"you may not have the appropriate permission to access

I'm getting this message on a PC running OS xp home sp2 File System is NTFS.
1. At bootup, desktop, taskbar, start button all missing. In taskmgr, explorer.exe is missing. Trying to re-add (new task) gives subject message.
2. Copy explorer to C:\ from another PC, load in taskmgr and works once i.e. desktop etc., returns. A reboot removes explorer from taskmgr and trying to load again manually gives above message.
3. Using safe mode, results are exactly the same. Using command prompt I can delete the locked file, replace and again get a one time result. Renaming explorer and loading in taskmgr works and doesn't get locked out but naturally the renamed file doesn't load desktop etc.
4. All attempts to install & run mbam, hijackthis, spydoctor, autoruns from safe mode or normal; including renaming names and/or extensions fail i.e. they partially run the first time but the malware intercepts and destroys the log, any attempt to rerun gives the above message.
5. Both DVD drives won't autorun or manually run any programs on CD's
6. USB drives DO work and allow me to copy stuff to the hard drive again only run once. I'm concerned about the possibility of any infection to the thumb drive. Is that possible?
7. Subject PC is offline and this is being sent from a different PC
8. Can't identify what the malware is but once in normal mode I've seen 8.tmp.exe appear and disappear in taskmgr and I believe that may belong to spysheriff.
9. The PC is my granddaughter's so I'm not sure what she has downloaded i.e. there could well be more than 1 malware sob
Any help would be gratefully received

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll
eventlog.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

S y s t e m L o o k v 1 . 0 b y j p s h o r t s t u f f ( 2 9 . 0 8 . 0 9 )

L o g c r e a t e d a t 1 3 : 0 7 o n 0 3 / 0 9 / 2 0 0 9 b y E m m a T h o m s o n ( A d m i n i s t r a t o r - E l e v a t i o n s u c c e s s f u l )



N o C o n t e x t : f i l e f i n d



N o C o n t e x t : s c e c l i . d l l



N o C o n t e x t : n e t l o g o n . d l l



N o C o n t e x t : e v e n t l o g . d l l



- = E n d O f F i l e = -

Hello.
I think you missed the colon before filefind. Check that you insert the colon and run the script again.

Hi Belahzur,
You were correct I had missed it but I realised after I had posted it and tried again. And got the same. As I explained I could'nt paste directly as I'm not using the same PC, I'm transfering the code via notepad and copying into notepad inserted 4 leading spaces (tab) on each line. I removed those and it seems to be working but taking a long time. The look button has changed to 'Scanning' (greyed out) window background is grey and pointer occasionally flashes. If that's OK I'll leave it to run while I walk the dog. If it hasn'rt finished by my return should I use the exit button?

Hi Belahzur - is this more like it?

S y s t e m L o o k v 1 . 0 b y j p s h o r t s t u f f ( 2 9 . 0 8 . 0 9 )

L o g c r e a t e d a t 0 9 : 1 5 o n 0 4 / 0 9 / 2 0 0 9 b y E m m a T h o m s o n ( A d m i n i s t r a t o r - E l e v a t i o n s u c c e s s f u l )



= = = = = = = = = = f i l e f i n d = = = = = = = = = =



S e a r c h i n g f o r " s c e c l i . d l l "

C : \ W I N D O W S \ $ N t S e r v i c e P a c k U n i n s t a l l $ \ s c e c l i . d l l - - - - - c 1 7 4 5 9 2 b y t e s [ 1 2 : 2 7 2 6 / 1 2 / 2 0 0 4 ] [ 1 2 : 0 0 2 9 / 0 8 / 2 0 0 2 ] 9 7 4 1 8 A 5 C 6 4 2 A 5 C 7 4 8 A 2 8 B D 7 C F 6 8 6 0 B 5 7

C : \ W I N D O W S \ S e r v i c e P a c k F i l e s \ i 3 8 6 \ s c e c l i . d l l - - - - - - 1 8 0 2 2 4 b y t e s [ 1 2 : 3 3 2 6 / 1 2 / 2 0 0 4 ] [ 0 0 : 5 6 0 4 / 0 8 / 2 0 0 4 ] 0 F 7 8 E 2 7 F 5 6 3 F 2 A A F 7 4 B 9 1 A 4 9 E 2 A B F 1 9 A

