Krepper - G and Win32.Small.kj

When I run Spybot-Search and Destroy I get the result below. I select 'Fix Problem' and I am told that the system needs to shutdown in order to remove the problem. I allow Spybot to shutdown, upon restart it runs another scan and removes the items from my registry. I reboot my machine and run Spybot-S&D again and I have the original issue all over again.

Krepper - G

(SBI $710353AD) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i386p
(SBI $BBCD2521) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\i386p
(SBI $B68258E1) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\i386p

Win32.Small.kj

(SBI $385B245F) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xpdx
(SBI $4CEF22AE) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xpdx



If I run Malwarebytes' Anti-Malware 'quick scan' I get the following log and I am told that I need to shut down in order to remove the problem.

Rootkit.Agent

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fak32

Rootkit.Rustock

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpdx


Your invaluable assistance will be gratefully received

If MBAM can't do the job, then were gonna have to use something more powerful.
Before we can though, I need to see a DDS log.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Save the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

The file is too big to post, I have saved it as a .rar file however I don't know how to post it.

Can you please instruct me further?

Split the log up into more than one post.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Kimina at 10:58:10.09 on Sat 04/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1339 [GMT 10:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Outdated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiLogger\AntiLogger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Kimina\Desktop\HiJackThis.exe
C:\Documents and Settings\Kimina\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bigpond.com/internet/mybigpond/
uURLSearchHooks: H - No File
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [AntiLogger] "c:\program files\antilogger\AntiLogger.exe" /minimized
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: MaxRecentDocs = 11 (0xb)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\imon.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233656346390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {E1C2CA2F-B009-43DB-AAEB-3433D7E8F1E7} = 61.9.211.33,61.9.211.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kimina\applic~1\mozilla\firefox\profiles\aba8c5y6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/internet/mybigpond/
FF - plugin: c:\documents and settings\kimina\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2009-3-31 115056]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-3 15424]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-25 353672]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-4-3 4414520]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-3-27 179856]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-3 552064]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-3-27 15504]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
S3 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]

=============== Created Last 30 ================

2009-04-04 00:28 2,048 a------- C:\w2ksect.bin
2009-04-04 00:00 --d----- C:\XPSetup
2009-04-03 22:44 27,612 a------- c:\windows\syscall.dat
2009-04-03 19:02 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-04-03 19:02 --d----- c:\program files\Prevx
2009-04-03 19:02 --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-04-03 15:41 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-04-03 15:41 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-04-03 15:41 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-04-03 15:41 75,264 a------- c:\windows\system32\unacev2.dll
2009-04-03 15:41 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-04-03 15:40 --d----- c:\program files\Trojan Remover
2009-04-03 15:40 --d----- c:\docume~1\kimina\applic~1\Simply Super Software
2009-04-03 15:40 --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-04-02 09:30 --d----- c:\program files\Spybot - Search & Destroy
2009-04-01 13:29 0 a------- c:\windows\setup.INI
2009-04-01 13:21 --d----- c:\docume~1\kimina\applic~1\TypingMaster7
2009-04-01 12:51 2,802 a------- c:\windows\Sobotta.sam
2009-04-01 12:47 338 a------- c:\windows\Sobotta.ntz
2009-04-01 12:47 29 a------- c:\windows\BSL.INI
2009-04-01 08:54 -cd-h--- c:\docume~1\alluse~1\applic~1\{298A24DC-2111-4597-BF26-E3847C84C04B}
2009-03-31 14:02 --d----- c:\docume~1\kimina\applic~1\XemiComputers
2009-03-30 17:03 7,680 a--sh--- c:\windows\Thumbs.db
2009-03-30 15:53 --d----- c:\program files\Nero
2009-03-30 15:53 --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-03-30 12:01 --d----- c:\program files\SEC
2009-03-29 16:12 --d----- C:\Share
2009-03-27 17:03 --d----- c:\docume~1\kimina\applic~1\Malwarebytes
2009-03-27 17:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 17:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 17:03 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 17:03 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-27 13:55 --d----- c:\program files\SonicWallES
2009-03-27 10:57 --d----- c:\docume~1\kimina\applic~1\MailFrontier
2009-03-27 10:55 531,991,072 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-27 10:55 7,127,000 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-27 10:52 72,584 a------- c:\windows\zllsputility.exe
2009-03-27 08:18 43,904 ac------ c:\windows\system32\dllcache\sbp2port.sys
2009-03-27 08:18 43,904 a------- c:\windows\system32\drivers\sbp2port.sys
2009-03-25 19:31 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-03-25 19:31 --d----- c:\program files\Zone Labs
2009-03-25 19:31 351,219 a------- c:\windows\system32\vsconfig.xml
2009-03-25 12:01 157,696 a------- c:\windows\system32\unrar.dll
2009-03-25 11:52 44,544 a------- c:\windows\system32\msxml4a.dll
2009-03-22 19:53 --d----- c:\program files\FLAC
2009-03-22 14:55 --d--r-- c:\program files\TypingMaster
2009-03-18 10:48 490 a------- c:\windows\system32\spupdsvc.inf
2009-03-18 10:43 --d----- c:\windows\system32\URTTEMP
2009-03-18 09:59 --d----- c:\windows\system32\windows media
2009-03-18 09:56 --d-h--- c:\windows\msdownld.tmp
2009-03-18 09:55 --d----- c:\program files\Windows Media Components
2009-03-14 09:43 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-03-14 09:43 45,392 a------- c:\windows\system32\AdobePDF.dll
2009-03-14 09:26 --d----- c:\program files\iPod
2009-03-14 09:26 --d----- c:\program files\iTunes
2009-03-14 09:26 --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:34 1,674,280 a------- c:\windows\system32\OLCH2X32.OCX
2009-03-13 19:34 222,416 a------- c:\windows\system32\mhlist32.ocx
2009-03-13 19:34 203,976 a------- c:\windows\system32\RICHTX32.OCX
2009-03-13 19:34 140,288 a------- c:\windows\system32\comdlg32.ocx
2009-03-13 19:34 139,264 a------- c:\windows\system32\ccrpfd.ocx
2009-03-13 19:34 122,880 a------- c:\windows\system32\ftpx.ocx
2009-03-13 19:34 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-03-13 19:34 57,344 a------- c:\windows\system32\BC32R60.dll
2009-03-13 19:34 258,048 a------- c:\windows\system32\FtpX.DLL
2009-03-13 19:34 --d----- c:\program files\Innovative Logic
2009-03-12 18:06 676,864 a------- c:\windows\system32\drivers\hardlock.sys
2009-03-12 18:06 47,616 a------- c:\windows\system32\drivers\Haspnt.sys
2009-03-12 18:06 6,656 a------- c:\windows\system32\haspvdd.dll
2009-03-12 18:06 2,577 a------- c:\windows\system32\config.hsp
2009-03-12 18:06 383 a------- c:\windows\system32\haspdos.sys
2009-03-10 23:09 --d----- c:\program files\LizardTech
2009-03-09 17:12 --d----- c:\docume~1\alluse~1\applic~1\Soulseek
2009-03-09 17:05 --d----- c:\program files\SoulseekNS
2009-03-09 15:02 81,920 a------- c:\windows\system32\ieencode.dll
2009-03-09 13:47 --d----- c:\program files\Windows Media Connect 2
2009-03-09 13:45 --d----- c:\windows\system32\LogFiles
2009-03-08 12:38 144 a------- c:\windows\system32\lkfl.dat
2009-03-08 12:38 96 a------- c:\windows\system32\pdfl.dat
2009-03-08 12:38 80 a------- c:\windows\system32\ibfl.dat
2009-03-08 12:38 --d----- c:\program files\CheckPoint
2009-03-08 11:12 5,632 a------- c:\windows\system32\ptpusb.dll
2009-03-08 11:12 159,232 a------- c:\windows\system32\ptpusd.dll
2009-03-07 17:37 --d----- c:\docume~1\kimina\applic~1\eMule
2009-03-07 17:09 --d----- c:\program files\JockerSoft
2009-03-07 15:38 230 a------- c:\windows\wininit.ini
2009-03-07 12:20 4,608 a--sh--- c:\windows\system32\Thumbs.db
2009-03-07 10:18 --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2009-03-07 10:12 69 a------- c:\windows\NeroDigital.ini
2009-03-07 09:54 --d----- c:\documents and settings\kimina\DesktopPO_)+}}
2009-03-06 14:55 87,608 a------- c:\docume~1\kimina\applic~1\inst.exe
2009-03-06 14:55 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-06 14:55 47,360 a------- c:\docume~1\kimina\applic~1\pcouffin.sys
2009-03-06 14:55 217,127 a------- c:\windows\system32\drv43260.dll
2009-03-06 14:55 208,935 a------- c:\windows\system32\drv33260.dll
2009-03-06 14:55 1,645,320 a------- c:\windows\gdiplus.dll
2009-03-06 14:55 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-03-06 14:55 176,165 a------- c:\windows\system32\drv23260.dll
2009-03-06 14:55 65,602 a------- c:\windows\system32\cook3260.dll
2009-03-06 14:55 --d----- c:\program files\VSO
2009-03-06 14:43 --d----- c:\docume~1\kimina\applic~1\Ashampoo
2009-03-06 14:43 --d----- c:\docume~1\alluse~1\applic~1\ashampoo
2009-03-06 14:42 --d----- c:\program files\Ashampoo
2009-03-06 14:41 --d----- c:\program files\Xilisoft
2009-03-06 13:54 --d----- c:\windows\RegisteredPackages
2009-03-05 11:06 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-04-02 14:51 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 21:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 23:50 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-03 19:36 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-03 15:10 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-03 15:10 298,104 a------- c:\windows\system32\imon.dll
2009-02-03 15:10 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 21:04 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-01-16 18:34 499,712 a------- c:\windows\system32\msvcp71.dll
2009-01-16 18:34 348,160 a------- c:\windows\system32\msvcr71.dll

============= FINISH: 10:58:28.67 ===============

Hello.
We'll run some removal tools soon, but there's two AV's present, so we'll get rid of one.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

sorry about that I thought I had disabled it, I've uninstalled Zone Alarm now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:27 AM, on 4/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AntiLogger\AntiLogger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\Kimina\LOCALS~1\Temp\zauninst.exe
C:\DOCUME~1\Kimina\LOCALS~1\Temp\GLB4FF.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kimina\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/internet/mybigpond/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [AntiLogger] "C:\Program Files\AntiLogger\AntiLogger.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233656346390
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1C2CA2F-B009-43DB-AAEB-3433D7E8F1E7}: NameServer = 61.9.211.33,61.9.211.1
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 8474 bytes

Hello again,
I sincerely apologise, I sent the wrong file... below is the one you have requested.

Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe ExtendScript Toolkit CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 8.1.3
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AntiLogger
AntiLogger
AoA MP4 Converter
Apple Software Update
Ashampoo Burning Studio 8.04
Canon MP Navigator EX 1.0
Canon MX300 series
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CCleaner (remove only)
Choice Guard
CodecInstaller 2.10.2
Collins English Dictionary And Thesaurus
Compatibility Pack for the 2007 Office system
Connect
ConvertXtoDVD 3.2.0.55
Crosstrainer
DFX for Windows Media Player
DivX Codec
eMule
Family Tree Maker 2009
Google Talk (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 13
kuler
Librarian Pro
Lizardtech DjVu Control
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Standard Edition 2003
Microsoft Primary Interoperability Assemblies 2005
Microsoft Reader
Microsoft Reader Text-to-Speech for English
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0
Moon Planting Matrix
Mozilla Firefox (3.0.8)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Natural Color Pro
neroxml
NOD32 Antivirus System
OGA Notifier 1.7.0105.35.0
PDF Settings CS4
Photoshop Camera Raw
Prevx CSI
QuickTime
Read in Microsoft Reader Add-in for Microsoft Word
Realtek High Definition Audio Driver
Security Update for Windows XP (KB923789)
Segoe UI
SnagIt 9
SolSuite 2008 v8.10
SolSuite Graphics Pack Volume 1 - v1.22
SolSuite Graphics Pack Volume 2 - v2.14
SoulSeek 157 NS 13c
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Suite Shared Configuration CS4
Trojan Remover 6.7.8
TuneUp Utilities 2007
VC 9.0 Runtime
VC 9.0 Runtime
VCRedistSetup
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Live Writer
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo!7 Messenger
Your Uninstaller! 2008 Version 6.2

Hello.

I see that you are running eMule.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

• eMule
  
• Java(TM) 6 Update 11
  
• Prevx CSI
  

Lets see if we can run this.

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (ZoneAlarm and ESET Nod32)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

ComboFix detected that ESET NOD32 antivirus system 2.70 is still active however I followed the instructions to disable it in the first instance as per the instructions in http://www.bleepingcomputer.com/forums/topic114351.html.

ComboFix is requesting I disable the scanner prior to pressing the OK button

Hello.
Do this from safe mode as all protection programs will be automatically disabled in safe mode.

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
  
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
  

Try running Combofix in safe mode now, Nod32 won't interfere.

I tried to install Windows Recovery Console with my Windows XP install disk however I receive an error message...
Setup cannot continue because the version of Windows on your computer is newer than the version on the CD.
because I am using XP SP3 however my original install disk is XP SP2.

I was given the option to uninstall SP3 by rebooting and following the CD instruction then create a recover disk so I pressed the 'X' button in the right hand corner at the top and was given the option to install the Recovery Console. However I don't know if I should proceed with installing XP Home SP 2 Recover Console.

