WiredWX Christian Hobby Weather Tools

Win32/agent.odg... won't remove, even after following this guide.

Hi there Belahzur,
First of all, good job sorting out spoofy062's machine.
I have had exactly the same symptoms. Eventually I managed to install ESET anti-virus, and have since followed your instructions above to the letter.

However, Malwarebytes Anti-Malware won't install. Vista (or should I say the virus, win32/agent.odg, as ESET anti-virus has told me) wouldn't allow any downloads now at all, whereas yesterday I could at least download some things; not even pictures download now, and it's even blocking installs of any kind. Every anti-virus related program I put on is disabled in minutes. I've managed to run the DDS.scr file, and here are my results...

Luckily I have an old PC I've been using to download files and anti-virus related programs. Needless to say, I took steps to make sure this virus won't get on it or spread to it.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Gareth at 20:07:08.72 on 03/06/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1789.858 [GMT 1:00]

SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\RelevantKnowledge\rlservice.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Users\Gareth\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Gareth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSEARCH PAGE = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.skybroadband.com
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local;*.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avgls\avgssie.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\fdm2\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Privacy Suite RiskMonitor]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Acer Tour]
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eRecoveryService]
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Skytel] Skytel.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\fdm2\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\fdm2\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\fdm2\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\fdm2\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: live.com\safety
DPF: {678940D3-080C-4FCE-A54D-D443E1177F01} - hxxps://www.coolroom.com/ActiveX/ax.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.16,85.255.112.138
TCP: {195F3E9B-6C36-4063-B665-4CFEBDA79C1B} = 85.255.112.16,85.255.112.138
TCP: {7221BA41-F676-4255-A927-837BCD8529D5} = 85.255.112.16,85.255.112.138
TCP: {7C32E93B-E79E-4BC7-A723-10B66935C139} = 85.255.112.16,85.255.112.138
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

Re: win32\agent.odg

part 2...

================= FIREFOX ===================

FF - ProfilePath - c:\users\gareth\appdata\roaming\mozilla\firefox\profiles\h5grms8l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-4-3 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-4-3 35712]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-5-31 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-5-31 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-5-31 482352]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090528.001\IDSvix86.sys [2009-5-31 292912]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2007-12-18 13560]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-2-6 92800]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2008-10-6 5152]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-10-7 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-31 101936]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nav\1005000.086\symndisv.sys [2009-5-31 39984]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-12-30 84832]
S3 EC168BDA;EC168BDA service;c:\windows\system32\drivers\EC168BDA.sys [2009-3-9 87296]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-2-14 68922]

=============== Created Last 30 ================

2009-06-03 19:59 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 19:59 --d----- c:\programdata\Malwarebytes
2009-06-03 19:59 --d----- c:\progra~2\Malwarebytes
2009-06-03 19:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-03 19:59 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 22:40 --d----- c:\program files\MalwarebytesPortable
2009-06-02 21:54 --d----- c:\programdata\ESET
2009-06-02 21:54 --d----- c:\program files\ESET
2009-06-02 21:13 --d----- c:\programdata\FreeDownloadManager.ORG
2009-06-02 21:13 --d----- c:\progra~2\FreeDownloadManager.ORG
2009-06-02 21:13 --d----- c:\program files\FDM2
2009-06-01 20:00 --d----- C:\Downloads
2009-06-01 19:54 --d----- c:\users\gareth\appdata\roaming\Free Download Manager
2009-06-01 19:54 --d----- c:\program files\Free Download Manager
2009-06-01 00:10 375,684,093 a------- c:\windows\MEMORY.DMP
2009-05-31 22:04 --d----- c:\programdata\Kaspersky Lab Setup Files
2009-05-31 22:04 --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-05-31 22:03 --d----- c:\users\gareth\appdata\roaming\GetRightToGo
2009-05-31 20:13 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-31 20:13 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-31 20:13 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-31 20:13 --d----- c:\program files\Symantec
2009-05-31 20:13 25,136 a----r-- c:\windows\system32\drivers\SymIMV.sys
2009-05-31 20:12 --d----- c:\windows\system32\drivers\NAV
2009-05-31 20:12 --d----- c:\program files\Norton AntiVirus
2009-05-31 20:11 --d----- c:\program files\NortonInstaller
2009-05-31 18:36 --d----- c:\program files\Spyware Doctor
2009-05-31 00:37 --d----- c:\programdata\Symantec Temporary Files
2009-05-31 00:37 --d----- c:\progra~2\Symantec Temporary Files
2009-05-30 20:11 356 ---shr-- C:\autorun.inf
2009-05-30 20:11 --d----- c:\program files\ExpressVids
2009-05-17 21:16 2,146,226,176 a------- C:\E1CD7C11.wip
2009-05-14 20:12 --d----- c:\users\gareth\appdata\roaming\skychart
2009-05-07 10:55 --d----- c:\programdata\ATI
2009-05-07 10:25 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 10:18 188,960 a------- c:\windows\system\WINGDE.DLL
2009-05-07 10:18 92,208 a------- c:\windows\system\WING.DLL
2009-05-07 10:18 12,800 a------- c:\windows\system32\WING32.DLL
2009-05-07 10:18 6,736 a------- c:\windows\system\WINGDIB.DRV
2009-05-07 10:18 5,195 a------- c:\windows\system\DVA.386
2009-05-07 10:18 5,024 a------- c:\windows\system\WINGPAL.WND
2009-05-07 10:18 37 a------- c:\windows\Result.qtw
2009-05-07 10:17 15 a------- c:\windows\qtw.ini
2009-05-07 10:09 --d----- c:\programdata\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-05-07 10:09 --d----- c:\progra~2\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-05-07 09:58 --d----- c:\programdata\PCSettings
2009-05-07 09:58 --d----- c:\progra~2\PCSettings
2009-05-07 09:57 --d----- c:\programdata\Norton
2009-05-07 09:57 --d----- c:\progra~2\Norton
2009-05-07 09:57 --d----- c:\programdata\NortonInstaller
2009-05-07 09:57 --d----- c:\progra~2\NortonInstaller

==================== Find3M ====================

2009-05-07 10:08 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-07 10:08 143,360 a------- c:\windows\inf\infstor.dat
2009-05-07 10:08 86,016 a------- c:\windows\inf\infpub.dat
2009-04-06 11:29 141,025 a------- c:\windows\hpoins27.dat
2009-03-20 00:08 533 a------- c:\program files\INSTALL.LOG
2009-03-18 23:22 6,225 a------- c:\windows\unins000.dat
2009-03-18 23:22 692,569 a------- c:\windows\unins000.exe
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-01-24 23:32 18,265 ---shr-- c:\program files\Setup.ini
2009-01-09 03:05 0 ----h--- c:\programdata\PKP_DLbx.DAT
2009-01-09 03:05 0 ----h--- c:\progra~2\PKP_DLbx.DAT
2008-12-27 20:59 20 ----h--- c:\programdata\PKP_DLdy.DAT
2008-12-27 20:59 20 ----h--- c:\progra~2\PKP_DLdy.DAT
2008-12-20 20:53 75,776 ---shr-- c:\program files\Setup.exe
2008-11-26 21:23 0 ----h--- c:\programdata\PKP_DLeh.DAT
2008-11-26 21:23 0 ----h--- c:\progra~2\PKP_DLeh.DAT
2008-09-02 11:38 174 a--sh--- c:\program files\desktop.ini
2008-09-02 11:25 665,600 a------- c:\windows\inf\drvindex.dat
2007-09-11 00:34 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2007-09-11 00:34 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2007-09-11 00:34 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2007-09-11 00:34 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2002-07-26 18:02 153,088 a------- c:\program files\UNWISE.EXE

============= FINISH: 20:08:16.64 ===============


Any help would be greatly appreciated.
Cheers
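
The log above is what the helper reads next. As an added example (not part of the original thread or of the DDS tool), the script below walks DDS-style lines and flags the entries a malware helper checks first: a browser proxy pointing back at the machine, resolvers outside a known-good list, executables running from a user's Temp folder, and BHO/toolbar/handler entries whose file is missing. The sample excerpt is constructed from lines in the posted log; the known-good DNS list is an assumed placeholder the operator fills in.

```python
"""Triage the process list and 'Pseudo HJT Report' lines of a DDS log.

Added example, not part of the thread above or of the DDS tool. Constructed
sample lines are copied from the posted log.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "low"
    rule: str       # short rule name
    line: str       # the DDS line that triggered it


# Assumption: the operator fills this in with the resolvers that are
# legitimate for the machine (router / ISP). Anything else is reported.
KNOWN_GOOD_DNS = frozenset({"192.168.1.1", "192.168.0.1"})

_PROCESS_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
_DNS_RE = re.compile(r"^TCP:.*=\s*([\d.,\s]+)$")
_RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[([^\]]*)\]\s*(.*)$")
# BHO/TB/Handler/DPF/SEH lines end in ' - <path>'; the greedy prefix makes
# the group capture whatever follows the last '-' (empty or 'No File' when
# the CLSID registration is orphaned).
_CLSID_RE = re.compile(r"^(?:BHO|TB|Handler|DPF|SEH):.*-\s*(.*)$")

TEMP_MARKER = "\\appdata\\local\\temp\\"


def triage_dds(report: str, known_good_dns=KNOWN_GOOD_DNS) -> list:
    """Return Findings in the order the triggering lines appear."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        lowered = line.lower()
        # 1. Running-process section: anything launched from a Temp folder.
        if _PROCESS_RE.match(line) and TEMP_MARKER in lowered:
            findings.append(Finding("high", "process-from-temp", line))
        # 2. Browser proxy forced through the local machine (interception).
        m = _PROXY_RE.search(line)
        if m and m.group(1).startswith("127.0.0.1"):
            findings.append(Finding("high", "local-proxy", line))
        # 3. Resolvers not on the known-good list (DNS hijack indicator).
        m = _DNS_RE.match(line)
        if m:
            servers = {s.strip() for s in m.group(1).split(",") if s.strip()}
            if servers - set(known_good_dns):
                findings.append(Finding("high", "unknown-dns", line))
        # 4. Run keys: empty targets are leftovers; Temp targets are suspect.
        m = _RUN_RE.match(line)
        if m:
            target = m.group(2).strip().lower()
            if not target:
                findings.append(Finding("low", "empty-run-entry", line))
            elif TEMP_MARKER in target:
                findings.append(Finding("high", "run-from-temp", line))
        # 5. Orphaned CLSID registrations (file gone, entry still present).
        m = _CLSID_RE.match(line)
        if m and m.group(1).strip().lower() in ("", "no file"):
            findings.append(Finding("low", "orphaned-clsid", line))
    return findings


# Constructed excerpt: lines copied from the DDS log posted above.
SAMPLE_DDS_EXCERPT = r"""
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Gareth\AppData\Local\Temp\RtkBtMnt.exe
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local;*.local
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Privacy Suite RiskMonitor]
TCP: NameServer = 85.255.112.16,85.255.112.138
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
"""

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS_EXCERPT):
        print(f"[{f.severity:4}] {f.rule:18} {f.line}")
```

Run it over a full DDS log and review the "high" findings first; the "low" ones are usually leftovers from uninstalled software rather than the infection itself.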

Re: win32\agent.odg

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (NOD32)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.

    [screenshot: Whatne10]

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: win32\agent.odg

ComboFix 09-06-03.01 - Gareth 03/06/2009 22:39.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1789.994 [GMT 1:00]
Running from: F:\Combo-Fix.exe
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\\setup.exe
c:\program files\INSTALL.LOG
c:\program files\RelevantKnowledge
c:\program files\RelevantKnowledge\rloci.bin
c:\program files\RelevantKnowledge\rlservice.exe
c:\windows\system32\drivers\ACER_TM7520_HomePremium_x86.mrk
c:\windows\system32\drivers\gxvxcqorurfuiraknhcidprsiefvvsqqvvcsr.sys
c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
c:\windows\system32\gxvxcocyjltxbqgdiyibdtmdrieexmnvmxgcx.dll
c:\windows\system32\gxvxcwbpxtmoxtqpkmtgpjdblmbgwwihrsgiv.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Service_RelevantKnowledge


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 21:49 . 2009-06-03 22:05 -------- d-----w- c:\users\Gareth\AppData\Local\temp
2009-06-03 21:39 . 2009-06-03 21:39 -------- d-----w- c:\users\Gareth\AppData\Local\ESET
2009-06-03 18:59 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 18:59 . 2009-06-03 18:59 -------- d-----w- c:\programdata\Malwarebytes
2009-06-03 18:59 . 2009-06-03 19:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 18:59 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 17:37 . 2009-05-31 19:13 876144 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090603.004\NAVEX15.SYS
2009-06-03 17:37 . 2009-05-31 19:13 1181040 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090603.004\NAVEX32A.DLL
2009-06-03 17:37 . 2009-05-31 19:13 89104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090603.004\NAVENG.SYS
2009-06-03 17:37 . 2009-05-31 19:13 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090603.004\NAVENG32.DLL
2009-06-03 17:37 . 2009-05-31 19:13 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090603.004\EECTRL.SYS
2009-06-03 17:37 . 2009-05-31 19:13 101936 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090603.004\ERASER.SYS
2009-06-03 17:37 . 2009-05-31 19:13 259368 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090603.004\ECMSVR32.DLL
2009-06-03 17:37 . 2009-05-31 19:12 2414128 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090603.004\CCERASER.DLL
2009-06-02 21:40 . 2009-06-02 21:40 -------- d-----w- c:\program files\MalwarebytesPortable
2009-06-02 21:04 . 2009-06-02 21:04 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-02 20:54 . 2009-06-02 20:54 -------- d-----w- c:\program files\ESET
2009-06-02 20:13 . 2009-06-02 20:13 -------- d-----w- c:\programdata\FreeDownloadManager.ORG
2009-06-02 20:13 . 2009-06-02 20:14 -------- d-----w- c:\program files\FDM2
2009-06-01 19:00 . 2009-06-01 19:21 -------- d-----w- C:\Downloads
2009-06-01 18:54 . 2009-06-02 20:48 -------- d-----w- c:\users\Gareth\AppData\Roaming\Free Download Manager
2009-06-01 18:54 . 2009-06-02 20:12 -------- d-----w- c:\program files\Free Download Manager
2009-05-31 21:04 . 2009-05-31 21:04 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-05-31 21:03 . 2009-05-31 21:05 -------- d-----w- c:\users\Gareth\AppData\Roaming\GetRightToGo
2009-05-31 19:15 . 2009-05-31 19:13 396848 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSviA64.sys
2009-05-31 19:15 . 2009-05-31 19:13 292912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSvix86.sys
2009-05-31 19:15 . 2009-05-31 19:13 276344 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSXpx86.sys
2009-05-31 19:15 . 2009-05-31 19:13 447864 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSxpx86.dll
2009-05-31 19:15 . 2009-03-16 20:03 533880 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\Scxpx86.dll
2009-05-31 19:13 . 2009-05-31 19:13 -------- d-----w- c:\program files\Symantec
2009-05-31 19:13 . 2009-05-31 19:13 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-31 19:13 . 2009-05-31 19:13 292912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-05-31 19:13 . 2009-05-31 19:13 276344 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2009-05-31 19:13 . 2009-05-31 19:13 25136 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-05-31 19:13 . 2009-05-31 19:13 396848 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvia64.sys
2009-05-31 19:13 . 2009-05-31 19:13 1290592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-05-31 19:13 . 2009-05-31 19:13 136840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-05-31 19:13 . 2009-05-31 19:13 447864 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\idsxpx86.dll
2009-05-31 19:13 . 2009-05-31 19:13 165240 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-05-31 19:13 . 2009-05-31 19:13 796016 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-05-31 19:12 . 2009-05-31 19:12 -------- d-----w- c:\windows\system32\drivers\NAV
2009-05-31 19:12 . 2009-05-31 19:12 -------- d-----w- c:\program files\Norton AntiVirus
2009-05-31 19:11 . 2009-05-31 19:11 -------- d-----w- c:\program files\NortonInstaller
2009-05-31 17:36 . 2009-05-31 18:00 -------- d-----w- c:\program files\Spyware Doctor
2009-05-30 23:37 . 2009-05-30 23:39 63022928 ----a-w- c:\programdata\Symantec Temporary Files\NAV09EN.exe
2009-05-30 23:37 . 2009-05-30 23:37 -------- d-----w- c:\programdata\Symantec Temporary Files
2009-05-30 19:11 . 2009-05-30 19:11 -------- d-----w- c:\program files\ExpressVids
2009-05-14 19:23 . 2009-05-14 19:23 -------- d-----w- c:\users\Gareth\AppData\Local\Skychart
2009-05-14 19:12 . 2009-05-14 19:12 -------- d-----w- c:\users\Gareth\AppData\Roaming\skychart
2009-05-07 09:55 . 2009-05-07 09:55 -------- d-----w- c:\programdata\ATI
2009-05-07 09:25 . 2009-05-07 09:25 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 09:18 . 1995-01-29 23:00 92208 ----a-w- c:\windows\system\WING.DLL
2009-05-07 09:18 . 1995-01-29 23:00 6736 ----a-w- c:\windows\system\WINGDIB.DRV
2009-05-07 09:18 . 1995-01-29 23:00 188960 ----a-w- c:\windows\system\WINGDE.DLL
2009-05-07 09:18 . 1994-12-05 23:00 12800 ----a-w- c:\windows\system32\WING32.DLL
2009-05-07 09:09 . 2009-05-30 23:43 -------- d-----w- c:\programdata\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-05-07 09:09 . 2009-05-07 09:09 -------- d-----w- c:\users\Gareth\AppData\Local\Downloaded Installations
2009-05-07 08:58 . 2009-05-07 08:58 -------- d-----w- c:\programdata\PCSettings
2009-05-07 08:57 . 2009-05-31 19:12 -------- d-----w- c:\programdata\Norton
2009-05-07 08:57 . 2009-05-31 19:11 -------- d-----w- c:\programdata\NortonInstaller

Re: win32\agent.odg

OK, that's not all of the log file; I'll upload the rest to my SkyDrive and see if I can get a link to it. It's huge!!

Re: win32\agent.odg

OK, let me know if this works.

http://cid-a327b85ad79f181d.skydrive.live.com/self.aspx/public%20files/text.txt

It's late here in the UK so I'm off to bed. Thanks for your help so far; I'll pick this up tomorrow.

Re: win32\agent.odg

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Folder::
c:\users\Gareth\AppData\Roaming\uTorrent
c:\program files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{0BCB4AD2-3F74-43AC-92BC-36D6AA614431}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{D90EFB19-053D-445E-8ABD-3346A777B42E}c:\\program files\\utorrent\\utorrent.exe"=-
"{A403179B-D132-46AB-A907-412C4589E06A}"=-
"{D2C596BE-7373-4E71-BE21-0CD6D6E5E3DC}"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: Sfxdaw]

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done (it will warn you if it wants to).
Post the resulting log back here.
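
A CFScript deletes whatever it names, so it is worth listing its actions before dropping it onto ComboFix. As an added example (not part of the thread or of ComboFix itself), the parser below models only the three directives used in the script above (KILLALL::, Folder::, Registry::) with the .reg-style "name"=- delete syntax as shown; the protected-roots deny-list is an illustrative assumption, not ComboFix's own safeguard.

```python
"""Parse a ComboFix CFScript and list what it would do before it is run.

Added example, not part of the thread above or of ComboFix itself. The
constructed sample is the CFScript from the post above.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CFScript:
    kill_all: bool = False
    folders: list = field(default_factory=list)      # folders to delete
    reg_deletes: list = field(default_factory=list)  # (key, value name)
    unknown: list = field(default_factory=list)      # lines not understood


_SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
_KEY_RE = re.compile(r"^\[(.+)\]$")
# .reg-style delete: a quoted name (backslashes escaped as \\) followed by =-
_DEL_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=-$')

# Assumption: an illustrative deny-list of roots a script must never delete
# outright; ComboFix's own safeguards are not modelled here.
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\users", r"c:\programdata")


def parse_cfscript(text: str) -> CFScript:
    script = CFScript()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            if section == "killall":
                script.kill_all = True
            continue
        if section == "folder":
            script.folders.append(line)
        elif section == "registry":
            m = _KEY_RE.match(line)
            if m:
                current_key = m.group(1)
                continue
            m = _DEL_VALUE_RE.match(line)
            if m and current_key is not None:
                name = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
                script.reg_deletes.append((current_key, name))
            else:
                script.unknown.append(line)
        else:
            script.unknown.append(line)
    return script


def risky_folders(script: CFScript) -> list:
    """Folder entries that name a protected root itself, not a subfolder."""
    return [p for p in script.folders
            if p.lower().rstrip("\\") in PROTECTED_ROOTS]


def describe(script: CFScript) -> list:
    """One plain-language line per action, in script order."""
    actions = []
    if script.kill_all:
        actions.append("KILLALL:: present: running processes are terminated first")
    for p in script.folders:
        actions.append(f"delete folder {p}")
    for key, name in script.reg_deletes:
        actions.append(f"delete value '{name}' from {key}")
    return actions


# Constructed sample: the CFScript from the post above.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Folder::
c:\users\Gareth\AppData\Roaming\uTorrent
c:\program files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{0BCB4AD2-3F74-43AC-92BC-36D6AA614431}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{D90EFB19-053D-445E-8ABD-3346A777B42E}c:\\program files\\utorrent\\utorrent.exe"=-
"{A403179B-D132-46AB-A907-412C4589E06A}"=-
"{D2C596BE-7373-4E71-BE21-0CD6D6E5E3DC}"=-
"""

if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_CFSCRIPT)
    for a in describe(s):
        print(a)
    print("risky:", risky_folders(s), "unknown:", s.unknown)
```

Anything that lands in `unknown` is a line the parser did not understand and should be checked by hand before the script is used.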

Re: win32\agent.odg

I've run ComboFix again as instructed. Here's the new log file.

http://cid-a327b85ad79f181d.skydrive.live.com/browse.aspx/public%20files?uc=1

Re: win32\agent.odg

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[screenshot: CF_Cleanup]

This will also reset your restore points.

How is the machine running now?

Re: win32\agent.odg

Hi
Sorry for the delay in replying. I've run Combo-Fix /u to uninstall it. Some things have improved: no navigating away from anti-virus or Windows websites, no admin errors, etc. I'll restart now and update you.
Thanks for your help so far.

Re: win32\agent.odg

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Re: win32\agent.odg
Well, I'm afraid to say this issue hasn't been resolved. I reinstalled ESET anti-virus and it didn't show any kind of infection. But on the next reboot it was once again disabled by the virus.
I am however able to access the Microsoft website and other anti-virus content, as well as download files again. Hopefully we're getting there, but a little more help would be appreciated.

Cheers

Re: win32\agent.odg
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: win32\agent.odg
Finally managed to download and run Malwarebytes' Anti-Malware; here are the log contents.

Malwarebytes' Anti-Malware 1.37
Database version: 2243
Windows 6.0.6001 Service Pack 1

07/06/2009 17:07:21
mbam-log-2009-06-07 (17-07-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 248920
Time elapsed: 1 hour(s), 58 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831} (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\ExpressVids (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\expressvids\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\program files\malwarebytesportable\MalwarebytesPortable.exe (Dont.Steal.Our.Software.A) -> Quarantined and deleted successfully.
d:\downloaded software\Media_Player_11_Plugin_2.3.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\Uninstall Instructions.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.


Although after reboot, I'm still having anti-virus software and various other bits 'removed/disabled' by whatever is infecting my machine.

Re: win32\agent.odg
See if you can run Combo-Fix again.

Re: win32\agent.odg
Sorry for the late response. I have managed to download ComboFix again; here is the log file.
http://cid-a327b85ad79f181d.skydrive.live.com/browse.aspx/public%20files

I'm still having some problems: mainly I'm unable to download and save any file, some programs (but more importantly any anti-virus software) are disabled upon system reboot, and some administrative functions are disabled.
Thanks for your support so far.

Re: win32\agent.odg
Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.

The log will be quite big, so upload that too please.

Re: win32\agent.odg
Again, sorry for the late reply. GMER ran OK after I finally got it. Here is the log:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-23 21:02:44
Windows 6.0.6001 Service Pack 1


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1596] kernel32.dll!SetUnhandledExceptionFilter 767F6E2D 4 Bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AA7BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74AE98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74AAD3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A9F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AA7599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A9E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74ADB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74AAD68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74AA012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74AA0095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A971F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B2D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AC75E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A9DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74A9668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74A966BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AA1E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:484] 86C48790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060ee8990
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060ee8990
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x30 0x00 0xA4 0x47 ...

---- EOF - GMER 1.0.15 ----
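
The GMER log above reports one inline patch in user code: 4 bytes at kernel32.dll!SetUnhandledExceptionFilter inside ESET's own ekrn.exe, `C2 04 00 00`. Those bytes decode to `ret 4` (three bytes; the fourth is whatever followed). SetUnhandledExceptionFilter is a stdcall function taking one pointer argument, so that stub makes the call return immediately and discard its argument, and it sits in the anti-virus process itself rather than in a third-party module, which is what to notice before treating the entry as a rootkit finding. Every IAT entry in the log resolves into the WinSxS gdiplus.dll under C:\Windows, which is why GMER labels them Microsoft. As an added example (not from the thread and not a GMER component), the script below parses both kinds of line, decodes the small x86 stubs that make up almost all user-mode hooks, and flags import-table targets outside the Windows directory. The first and third sample lines are copied from the log above; the second and fourth are constructed (the module name sample_hook.dll and the address 10002000 are invented) to show what a redirection into a non-system DLL looks like. The Windows directory is assumed to be C:\Windows.

```python
"""Triage the 'User code sections' and 'User IAT/EAT' lines of a GMER log.

Added example, not part of the thread or of GMER. GMER prints an inline patch
as '.text <process>[pid] <module>!<export> <addr> <n> Bytes [hex, ...]' and an
import-table entry as 'IAT <process>[pid] @ <image> [<import>] [<addr>]
<target module> (<vendor>)'. This parser extracts those fields, decodes the
common x86 hook stubs (jmp rel32/rel8, push/ret, ret, ret imm16, nop, int3)
and flags IAT targets that are not under the Windows directory (assumed to
be C:\\Windows). Sample lines 1 and 3 are from the log; 2 and 4 are constructed.
"""
import re
import struct
from typing import Dict, List, Optional

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<export>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+\[(?P<hex>[^\]]*)\]")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<image>.+?)\s+"
    r"\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>.+?)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s*$")

SAMPLE_LOG = r"""
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1596] kernel32.dll!SetUnhandledExceptionFilter 767F6E2D 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\Explorer.EXE[3124] ntdll.dll!NtCreateFile 77A14410 5 Bytes [E9, EB, CB, 5E, 98]
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AA7BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [user32.dll!MessageBoxW] [10002000] C:\Users\Gareth\AppData\Roaming\sample_hook.dll
""".strip()


def decode_patch(addr: int, patch: bytes) -> str:
    """Decode the common x86 stubs written over a hooked function's first bytes."""
    if not patch:
        return "unknown"
    op = patch[0]
    if op == 0xE9 and len(patch) >= 5:                       # jmp rel32
        rel = struct.unpack("<i", patch[1:5])[0]
        return f"jmp 0x{(addr + 5 + rel) & 0xFFFFFFFF:08X}"
    if op == 0xEB and len(patch) >= 2:                       # jmp rel8
        rel = struct.unpack("<b", patch[1:2])[0]
        return f"jmp short 0x{(addr + 2 + rel) & 0xFFFFFFFF:08X}"
    if op == 0x68 and len(patch) >= 6 and patch[5] == 0xC3:  # push imm32; ret
        return f"push 0x{struct.unpack('<I', patch[1:5])[0]:08X}; ret"
    if op == 0xC2 and len(patch) >= 3:                       # ret imm16 (stdcall stub)
        return f"ret {struct.unpack('<H', patch[1:3])[0]}"
    return {0xC3: "ret", 0x90: "nop", 0xCC: "int3"}.get(op, "unknown")


def parse_hook(line: str) -> Optional[Dict[str, object]]:
    """Parse one '.text' inline-hook line; None if the line is not one."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    addr = int(m["addr"], 16)
    patch = bytes.fromhex("".join(b.strip() for b in m["hex"].split(",") if b.strip()))
    return {"process": m["proc"], "pid": int(m["pid"]), "export": m["export"],
            "addr": addr, "patch": patch, "decoded": decode_patch(addr, patch)}


def parse_iat(line: str, windir: str = r"C:\Windows") -> Optional[Dict[str, object]]:
    """Parse one 'IAT' line and note whether its target lives under `windir`."""
    m = IAT_RE.match(line)
    if not m:
        return None
    target = m["target"]
    prefix = windir.lower().rstrip("\\") + "\\"
    return {"process": m["proc"], "pid": int(m["pid"]), "import": m["imp"],
            "addr": int(m["addr"], 16), "target": target,
            "vendor": m["vendor"] or "",
            "in_windows_dir": target.lower().startswith(prefix)}


def triage(log: str) -> Dict[str, List[Dict[str, object]]]:
    """Group parsed entries; 'iat_outside_windows' is the list that merits a look."""
    hooks: List[Dict[str, object]] = []
    iat: List[Dict[str, object]] = []
    for line in log.splitlines():
        hook = parse_hook(line)
        if hook:
            hooks.append(hook)
            continue
        entry = parse_iat(line)
        if entry:
            iat.append(entry)
    return {"inline_hooks": hooks, "iat_entries": iat,
            "iat_outside_windows": [e for e in iat if not e["in_windows_dir"]]}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["inline_hooks"]:
        print(f"{h['process']}[{h['pid']}] {h['export']} @ {h['addr']:08X}: {h['decoded']}")
    for e in result["iat_outside_windows"]:
        print(f"IAT {e['import']} -> {e['target']} (outside Windows dir)")
```

On the sample, the ESET entry decodes to `ret 4` and the constructed ntdll entry to `jmp 0x10001000`, a five-byte near jump out of the hooked function, while only the constructed user32 import is flagged as pointing outside C:\Windows. The decoder does not judge intent: a `ret` stub a process writes into itself and a `jmp` into an unknown module look alike at the byte level, so the process name and the target module are what distinguish them.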

Re: win32\agent.odg
Hello.
I looked over your past log again, and I noticed Norton, and some signs of NOD32.

With my recommendations, I recommend getting rid of both and installing Avira, and seeing what happens then.

Re: win32\agent.odg
Yeah, I originally had Norton, which somehow this virus/worm got through. Since reading these posts I installed NOD32 to see if that was better...

I'll try Avira as soon as I can download it, lol; will need to get my other PC out.

I'll let you know what happens.

thanks again.