C : \ W I N D O W S \ S o f t w a r e D i s t r i b u t i o n \ D o w n l o a d \ d d 9 a b 5 1 9 3 5 0 1 4 8 4 c f 5 e 6 8 8 4 f a 1 d 2 2 f 9 e \ s c e c l i . d l l - - a - - - 1 8 1 2 4 8 b y t e s [ 1 5 : 4 5 1 8 / 0 9 / 2 0 0 8 ] [ 0 0 : 1 2 1 4 / 0 4 / 2 0 0 8 ] A 8 6 B B 5 E 6 1 B F 3 E 3 9 B 6 2 A B 4 C 7 E 7 0 8 5 A 0 8 4

C : \ W I N D O W S \ s y s t e m 3 2 \ s c e c l i . d l l - - a - - - 1 8 0 2 2 4 b y t e s [ 0 6 : 5 2 0 1 / 1 0 / 2 0 0 4 ] [ 0 0 : 5 6 0 4 / 0 8 / 2 0 0 4 ] 0 F 7 8 E 2 7 F 5 6 3 F 2 A A F 7 4 B 9 1 A 4 9 E 2 A B F 1 9 A



S e a r c h i n g f o r " n e t l o g o n . d l l "

C : \ W I N D O W S \ $ h f _ m i g $ \ K B 9 6 8 3 8 9 \ S P 2 Q F E \ n e t l o g o n . d l l - - a - - - 4 0 8 0 6 4 b y t e s [ 1 8 : 4 6 0 6 / 0 2 / 2 0 0 9 ] [ 1 8 : 4 6 0 6 / 0 2 / 2 0 0 9 ] 6 C 4 7 6 D 3 3 D 8 2 F 1 0 5 4 8 4 9 7 9 0 1 8 1 E 8 F 7 7 7 2

C : \ W I N D O W S \ $ N t S e r v i c e P a c k U n i n s t a l l $ \ n e t l o g o n . d l l - - - - - c 3 9 9 3 6 0 b y t e s [ 1 2 : 2 7 2 6 / 1 2 / 2 0 0 4 ] [ 1 2 : 0 0 2 9 / 0 8 / 2 0 0 2 ] 3 A D D 5 6 3 E D 7 A 1 C 6 6 E 6 F 5 E 0 F 7 A 6 6 1 A A 9 6 D

C : \ W I N D O W S \ S e r v i c e P a c k F i l e s \ i 3 8 6 \ n e t l o g o n . d l l - - - - - - 4 0 7 0 4 0 b y t e s [ 1 2 : 3 2 2 6 / 1 2 / 2 0 0 4 ] [ 0 0 : 5 6 0 4 / 0 8 / 2 0 0 4 ] 9 6 3 5 3 F C E C B A 7 7 4 B B 8 D A 7 4 A 1 C 6 5 0 7 0 1 5 A

C : \ W I N D O W S \ S o f t w a r e D i s t r i b u t i o n \ D o w n l o a d \ d d 9 a b 5 1 9 3 5 0 1 4 8 4 c f 5 e 6 8 8 4 f a 1 d 2 2 f 9 e \ n e t l o g o n . d l l - - a - - - 4 0 7 0 4 0 b y t e s [ 1 5 : 4 5 1 8 / 0 9 / 2 0 0 8 ] [ 0 0 : 1 2 1 4 / 0 4 / 2 0 0 8 ] 1 B 7 F 0 7 1 C 5 1 B 7 7 C 2 7 2 8 7 5 C 3 A 2 3 E 1 E 4 5 5 0

C : \ W I N D O W S \ s y s t e m 3 2 \ n e t l o g o n . d l l - - a - - - 4 0 7 0 4 0 b y t e s [ 0 6 : 5 2 0 1 / 1 0 / 2 0 0 4 ] [ 0 0 : 5 6 0 4 / 0 8 / 2 0 0 4 ] 9 6 3 5 3 F C E C B A 7 7 4 B B 8 D A 7 4 A 1 C 6 5 0 7 0 1 5 A



S e a r c h i n g f o r " e v e n t l o g . d l l "

C : \ W I N D O W S \ $ N t S e r v i c e P a c k U n i n s t a l l $ \ e v e n t l o g . d l l - - - - - c 4 9 1 5 2 b y t e s [ 1 2 : 2 7 2 6 / 1 2 / 2 0 0 4 ] [ 1 2 : 0 0 2 9 / 0 8 / 2 0 0 2 ] B F 3 C 8 C F 5 3 C 7 7 B 4 8 2 0 6 B 3 9 9 1 0 B 6 D 6 C B C C