Please advise

I haven't yet uninstalled SP3

I'm separating the log

ComboFix 09-04-01.01 - Kimina 2009-04-04 12:57:00.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1739 [GMT 10:00]
Running from: c:\documents and settings\Kimina\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kimina\Application Data\inst.exe
c:\windows\system32\FTPx.dll
c:\windows\system32\Pncrt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_FNHOJE
-------\Service_I386P
-------\Service_QWER78
-------\Service_WER32
-------\Service_XPDX


((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-04 00:40 . 2009-04-04 00:48 d-------- c:\documents and settings\Kimina\Application Data\ImgBurn
2009-04-04 00:39 . 2009-04-04 00:39 d-------- c:\program files\ImgBurn
2009-04-04 00:28 . 2000-07-21 10:40 2,048 --a------ C:\w2ksect.bin
2009-04-04 00:00 . 2009-04-04 00:21 d-------- C:\XPSetup
2009-04-03 22:44 . 2009-04-04 10:28 27,612 --a------ c:\windows\syscall.dat
2009-04-03 15:41 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-04-03 15:41 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-04-03 15:41 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-04-03 15:41 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-04-03 15:41 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-04-03 15:40 . 2009-04-03 15:41 d-------- c:\program files\Trojan Remover
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\Kimina\Application Data\Simply Super Software
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-04-02 15:27 . 2009-04-02 15:27 d-------- c:\documents and settings\Mum&Dad\Application Data\TypingMaster7
2009-04-02 15:26 . 2009-04-02 15:26 d-------- c:\documents and settings\Mum&Dad\Application Data\Malwarebytes
2009-04-02 09:30 . 2009-04-02 09:35 d-------- c:\program files\Spybot - Search & Destroy
2009-04-01 13:21 . 2009-04-01 13:26 d-------- c:\documents and settings\Kimina\Application Data\TypingMaster7
2009-04-01 12:51 . 2009-04-01 12:51 2,802 --a------ c:\windows\Sobotta.sam
2009-04-01 12:47 . 2009-04-01 12:47 338 --a------ c:\windows\Sobotta.ntz
2009-04-01 12:47 . 2009-04-01 12:48 29 --a------ c:\windows\BSL.INI
2009-04-01 08:54 . 2009-04-04 10:28 d--h-c--- c:\documents and settings\All Users\Application Data\{298A24DC-2111-4597-BF26-E3847C84C04B}
2009-03-31 14:02 . 2009-03-31 14:02 d-------- c:\documents and settings\Kimina\Application Data\XemiComputers
2009-03-30 17:03 . 2009-03-30 17:03 7,680 --ahs---- c:\windows\Thumbs.db
2009-03-30 16:06 . 2009-03-30 16:06 d-------- c:\documents and settings\Kimina\Application Data\Nero
2009-03-30 15:53 . 2009-03-30 15:53 d-------- c:\program files\Nero
2009-03-30 15:53 . 2009-04-02 15:39 d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-30 12:01 . 2009-03-30 12:01 d-------- c:\program files\SEC
2009-03-30 11:56 . 2009-03-30 11:56 d-------- c:\documents and settings\Kimina\Application Data\InstallShield
2009-03-29 16:12 . 2009-03-29 16:12 d-------- C:\Share
2009-03-29 16:12 . 2009-03-29 16:20 d-------- c:\documents and settings\Mum&Dad\Application Data\Thinstall
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\Kimina\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 17:03 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-27 13:55 . 2009-03-27 13:55 d-------- c:\program files\SonicWallES
2009-03-27 10:52 . 2009-03-31 19:20 72,584 --a------ c:\windows\zllsputility.exe
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a--c--- c:\windows\system32\dllcache\sbp2port.sys
2009-03-25 19:31 . 2009-03-25 19:31 d-------- c:\program files\Zone Labs
2009-03-25 12:01 . 2004-01-22 19:06 157,696 --a------ c:\windows\system32\unrar.dll
2009-03-25 11:52 . 2003-04-18 16:29 44,544 --a------ c:\windows\system32\msxml4a.dll
2009-03-22 19:53 . 2009-03-27 17:06 d-------- c:\program files\FLAC
2009-03-22 14:55 . 2009-04-02 20:57 dr------- c:\program files\TypingMaster
2009-03-18 10:48 . 2009-03-31 23:31 490 --a------ c:\windows\system32\spupdsvc.inf
2009-03-18 10:43 . 2009-03-18 10:43 d-------- c:\windows\system32\URTTEMP
2009-03-18 09:59 . 2009-03-18 09:59 d-------- c:\windows\system32\windows media
2009-03-18 09:56 . 2009-03-18 09:59 d--h----- c:\windows\msdownld.tmp
2009-03-18 09:55 . 2009-03-18 09:55 d-------- c:\program files\Windows Media Components
2009-03-14 09:43 . 2008-04-07 05:38 45,392 --a------ c:\windows\system32\AdobePDF.dll
2009-03-14 09:43 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iTunes
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iPod
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:34 . 2009-03-13 19:34 d-------- c:\program files\Innovative Logic
2009-03-13 19:34 . 1998-10-02 07:00 1,674,280 --a------ c:\windows\system32\OLCH2X32.OCX
2009-03-13 19:34 . 1999-11-16 11:09 222,416 --a------ c:\windows\system32\mhlist32.ocx
2009-03-13 19:34 . 2000-05-22 01:00 203,976 --a------ c:\windows\system32\RICHTX32.OCX
2009-03-13 19:34 . 1999-05-06 23:00 140,288 --a------ c:\windows\system32\comdlg32.ocx
2009-03-13 19:34 . 1998-12-17 09:29 139,264 --a------ c:\windows\system32\ccrpfd.ocx
2009-03-13 19:34 . 2000-01-03 11:50 122,880 --a------ c:\windows\system32\ftpx.ocx
2009-03-13 19:34 . 1998-06-18 01:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2009-03-13 19:34 . 1999-12-20 15:53 57,344 --a------ c:\windows\system32\BC32R60.dll
2009-03-12 18:06 . 2004-07-14 12:54 676,864 --a------ c:\windows\system32\drivers\hardlock.sys
2009-03-12 18:06 . 2009-03-12 18:06 47,616 --a------ c:\windows\system32\drivers\Haspnt.sys
2009-03-12 18:06 . 2009-03-12 18:06 6,656 --a------ c:\windows\system32\haspvdd.dll
2009-03-12 18:06 . 2009-02-02 21:07 2,577 --a------ c:\windows\system32\config.hsp
2009-03-12 18:06 . 2009-03-12 18:06 383 --a------ c:\windows\system32\haspdos.sys
2009-03-11 19:11 . 2009-04-01 13:15 d-------- c:\program files\Common Files\LightScribe
2009-03-11 13:45 . 2009-03-11 13:45 d-------- c:\documents and settings\Mum&Dad\Application Data\Ashampoo
2009-03-10 23:09 . 2009-03-10 23:09 d-------- c:\program files\LizardTech
2009-03-09 17:12 . 2009-03-25 19:36 d-------- c:\documents and settings\All Users\Application Data\Soulseek
2009-03-09 17:05 . 2009-03-09 17:11 d-------- c:\program files\SoulseekNS
2009-03-09 15:02 . 2008-04-14 10:11 81,920 --a------ c:\windows\system32\ieencode.dll
2009-03-09 13:47 . 2009-03-09 14:02 d-------- c:\program files\Windows Media Connect 2
2009-03-09 13:45 . 2009-03-10 23:53 d-------- c:\windows\system32\LogFiles
2009-03-09 13:45 . 2009-03-09 13:46 d-------- c:\windows\system32\drivers\UMDF
2009-03-08 12:38 . 2009-03-08 17:23 d-------- c:\program files\CheckPoint
2009-03-08 12:38 . 2009-03-08 12:38 144 --a------ c:\windows\system32\lkfl.dat
2009-03-08 12:38 . 2009-03-08 17:22 96 --a------ c:\windows\system32\pdfl.dat
2009-03-08 12:38 . 2009-03-08 12:38 80 --a------ c:\windows\system32\ibfl.dat
2009-03-08 11:12 . 2008-04-14 10:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-08 11:12 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-07 17:37 . 2009-04-04 11:38 d-------- c:\documents and settings\Kimina\Application Data\eMule
2009-03-07 17:09 . 2009-03-07 17:09 d-------- c:\program files\JockerSoft
2009-03-07 15:38 . 2009-04-03 19:02 230 --a------ c:\windows\wininit.ini
2009-03-07 12:20 . 2009-03-07 12:20 4,608 --ahs---- c:\windows\system32\Thumbs.db
2009-03-07 10:18 . 2009-03-07 10:18 d-------- c:\documents and settings\All Users\Application Data\LightScribe
2009-03-07 10:12 . 2009-04-01 13:37 69 --a------ c:\windows\NeroDigital.ini
2009-03-07 09:54 . 2009-03-07 09:54 d-------- c:\documents and settings\Kimina\DesktopPO_)+}}
2009-03-06 14:55 . 2009-03-06 14:55 d-------- c:\program files\VSO
2009-03-06 14:55 . 2009-03-06 14:57 d-------- c:\documents and settings\Kimina\Application Data\Vso
2009-03-06 14:55 . 2004-05-04 12:53 1,645,320 --a------ c:\windows\gdiplus.dll
2009-03-06 14:55 . 2006-05-11 20:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2009-03-06 14:55 . 2006-09-29 13:24 217,127 --a------ c:\windows\system32\drv43260.dll
2009-03-06 14:55 . 2006-09-29 13:25 208,935 --a------ c:\windows\system32\drv33260.dll
2009-03-06 14:55 . 2006-09-29 13:26 176,165 --a------ c:\windows\system32\drv23260.dll
2009-03-06 14:55 . 2007-03-18 21:37 65,602 --a------ c:\windows\system32\cook3260.dll
2009-03-06 14:55 . 2009-03-06 14:55 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-03-06 14:55 . 2009-03-06 14:55 47,360 --a------ c:\documents and settings\Kimina\Application Data\pcouffin.sys
2009-03-06 14:43 . 2009-03-06 14:43 d-------- c:\documents and settings\Kimina\Application Data\Ashampoo
2009-03-06 14:43 . 2009-03-06 14:43 d-------- c:\documents and settings\All Users\Application Data\ashampoo
2009-03-06 14:42 . 2009-04-01 13:12 d-------- c:\program files\Ashampoo
2009-03-06 14:41 . 2009-03-06 14:41 d-------- c:\program files\Xilisoft
2009-03-05 19:35 . 2009-03-29 00:05 d-------- c:\program files\Windows Live Safety Center
2009-03-05 11:42 . 2009-03-05 11:42 d-------- c:\program files\QuickTime
2009-03-05 11:06 . 2009-04-04 09:57 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 17:05 . 2009-03-04 17:05 d-------- c:\program files\Common Files\OverDrive Shared
2009-03-04 17:03 . 2009-03-04 17:03 d-------- c:\program files\Microsoft Reader
2009-03-04 17:03 . 2003-06-05 17:15 57,436 --a------ c:\windows\DASShp.dll
2009-03-04 16:55 . 2009-03-04 16:55 d-------- c:\program files\Microsoft Silverlight
2009-03-04 13:54 . 2009-03-04 13:54 d-------- c:\documents and settings\Kimina\Application Data\Librarian Pro
2009-03-04 13:53 . 2009-03-04 13:53 d-------- c:\program files\Koingo Software

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 01:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-04 01:38 --------- d-----w c:\program files\eMule
2009-04-04 01:12 168,634 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_04_11_07_38_small.dmp.zip
2009-04-04 00:38 --------- d-----w c:\program files\Java
2009-04-04 00:28 --------- d-----w c:\program files\AntiLogger
2009-04-03 22:48 --------- d-----w c:\program files\Common Files\Apple
2009-04-03 13:35 167,860 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_03_23_30_08_small.dmp.zip
2009-04-03 10:57 170,972 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_03_20_52_32_small.dmp.zip
2009-04-03 10:57 166,156 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_03_20_50_36_small.dmp.zip
2009-04-03 10:52 2,758,656 ----a-w c:\windows\Internet Logs\xDB291.tmp
2009-04-03 10:52 1,390,080 ----a-w c:\windows\Internet Logs\xDB290.tmp
2009-04-03 09:03 169,503 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_03_18_58_18_small.dmp.zip
2009-04-03 06:22 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\SolSuite
2009-04-01 10:00 --------- d-----w c:\documents and settings\Kimina\Application Data\SolSuite
2009-04-01 08:34 1,241,088 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-03-31 15:39 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-30 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-30 05:40 195,584 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-03-30 05:35 --------- d-----w c:\program files\TuneUp Utilities 2007
2009-03-29 15:28 685,568 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-03-29 15:28 2,309,632 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-03-27 20:40 130,048 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-03-27 13:33 708,096 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-25 09:55 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-25 09:55 --------- d-----w c:\program files\Lavasoft
2009-03-25 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-24 22:57 175,494 ----a-w c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_25_08_51_56_small.dmp.zip
2009-03-23 02:03 --------- d-----w c:\program files\SolSuite
2009-03-18 14:45 --------- d-----w c:\documents and settings\Kimina\Application Data\Apple Computer
2009-03-13 23:43 --------- d-----w c:\program files\Common Files\Adobe
2009-03-11 03:03 --------- d-----w c:\program files\Your Uninstaller 2008
2009-03-07 00:28 --------- d-----w c:\documents and settings\Kimina\Application Data\Thinstall
2009-03-05 04:55 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Apple Computer
2009-03-05 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-04 07:04 --------- d-----w c:\program files\Common Files\L&H
2009-03-04 07:02 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-03 10:00 --------- d-----w c:\program files\DAEMON Tools Lite
2009-03-03 03:42 --------- d-----w c:\documents and settings\All Users\Application Data\DFX
2009-03-03 03:31 --------- d-----w c:\program files\DFX
2009-03-03 03:31 --------- d-----w c:\program files\Common Files\DFX
2009-02-28 02:16 161,704 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_28_12_15_42_small.dmp.zip
2009-02-23 05:33 --------- d-----w c:\program files\TechSmith
2009-02-23 05:33 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2009-02-20 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\TreeCardGames
2009-02-17 11:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-17 09:04 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\eGames
2009-02-17 05:54 162,023 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_17_15_54_37_small.dmp.zip
2009-02-16 00:54 --------- d-----w c:\program files\Windows Sidebar
2009-02-14 03:13 --------- d-----w c:\program files\MSXML 4.0
2009-02-13 02:33 171,827 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_13_12_33_41_small.dmp.zip
2009-02-12 04:05 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-02-11 15:02 --------- d-----w c:\program files\Family Tree Maker 2009
2009-02-11 15:02 --------- d-----w c:\program files\AoA MP4 Converter
2009-02-11 14:40 --------- d-----w c:\program files\ESET
2009-02-11 07:47 --------- d-----w c:\program files\DivX
2009-02-11 07:46 --------- d-----w c:\program files\DirectX 9.0c
2009-02-10 04:57 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\TuneUp Software
2009-02-09 07:17 --------- d-----w c:\program files\Google
2009-02-09 07:09 --------- d-----w c:\documents and settings\Kimina\Application Data\URSoft
2009-02-09 07:00 --------- d-----w c:\program files\Yahoo!
2009-02-09 07:00 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-09 06:40 --------- d-----w c:\documents and settings\Kimina\Application Data\TuneUp Software
2009-02-09 06:04 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-02-09 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2009-02-08 06:34 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Canon
2009-02-07 16:20 --------- d-----w c:\program files\Microsoft.NET
2009-02-07 16:20 --------- d-----w c:\program files\Microsoft WSE
2009-02-07 16:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-07 16:19 --------- d-----w c:\program files\BCL Technologies
2009-02-07 13:50 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-07 07:36 --------- d-----w c:\program files\Java for Windows
2009-02-07 06:07 --------- d-----w c:\program files\Lingea
2009-02-06 16:44 --------- d-----w c:\documents and settings\Kimina\Application Data\Yahoo!
2009-02-05 01:55 --------- d-----w c:\documents and settings\Kimina\Application Data\SharePod
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-03 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-03 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-03 134656]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-02-03 949376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-03-26 401040]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-30 1213320]
"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2009-03-31 2277232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"GreyMSIAds"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Family Tree Maker 2009\\FTM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2009-03-31 115056]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-03 15424]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-03-27 179856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-03-27 15504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{015fc16c-09fb-11de-b244-806d6172696f}]
\Shell\AutoRun\command - F:\monsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f1c4bc2-1a54-11de-9a3b-001cc0755738}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ec9e34-f4cf-11dd-8da3-001cc0755738}]
\Shell\AutoRun\command - K:\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2052111302-839522115-1004.job
- c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-07 17:38]

2009-04-04 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]

2009-04-03 c:\windows\Tasks\Malwarebytes' Scheduled Update for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.

