NAGEL.E / BANKER VIRUS

Hi there, your help greatly appreciated. Cheers - Susan (thank G for multiple laptop homes lol)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:58 a.m., on 6/02/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\notepad.exe
C:\Users\Steven P\Security\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Presario&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Presario&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Hcvu] rundll32 "C:\Users\Steven P\AppData\Roaming\hpf3l0828.dll",EJFBXHDWBV
O4 - HKCU\..\Run: [coivjmmh] C:\Users\Steven P\AppData\Local\taynxb\awrtsftav.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.8.05.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca3f1fd4725840) (gupdate1ca3f1fd4725840) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12332 bytes

Hello.

• Click Start >> Control Panel.
  
• Under the Programs click Uninstall a Program
  
• Highlight Ask Toolbar
  
• Click on the Uninstall/Change button at the top.
  

Next,

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
  O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
  O4 - HKCU\..\Run: [Hcvu] rundll32 "C:\Users\Steven P\AppData\Roaming\hpf3l0828.dll",EJFBXHDWBV
  O4 - HKCU\..\Run: [coivjmmh] C:\Users\Steven P\AppData\Local\taynxb\awrtsftav.exe
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Remove the Proxy setting in Internet Explorer and/or in FireFox.

In Internet Explorer

1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
   

In Firefox

1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
   
2. Click the apply button and restart that computer in normal mode.
   

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

comes up straight away with "windows installer service could not be accessed ....."

Cause it's in Safe Mode, skip the Ask Toolbar removal bit for now and carry on with the rest of my instructions.

I'm getting an error message on both computers when I try to run MalWareBytes update. Error Code 732 (12029, 0). Infected laptop hasn't had update since 21/1/10 from what I saw. Have run the scan and it found nothing.
--------------------

Malwarebytes' Anti-Malware 1.44
Database version: 3522
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18882

6/02/2010 11:51:39 a.m.
mbam-log-2010-02-06 (11-51-39).txt

Scan type: Quick Scan
Objects scanned: 104436
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
[img][/img]

• Download combofix from here
  Link 1
  

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

• See HERE for how to disable your AV.
  
• Double click on svchost.exe.
  
• Follow the prompts. NOTE:
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouse click combofix's window whilst it's running. That may cause it to stall.
  

just running svchost now, ran out of power so have had to restart (aaarrrrrggh), what time are you around until?

Not long, going to bed in a few minutes.

ran the svchost, all was fine, said it was preparing the log, it disappeared, can't find log. Searched computer for combo or svc, nothing. Am I going mad?

No, sometimes it happens.
Re-Run Combofix, see if it makes a log the 2nd time around.

he's used it this morning and it all SEEMS to have disappeared (popups etc). Too easy? I defragged last night but think it ended up hung. Restarted & all good. Is it lurking?

Hard to say, please re-run Combofix so we can get a log and then we can see what's what.