C : \ W I N D O W S \ S e r v i c e P a c k F i l e s \ i 3 8 6 \ e v e n t l o g . d l l - - - - - - 5 5 8 0 8 b y t e s [ 1 2 : 3 2 2 6 / 1 2 / 2 0 0 4 ] [ 0 0 : 5 6 0 4 / 0 8 / 2 0 0 4 ] 8 2 B 2 4 C B 7 0 E 5 9 4 4 E 6 E 3 4 6 6 2 2 0 5 A 2 A 5 B 7 8

C : \ W I N D O W S \ S o f t w a r e D i s t r i b u t i o n \ D o w n l o a d \ d d 9 a b 5 1 9 3 5 0 1 4 8 4 c f 5 e 6 8 8 4 f a 1 d 2 2 f 9 e \ e v e n t l o g . d l l - - a - - - 5 6 3 2 0 b y t e s [ 1 5 : 4 4 1 8 / 0 9 / 2 0 0 8 ] [ 0 0 : 1 1 1 4 / 0 4 / 2 0 0 8 ] 6 D 4 F E B 4 3 E E 5 3 8 F C 5 4 2 8 C C 7 F 0 5 6 5 A A 6 5 6

C : \ W I N D O W S \ s y s t e m 3 2 \ e v e n t l o g . d l l - - a - - - 6 2 9 7 6 b y t e s [ 0 6 : 5 2 0 1 / 1 0 / 2 0 0 4 ] [ 0 0 : 5 6 0 4 / 0 8 / 2 0 0 4 ] ( U n a b l e t o c a l c u l a t e M D 5 )



- = E n d O f F i l e = -

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Hi Belahzur
Here's the result
ÿþL o g f i l e o f T h e A v e n g e r V e r s i o n 2 . 0 , ( c ) b y S w a n d o g 4 6

h t t p : / / s w a n d o g 4 6 . g e e k s t o g o . c o m



P l a t f o r m : W i n d o w s X P



* * * * * * * * * * * * * * * * * * *



S c r i p t f i l e o p e n e d s u c c e s s f u l l y .

S c r i p t f i l e r e a d s u c c e s s f u l l y .



B a c k u p s d i r e c t o r y o p e n e d s u c c e s s f u l l y a t C : \ A v e n g e r



* * * * * * * * * * * * * * * * * * *



B e g i n n i n g t o p r o c e s s s c r i p t f i l e :



R o o t k i t s c a n a c t i v e .

N o r o o t k i t s f o u n d !



F i l e " C : \ W I N D O W S \ s y s t e m 3 2 \ e v e n t l o g . d l l " d e l e t e d s u c c e s s f u l l y .



C o m p l e t e d s c r i p t p r o c e s s i n g .



* * * * * * * * * * * * * * * * * * *



F i n i s h e d ! T e r m i n a t e .

Hello.
Please download Hijack This from here now, it will work.

http://www.sendspace.com/pro/dl/fpzz64

Hi Belahzur
Here's the HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:57:21, on 06/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\exploser.exe
C:\Documents and Settings\Emma Thomson\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: BigMAQ Toolbar - {7f312b9a-208b-49fa-8218-b9aa22ec1463} - C:\Program Files\BigMAQ\tbbig1.dll
O2 - BHO: thechatterbox.cc Toolbar - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - C:\Program Files\bigmaq\tbbig0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: thechatterbox.cc Toolbar - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - C:\Program Files\bigmaq\tbbig0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: BigMAQ Toolbar - {7f312b9a-208b-49fa-8218-b9aa22ec1463} - C:\Program Files\BigMAQ\tbbig1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-21-2647683160-1587660973-2963474672-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2647683160-1587660973-2963474672-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-2647683160-1587660973-2963474672-1006\..\Run: [Spyware Doctor] (User '?')
O4 - HKUS\S-1-5-21-2647683160-1587660973-2963474672-1006\..\Run: [Messenger (Yahoo!)] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-2647683160-1587660973-2963474672-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2647683160-1587660973-2963474672-1006\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Emma Thomson\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37490.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.37/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-wedding-dash/WeddingDash.1.0.0.47.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12387 bytes

• Open HijackThis.
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
  R3 - URLSearchHook: (no name) - - (no file)
  O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
  O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Hi Belahzur,
Not great news I'm afraid
Hi-jack delete of these 4 items worked a treat.
Then :-
Eventually got mbam installed after 2 reboots and a rename (it wouldn't run beforehand)
Trying to run the programme it still seems to get blocked (loads but does nothing). 2-possibilities:
a) PC is not online but the update box was checked - would this confuse it?
b) McAfee AV is still running - can't get to control panel or taskbar to stop it.