------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/internet/mybigpond/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {E1C2CA2F-B009-43DB-AAEB-3433D7E8F1E7} = 61.9.211.33,61.9.211.1
FF - ProfilePath - c:\documents and settings\Kimina\Application Data\Mozilla\Firefox\Profiles\aba8c5y6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/internet/mybigpond/
FF - plugin: c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 13:02:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4FDW]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DXDSS]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FAK32]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FVELWOW]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JNHJKFRN]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KHTML]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYSLDR]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ZTX86]
"ImagePath"="TRDUMMY"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-2052111302-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{01807B66-E257-323C-1350-DE894CCC4568}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iahbgcmnfbgcpnnlkl"=hex:6a,61,65,65,6c,6a,6a,64,6f,6f,61,6e,6e,6c,6f,6d,69,70,
62,65,00,00
"haneannjmbcgggem"=hex:6a,61,65,65,6c,6a,6a,64,6f,6f,61,6e,6e,6c,6f,6d,69,70,
62,65,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ESET\nod32krn.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-04-04 13:04:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-04 03:04:31

Pre-Run: 169,337,180,160 bytes free
Post-Run: 169,359,249,408 bytes free

351 --- E O F --- 2009-03-20 00:13:17

Hello.

These files
c:\windows\Internet Logs\xD***.tmp are created by Zone Alarm.
To stop the creation of these files execute this.

Open ZoneAlarm control.
Select Alerts and Logs on the left Pane.
Set Event Logging to Off.
Close ZoneAlarm control.

We have to run Combofix with additional directives. Do this from safe mode so Nod32 doesn't interfere.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\Internet Logs\vsmon_2nd_2009_04_04_11_07_38_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_23_30_08_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_20_52_32_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_20_50_36_small.dmp.zip
c:\windows\Internet Logs\xDB291.tmp
c:\windows\Internet Logs\xDB290.tmp
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_18_58_18_small.dmp.zip
c:\windows\Internet Logs\xDB6.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_25_08_51_56_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_02_28_12_15_42_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_02_17_15_54_37_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_02_13_12_33_41_small.dmp.zip

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4FDW]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DXDSS]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FAK32]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FVELWOW]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JNHJKFRN]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KHTML]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYSLDR]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ZTX86]

RegNull::
[HKEY_USERS\S-1-5-21-1214440339-2052111302-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{01807B66-E257-323C-1350-DE894CCC4568}*]

RegLock::
[HKEY_USERS\S-1-5-21-1214440339-2052111302-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{01807B66-E257-323C-1350-DE894CCC4568}*]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Good afternoon,

I was away yesterday for most of the afternoon, during that time a game was installed, I have been lead to believe the game is an illegal version.

I haven't uninstalled it yet, I prefer to take direction from yourself.

Here is my Combofix log once again posted into separate parts...


ComboFix 09-04-04.01 - Kimina 2009-04-05 12:55:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1600 [GMT 10:00]
Running from: c:\documents and settings\Kimina\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kimina\Desktop\CFscript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Internet Logs\vsmon_2nd_2009_02_13_12_33_41_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_02_17_15_54_37_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_02_28_12_15_42_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_18_58_18_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_20_50_36_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_20_52_32_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_23_30_08_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_04_11_07_38_small.dmp.zip
c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_25_08_51_56_small.dmp.zip
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB290.tmp
c:\windows\Internet Logs\xDB291.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB6.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Internet Logs\vsmon_2nd_2009_02_13_12_33_41_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_02_17_15_54_37_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_02_28_12_15_42_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_18_58_18_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_20_50_36_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_20_52_32_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_03_23_30_08_small.dmp.zip
c:\windows\Internet Logs\vsmon_2nd_2009_04_04_11_07_38_small.dmp.zip
c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_25_08_51_56_small.dmp.zip
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB290.tmp
c:\windows\Internet Logs\xDB291.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB6.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_FNHOJE
-------\Service_I386P
-------\Service_QWER78
-------\Service_WER32
-------\Service_XPDX


((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-05 11:28 . 2009-04-05 11:28 d-------- c:\program files\Eraser
2009-04-05 11:28 . 2009-04-05 11:28 d--h----- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-04-04 22:22 . 2009-04-04 22:22 d-------- c:\documents and settings\Mum&Dad\Application Data\PlayFirst
2009-04-04 22:22 . 2009-04-04 22:22 d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2009-04-04 20:23 . 2009-04-04 20:23 d-------- c:\documents and settings\Mum&Dad\Application Data\URSoft
2009-04-04 18:37 . 2009-04-04 18:37 d-------- c:\program files\Rockstar Games
2009-04-04 18:35 . 2009-04-04 20:54 d-------- c:\program files\DAEMON Tools
2009-04-04 18:35 . 2009-04-04 18:35 223,128 --a------ c:\windows\system32\drivers\dtscsi.sys
2009-04-04 18:34 . 2009-04-04 18:34 d-------- c:\documents and settings\Mum&Dad\Application Data\ImgBurn
2009-04-04 15:39 . 2009-04-04 16:23 d-------- c:\windows\system32\NtmsData
2009-04-04 14:10 . 2009-04-04 14:10 d-------- c:\program files\AskBarDis
2009-04-04 14:09 . 2009-02-16 00:10 1,221,512 --a------ c:\windows\system32\zpeng25.dll
2009-04-04 14:09 . 2009-04-05 12:57 350,192 --a------ c:\windows\system32\vsconfig.xml
2009-04-04 00:40 . 2009-04-04 00:48 d-------- c:\documents and settings\Kimina\Application Data\ImgBurn
2009-04-04 00:39 . 2009-04-04 00:39 d-------- c:\program files\ImgBurn
2009-04-04 00:28 . 2000-07-21 10:40 2,048 --a------ C:\w2ksect.bin
2009-04-04 00:00 . 2009-04-04 00:21 d-------- C:\XPSetup
2009-04-03 22:44 . 2009-04-04 10:28 27,612 --a------ c:\windows\syscall.dat
2009-04-03 15:41 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-04-03 15:41 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-04-03 15:41 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-04-03 15:41 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-04-03 15:41 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-04-03 15:40 . 2009-04-03 15:41 d-------- c:\program files\Trojan Remover
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\Kimina\Application Data\Simply Super Software
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-04-02 15:27 . 2009-04-02 15:27 d-------- c:\documents and settings\Mum&Dad\Application Data\TypingMaster7
2009-04-02 15:26 . 2009-04-02 15:26 d-------- c:\documents and settings\Mum&Dad\Application Data\Malwarebytes
2009-04-02 09:30 . 2009-04-02 09:35 d-------- c:\program files\Spybot - Search & Destroy
2009-04-01 13:21 . 2009-04-01 13:26 d-------- c:\documents and settings\Kimina\Application Data\TypingMaster7
2009-04-01 12:51 . 2009-04-01 12:51 2,802 --a------ c:\windows\Sobotta.sam
2009-04-01 12:47 . 2009-04-01 12:47 338 --a------ c:\windows\Sobotta.ntz
2009-04-01 12:47 . 2009-04-01 12:48 29 --a------ c:\windows\BSL.INI
2009-04-01 08:54 . 2009-04-04 10:28 d--h-c--- c:\documents and settings\All Users\Application Data\{298A24DC-2111-4597-BF26-E3847C84C04B}
2009-03-31 14:02 . 2009-03-31 14:02 d-------- c:\documents and settings\Kimina\Application Data\XemiComputers
2009-03-30 17:03 . 2009-03-30 17:03 7,680 --ahs---- c:\windows\Thumbs.db
2009-03-30 16:06 . 2009-03-30 16:06 d-------- c:\documents and settings\Kimina\Application Data\Nero
2009-03-30 15:53 . 2009-03-30 15:53 d-------- c:\program files\Nero
2009-03-30 15:53 . 2009-04-02 15:39 d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-30 12:01 . 2009-03-30 12:01 d-------- c:\program files\SEC
2009-03-30 11:56 . 2009-03-30 11:56 d-------- c:\documents and settings\Kimina\Application Data\InstallShield
2009-03-29 16:12 . 2009-03-29 16:12 d-------- C:\Share
2009-03-29 16:12 . 2009-03-29 16:20 d-------- c:\documents and settings\Mum&Dad\Application Data\Thinstall
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\Kimina\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 17:03 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-27 13:55 . 2009-03-27 13:55 d-------- c:\program files\SonicWallES
2009-03-27 10:52 . 2009-03-31 19:20 72,584 --a------ c:\windows\zllsputility.exe
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a--c--- c:\windows\system32\dllcache\sbp2port.sys
2009-03-25 19:31 . 2009-03-25 19:31 d-------- c:\program files\Zone Labs
2009-03-25 12:01 . 2004-01-22 19:06 157,696 --a------ c:\windows\system32\unrar.dll
2009-03-25 11:52 . 2003-04-18 16:29 44,544 --a------ c:\windows\system32\msxml4a.dll
2009-03-22 19:53 . 2009-03-27 17:06 d-------- c:\program files\FLAC
2009-03-22 14:55 . 2009-04-02 20:57 dr------- c:\program files\TypingMaster
2009-03-18 10:48 . 2009-03-31 23:31 490 --a------ c:\windows\system32\spupdsvc.inf
2009-03-18 10:43 . 2009-03-18 10:43 d-------- c:\windows\system32\URTTEMP
2009-03-18 09:59 . 2009-03-18 09:59 d-------- c:\windows\system32\windows media
2009-03-18 09:56 . 2009-03-18 09:59 d--h----- c:\windows\msdownld.tmp
2009-03-18 09:55 . 2009-03-18 09:55 d-------- c:\program files\Windows Media Components
2009-03-14 09:43 . 2008-04-07 05:38 45,392 --a------ c:\windows\system32\AdobePDF.dll
2009-03-14 09:43 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iTunes
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iPod
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:34 . 2009-03-13 19:34 d-------- c:\program files\Innovative Logic
2009-03-13 19:34 . 1998-10-02 07:00 1,674,280 --a------ c:\windows\system32\OLCH2X32.OCX
2009-03-13 19:34 . 1999-11-16 11:09 222,416 --a------ c:\windows\system32\mhlist32.ocx
2009-03-13 19:34 . 2000-05-22 01:00 203,976 --a------ c:\windows\system32\RICHTX32.OCX
2009-03-13 19:34 . 1999-05-06 23:00 140,288 --a------ c:\windows\system32\comdlg32.ocx
2009-03-13 19:34 . 1998-12-17 09:29 139,264 --a------ c:\windows\system32\ccrpfd.ocx
2009-03-13 19:34 . 2000-01-03 11:50 122,880 --a------ c:\windows\system32\ftpx.ocx
2009-03-13 19:34 . 1998-06-18 01:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2009-03-13 19:34 . 1999-12-20 15:53 57,344 --a------ c:\windows\system32\BC32R60.dll
2009-03-12 18:06 . 2004-07-14 12:54 676,864 --a------ c:\windows\system32\drivers\hardlock.sys
2009-03-12 18:06 . 2009-03-12 18:06 47,616 --a------ c:\windows\system32\drivers\Haspnt.sys
2009-03-12 18:06 . 2009-03-12 18:06 6,656 --a------ c:\windows\system32\haspvdd.dll
2009-03-12 18:06 . 2009-02-02 21:07 2,577 --a------ c:\windows\system32\config.hsp
2009-03-12 18:06 . 2009-03-12 18:06 383 --a------ c:\windows\system32\haspdos.sys
2009-03-11 19:11 . 2009-04-01 13:15 d-------- c:\program files\Common Files\LightScribe
2009-03-11 13:45 . 2009-03-11 13:45 d-------- c:\documents and settings\Mum&Dad\Application Data\Ashampoo
2009-03-10 23:09 . 2009-03-10 23:09 d-------- c:\program files\LizardTech
2009-03-09 17:12 . 2009-03-25 19:36 d-------- c:\documents and settings\All Users\Application Data\Soulseek
2009-03-09 17:05 . 2009-03-09 17:11 d-------- c:\program files\SoulseekNS
2009-03-09 15:02 . 2008-04-14 10:11 81,920 --a------ c:\windows\system32\ieencode.dll
2009-03-09 13:47 . 2009-03-09 14:02 d-------- c:\program files\Windows Media Connect 2
2009-03-09 13:45 . 2009-03-10 23:53 d-------- c:\windows\system32\LogFiles
2009-03-09 13:45 . 2009-03-09 13:46 d-------- c:\windows\system32\drivers\UMDF
2009-03-08 12:38 . 2009-03-08 17:23 d-------- c:\program files\CheckPoint
2009-03-08 12:38 . 2009-03-08 12:38 144 --a------ c:\windows\system32\lkfl.dat
2009-03-08 12:38 . 2009-03-08 17:22 96 --a------ c:\windows\system32\pdfl.dat
2009-03-08 12:38 . 2009-03-08 12:38 80 --a------ c:\windows\system32\ibfl.dat
2009-03-08 11:12 . 2008-04-14 10:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-08 11:12 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-07 17:09 . 2009-03-07 17:09 d-------- c:\program files\JockerSoft
2009-03-07 15:38 . 2009-04-04 21:47 230 --a------ c:\windows\wininit.ini
2009-03-07 12:20 . 2009-03-07 12:20 4,608 --ahs---- c:\windows\system32\Thumbs.db
2009-03-07 10:18 . 2009-03-07 10:18 d-------- c:\documents and settings\All Users\Application Data\LightScribe
2009-03-07 10:12 . 2009-04-01 13:37 69 --a------ c:\windows\NeroDigital.ini
2009-03-07 09:54 . 2009-03-07 09:54 d-------- c:\documents and settings\Kimina\DesktopPO_)+}}
2009-03-06 14:55 . 2009-03-06 14:55 d-------- c:\program files\VSO
2009-03-06 14:55 . 2009-03-06 14:57 d-------- c:\documents and settings\Kimina\Application Data\Vso
2009-03-06 14:55 . 2004-05-04 12:53 1,645,320 --a------ c:\windows\gdiplus.dll
2009-03-06 14:55 . 2006-05-11 20:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2009-03-06 14:55 . 2006-09-29 13:24 217,127 --a------ c:\windows\system32\drv43260.dll
2009-03-06 14:55 . 2006-09-29 13:25 208,935 --a------ c:\windows\system32\drv33260.dll
2009-03-06 14:55 . 2006-09-29 13:26 176,165 --a------ c:\windows\system32\drv23260.dll
2009-03-06 14:55 . 2007-03-18 21:37 65,602 --a------ c:\windows\system32\cook3260.dll
2009-03-06 14:55 . 2009-03-06 14:55 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-03-06 14:55 . 2009-03-06 14:55 47,360 --a------ c:\documents and settings\Kimina\Application Data\pcouffin.sys
2009-03-06 14:43 . 2009-03-06 14:43 d-------- c:\documents and settings\Kimina\Application Data\Ashampoo
2009-03-06 14:43 . 2009-03-06 14:43 d-------- c:\documents and settings\All Users\Application Data\ashampoo
2009-03-06 14:42 . 2009-04-01 13:12 d-------- c:\program files\Ashampoo
2009-03-06 14:41 . 2009-03-06 14:41 d-------- c:\program files\Xilisoft
2009-03-05 19:35 . 2009-03-29 00:05 d-------- c:\program files\Windows Live Safety Center
2009-03-05 11:42 . 2009-03-05 11:42 d-------- c:\program files\QuickTime
2009-03-05 11:06 . 2009-04-05 02:35 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 02:45 --------- d-----w c:\program files\ESET
2009-04-04 14:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-04 08:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 01:38 --------- d-----w c:\program files\eMule
2009-04-04 00:38 --------- d-----w c:\program files\Java
2009-04-04 00:28 --------- d-----w c:\program files\AntiLogger
2009-04-03 22:48 --------- d-----w c:\program files\Common Files\Apple
2009-04-03 06:22 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\SolSuite
2009-04-01 10:00 --------- d-----w c:\documents and settings\Kimina\Application Data\SolSuite
2009-03-30 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-30 05:35 --------- d-----w c:\program files\TuneUp Utilities 2007
2009-03-25 09:55 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-25 09:55 --------- d-----w c:\program files\Lavasoft
2009-03-25 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-23 02:03 --------- d-----w c:\program files\SolSuite
2009-03-18 14:45 --------- d-----w c:\documents and settings\Kimina\Application Data\Apple Computer
2009-03-13 23:43 --------- d-----w c:\program files\Common Files\Adobe
2009-03-11 03:03 --------- d-----w c:\program files\Your Uninstaller 2008
2009-03-07 00:28 --------- d-----w c:\documents and settings\Kimina\Application Data\Thinstall
2009-03-05 04:55 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Apple Computer
2009-03-05 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-04 07:05 --------- d-----w c:\program files\Common Files\OverDrive Shared
2009-03-04 07:04 --------- d-----w c:\program files\Common Files\L&H
2009-03-04 07:03 --------- d-----w c:\program files\Microsoft Reader
2009-03-04 07:02 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-04 06:55 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-04 03:54 --------- d-----w c:\documents and settings\Kimina\Application Data\Librarian Pro
2009-03-04 03:53 --------- d-----w c:\program files\Koingo Software
2009-03-03 10:00 --------- d-----w c:\program files\DAEMON Tools Lite
2009-03-03 03:42 --------- d-----w c:\documents and settings\All Users\Application Data\DFX
2009-03-03 03:31 --------- d-----w c:\program files\DFX
2009-03-03 03:31 --------- d-----w c:\program files\Common Files\DFX
2009-02-23 05:33 --------- d-----w c:\program files\TechSmith
2009-02-23 05:33 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2009-02-20 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\TreeCardGames
2009-02-17 11:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-17 09:04 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\eGames
2009-02-16 00:54 --------- d-----w c:\program files\Windows Sidebar
2009-02-14 03:13 --------- d-----w c:\program files\MSXML 4.0
2009-02-12 04:05 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-02-11 15:02 --------- d-----w c:\program files\Family Tree Maker 2009
2009-02-11 15:02 --------- d-----w c:\program files\AoA MP4 Converter
2009-02-11 07:47 --------- d-----w c:\program files\DivX
2009-02-11 07:46 --------- d-----w c:\program files\DirectX 9.0c
2009-02-10 04:57 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\TuneUp Software
2009-02-09 07:17 --------- d-----w c:\program files\Google
2009-02-09 07:09 --------- d-----w c:\documents and settings\Kimina\Application Data\URSoft
2009-02-09 07:00 --------- d-----w c:\program files\Yahoo!
2009-02-09 07:00 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-09 06:40 --------- d-----w c:\documents and settings\Kimina\Application Data\TuneUp Software
2009-02-09 06:04 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-02-09 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2009-02-08 06:34 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Canon
2009-02-07 16:20 --------- d-----w c:\program files\Microsoft.NET
2009-02-07 16:20 --------- d-----w c:\program files\Microsoft WSE
2009-02-07 16:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-07 16:19 --------- d-----w c:\program files\BCL Technologies
2009-02-07 13:50 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-07 07:36 --------- d-----w c:\program files\Java for Windows
2009-02-07 06:07 --------- d-----w c:\program files\Lingea
2009-02-06 16:44 --------- d-----w c:\documents and settings\Kimina\Application Data\Yahoo!
2009-02-05 01:55 --------- d-----w c:\documents and settings\Kimina\Application Data\SharePod
.