yay !!
-----------------------
ComboFix 10-02-05.02 - Steven P 07/02/2010 9:46.1.2 - x86
Microsoft Windows Vista Home Basic 6.0.6002.2.1252.64.1033.18.3002.2056 [GMT 13:00]
Running from: c:\users\Steven P\Security\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\$recycle.bin\S-1-5-21-3767358652-1191654320-1600515110-500
c:\$recycle.bin\S-1-5-21-4205227771-1647843781-2177907723-500
c:\users\Steven P\AppData\Local\taynxb
c:\users\Steven P\AppData\Local\taynxb\awrtsftav.exe
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-02-06 20:54 . 2010-02-06 20:54 -------- d-----w- c:\users\Steven P\AppData\Local\temp
2010-02-06 20:54 . 2010-02-06 20:54 -------- d-----w- c:\users\Jorgiah\AppData\Local\temp
2010-02-06 20:54 . 2010-02-06 20:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-06 04:56 . 2010-02-06 04:56 -------- d-----w- C:\Archive
2010-02-06 04:40 . 2010-02-06 04:40 -------- d-----w- c:\program files\Trend Micro
2010-02-06 04:15 . 2010-02-06 04:15 -------- d-----w- c:\users\Steven P\AppData\Local\Trend Micro
2010-02-05 21:16 . 2009-07-29 14:29 94480 ----a-r- c:\windows\system32\drivers\tmcomm.sys
2010-02-05 19:26 . 2010-02-05 19:26 1140850688 --sha-w- C:\NRTPage.sys
2010-02-04 19:47 . 2010-02-04 19:47 97792 --sha-r- c:\users\Steven P\AppData\Roaming\hpf3l0828.dll
2010-01-24 00:43 . 2010-02-03 07:50 -------- d-----w- c:\users\Steven P\Tracing
2010-01-23 06:18 . 2010-01-23 06:18 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbE17B.tmp.exe
2010-01-13 00:21 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 00:21 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 04:00 . 2010-01-13 22:12 181120 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 00:09 . 2009-12-19 05:32 20 ---h--w- c:\programdata\PKP_DLdw.DAT
2010-02-05 00:06 . 2009-01-09 14:01 -------- d-----w- c:\programdata\NortonInstaller
2010-02-02 17:10 . 2009-10-09 02:09 -------- d-----w- c:\users\Jorgiah\AppData\Roaming\LimeWire
2010-01-25 04:00 . 2009-10-09 01:20 -------- d-----w- c:\users\Jorgiah\AppData\Roaming\Sierra Wireless
2010-01-22 18:59 . 2009-03-28 06:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 00:33 . 2009-01-09 14:11 -------- d-----w- c:\program files\Norton Internet Security
2010-01-17 00:32 . 2009-01-09 14:02 -------- d-----w- c:\programdata\Norton
2010-01-17 00:31 . 2008-08-01 23:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-16 23:18 . 2009-12-19 05:28 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-01-13 05:03 . 2008-08-02 00:33 -------- d-----w- c:\programdata\Microsoft Help
2010-01-13 05:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-09 01:43 . 2009-09-27 03:09 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-01-09 01:43 . 2008-08-02 01:14 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-08 23:19 . 2009-01-10 03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 23:18 . 2009-01-10 03:34 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 03:07 . 2009-01-10 03:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 03:07 . 2009-01-10 03:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 22:36 . 2010-01-05 22:36 -------- d-----w- c:\users\Steven P\AppData\Roaming\GretagMacbeth
2010-01-05 22:24 . 2010-01-05 22:24 -------- d-----w- c:\program files\X-Rite
2010-01-05 22:23 . 2010-01-05 22:23 -------- d-----w- c:\program files\GretagMacbeth
2010-01-04 23:05 . 2010-01-04 22:56 -------- d-----w- c:\program files\EPSON
2010-01-04 23:05 . 2008-08-01 23:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-02 06:38 . 2010-01-22 19:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 19:07 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 19:07 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 19:07 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-27 02:56 . 2009-10-09 01:20 105416 ----a-w- c:\users\Jorgiah\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-19 22:11 . 2009-12-19 22:11 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-12-19 06:00 . 2009-12-19 05:58 -------- d-----w- c:\users\Steven P\AppData\Roaming\Nikon
2009-12-19 05:58 . 2009-12-19 05:30 -------- d-----w- c:\program files\Common Files\Nikon
2009-12-19 05:36 . 2009-12-19 05:36 49152 ----a-r- c:\users\Steven P\AppData\Roaming\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2009-12-19 05:35 . 2009-12-19 05:35 57344 ----a-r- c:\users\Steven P\AppData\Roaming\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2009-12-19 05:33 . 2009-12-19 05:30 -------- d-----w- c:\program files\Nikon
2009-12-19 05:32 . 2009-12-19 05:28 -------- d-----w- c:\programdata\Ultima_T15
2009-12-19 05:32 . 2009-12-19 05:28 -------- d-----w- c:\programdata\EnterNHelp
2009-12-19 05:30 . 2009-12-19 05:30 -------- d-----w- c:\programdata\Nikon
2009-12-19 05:28 . 2008-08-01 23:52 106496 ----a-w- c:\windows\system32\ATL71.DLL
2009-12-13 03:11 . 2009-01-09 13:56 105416 ----a-w- c:\users\Steven P\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-12 23:52 . 2009-12-12 23:49 -------- d-----w- c:\users\Steven P\AppData\Roaming\HP
2009-12-12 23:50 . 2008-08-02 01:03 -------- d-----w- c:\programdata\HP
2009-12-12 23:50 . 2009-12-12 23:50 -------- d-----w- c:\programdata\WEBREG
2009-12-12 23:49 . 2009-12-12 23:32 188663 ----a-w- c:\windows\hpwins22.dat
2009-12-12 23:47 . 2008-08-01 23:52 -------- d-----w- c:\program files\HP
2009-12-12 23:47 . 2009-12-12 23:47 -------- d-----w- c:\programdata\HP Product Assistant
2009-12-12 23:40 . 2009-12-12 23:40 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-11-22 06:09 . 2009-11-22 06:09 439816 ----a-w- c:\users\Steven P\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-11-17 05:16 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-14 02:21 . 2009-11-14 02:21 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-02-07 04:08 . 2009-01-10 23:08 696 ----a-w- c:\program files\Collections.html
2009-01-11 00:31 . 2009-01-10 23:31 255 ----a-w- c:\program files\PlayList.txt
2008-08-01 22:13 . 2008-08-01 22:13 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "c:\program files\AGI\common\agcutils.dll" [2010-02-06 43520]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{647B16D8-AD7B-4983-82D7-82A270FC9E6D}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]
2009-10-01 04:29 2166296 ----a-w- c:\program files\IObitCom\tbIObi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{31c7d459-9cc3-44f2-9dca-fc11795309b4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-10-01 2166296]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-10-01 2166296]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-09 39408]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 145944]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-12 202032]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\Watcher\WaHelper.exe" [2008-05-27 114688]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-24 1732608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-28 198160]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