I've been using only one account through all this which has admin privileges.
but since installing mbam, the PC has started rebooting after entering the password. The first time it did this, it indicated that the password was incorrectly entered (but I'm fairly sure it was correct); I re-entered, got a reboot and logged in ok. It's been consistent since, i.e. login,reboot,login. Am I getting paranoid or is there a keylogger a work? I don't have experience of those so I don't know what to look for.
I've now managed to uninstall mbam and I'll use MSconfig to switch off AVsyncmgr and Mcshield from startup services and try to reinstall & run mbmam
- wish me luck

Bit more
previous notes worked OK except running mbam. monitoring it using taskmgr, it loads in processes using 2,696 Kb memory, but shows no CPU time used and no I/O reads and eventually vanishes (timeout?)

An update
By various nefarous means i.e. changing accounts, safe mode, re-running HJT (finding and destroying an R3 and 2 - BHOs that had returned) and renaming mbam - at last mbam fired up and is now running - has been for an hour and has found 41 infected objects so far. After the problems I had, I've decided to let mbam do a FULL scan (including the thumb drive) - I'll post the results when it finishes in a day or two.

regards

DeeCee

Hello.
Good work! standing by for the log.

Here we go!
1st log - Full Scan
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

07/09/2009 16:56:49
mbam-log-2009-09-07 (16-56-49).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 334441
Time elapsed: 1 hour(s), 21 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 38
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACxunaoyelvc.dll (Rogue.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{36dbc179-a19f-48f2-b16a-6a3e19b42a87} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{36dbc179-a19f-48f2-b16a-6a3e19b42a87} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{36dbc179-a19f-48f2-b16a-6a3e19b42a87} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b7aaeb1-9f3d-4491-9c06-c7165ca8d058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{51b15f5a-e98b-4658-b9cb-9307b74773a7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\archie thomson\Application Data\FunWebProducts (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\archie thomson\Application Data\FunWebProducts\Data (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\archie thomson\Application Data\FunWebProducts\Data\archie thomson (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Application Data\FunWebProducts (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Application Data\FunWebProducts\Data (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Application Data\FunWebProducts\Data\Emma Thomson (Adware.MyWay) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\igfxtray.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\UACxunaoyelvc.dll (Rogue.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\igfxcfg.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\archie thomson\Local Settings\Temp\E.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Local Settings\Temp\a.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Local Settings\Temp\c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Local Settings\Temp\rasvsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\My Documents\My Music\Setup-e3dad9_02001-35.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AAV.rog (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\archie thomson\Application Data\FunWebProducts\Data\archie thomson\avatar.dat (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Application Data\FunWebProducts\Data\Emma Thomson\avatar.dat (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Application Data\FunWebProducts\Data\Emma Thomson\register.dat (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Application Data\FunWebProducts\Data\Emma Thomson\zbucks.dat (Adware.MyWay) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\form.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\explorer.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

2nd log - quick scan follow-up
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

07/09/2009 18:21:03
mbam-log-2009-09-07 (18-21-03).txt

Scan type: Quick Scan
Objects scanned: 156059
Time elapsed: 22 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

3rd scan MbAM updated (found 6 more)

Malwarebytes' Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 2

07/09/2009 22:57:49
mbam-log-2009-09-07 (22-57-49).txt

Scan type: Quick Scan
Objects scanned: 160707
Time elapsed: 22 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-2647683160-1587660973-2963474672-1006\Dc347.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Local Settings\Temp\d.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Local Settings\Temporary Internet Files\Content.IE5\4Q2AF41W\Antivirus-b90e_2029-5[1].exe (Trojan.FraudLoad) -> Quarantined and deleted successfully.
C:\Documents and Settings\Emma Thomson\Local Settings\Temporary Internet Files\Content.IE5\H2YXLJ3X\Antivirus-349_2029-5[1].exe (Trojan.FraudLoad) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

So far so good

Hello.
Maybe, but there is a rootkit present, that's why the UAC key and uacinit.dll wont go away.