((((((((((((((((((((((((((((( SnapShot@2009-04-04_13.03.57.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-22 23:03:31 316,752 ----a-w c:\windows\system32\Eraser.dll
+ 2007-12-22 23:03:30 41,296 ----a-w c:\windows\system32\Eraserl.exe
+ 2007-12-22 23:03:33 91,472 ----a-w c:\windows\system32\Erasext.dll
+ 2001-08-17 12:36:52 1,135,616 ----a-w c:\windows\system32\ntbackup.exe
+ 2009-02-15 14:10:10 110,472 ----a-w c:\windows\system32\vsdata.dll
+ 2009-02-15 14:10:26 353,672 ----a-w c:\windows\system32\vsdatant.sys
+ 2009-02-15 14:10:10 229,256 ----a-w c:\windows\system32\vsinit.dll
+ 2009-02-15 14:10:10 107,912 ----a-w c:\windows\system32\vsmonapi.dll
+ 2009-02-15 14:10:10 309,128 ----a-w c:\windows\system32\vspubapi.dll
+ 2009-02-15 14:10:10 58,248 ----a-w c:\windows\system32\vsregexp.dll
+ 2009-02-15 14:10:10 482,184 ----a-w c:\windows\system32\vsutil.dll
+ 2009-02-15 14:10:12 35,208 ----a-w c:\windows\system32\vswmi.dll
+ 2009-02-15 14:10:12 109,960 ----a-w c:\windows\system32\vsxml.dll
+ 2009-02-15 14:10:12 69,000 ----a-w c:\windows\system32\zlcomm.dll
+ 2009-02-15 14:10:12 103,816 ----a-w c:\windows\system32\zlcommdb.dll
- 2009-04-02 04:51:23 4,212 ---ha-w c:\windows\system32\zllictbl.dat
+ 2009-04-05 02:58:00 4,212 ---ha-w c:\windows\system32\zllictbl.dat
+ 2009-02-15 14:10:06 74,632 ----a-w c:\windows\system32\ZoneLabs\camupd.dll
+ 2008-03-17 06:52:02 813,568 ----a-w c:\windows\system32\ZoneLabs\dbghelp.dll
+ 2009-02-15 14:10:06 98,184 ----a-w c:\windows\system32\ZoneLabs\fbl.dll
+ 2009-02-15 14:10:06 38,280 ----a-w c:\windows\system32\ZoneLabs\featuremap.dll
+ 2009-02-15 14:10:08 159,112 ----a-w c:\windows\system32\ZoneLabs\httpblocker.dll
+ 2009-02-04 08:27:18 548,128 ----a-w c:\windows\system32\ZoneLabs\icslta.dll
+ 2009-02-15 14:10:28 35,720 ----a-w c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
+ 2009-02-15 14:10:28 344,456 ----a-w c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2009-02-15 14:10:28 136,584 ----a-w c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
+ 2009-02-15 14:10:28 344,968 ----a-w c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2009-02-15 14:10:30 12,168 ----a-w c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2009-02-15 14:10:30 29,576 ----a-w c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2009-02-15 14:10:30 11,144 ----a-w c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll
+ 2009-02-15 14:10:30 11,656 ----a-w c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll
+ 2009-02-15 14:10:30 13,704 ----a-w c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll
+ 2009-02-15 14:10:30 10,632 ----a-w c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll
+ 2009-02-15 14:10:30 10,120 ----a-w c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll
+ 2009-02-15 14:10:30 9,608 ----a-w c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll
+ 2009-02-15 14:10:30 17,800 ----a-w c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll
+ 2009-02-15 14:10:30 188,808 ----a-w c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
+ 2009-02-15 14:10:30 34,696 ----a-w c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2009-02-15 14:10:30 84,872 ----a-w c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2009-02-15 14:10:30 24,968 ----a-w c:\windows\system32\ZoneLabs\lib\zic.zip.dll
+ 2009-02-15 14:10:30 14,216 ----a-w c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2009-02-15 14:10:30 59,272 ----a-w c:\windows\system32\ZoneLabs\lib\zpdp.zip.dll
+ 2009-02-15 14:10:32 1,536,392 ----a-w c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
+ 2009-02-15 14:10:32 20,360 ----a-w c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
+ 2009-02-15 14:10:32 151,944 ----a-w c:\windows\system32\ZoneLabs\lib\ztv.zip.dll
+ 2009-02-15 14:10:32 118,664 ----a-w c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2009-02-15 14:10:32 94,088 ----a-w c:\windows\system32\ZoneLabs\lib\zvpn.zip.dll
+ 2008-11-16 16:23:50 722,400 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
+ 2008-11-16 16:23:52 796,128 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
+ 2009-02-15 14:10:08 134,536 ----a-w c:\windows\system32\ZoneLabs\scheduler.dll
+ 2008-12-14 15:11:48 10,465,257 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2008-11-16 16:23:54 1,512,928 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
+ 2008-11-16 16:24:00 51,688 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
+ 2009-02-15 14:10:08 431,496 ----a-w c:\windows\system32\ZoneLabs\ssleay32.dll
+ 2007-10-11 06:51:34 832,984 ----a-w c:\windows\system32\ZoneLabs\updating.dll
+ 2009-02-15 14:10:22 176,520 ----a-w c:\windows\system32\ZoneLabs\updclient.exe
+ 2009-02-15 14:10:10 108,424 ----a-w c:\windows\system32\ZoneLabs\vsdb.dll
+ 2009-02-15 14:10:22 2,402,184 ----a-w c:\windows\system32\ZoneLabs\vsmon.exe
+ 2009-02-15 14:10:10 1,648,520 ----a-w c:\windows\system32\ZoneLabs\vsruledb.dll
+ 2009-02-15 14:10:12 172,936 ----a-w c:\windows\system32\ZoneLabs\vsvault.dll
+ 2008-12-14 15:11:48 10,465,257 ----a-w c:\windows\system32\ZoneLabs\zlasdbup.dat
+ 2009-02-15 14:10:12 178,568 ----a-w c:\windows\system32\ZoneLabs\zlparser.dll
+ 2009-02-15 14:10:12 97,672 ----a-w c:\windows\system32\ZoneLabs\zlquarantine.dll
+ 2009-02-15 14:10:12 302,472 ----a-w c:\windows\system32\ZoneLabs\zlsre.dll
+ 2009-02-15 14:10:14 108,424 ----a-w c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2009-04-05 02:57:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_654.dat
.
-- Snapshot reset to current date --

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-03 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-03 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-03 134656]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-02-03 949376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-03-26 401040]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-30 1213320]
"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2009-03-31 2277232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"GreyMSIAds"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Family Tree Maker 2009\\FTM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2009-03-31 115056]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-03 15424]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-04 464264]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-03-27 179856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-03-27 15504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{015fc16c-09fb-11de-b244-806d6172696f}]
\Shell\AutoRun\command - F:\monsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f1c4bc2-1a54-11de-9a3b-001cc0755738}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ec9e34-f4cf-11dd-8da3-001cc0755738}]
\Shell\AutoRun\command - K:\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2052111302-839522115-1004.job
- c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-07 17:38]

2009-04-05 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]

2009-04-04 c:\windows\Tasks\Malwarebytes' Scheduled Update for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/internet/mybigpond/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E1C2CA2F-B009-43DB-AAEB-3433D7E8F1E7} = 61.9.211.33,61.9.211.1
FF - ProfilePath - c:\documents and settings\Kimina\Application Data\Mozilla\Firefox\Profiles\aba8c5y6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/internet/mybigpond/
FF - plugin: c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 12:58:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ESET\nod32krn.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-04-05 12:59:48 - machine was rebooted [Kimina]
ComboFix-quarantined-files.txt 2009-04-05 02:59:45
ComboFix2.txt 2009-04-04 03:04:34

Pre-Run: 156,595,453,952 bytes free
Post-Run: 156,588,822,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Illy's old HDD" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="D: Spare N A D B" /noexecute=optin /fastdetect

443 --- E O F --- 2009-03-20 00:13:17

Hello.
If you think the game is illegally cracked, then uninstall it.
Better safe than sorry.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

done

How is the machine running now?

