files\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
c:\documents and settings\ALL USERS\APPLICATION DATA\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\IOMEGA\SYSTEM32\APPSERVICES.EXE
c:\program files\NORTON INTERNET SECURITY\ENGINE\16.2.0.7\CCSVCHST.EXE
c:\program files\Real\RealPlayer\RealPlay.exe
c:\windows\SYSTEM32\WWSECURE.EXE
c:\program files\PC CONNECTIVITY SOLUTION\SERVICELAYER.EXE
c:\program files\PC CONNECTIVITY SOLUTION\TRANSPORTS\NCLUSBSRV.EXE
c:\program files\PC CONNECTIVITY SOLUTION\TRANSPORTS\NCLRSSRV.EXE
c:\program files\NORTON INTERNET SECURITY\ENGINE\16.2.0.7\CCSVCHST.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-03 16:50:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 16:50:36
ComboFix2.txt 2009-01-03 16:00:36

Pre-Run: 51,781,009,408 bytes free
Post-Run: 51,765,313,536 bytes free

274 --- E O F --- 2008-12-18 07:22:51

Hello.
Looks good now, what problems remain?

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  
• Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  
• Click the "Download" button to the right.
  
• In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  
• Click on the link to download Windows Offline Installation and save to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  - Java 2 Runtime Environment, SE v1.4.2
  - J2SE Runtime Environment 5.0
  - J2SE Runtime Environment 5.0 Update 2
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
  

Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

• First, unzip it.
  
• Then run JavaRa.
  
• Select English from the drop down menu and press Select.
  
• This will open JavaRa.
  
• Press Remove older versions
  
• Press yes to the prompt.
  
• It will make a log file of what it's removed.
  
• Copy and paste the log back here.
  

Hope this means something to you LOL

JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Jan 03 17:32:17 2009

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\JavaSoft\Java2D\1.6.0_02

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: C:\Program Files\JavaSoft

------------------------------------

Finished reporting.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Ok mate I will work my way through the list of recomendations tonight. Thank you soooooooooo much for your help and advice. Do you have a favourite charity as I feel I should make a donation as I have been saved alot of money by not having to scratch my hard drive.

Sorry, no donations here. A simple thank you is enough.

Thanks again Belahzur. I have run several of the recommended programs. Also used a registry cleaner and registry defrag, also defraged C drive. Took about 5Gb of dross off the hard drive and uninstalled items of software that haven't been used for a long time. PC in running sweet as a nut now. I dropped a couple of coins in to the Hampshire Air Ambulance tin this morning when I bought the newspaper, hope you approve. Don't take this personally but I hope never to have to 'speak' to you again. LOL

LOL!
I hope so.

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.