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Hi Belahzur,
Here's Combofix.txt Part1 (whole thing too big to post!)
ComboFix 09-09-07.03 - Emma Thomson 08/09/2009 10:19.1.1 - NTFSx86
Running from: f:\malware tools\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\catch.scr
c:\docume~1\EMMATH~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\EMMATH~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Emma Thomson\My Documents\reg12Nov08.reg
c:\recycler\S-1-5-21-2217125438-4210465246-261616299-1003
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\run.log
c:\windows\system32\drivers\UACbrrpuhyiju.sys
c:\windows\system32\info.txt
c:\windows\system32\UACenpavbsvxu.dll
c:\windows\system32\UACfsfkqlcdqu.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjnppyxedjb.dat
c:\windows\system32\UACmhldeogryy.dll
c:\windows\system32\UACurulatmoyn.dll
c:\windows\system32\UACxunaoyelvc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_TDSSSERV.SYS
-------\Legacy_BOONTY_GAMES
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_Boonty Games


((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-07 12:49 . 2009-09-07 12:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-09-07 09:37 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 09:37 . 2009-09-07 21:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 09:37 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 12:49 . 2007-06-13 10:23 1033216 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2009-09-03 12:49 . 2007-06-13 10:23 1033216 ----a-w- c:\windows\explorer.exe
2009-09-02 19:15 . 2009-09-02 19:15 -------- d-----w- C:\autorunsc
2009-09-02 19:14 . 2009-09-02 19:29 -------- d-----w- C:\autoruns
2009-09-02 14:45 . 2008-04-14 04:42 1033728 ----a-w- C:\exploser.exe
2009-09-01 15:34 . 2009-09-01 15:42 -------- d--h--w- c:\windows\PIF
2009-09-01 14:33 . 2009-09-01 14:33 25424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 12:26 . 2009-09-01 12:26 -------- d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Apple Computer
2009-09-01 12:26 . 2009-09-01 12:26 -------- d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Conduit
2009-09-01 12:26 . 2009-09-01 12:26 -------- d-----w- c:\documents and settings\Papa\Application Data\Yahoo!
2009-08-29 19:13 . 2009-08-29 19:13 -------- d-----w- c:\documents and settings\Jack\Local Settings\Application Data\Conduit
2009-08-29 19:11 . 2009-08-29 19:11 -------- d-----w- c:\documents and settings\Jack\Application Data\Yahoo!
2009-08-23 14:51 . 2009-08-23 14:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-12 18:41 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-09 12:41 . 2009-08-09 12:41 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-09 12:41 . 2009-08-09 12:41 -------- d-----w- c:\program files\MSBuild
2009-08-09 12:40 . 2009-08-09 12:40 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 12:39 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 12:39 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 12:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-09 12:39 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-09 12:39 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 12:39 . 2009-08-09 12:40 -------- d-----w- C:\6d3e60c08e539d171b2078041f96
2009-08-09 12:39 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 12:39 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-09 12:24 . 2009-08-09 12:24 -------- d-----w- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 13:00 . 2005-04-20 14:39 -------- d-----w- c:\program files\Yahoo!
2009-09-07 12:53 . 2005-07-07 13:58 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!
2009-09-07 12:45 . 2006-06-19 20:35 -------- d-----w- c:\program files\WildGames
2009-09-02 18:20 . 2008-11-10 18:20 -------- d-----w- c:\program files\MeBigBoot
2009-09-01 17:35 . 2009-06-04 12:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-01 15:36 . 2008-11-11 10:52 -------- d-----w- c:\program files\Spyware Doctor
2009-08-25 17:14 . 2006-06-12 12:01 -------- d-----w- c:\program files\Diner Dash 2
2009-08-25 17:13 . 2006-04-16 19:27 -------- d-----w- c:\program files\PlayFirst
2009-08-25 17:11 . 2007-09-20 19:00 -------- d-----w- c:\program files\DeliciousDeluxe2_at
2009-08-25 17:09 . 2005-11-05 21:10 -------- d-----w- c:\program files\Yahoo! Games
2009-08-25 17:08 . 2006-05-16 16:01 -------- d-----w- c:\documents and settings\Emma Thomson\Application Data\PlayFirst
2009-08-25 17:08 . 2006-05-16 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-08-25 17:07 . 2006-07-30 18:34 -------- d-----w- c:\program files\GameHouse
2009-08-25 17:05 . 2006-04-30 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-08-25 17:04 . 2007-09-05 15:48 -------- d-----w- c:\program files\BurgerIsland_at
2009-08-25 10:36 . 2007-09-11 20:25 -------- d-----w- c:\program files\BellesBeautyBoutique_at
2009-08-18 15:35 . 2004-12-26 12:42 25424 ----a-w- c:\documents and settings\Emma Thomson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2002-12-11 23:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 15:03 . 2009-02-27 22:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-01 10:32 . 2007-04-23 01:39 -------- d-----w- c:\program files\LimeWire
2009-08-01 10:27 . 2009-08-01 10:29 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-01 10:27 . 2007-04-23 01:40 -------- d-----w- c:\program files\Java
2009-07-24 16:02 . 2005-03-16 10:41 25424 ----a-w- c:\documents and settings\archie thomson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 18:55 . 2004-10-01 06:51 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 17:20 . 2009-07-15 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-15 17:15 . 2009-06-04 12:44 -------- d-----w- c:\program files\Norton Security Scan
2009-07-15 17:08 . 2009-07-15 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-15 17:07 . 2009-07-15 17:07 -------- d-----w- c:\program files\NortonInstaller
2009-07-15 17:07 . 2009-07-15 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-13 22:43 . 2004-12-26 12:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 18:00 . 2007-09-05 15:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 16:12 . 2004-02-06 18:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-12-26 12:33 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-10-01 06:51 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:44 . 2004-10-01 06:52 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-10-01 06:52 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-10-01 06:52 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-10-01 06:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-10-01 06:52 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-10-01 06:52 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-10-01 06:52 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2004-10-01 06:52 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-10-01 06:52 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-10-01 06:52 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-10-01 06:51 84992 ----a-w- c:\windows\system32\avifil32.dll
2005-11-04 18:17 . 2005-11-04 18:17 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-09-05 17:00 . 2006-07-30 18:34 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2002-08-29 . BF3C8CF53C77B48206B39910B6D6CBCC . 49152 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.