The machine is running fine right now.

How would you like me to proceed?

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Hello again,

While the machine is running fine I still have the the same trojans/malware showing up.

Please advise further.

Did your AV alert you?
Where did it find them?

the same files in exactly the same place

Spybot-S&D found

Krepper - G

(SBI $710353AD) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i386p
(SBI $BBCD2521) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\i386p
(SBI $B68258E1) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\i386p

and

Win32.Small.kj

(SBI $385B245F) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xpdx
(SBI $4CEF22AE) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xpdx

and Malwarebytes' found

Rootkit.Agent

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fak32

Rootkit.Rustock

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpdx

Lets try a manual reg fix. Combofix deleted the servers. Either something re-spawned them, or they are just leftovers.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  Windows Registry Editor Version 5.00
  
  [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i386p]
  [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\i386p]
  [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\i386p]
  [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xpdx]
  [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xpdx]
  [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fak32]
  [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpdx]
  
  

  
  
• Save this as fix.reg, save it to your desktop.
  
• Double click fix.reg to run it.
  
• Select yes to the registry merge prompt.
  

Hi again

After following your instructions I run Malwarebytes' and it finds:

Rootkit.Agent HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fak32 - Reference 33597
Rootkit.Rustock HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpdx - Reference 31435

To fix the problem it Malwarebytes' advises me to reboot.

I reboot and run it again and it comes back clean so I run Spybot-S&D and it finds Kreeper-G in the same spot as the original files.

I allow Spybot to reboot and the auto scan starts up again and I am led to believe I have cleaned them.

However once I have logged in I run Malwarebytes' just to be certain and there they are both of them.

Rootkit.Agent HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fak32 - Reference 33597
Rootkit.Rustock HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpdx - Reference 31435

This time Spybot only shows:

Win32.Small.kj

(SBI $385B245F) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xpdx

and

(SBI $B68258E1) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\i386p

(SBI $710353AD) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i386p

so one of each as left after a Spybot scan.



Please advise further.

Please download a new copy of Combofix and run it again. See what it finds this time.

ComboFix 09-04-04.01 - Kimina 2009-04-07 1:37:35.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1578 [GMT 10:00]
Running from: c:\documents and settings\Kimina\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_FNHOJE
-------\Service_I386P
-------\Service_QWER78
-------\Service_WER32
-------\Service_XPDX


((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 19:15 . 2009-04-06 19:15 d-------- c:\program files\SpywareBlaster
2009-04-06 19:14 . 2009-04-06 23:23 d-------- c:\program files\SpywareGuard
2009-04-05 15:57 . 2009-04-05 15:57 d-------- c:\documents and settings\Mum&Dad\Application Data\Simply Super Software
2009-04-05 11:28 . 2009-04-05 11:28 d-------- c:\program files\Eraser
2009-04-05 11:28 . 2009-04-05 11:28 d--h----- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-04-04 22:22 . 2009-04-04 22:22 d-------- c:\documents and settings\Mum&Dad\Application Data\PlayFirst
2009-04-04 22:22 . 2009-04-04 22:22 d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2009-04-04 20:23 . 2009-04-04 20:23 d-------- c:\documents and settings\Mum&Dad\Application Data\URSoft
2009-04-04 18:37 . 2009-04-04 18:37 d-------- c:\program files\Rockstar Games
2009-04-04 18:35 . 2009-04-04 20:54 d-------- c:\program files\DAEMON Tools
2009-04-04 18:35 . 2009-04-04 18:35 223,128 --a------ c:\windows\system32\drivers\dtscsi.sys
2009-04-04 18:34 . 2009-04-04 18:34 d-------- c:\documents and settings\Mum&Dad\Application Data\ImgBurn
2009-04-04 15:39 . 2009-04-04 16:23 d-------- c:\windows\system32\NtmsData
2009-04-04 14:10 . 2009-04-04 14:10 d-------- c:\program files\AskBarDis
2009-04-04 14:09 . 2009-02-16 00:10 1,221,512 --a------ c:\windows\system32\zpeng25.dll
2009-04-04 14:09 . 2009-04-07 01:39 350,192 --a------ c:\windows\system32\vsconfig.xml
2009-04-04 00:40 . 2009-04-04 00:48 d-------- c:\documents and settings\Kimina\Application Data\ImgBurn
2009-04-04 00:39 . 2009-04-04 00:39 d-------- c:\program files\ImgBurn
2009-04-04 00:28 . 2000-07-21 10:40 2,048 --a------ C:\w2ksect.bin
2009-04-04 00:00 . 2009-04-04 00:21 d-------- C:\XPSetup
2009-04-03 22:44 . 2009-04-04 10:28 27,612 --a------ c:\windows\syscall.dat
2009-04-03 15:41 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-04-03 15:41 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-04-03 15:41 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-04-03 15:41 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-04-03 15:41 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-04-03 15:40 . 2009-04-06 01:27 d-------- c:\program files\Trojan Remover
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\Kimina\Application Data\Simply Super Software
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-04-02 15:27 . 2009-04-02 15:27 d-------- c:\documents and settings\Mum&Dad\Application Data\TypingMaster7
2009-04-02 15:26 . 2009-04-02 15:26 d-------- c:\documents and settings\Mum&Dad\Application Data\Malwarebytes
2009-04-02 09:30 . 2009-04-02 09:35 d-------- c:\program files\Spybot - Search & Destroy
2009-04-01 13:21 . 2009-04-01 13:26 d-------- c:\documents and settings\Kimina\Application Data\TypingMaster7
2009-04-01 12:51 . 2009-04-01 12:51 2,802 --a------ c:\windows\Sobotta.sam
2009-04-01 12:47 . 2009-04-01 12:47 338 --a------ c:\windows\Sobotta.ntz
2009-04-01 12:47 . 2009-04-01 12:48 29 --a------ c:\windows\BSL.INI
2009-04-01 08:54 . 2009-04-04 10:28 d--h-c--- c:\documents and settings\All Users\Application Data\{298A24DC-2111-4597-BF26-E3847C84C04B}
2009-03-31 14:02 . 2009-03-31 14:02 d-------- c:\documents and settings\Kimina\Application Data\XemiComputers
2009-03-30 17:03 . 2009-03-30 17:03 7,680 --ahs---- c:\windows\Thumbs.db
2009-03-30 16:06 . 2009-03-30 16:06 d-------- c:\documents and settings\Kimina\Application Data\Nero
2009-03-30 15:53 . 2009-03-30 15:53 d-------- c:\program files\Nero
2009-03-30 15:53 . 2009-04-02 15:39 d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-30 12:01 . 2009-03-30 12:01 d-------- c:\program files\SEC
2009-03-30 11:56 . 2009-03-30 11:56 d-------- c:\documents and settings\Kimina\Application Data\InstallShield
2009-03-29 16:12 . 2009-03-29 16:12 d-------- C:\Share
2009-03-29 16:12 . 2009-03-29 16:20 d-------- c:\documents and settings\Mum&Dad\Application Data\Thinstall
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\Kimina\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 17:03 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-27 13:55 . 2009-03-27 13:55 d-------- c:\program files\SonicWallES
2009-03-27 10:52 . 2009-03-31 19:20 72,584 --a------ c:\windows\zllsputility.exe
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a--c--- c:\windows\system32\dllcache\sbp2port.sys
2009-03-25 19:31 . 2009-03-25 19:31 d-------- c:\program files\Zone Labs
2009-03-25 12:01 . 2004-01-22 19:06 157,696 --a------ c:\windows\system32\unrar.dll
2009-03-25 11:52 . 2003-04-18 16:29 44,544 --a------ c:\windows\system32\msxml4a.dll
2009-03-22 19:53 . 2009-03-27 17:06 d-------- c:\program files\FLAC
2009-03-22 14:55 . 2009-04-02 20:57 dr------- c:\program files\TypingMaster
2009-03-18 10:48 . 2009-03-31 23:31 490 --a------ c:\windows\system32\spupdsvc.inf
2009-03-18 10:43 . 2009-03-18 10:43 d-------- c:\windows\system32\URTTEMP
2009-03-18 09:59 . 2009-03-18 09:59 d-------- c:\windows\system32\windows media
2009-03-18 09:56 . 2009-03-18 09:59 d--h----- c:\windows\msdownld.tmp
2009-03-18 09:55 . 2009-03-18 09:55 d-------- c:\program files\Windows Media Components
2009-03-14 09:43 . 2008-04-07 05:38 45,392 --a------ c:\windows\system32\AdobePDF.dll
2009-03-14 09:43 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iTunes
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iPod
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:34 . 2009-03-13 19:34 d-------- c:\program files\Innovative Logic
2009-03-13 19:34 . 1998-10-02 07:00 1,674,280 --a------ c:\windows\system32\OLCH2X32.OCX
2009-03-13 19:34 . 1999-11-16 11:09 222,416 --a------ c:\windows\system32\mhlist32.ocx
2009-03-13 19:34 . 2000-05-22 01:00 203,976 --a------ c:\windows\system32\RICHTX32.OCX
2009-03-13 19:34 . 1999-05-06 23:00 140,288 --a------ c:\windows\system32\comdlg32.ocx
2009-03-13 19:34 . 1998-12-17 09:29 139,264 --a------ c:\windows\system32\ccrpfd.ocx
2009-03-13 19:34 . 2000-01-03 11:50 122,880 --a------ c:\windows\system32\ftpx.ocx
2009-03-13 19:34 . 1998-06-18 01:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2009-03-13 19:34 . 1999-12-20 15:53 57,344 --a------ c:\windows\system32\BC32R60.dll
2009-03-12 18:06 . 2004-07-14 12:54 676,864 --a------ c:\windows\system32\drivers\hardlock.sys
2009-03-12 18:06 . 2009-03-12 18:06 47,616 --a------ c:\windows\system32\drivers\Haspnt.sys
2009-03-12 18:06 . 2009-03-12 18:06 6,656 --a------ c:\windows\system32\haspvdd.dll
2009-03-12 18:06 . 2009-02-02 21:07 2,577 --a------ c:\windows\system32\config.hsp
2009-03-12 18:06 . 2009-03-12 18:06 383 --a------ c:\windows\system32\haspdos.sys
2009-03-11 19:11 . 2009-04-01 13:15 d-------- c:\program files\Common Files\LightScribe
2009-03-11 13:45 . 2009-03-11 13:45 d-------- c:\documents and settings\Mum&Dad\Application Data\Ashampoo
2009-03-10 23:09 . 2009-03-10 23:09 d-------- c:\program files\LizardTech
2009-03-09 17:12 . 2009-03-25 19:36 d-------- c:\documents and settings\All Users\Application Data\Soulseek
2009-03-09 17:05 . 2009-03-09 17:11 d-------- c:\program files\SoulseekNS
2009-03-09 15:02 . 2008-04-14 10:11 81,920 --a------ c:\windows\system32\ieencode.dll
2009-03-09 13:47 . 2009-03-09 14:02 d-------- c:\program files\Windows Media Connect 2
2009-03-09 13:45 . 2009-03-10 23:53 d-------- c:\windows\system32\LogFiles
2009-03-09 13:45 . 2009-03-09 13:46 d-------- c:\windows\system32\drivers\UMDF
2009-03-08 12:38 . 2009-03-08 17:23 d-------- c:\program files\CheckPoint
2009-03-08 12:38 . 2009-03-08 12:38 144 --a------ c:\windows\system32\lkfl.dat
2009-03-08 12:38 . 2009-03-08 17:22 96 --a------ c:\windows\system32\pdfl.dat
2009-03-08 12:38 . 2009-03-08 12:38 80 --a------ c:\windows\system32\ibfl.dat
2009-03-08 11:12 . 2008-04-14 10:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-08 11:12 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-07 17:09 . 2009-03-07 17:09 d-------- c:\program files\JockerSoft
2009-03-07 15:38 . 2009-04-04 21:47 230 --a------ c:\windows\wininit.ini
2009-03-07 12:20 . 2009-03-07 12:20 4,608 --ahs---- c:\windows\system32\Thumbs.db
2009-03-07 10:18 . 2009-03-07 10:18 d-------- c:\documents and settings\All Users\Application Data\LightScribe
2009-03-07 10:12 . 2009-04-01 13:37 69 --a------ c:\windows\NeroDigital.ini
2009-03-07 09:54 . 2009-03-07 09:54 d-------- c:\documents and settings\Kimina\DesktopPO_)+}}
2009-03-06 14:55 . 2009-03-06 14:55 d-------- c:\program files\VSO
2009-03-06 14:55 . 2009-03-06 14:57 d-------- c:\documents and settings\Kimina\Application Data\Vso
2009-03-06 14:55 . 2004-05-04 12:53 1,645,320 --a------ c:\windows\gdiplus.dll
2009-03-06 14:55 . 2006-05-11 20:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2009-03-06 14:55 . 2006-09-29 13:24 217,127 --a------ c:\windows\system32\drv43260.dll
2009-03-06 14:55 . 2006-09-29 13:25 208,935 --a------ c:\windows\system32\drv33260.dll
2009-03-06 14:55 . 2006-09-29 13:26 176,165 --a------ c:\windows\system32\drv23260.dll
2009-03-06 14:55 . 2007-03-18 21:37 65,602 --a------ c:\windows\system32\cook3260.dll
2009-03-06 14:55 . 2009-03-06 14:55 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-03-06 14:55 . 2009-03-06 14:55 47,360 --a------ c:\documents and settings\Kimina\Application Data\pcouffin.sys
2009-03-06 14:43 . 2009-03-06 14:43 d-------- c:\documents and settings\Kimina\Application Data\Ashampoo
2009-03-06 14:43 . 2009-03-06 14:43 d-------- c:\documents and settings\All Users\Application Data\ashampoo
2009-03-06 14:42 . 2009-04-01 13:12 d-------- c:\program files\Ashampoo
2009-03-06 14:41 . 2009-03-06 14:41 d-------- c:\program files\Xilisoft