c:\users\Steven P\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2009-1-11 157000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-10-26 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-5 110592]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2010-1-6 708608]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2010-1-6 954368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d3,0e,ee,4a,94,24,ca,01

R2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\pythonservice.exe [11/01/2009 11:37 a.m. 10240]
R2 PDIHWCTL;PDIHWCTL;c:\windows\System32\drivers\pdihwctl.sys [6/01/2010 11:24 a.m. 14416]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2/08/2008 2:40 p.m. 361808]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [14/11/2009 12:31 a.m. 92008]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2/08/2008 1:04 p.m. 193840]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [5/06/2008 6:54 a.m. 113664]
S2 gupdate1ca3f1fd4725840;Google Update Service (gupdate1ca3f1fd4725840);c:\program files\Google\Update\GoogleUpdate.exe [27/09/2009 4:08 p.m. 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21/01/2008 3:33 p.m. 21504]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [9/10/2009 6:10 p.m. 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [5/08/2009 10:48 p.m. 704864]
S3 i1;i1 Pro;c:\windows\System32\drivers\i1.sys [6/01/2010 11:24 a.m. 26045]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-06 c:\windows\Tasks\AWC Startup.job
- c:\program files\Cisco\IObit\Advanced SystemCare 3\AWC.exe [2009-11-02 20:33]

2010-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-27 03:08]

2010-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-27 03:08]

2010-01-28 c:\windows\Tasks\HPCeeScheduleForSteven P.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-01 22:14]

2010-02-06 c:\windows\Tasks\User_Feed_Synchronization-{6B017BE1-86DF-494A-9744-2553EA19B92F}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]

2010-02-06 c:\windows\Tasks\User_Feed_Synchronization-{BD0B4BE0-711F-4243-9F62-2895FC946B25}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.nz/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride =
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 09:54
Windows 6.0.6002 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-07 09:57:00
ComboFix-quarantined-files.txt 2010-02-06 20:56

Pre-Run: 72,396,464,128 bytes free
Post-Run: 72,320,122,880 bytes free

- - End Of File - - 1428B46E1365AB65B32B98C7098984F0

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

Awesome !! thank you so much for all your help - we would have been knackered without you