Part 2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-10-08 173368]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f312b9a-208b-49fa-8218-b9aa22ec1463}]
2009-06-13 18:15 2094616 ----a-w- c:\program files\bigmaq\tbbig1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-10-08 12:22 1172792 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]
"{7f312b9a-208b-49fa-8218-b9aa22ec1463}"= "c:\program files\BigMAQ\tbbig1.dll" [2009-06-13 2094616]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CLASSES_ROOT\clsid\{7f312b9a-208b-49fa-8218-b9aa22ec1463}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-07-01 118784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"EPSON Stylus C46 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE" [2004-01-14 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-01 136600]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-01-13 111928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-04-28 66048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
broadband medic.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe [2005-3-5 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=3 (0x3)
"AvSynMgr"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-05 29744]
R3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\NaiFiltr.sys [2001-11-26 23856]
R3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2005-01-19 11264]
R4 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-11-26 155665]
S0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\NaiFsRec.sys [2001-04-30 4512]

.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-08-28 c:\windows\Tasks\Norton Security Scan for Emma Thomson.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-15 17:16]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Messenger (Yahoo!) - ~c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchURL = hxxp://www.google.com/
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Emma Thomson\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37490.cab
FF - ProfilePath - c:\documents and settings\Emma Thomson\Application Data\Mozilla\Firefox\Profiles\8bjgg2hx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Emma Thomson\Application Data\Mozilla\Firefox\Profiles\8bjgg2hx.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 10:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2647683160-1587660973-2963474672-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3260)
c:\windows\system32\WININET.dll
c:\progra~1\ntl\BROADB~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-08 10:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 09:54

Pre-Run: 42,928,443,392 bytes free
Post-Run: 46,761,091,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

272 --- E O F --- 2009-09-08 07:44

At the start of this I realised that windows firewall also wasn't running but I don't know if the malware turned it off or my grandaughter was conned into removing it (although that's unlikely) anyway I intend to fix that (unless you think differently) using MS method in article ID:920074 which says:-

This problem is caused by a missing or corrupted SharedAccess.reg file. The SharedAccess.reg file represents the Windows Firewall service.

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command line, and then press ENTER:
Rundll32 setupapi,InstallHinfSection Ndi-Steelhead 132 %windir%\inf\netrass.inf
3. Restart Windows,
4. Click Start, click Run, type cmd, and then click OK.
5. At the command prompt, type the following command, and then press ENTER:
Netsh firewall reset
6. Click Start, click Run, type firewall.cpl, and then press ENTER. In the Windows Firewall dialog box, click On (recommended), and then click OK.