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 02:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-06 00:24 --------- d-----w c:\program files\QuickTime
2009-04-05 15:40 --------- d-----w c:\documents and settings\Kimina\Application Data\Adobe-BackupByPhotoshopPortable
2009-04-05 05:12 --------- d-----w c:\documents and settings\Kimina\Application Data\Thinstall
2009-04-05 02:45 --------- d-----w c:\program files\ESET
2009-04-04 16:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-04 08:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 01:38 --------- d-----w c:\program files\eMule
2009-04-04 00:38 --------- d-----w c:\program files\Java
2009-04-04 00:28 --------- d-----w c:\program files\AntiLogger
2009-04-03 22:48 --------- d-----w c:\program files\Common Files\Apple
2009-04-03 06:22 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\SolSuite
2009-04-01 10:00 --------- d-----w c:\documents and settings\Kimina\Application Data\SolSuite
2009-03-30 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-30 05:35 --------- d-----w c:\program files\TuneUp Utilities 2007
2009-03-28 14:05 --------- d-----w c:\program files\Windows Live Safety Center
2009-03-25 09:55 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-25 09:55 --------- d-----w c:\program files\Lavasoft
2009-03-25 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-23 02:03 --------- d-----w c:\program files\SolSuite
2009-03-18 14:45 --------- d-----w c:\documents and settings\Kimina\Application Data\Apple Computer
2009-03-13 23:43 --------- d-----w c:\program files\Common Files\Adobe
2009-03-11 03:03 --------- d-----w c:\program files\Your Uninstaller 2008
2009-03-05 04:55 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Apple Computer
2009-03-05 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-04 07:05 --------- d-----w c:\program files\Common Files\OverDrive Shared
2009-03-04 07:04 --------- d-----w c:\program files\Common Files\L&H
2009-03-04 07:03 --------- d-----w c:\program files\Microsoft Reader
2009-03-04 07:02 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-04 06:55 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-04 03:54 --------- d-----w c:\documents and settings\Kimina\Application Data\Librarian Pro
2009-03-04 03:53 --------- d-----w c:\program files\Koingo Software
2009-03-03 10:00 --------- d-----w c:\program files\DAEMON Tools Lite
2009-03-03 03:42 --------- d-----w c:\documents and settings\All Users\Application Data\DFX
2009-03-03 03:31 --------- d-----w c:\program files\DFX
2009-03-03 03:31 --------- d-----w c:\program files\Common Files\DFX
2009-02-23 05:33 --------- d-----w c:\program files\TechSmith
2009-02-23 05:33 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2009-02-20 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\TreeCardGames
2009-02-17 11:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-17 09:04 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\eGames
2009-02-16 00:54 --------- d-----w c:\program files\Windows Sidebar
2009-02-14 03:13 --------- d-----w c:\program files\MSXML 4.0
2009-02-12 10:40 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe-BackupByPhotoshopPortable
2009-02-12 04:05 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-02-11 15:02 --------- d-----w c:\program files\Family Tree Maker 2009
2009-02-11 15:02 --------- d-----w c:\program files\AoA MP4 Converter
2009-02-11 07:47 --------- d-----w c:\program files\DivX
2009-02-11 07:46 --------- d-----w c:\program files\DirectX 9.0c
2009-02-10 04:57 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\TuneUp Software
2009-02-09 07:17 --------- d-----w c:\program files\Google
2009-02-09 07:09 --------- d-----w c:\documents and settings\Kimina\Application Data\URSoft
2009-02-09 07:00 --------- d-----w c:\program files\Yahoo!
2009-02-09 07:00 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-09 06:40 --------- d-----w c:\documents and settings\Kimina\Application Data\TuneUp Software
2009-02-09 06:04 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-02-09 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2009-02-08 06:34 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Canon
2009-02-07 16:20 --------- d-----w c:\program files\Microsoft.NET
2009-02-07 16:20 --------- d-----w c:\program files\Microsoft WSE
2009-02-07 16:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-07 16:19 --------- d-----w c:\program files\BCL Technologies
2009-02-07 13:50 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-07 07:36 --------- d-----w c:\program files\Java for Windows
2009-02-07 06:07 --------- d-----w c:\program files\Lingea
2009-02-06 16:44 --------- d-----w c:\documents and settings\Kimina\Application Data\Yahoo!
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-03 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-03 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-03 134656]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-02-03 949376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-03-26 401040]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-30 1213320]
"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2009-03-31 2277232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Kimina\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"GreyMSIAds"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Family Tree Maker 2009\\FTM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2009-03-31 115056]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-03 15424]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-04 464264]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-03-27 179856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-03-27 15504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{015fc16c-09fb-11de-b244-806d6172696f}]
\Shell\AutoRun\command - F:\monsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f1c4bc2-1a54-11de-9a3b-001cc0755738}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ec9e34-f4cf-11dd-8da3-001cc0755738}]
\Shell\AutoRun\command - K:\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2052111302-839522115-1004.job
- c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-07 17:38]

2009-04-05 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]

2009-04-06 c:\windows\Tasks\Malwarebytes' Scheduled Update for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/internet/mybigpond/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {E1C2CA2F-B009-43DB-AAEB-3433D7E8F1E7} = 61.9.211.33,61.9.211.1
FF - ProfilePath - c:\documents and settings\Kimina\Application Data\Mozilla\Firefox\Profiles\aba8c5y6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/internet/mybigpond/
FF - plugin: c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 01:41:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4FDW]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DXDSS]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FVELWOW]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JNHJKFRN]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KHTML]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYSLDR]
"ImagePath"="TRDUMMY"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ZTX86]
"ImagePath"="TRDUMMY"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ESET\nod32krn.exe
c:\windows\system32\igfxsrvc.exe
c:\combofix\hidec.exe
c:\windows\system32\wscntfy.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-04-07 1:44:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 15:43:16
ComboFix2.txt 2009-04-05 02:59:48

Pre-Run: 180,710,002,688 bytes free
Post-Run: 180,658,348,032 bytes free

349 --- E O F --- 2009-03-20 00:13:17

Hello.

I strongly recommend you to remove Ask from your computer because it's:

• Promoting its toolbars on sites targeted to kids.
  
• Promoting its toolbars through ads that appear to be part of other companies' sites.
  
• Promoting its toolbars through other companies' spyware.
  
• Installing without any disclosure whatsoever and without any consent whatsoever.
  
• Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  
• Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
  

See Here for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

• Ask Toolbar
  

Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Folder::
c:\program files\eMule

Driver::
ASKService

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4FDW]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DXDSS]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FVELWOW]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JNHJKFRN]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KHTML]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYSLDR]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ZTX86]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

ComboFix 09-04-04.01 - Kimina 2009-04-07 2:16:55.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1598 [GMT 10:00]
Running from: c:\documents and settings\Kimina\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kimina\Desktop\CFscript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\eMule

.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 19:15 . 2009-04-06 19:15 d-------- c:\program files\SpywareBlaster
2009-04-06 19:14 . 2009-04-06 23:23 d-------- c:\program files\SpywareGuard
2009-04-05 15:57 . 2009-04-05 15:57 d-------- c:\documents and settings\Mum&Dad\Application Data\Simply Super Software
2009-04-05 11:28 . 2009-04-05 11:28 d-------- c:\program files\Eraser
2009-04-05 11:28 . 2009-04-05 11:28 d--h----- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-04-04 22:22 . 2009-04-04 22:22 d-------- c:\documents and settings\Mum&Dad\Application Data\PlayFirst
2009-04-04 22:22 . 2009-04-04 22:22 d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2009-04-04 20:23 . 2009-04-04 20:23 d-------- c:\documents and settings\Mum&Dad\Application Data\URSoft
2009-04-04 18:37 . 2009-04-04 18:37 d-------- c:\program files\Rockstar Games
2009-04-04 18:35 . 2009-04-04 20:54 d-------- c:\program files\DAEMON Tools
2009-04-04 18:35 . 2009-04-04 18:35 223,128 --a------ c:\windows\system32\drivers\dtscsi.sys
2009-04-04 18:34 . 2009-04-04 18:34 d-------- c:\documents and settings\Mum&Dad\Application Data\ImgBurn
2009-04-04 15:39 . 2009-04-04 16:23 d-------- c:\windows\system32\NtmsData
2009-04-04 14:09 . 2009-02-16 00:10 1,221,512 --a------ c:\windows\system32\zpeng25.dll
2009-04-04 14:09 . 2009-04-07 02:18 350,192 --a------ c:\windows\system32\vsconfig.xml
2009-04-04 00:40 . 2009-04-04 00:48 d-------- c:\documents and settings\Kimina\Application Data\ImgBurn
2009-04-04 00:39 . 2009-04-04 00:39 d-------- c:\program files\ImgBurn
2009-04-04 00:28 . 2000-07-21 10:40 2,048 --a------ C:\w2ksect.bin
2009-04-04 00:00 . 2009-04-04 00:21 d-------- C:\XPSetup
2009-04-03 22:44 . 2009-04-04 10:28 27,612 --a------ c:\windows\syscall.dat
2009-04-03 15:41 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-04-03 15:41 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-04-03 15:41 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-04-03 15:41 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-04-03 15:41 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-04-03 15:40 . 2009-04-06 01:27 d-------- c:\program files\Trojan Remover
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\Kimina\Application Data\Simply Super Software
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-04-02 15:27 . 2009-04-02 15:27 d-------- c:\documents and settings\Mum&Dad\Application Data\TypingMaster7
2009-04-02 15:26 . 2009-04-02 15:26 d-------- c:\documents and settings\Mum&Dad\Application Data\Malwarebytes
2009-04-02 09:30 . 2009-04-02 09:35 d-------- c:\program files\Spybot - Search & Destroy
2009-04-01 13:21 . 2009-04-01 13:26 d-------- c:\documents and settings\Kimina\Application Data\TypingMaster7
2009-04-01 12:51 . 2009-04-01 12:51 2,802 --a------ c:\windows\Sobotta.sam
2009-04-01 12:47 . 2009-04-01 12:47 338 --a------ c:\windows\Sobotta.ntz
2009-04-01 12:47 . 2009-04-01 12:48 29 --a------ c:\windows\BSL.INI
2009-04-01 08:54 . 2009-04-04 10:28 d--h-c--- c:\documents and settings\All Users\Application Data\{298A24DC-2111-4597-BF26-E3847C84C04B}
2009-03-31 14:02 . 2009-03-31 14:02 d-------- c:\documents and settings\Kimina\Application Data\XemiComputers
2009-03-30 17:03 . 2009-03-30 17:03 7,680 --ahs---- c:\windows\Thumbs.db
2009-03-30 16:06 . 2009-03-30 16:06 d-------- c:\documents and settings\Kimina\Application Data\Nero
2009-03-30 15:53 . 2009-03-30 15:53 d-------- c:\program files\Nero
2009-03-30 15:53 . 2009-04-02 15:39 d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-30 12:01 . 2009-03-30 12:01 d-------- c:\program files\SEC
2009-03-30 11:56 . 2009-03-30 11:56 d-------- c:\documents and settings\Kimina\Application Data\InstallShield
2009-03-29 16:12 . 2009-03-29 16:12 d-------- C:\Share
2009-03-29 16:12 . 2009-03-29 16:20 d-------- c:\documents and settings\Mum&Dad\Application Data\Thinstall
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\Kimina\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 17:03 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-27 13:55 . 2009-03-27 13:55 d-------- c:\program files\SonicWallES
2009-03-27 10:52 . 2009-03-31 19:20 72,584 --a------ c:\windows\zllsputility.exe
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a--c--- c:\windows\system32\dllcache\sbp2port.sys
2009-03-25 19:31 . 2009-03-25 19:31 d-------- c:\program files\Zone Labs
2009-03-25 12:01 . 2004-01-22 19:06 157,696 --a------ c:\windows\system32\unrar.dll
2009-03-25 11:52 . 2003-04-18 16:29 44,544 --a------ c:\windows\system32\msxml4a.dll
2009-03-22 19:53 . 2009-03-27 17:06 d-------- c:\program files\FLAC
2009-03-22 14:55 . 2009-04-02 20:57 dr------- c:\program files\TypingMaster
2009-03-18 10:48 . 2009-03-31 23:31 490 --a------ c:\windows\system32\spupdsvc.inf
2009-03-18 10:43 . 2009-03-18 10:43 d-------- c:\windows\system32\URTTEMP
2009-03-18 09:59 . 2009-03-18 09:59 d-------- c:\windows\system32\windows media
2009-03-18 09:56 . 2009-03-18 09:59 d--h----- c:\windows\msdownld.tmp
2009-03-18 09:55 . 2009-03-18 09:55 d-------- c:\program files\Windows Media Components
2009-03-14 09:43 . 2008-04-07 05:38 45,392 --a------ c:\windows\system32\AdobePDF.dll
2009-03-14 09:43 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iTunes
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iPod
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:34 . 2009-03-13 19:34 d-------- c:\program files\Innovative Logic
2009-03-13 19:34 . 1998-10-02 07:00 1,674,280 --a------ c:\windows\system32\OLCH2X32.OCX
2009-03-13 19:34 . 1999-11-16 11:09 222,416 --a------ c:\windows\system32\mhlist32.ocx
2009-03-13 19:34 . 2000-05-22 01:00 203,976 --a------ c:\windows\system32\RICHTX32.OCX
2009-03-13 19:34 . 1999-05-06 23:00 140,288 --a------ c:\windows\system32\comdlg32.ocx
2009-03-13 19:34 . 1998-12-17 09:29 139,264 --a------ c:\windows\system32\ccrpfd.ocx
2009-03-13 19:34 . 2000-01-03 11:50 122,880 --a------ c:\windows\system32\ftpx.ocx
2009-03-13 19:34 . 1998-06-18 01:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2009-03-13 19:34 . 1999-12-20 15:53 57,344 --a------ c:\windows\system32\BC32R60.dll
2009-03-12 18:06 . 2004-07-14 12:54 676,864 --a------ c:\windows\system32\drivers\hardlock.sys
2009-03-12 18:06 . 2009-03-12 18:06 47,616 --a------ c:\windows\system32\drivers\Haspnt.sys
2009-03-12 18:06 . 2009-03-12 18:06 6,656 --a------ c:\windows\system32\haspvdd.dll
2009-03-12 18:06 . 2009-02-02 21:07 2,577 --a------ c:\windows\system32\config.hsp
2009-03-12 18:06 . 2009-03-12 18:06 383 --a------ c:\windows\system32\haspdos.sys
2009-03-11 19:11 . 2009-04-01 13:15 d-------- c:\program files\Common Files\LightScribe
2009-03-11 13:45 . 2009-03-11 13:45 d-------- c:\documents and settings\Mum&Dad\Application Data\Ashampoo
2009-03-10 23:09 . 2009-03-10 23:09 d-------- c:\program files\LizardTech
2009-03-09 17:12 . 2009-03-25 19:36 d-------- c:\documents and settings\All Users\Application Data\Soulseek
2009-03-09 17:05 . 2009-03-09 17:11 d-------- c:\program files\SoulseekNS
2009-03-09 15:02 . 2008-04-14 10:11 81,920 --a------ c:\windows\system32\ieencode.dll
2009-03-09 13:47 . 2009-03-09 14:02 d-------- c:\program files\Windows Media Connect 2
2009-03-09 13:45 . 2009-03-10 23:53 d-------- c:\windows\system32\LogFiles
2009-03-09 13:45 . 2009-03-09 13:46 d-------- c:\windows\system32\drivers\UMDF
2009-03-08 12:38 . 2009-03-08 17:23 d-------- c:\program files\CheckPoint
2009-03-08 12:38 . 2009-03-08 12:38 144 --a------ c:\windows\system32\lkfl.dat
2009-03-08 12:38 . 2009-03-08 17:22 96 --a------ c:\windows\system32\pdfl.dat
2009-03-08 12:38 . 2009-03-08 12:38 80 --a------ c:\windows\system32\ibfl.dat
2009-03-08 11:12 . 2008-04-14 10:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-08 11:12 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-07 17:09 . 2009-03-07 17:09 d-------- c:\program files\JockerSoft
2009-03-07 15:38 . 2009-04-04 21:47 230 --a------ c:\windows\wininit.ini
2009-03-07 12:20 . 2009-03-07 12:20 4,608 --ahs---- c:\windows\system32\Thumbs.db
2009-03-07 10:18 . 2009-03-07 10:18 d-------- c:\documents and settings\All Users\Application Data\LightScribe
2009-03-07 10:12 . 2009-04-01 13:37 69 --a------ c:\windows\NeroDigital.ini
2009-03-07 09:54 . 2009-03-07 09:54 d-------- c:\documents and settings\Kimina\DesktopPO_)+}}
2009-03-06 14:55 . 2009-03-06 14:55 d-------- c:\program files\VSO
2009-03-06 14:55 . 2009-03-06 14:57 d-------- c:\documents and settings\Kimina\Application Data\Vso
2009-03-06 14:55 . 2004-05-04 12:53 1,645,320 --a------ c:\windows\gdiplus.dll
2009-03-06 14:55 . 2006-05-11 20:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2009-03-06 14:55 . 2006-09-29 13:24 217,127 --a------ c:\windows\system32\drv43260.dll
2009-03-06 14:55 . 2006-09-29 13:25 208,935 --a------ c:\windows\system32\drv33260.dll
2009-03-06 14:55 . 2006-09-29 13:26 176,165 --a------ c:\windows\system32\drv23260.dll
2009-03-06 14:55 . 2007-03-18 21:37 65,602 --a------ c:\windows\system32\cook3260.dll
2009-03-06 14:55 . 2009-03-06 14:55 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-03-06 14:55 . 2009-03-06 14:55 47,360 --a------ c:\documents and settings\Kimina\Application Data\pcouffin.sys
2009-03-06 14:43 . 2009-03-06 14:43 d-------- c:\documents and settings\Kimina\Application Data\Ashampoo
2009-03-06 14:43 . 2009-03-06 14:43 d-------- c:\documents and settings\All Users\Application Data\ashampoo
2009-03-06 14:42 . 2009-04-01 13:12 d-------- c:\program files\Ashampoo
2009-03-06 14:41 . 2009-03-06 14:41 d-------- c:\program files\Xilisoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 16:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-06 00:24 --------- d-----w c:\program files\QuickTime
2009-04-05 15:40 --------- d-----w c:\documents and settings\Kimina\Application Data\Adobe-BackupByPhotoshopPortable
2009-04-05 05:12 --------- d-----w c:\documents and settings\Kimina\Application Data\Thinstall
2009-04-05 02:45 --------- d-----w c:\program files\ESET
2009-04-04 16:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-04 08:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 00:38 --------- d-----w c:\program files\Java
2009-04-04 00:28 --------- d-----w c:\program files\AntiLogger
2009-04-03 22:48 --------- d-----w c:\program files\Common Files\Apple
2009-04-03 06:22 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\SolSuite
2009-04-01 10:00 --------- d-----w c:\documents and settings\Kimina\Application Data\SolSuite
2009-03-30 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-30 05:35 --------- d-----w c:\program files\TuneUp Utilities 2007
2009-03-28 14:05 --------- d-----w c:\program files\Windows Live Safety Center
2009-03-25 09:55 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-25 09:55 --------- d-----w c:\program files\Lavasoft
2009-03-25 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-23 02:03 --------- d-----w c:\program files\SolSuite
2009-03-18 14:45 --------- d-----w c:\documents and settings\Kimina\Application Data\Apple Computer
2009-03-13 23:43 --------- d-----w c:\program files\Common Files\Adobe
2009-03-11 03:03 --------- d-----w c:\program files\Your Uninstaller 2008
2009-03-05 04:55 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Apple Computer
2009-03-05 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-04 07:05 --------- d-----w c:\program files\Common Files\OverDrive Shared
2009-03-04 07:04 --------- d-----w c:\program files\Common Files\L&H
2009-03-04 07:03 --------- d-----w c:\program files\Microsoft Reader
2009-03-04 07:02 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-04 06:55 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-04 03:54 --------- d-----w c:\documents and settings\Kimina\Application Data\Librarian Pro
2009-03-04 03:53 --------- d-----w c:\program files\Koingo Software
2009-03-03 10:00 --------- d-----w c:\program files\DAEMON Tools Lite
2009-03-03 03:42 --------- d-----w c:\documents and settings\All Users\Application Data\DFX
2009-03-03 03:31 --------- d-----w c:\program files\DFX
2009-03-03 03:31 --------- d-----w c:\program files\Common Files\DFX
2009-02-23 05:33 --------- d-----w c:\program files\TechSmith
2009-02-23 05:33 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2009-02-20 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\TreeCardGames
2009-02-17 11:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-17 09:04 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\eGames
2009-02-16 00:54 --------- d-----w c:\program files\Windows Sidebar
2009-02-14 03:13 --------- d-----w c:\program files\MSXML 4.0
2009-02-12 10:40 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe-BackupByPhotoshopPortable
2009-02-12 04:05 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-02-11 15:02 --------- d-----w c:\program files\Family Tree Maker 2009
2009-02-11 15:02 --------- d-----w c:\program files\AoA MP4 Converter
2009-02-11 07:47 --------- d-----w c:\program files\DivX
2009-02-11 07:46 --------- d-----w c:\program files\DirectX 9.0c
2009-02-10 04:57 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\TuneUp Software
2009-02-09 07:17 --------- d-----w c:\program files\Google
2009-02-09 07:09 --------- d-----w c:\documents and settings\Kimina\Application Data\URSoft
2009-02-09 07:00 --------- d-----w c:\program files\Yahoo!
2009-02-09 07:00 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-09 06:40 --------- d-----w c:\documents and settings\Kimina\Application Data\TuneUp Software
2009-02-09 06:04 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-02-09 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2009-02-08 06:34 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Canon
2009-02-07 16:20 --------- d-----w c:\program files\Microsoft.NET
2009-02-07 16:20 --------- d-----w c:\program files\Microsoft WSE
2009-02-07 16:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-07 16:19 --------- d-----w c:\program files\BCL Technologies
2009-02-07 13:50 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-07 07:36 --------- d-----w c:\program files\Java for Windows
2009-02-07 06:07 --------- d-----w c:\program files\Lingea
2009-02-06 16:44 --------- d-----w c:\documents and settings\Kimina\Application Data\Yahoo!
.

((((((((((((((((((((((((((((( SnapShot@2009-04-07_ 1.42.41.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-06 15:40:14 4,212 ---ha-w c:\windows\system32\zllictbl.dat
+ 2009-04-06 16:19:26 4,212 ---ha-w c:\windows\system32\zllictbl.dat
+ 2009-04-06 16:18:54 16,384 ----atw c:\windows\temp\Perflib_Perfdata_68c.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-03 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-03 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-03 134656]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-02-03 949376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-03-26 401040]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-30 1213320]
"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2009-03-31 2277232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Kimina\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"GreyMSIAds"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Family Tree Maker 2009\\FTM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2009-03-31 115056]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-03 15424]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-03-27 179856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-03-27 15504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{015fc16c-09fb-11de-b244-806d6172696f}]
\Shell\AutoRun\command - F:\monsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f1c4bc2-1a54-11de-9a3b-001cc0755738}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ec9e34-f4cf-11dd-8da3-001cc0755738}]
\Shell\AutoRun\command - K:\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2052111302-839522115-1004.job
- c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-07 17:38]

2009-04-05 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]

2009-04-06 c:\windows\Tasks\Malwarebytes' Scheduled Update for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/internet/mybigpond/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E1C2CA2F-B009-43DB-AAEB-3433D7E8F1E7} = 61.9.211.33,61.9.211.1
FF - ProfilePath - c:\documents and settings\Kimina\Application Data\Mozilla\Firefox\Profiles\aba8c5y6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/internet/mybigpond/
FF - plugin: c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 02:21:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ESET\nod32krn.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-04-07 2:22:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 16:22:33
ComboFix2.txt 2009-04-06 15:44:35
ComboFix3.txt 2009-04-05 02:59:48

Pre-Run: 180,593,336,320 bytes free
Post-Run: 180,576,178,176 bytes free

322 --- E O F --- 2009-03-20 00:13:17

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure Teatimer is disable before we do this, otherwise this fix will fail.

Once TeaTimer is disabled, download this file ResetTeaTimer.bat.
If you use using Firefox, right click the link and choose "Save Link As..."
Double click on ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Let me know how the machine is running now.

Hi Belahzur,

I've run scans with Malwarebytes' and Spybot, rebooted and run them both again.

So far there is no sign of an infection.

The link for ResetTeaTimer.bat is not working, I have tried it in IE, Firefox and Chrome.

Please advise further.

Doesn't matter than.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

Oops...my mistake, it turns out I unchecked Resident in the right hand column instead of highlighting it in the left hand column then unchecking Resident Tea Timer in the right hand column.

I ran the .bat file and uninstalled ComboFix.

Thank you so much for time and help.

I'll have a look at the feedback form as soon as I wake up in a few hours.

Hello again Belahzur,

Just when we thought it was safe to go back into the water....

I don't know what has changed other than I had dialup speed for one day then I reboot my PC this morning and find that I am infected again...
Krepper G is the same as before in Spybot S&D

(SBI $710353AD) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i386p
(SBI $BBCD2521) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\i386p
(SBI $B68258E1) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\i386p

and

Win32.Small.kj

(SBI $4CEF22AE) System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xpdx

Please advise me further

What did you do after we cleaned this up?

Run any programs? because any one of what you run could possibly be infected.

Download and run Combofix again.

I ran standard programs I normally run yesterday after the clean up, I also ran another scan before I went to bed and everything was fine.

No trace of infection in NOD32, Spybot S&D or Malwarebytes'.

This evening when a scan was run the infection was picked up.

I ran Adobe Acrobat Professional 9 this afternoon, MS Outlook, MS Word, MS Excel and someone in the household played a game.

here is the log...