Now open a new notepad file.
Input this into the notepad file:

FCopy::
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll | c:\windows\system32\eventlog.dll

File::
C:\exploser.exe

Folder::
C:\autorunsc
C:\autoruns

FileLook::
c:\windows\explorer.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Here it is - 2 bits again
Note "C:\exploser.exe" - this was the renamed explorer.exe file I put on in the early stages to get access to the drives - did it get infected?
When combo fix started - it reported a later version was available. I didn't download it as I wasn't sure of the possible results if I didn't rename it as Combo-Fix (the textfile had already been dropped in.

ComboFix 09-09-07.03 - Emma Thomson 08/09/2009 16:47.2.1 - NTFSx86
Running from: f:\malware tools\Combo-Fix.exe
Command switches used :: f:\malware tools\CFScript.txt
* Created a new restore point

FILE ::
"C:\exploser.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autoruns
c:\autoruns\arun.pif
c:\autoruns\autoruns.chm
c:\autoruns\autoruns.exe
c:\autoruns\Autoruns.zip
c:\autoruns\autorunsc.exe
C:\autorunsc
C:\exploser.exe

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-08 15:48 . 2009-09-08 15:48 -------- d-----w- c:\windows\LastGood
2009-09-08 15:47 . 2004-08-04 00:56 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-09-08 15:47 . 2004-08-04 00:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-09-07 12:49 . 2009-09-07 12:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-09-07 09:37 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 09:37 . 2009-09-07 21:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 09:37 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 12:49 . 2007-06-13 10:23 1033216 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2009-09-03 12:49 . 2007-06-13 10:23 1033216 ------w- c:\windows\explorer.exe
2009-09-01 15:34 . 2009-09-01 15:42 -------- d--h--w- c:\windows\PIF
2009-09-01 14:33 . 2009-09-01 14:33 25424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 12:26 . 2009-09-01 12:26 -------- d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Apple Computer
2009-09-01 12:26 . 2009-09-01 12:26 -------- d-----w- c:\documents and settings\Papa\Local Settings\Application Data\Conduit
2009-09-01 12:26 . 2009-09-01 12:26 -------- d-----w- c:\documents and settings\Papa\Application Data\Yahoo!
2009-08-29 19:13 . 2009-08-29 19:13 -------- d-----w- c:\documents and settings\Jack\Local Settings\Application Data\Conduit
2009-08-29 19:11 . 2009-08-29 19:11 -------- d-----w- c:\documents and settings\Jack\Application Data\Yahoo!
2009-08-23 14:51 . 2009-08-23 14:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-12 18:41 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 13:00 . 2005-04-20 14:39 -------- d-----w- c:\program files\Yahoo!
2009-09-07 12:53 . 2005-07-07 13:58 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!
2009-09-07 12:45 . 2006-06-19 20:35 -------- d-----w- c:\program files\WildGames
2009-09-02 18:20 . 2008-11-10 18:20 -------- d-----w- c:\program files\MeBigBoot
2009-09-01 17:35 . 2009-06-04 12:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-01 15:36 . 2008-11-11 10:52 -------- d-----w- c:\program files\Spyware Doctor
2009-08-25 17:14 . 2006-06-12 12:01 -------- d-----w- c:\program files\Diner Dash 2
2009-08-25 17:13 . 2006-04-16 19:27 -------- d-----w- c:\program files\PlayFirst
2009-08-25 17:11 . 2007-09-20 19:00 -------- d-----w- c:\program files\DeliciousDeluxe2_at
2009-08-25 17:09 . 2005-11-05 21:10 -------- d-----w- c:\program files\Yahoo! Games
2009-08-25 17:08 . 2006-05-16 16:01 -------- d-----w- c:\documents and settings\Emma Thomson\Application Data\PlayFirst
2009-08-25 17:08 . 2006-05-16 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-08-25 17:07 . 2006-07-30 18:34 -------- d-----w- c:\program files\GameHouse
2009-08-25 17:05 . 2006-04-30 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-08-25 17:04 . 2007-09-05 15:48 -------- d-----w- c:\program files\BurgerIsland_at
2009-08-25 10:36 . 2007-09-11 20:25 -------- d-----w- c:\program files\BellesBeautyBoutique_at
2009-08-18 15:35 . 2004-12-26 12:42 25424 ----a-w- c:\documents and settings\Emma Thomson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 12:41 . 2009-08-09 12:41 -------- d-----w- c:\program files\MSBuild
2009-08-09 12:40 . 2009-08-09 12:40 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 12:24 . 2009-08-09 12:24 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:11 . 2002-12-11 23:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 15:03 . 2009-02-27 22:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-01 10:32 . 2007-04-23 01:39 -------- d-----w- c:\program files\LimeWire
2009-08-01 10:27 . 2009-08-01 10:29 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-01 10:27 . 2007-04-23 01:40 -------- d-----w- c:\program files\Java
2009-07-24 16:02 . 2005-03-16 10:41 25424 ----a-w- c:\documents and settings\archie thomson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 18:55 . 2004-10-01 06:51 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 17:20 . 2009-07-15 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-15 17:15 . 2009-06-04 12:44 -------- d-----w- c:\program files\Norton Security Scan
2009-07-15 17:08 . 2009-07-15 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-15 17:07 . 2009-07-15 17:07 -------- d-----w- c:\program files\NortonInstaller
2009-07-15 17:07 . 2009-07-15 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-13 22:43 . 2004-12-26 12:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 18:00 . 2007-09-05 15:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 16:12 . 2004-02-06 18:05 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-12-26 12:33 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-10-01 06:51 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:44 . 2004-10-01 06:52 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-10-01 06:52 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-10-01 06:52 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-10-01 06:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-10-01 06:52 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-10-01 06:52 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-10-01 06:52 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2004-10-01 06:52 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-10-01 06:52 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-10-01 06:52 76288 ----a-w- c:\windows\system32\telnet.exe
2005-11-04 18:17 . 2005-11-04 18:17 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-09-05 17:00 . 2006-07-30 18:34 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\explorer.exe ---
Company: Microsoft Corporation
File Description: Windows Explorer
File Version: 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
Product Name: Microsoft Windows Operating System
Copyright: Microsoft Corporation. All rights reserved.
Original Filename: EXPLORER.EXE
File size: 1033216
Created time: 2009-09-03 12:49
Modified time: 2007-06-13 10:23
MD5: 97BD6515465659FF8F3B7BE375B2EA87
SHA1: 972307A3EF93680AFDD03603DF20F2241047A934

2nd bit

((((((((((((((((((((((((((((( SnapShot@2009-09-08_09.43.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 15:48 . 2008-04-14 00:11 56320 c:\windows\LastGood\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-10-08 173368]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f312b9a-208b-49fa-8218-b9aa22ec1463}]
2009-06-13 18:15 2094616 ----a-w- c:\program files\bigmaq\tbbig1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-10-08 12:22 1172792 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]
"{7f312b9a-208b-49fa-8218-b9aa22ec1463}"= "c:\program files\BigMAQ\tbbig1.dll" [2009-06-13 2094616]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CLASSES_ROOT\clsid\{7f312b9a-208b-49fa-8218-b9aa22ec1463}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-07-01 118784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"EPSON Stylus C46 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE" [2004-01-14 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-01 136600]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-01-13 111928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-04-28 66048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
broadband medic.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe [2005-3-5 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=3 (0x3)
"AvSynMgr"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\naifsrec.sys [30/04/2001 05:51 4512]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [25/01/2009 21:05 33752]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [30/07/2006 19:34 29744]
S3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\naifiltr.sys [26/11/2001 17:51 23856]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [03/01/2006 14:44 11264]
S4 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [26/11/2001 17:51 155665]
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-08-28 c:\windows\Tasks\Norton Security Scan for Emma Thomson.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-15 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchURL = hxxp://www.google.com/
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Emma Thomson\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37490.cab
FF - ProfilePath - c:\documents and settings\Emma Thomson\Application Data\Mozilla\Firefox\Profiles\8bjgg2hx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Emma Thomson\Application Data\Mozilla\Firefox\Profiles\8bjgg2hx.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 17:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2647683160-1587660973-2963474672-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-09-08 17:07
ComboFix-quarantined-files.txt 2009-09-08 16:05
ComboFix2.txt 2009-09-08 09:54

Pre-Run: 46,794,747,904 bytes free
Post-Run: 46,753,931,264 bytes free

227 --- E O F --- 2009-09-08 07:44

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Hi Belahzur
Everything seems OK now but I'll know better after grandlings have been using it. I've changed all passwords and revoked admin rights on their accounts and I'll install new a-v/a-mw software. Now I'd better check my own PC & laptop after doing all that file swapping. Thanks for all your help and I hope the sun is shining wherever you are. If you find out who wriites this stuff, I'd be pleased to meet them to personally explain the error of their ways if you know what I mean.

Best wishes from

deecee

Heh, UK, and yes, it's been sunny here today.