ComboFix 09-04-04.01 - Kimina 2009-04-09 1:42:46.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1541 [GMT 10:00]
Running from: c:\documents and settings\Kimina\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_FNHOJE
-------\Service_I386P
-------\Service_QWER78
-------\Service_WER32


((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

2009-04-07 13:42 . 2009-04-07 13:42 d---s---- c:\documents and settings\Mum&Dad\UserData
2009-04-06 19:15 . 2009-04-07 13:59 d-------- c:\program files\SpywareBlaster
2009-04-06 19:14 . 2009-04-09 01:38 d-------- c:\program files\SpywareGuard
2009-04-05 15:57 . 2009-04-05 15:57 d-------- c:\documents and settings\Mum&Dad\Application Data\Simply Super Software
2009-04-05 11:28 . 2009-04-05 11:28 d-------- c:\program files\Eraser
2009-04-05 11:28 . 2009-04-05 11:28 d--h----- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-04-04 22:22 . 2009-04-04 22:22 d-------- c:\documents and settings\Mum&Dad\Application Data\PlayFirst
2009-04-04 22:22 . 2009-04-07 10:04 d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2009-04-04 20:23 . 2009-04-04 20:23 d-------- c:\documents and settings\Mum&Dad\Application Data\URSoft
2009-04-04 18:37 . 2009-04-04 18:37 d-------- c:\program files\Rockstar Games
2009-04-04 18:35 . 2009-04-04 20:54 d-------- c:\program files\DAEMON Tools
2009-04-04 18:35 . 2009-04-04 18:35 223,128 --a------ c:\windows\system32\drivers\dtscsi.sys
2009-04-04 18:34 . 2009-04-04 18:34 d-------- c:\documents and settings\Mum&Dad\Application Data\ImgBurn
2009-04-04 15:39 . 2009-04-04 16:23 d-------- c:\windows\system32\NtmsData
2009-04-04 14:09 . 2009-02-16 00:10 1,221,512 --a------ c:\windows\system32\zpeng25.dll
2009-04-04 14:09 . 2009-04-08 22:02 350,192 --a------ c:\windows\system32\vsconfig.xml
2009-04-04 00:40 . 2009-04-04 00:48 d-------- c:\documents and settings\Kimina\Application Data\ImgBurn
2009-04-04 00:39 . 2009-04-04 00:39 d-------- c:\program files\ImgBurn
2009-04-04 00:28 . 2000-07-21 10:40 2,048 --a------ C:\w2ksect.bin
2009-04-04 00:00 . 2009-04-04 00:21 d-------- C:\XPSetup
2009-04-03 22:44 . 2009-04-04 10:28 27,612 --a------ c:\windows\syscall.dat
2009-04-03 15:41 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-04-03 15:41 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-04-03 15:41 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-04-03 15:41 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-04-03 15:41 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-04-03 15:40 . 2009-04-06 01:27 d-------- c:\program files\Trojan Remover
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\Kimina\Application Data\Simply Super Software
2009-04-03 15:40 . 2009-04-03 15:40 d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-04-02 15:27 . 2009-04-02 15:27 d-------- c:\documents and settings\Mum&Dad\Application Data\TypingMaster7
2009-04-02 15:26 . 2009-04-02 15:26 d-------- c:\documents and settings\Mum&Dad\Application Data\Malwarebytes
2009-04-02 09:30 . 2009-04-02 09:35 d-------- c:\program files\Spybot - Search & Destroy
2009-04-01 13:21 . 2009-04-01 13:26 d-------- c:\documents and settings\Kimina\Application Data\TypingMaster7
2009-04-01 12:51 . 2009-04-01 12:51 2,802 --a------ c:\windows\Sobotta.sam
2009-04-01 12:47 . 2009-04-01 12:47 338 --a------ c:\windows\Sobotta.ntz
2009-04-01 12:47 . 2009-04-01 12:48 29 --a------ c:\windows\BSL.INI
2009-04-01 08:54 . 2009-04-04 10:28 d--h-c--- c:\documents and settings\All Users\Application Data\{298A24DC-2111-4597-BF26-E3847C84C04B}
2009-03-31 14:02 . 2009-03-31 14:02 d-------- c:\documents and settings\Kimina\Application Data\XemiComputers
2009-03-30 17:03 . 2009-03-30 17:03 7,680 --ahs---- c:\windows\Thumbs.db
2009-03-30 16:06 . 2009-03-30 16:06 d-------- c:\documents and settings\Kimina\Application Data\Nero
2009-03-30 15:53 . 2009-03-30 15:53 d-------- c:\program files\Nero
2009-03-30 15:53 . 2009-04-02 15:39 d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-30 12:01 . 2009-03-30 12:01 d-------- c:\program files\SEC
2009-03-30 11:56 . 2009-03-30 11:56 d-------- c:\documents and settings\Kimina\Application Data\InstallShield
2009-03-29 16:12 . 2009-03-29 16:12 d-------- C:\Share
2009-03-29 16:12 . 2009-03-29 16:20 d-------- c:\documents and settings\Mum&Dad\Application Data\Thinstall
2009-03-27 17:03 . 2009-04-07 16:08 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\Kimina\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-03-27 17:03 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 17:03 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 17:03 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-27 13:55 . 2009-03-27 13:55 d-------- c:\program files\SonicWallES
2009-03-27 10:52 . 2009-03-31 19:20 72,584 --a------ c:\windows\zllsputility.exe
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-03-27 08:18 . 2008-04-14 04:40 43,904 --a--c--- c:\windows\system32\dllcache\sbp2port.sys
2009-03-25 19:31 . 2009-03-25 19:31 d-------- c:\program files\Zone Labs
2009-03-25 12:01 . 2004-01-22 19:06 157,696 --a------ c:\windows\system32\unrar.dll
2009-03-25 11:52 . 2003-04-18 16:29 44,544 --a------ c:\windows\system32\msxml4a.dll
2009-03-22 19:53 . 2009-03-27 17:06 d-------- c:\program files\FLAC
2009-03-22 14:55 . 2009-04-02 20:57 dr------- c:\program files\TypingMaster
2009-03-18 10:48 . 2009-03-31 23:31 490 --a------ c:\windows\system32\spupdsvc.inf
2009-03-18 10:43 . 2009-03-18 10:43 d-------- c:\windows\system32\URTTEMP
2009-03-18 09:59 . 2009-03-18 09:59 d-------- c:\windows\system32\windows media
2009-03-18 09:56 . 2009-03-18 09:59 d--h----- c:\windows\msdownld.tmp
2009-03-18 09:55 . 2009-03-18 09:55 d-------- c:\program files\Windows Media Components
2009-03-14 09:43 . 2008-04-07 05:38 45,392 --a------ c:\windows\system32\AdobePDF.dll
2009-03-14 09:43 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iTunes
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\program files\iPod
2009-03-14 09:26 . 2009-03-14 09:26 d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:34 . 2009-03-13 19:34 d-------- c:\program files\Innovative Logic
2009-03-13 19:34 . 1998-10-02 07:00 1,674,280 --a------ c:\windows\system32\OLCH2X32.OCX
2009-03-13 19:34 . 1999-11-16 11:09 222,416 --a------ c:\windows\system32\mhlist32.ocx
2009-03-13 19:34 . 2000-05-22 01:00 203,976 --a------ c:\windows\system32\RICHTX32.OCX
2009-03-13 19:34 . 1999-05-06 23:00 140,288 --a------ c:\windows\system32\comdlg32.ocx
2009-03-13 19:34 . 1998-12-17 09:29 139,264 --a------ c:\windows\system32\ccrpfd.ocx
2009-03-13 19:34 . 2000-01-03 11:50 122,880 --a------ c:\windows\system32\ftpx.ocx
2009-03-13 19:34 . 1998-06-18 01:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2009-03-13 19:34 . 1999-12-20 15:53 57,344 --a------ c:\windows\system32\BC32R60.dll
2009-03-12 18:06 . 2004-07-14 12:54 676,864 --a------ c:\windows\system32\drivers\hardlock.sys
2009-03-12 18:06 . 2009-03-12 18:06 47,616 --a------ c:\windows\system32\drivers\Haspnt.sys
2009-03-12 18:06 . 2009-03-12 18:06 6,656 --a------ c:\windows\system32\haspvdd.dll
2009-03-12 18:06 . 2009-02-02 21:07 2,577 --a------ c:\windows\system32\config.hsp
2009-03-12 18:06 . 2009-03-12 18:06 383 --a------ c:\windows\system32\haspdos.sys
2009-03-11 19:11 . 2009-04-01 13:15 d-------- c:\program files\Common Files\LightScribe
2009-03-11 13:45 . 2009-03-11 13:45 d-------- c:\documents and settings\Mum&Dad\Application Data\Ashampoo
2009-03-10 23:09 . 2009-03-10 23:09 d-------- c:\program files\LizardTech
2009-03-09 17:12 . 2009-03-25 19:36 d-------- c:\documents and settings\All Users\Application Data\Soulseek
2009-03-09 17:05 . 2009-03-09 17:11 d-------- c:\program files\SoulseekNS
2009-03-09 15:02 . 2008-04-14 10:11 81,920 --a------ c:\windows\system32\ieencode.dll
2009-03-09 13:47 . 2009-03-09 14:02 d-------- c:\program files\Windows Media Connect 2
2009-03-09 13:45 . 2009-03-10 23:53 d-------- c:\windows\system32\LogFiles
2009-03-09 13:45 . 2009-03-09 13:46 d-------- c:\windows\system32\drivers\UMDF
2009-03-08 12:38 . 2009-03-08 17:23 d-------- c:\program files\CheckPoint
2009-03-08 12:38 . 2009-03-08 12:38 144 --a------ c:\windows\system32\lkfl.dat
2009-03-08 12:38 . 2009-03-08 17:22 96 --a------ c:\windows\system32\pdfl.dat
2009-03-08 12:38 . 2009-03-08 12:38 80 --a------ c:\windows\system32\ibfl.dat
2009-03-08 11:12 . 2008-04-14 10:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-08 11:12 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 15:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-08 13:18 --------- d-----w c:\documents and settings\Kimina\Application Data\Adobe-BackupByPhotoshopPortable
2009-04-08 12:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 00:24 --------- d-----w c:\program files\QuickTime
2009-04-05 05:12 --------- d-----w c:\documents and settings\Kimina\Application Data\Thinstall
2009-04-05 02:45 --------- d-----w c:\program files\ESET
2009-04-04 08:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 00:38 --------- d-----w c:\program files\Java
2009-04-04 00:28 --------- d-----w c:\program files\AntiLogger
2009-04-03 22:48 --------- d-----w c:\program files\Common Files\Apple
2009-04-03 06:22 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\SolSuite
2009-04-01 10:00 --------- d-----w c:\documents and settings\Kimina\Application Data\SolSuite
2009-04-01 03:12 --------- d-----w c:\program files\Ashampoo
2009-03-30 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-30 05:35 --------- d-----w c:\program files\TuneUp Utilities 2007
2009-03-28 14:05 --------- d-----w c:\program files\Windows Live Safety Center
2009-03-25 09:55 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-25 09:55 --------- d-----w c:\program files\Lavasoft
2009-03-25 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-23 02:03 --------- d-----w c:\program files\SolSuite
2009-03-18 14:45 --------- d-----w c:\documents and settings\Kimina\Application Data\Apple Computer
2009-03-13 23:43 --------- d-----w c:\program files\Common Files\Adobe
2009-03-11 03:03 --------- d-----w c:\program files\Your Uninstaller 2008
2009-03-07 07:09 --------- d-----w c:\program files\JockerSoft
2009-03-07 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2009-03-06 04:57 --------- d-----w c:\documents and settings\Kimina\Application Data\Vso
2009-03-06 04:55 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-06 04:55 47,360 ----a-w c:\documents and settings\Kimina\Application Data\pcouffin.sys
2009-03-06 04:55 --------- d-----w c:\program files\VSO
2009-03-06 04:43 --------- d-----w c:\documents and settings\Kimina\Application Data\Ashampoo
2009-03-06 04:43 --------- d-----w c:\documents and settings\All Users\Application Data\ashampoo
2009-03-06 04:41 --------- d-----w c:\program files\Xilisoft
2009-03-05 04:55 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Apple Computer
2009-03-05 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-04 07:05 --------- d-----w c:\program files\Common Files\OverDrive Shared
2009-03-04 07:04 --------- d-----w c:\program files\Common Files\L&H
2009-03-04 07:03 --------- d-----w c:\program files\Microsoft Reader
2009-03-04 07:02 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-04 06:55 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-04 03:54 --------- d-----w c:\documents and settings\Kimina\Application Data\Librarian Pro
2009-03-04 03:53 --------- d-----w c:\program files\Koingo Software
2009-03-03 10:00 --------- d-----w c:\program files\DAEMON Tools Lite
2009-03-03 03:42 --------- d-----w c:\documents and settings\All Users\Application Data\DFX
2009-03-03 03:31 --------- d-----w c:\program files\DFX
2009-03-03 03:31 --------- d-----w c:\program files\Common Files\DFX
2009-02-23 05:33 --------- d-----w c:\program files\TechSmith
2009-02-23 05:33 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2009-02-20 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\TreeCardGames
2009-02-17 11:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-17 09:04 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\eGames
2009-02-16 00:54 --------- d-----w c:\program files\Windows Sidebar
2009-02-14 03:13 --------- d-----w c:\program files\MSXML 4.0
2009-02-12 10:40 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe-BackupByPhotoshopPortable
2009-02-12 04:05 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-02-11 15:02 --------- d-----w c:\program files\Family Tree Maker 2009
2009-02-11 15:02 --------- d-----w c:\program files\AoA MP4 Converter
2009-02-11 07:47 --------- d-----w c:\program files\DivX
2009-02-11 07:46 --------- d-----w c:\program files\DirectX 9.0c
2009-02-10 04:57 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\TuneUp Software
2009-02-09 07:17 --------- d-----w c:\program files\Google
2009-02-09 07:09 --------- d-----w c:\documents and settings\Kimina\Application Data\URSoft
2009-02-09 07:00 --------- d-----w c:\program files\Yahoo!
2009-02-09 07:00 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-09 06:40 --------- d-----w c:\documents and settings\Kimina\Application Data\TuneUp Software
2009-02-09 06:04 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-02-09 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2009-02-08 06:34 --------- d-----w c:\documents and settings\Mum&Dad\Application Data\Canon
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-03 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-03 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-03 134656]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-02-03 949376]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-30 1213320]
"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2009-03-31 2277232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Kimina\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"GreyMSIAds"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Family Tree Maker 2009\\FTM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2009-03-31 115056]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-03 15424]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-03-27 179856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-03-27 15504]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{015fc16c-09fb-11de-b244-806d6172696f}]
\Shell\AutoRun\command - F:\monsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f1c4bc2-1a54-11de-9a3b-001cc0755738}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ec9e34-f4cf-11dd-8da3-001cc0755738}]
\Shell\AutoRun\command - K:\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2052111302-839522115-1004.job
- c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-07 17:38]

2009-04-07 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-06 15:32]

2009-04-08 c:\windows\Tasks\Malwarebytes' Scheduled Update for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-06 15:32]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/internet/mybigpond/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {E1C2CA2F-B009-43DB-AAEB-3433D7E8F1E7} = 61.9.211.33,61.9.211.1
FF - ProfilePath - c:\documents and settings\Kimina\Application Data\Mozilla\Firefox\Profiles\aba8c5y6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/internet/mybigpond/
FF - plugin: c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 01:46:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-09 1:48:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-08 15:48:53
ComboFix2.txt 2009-04-06 16:22:36

Pre-Run: 180,815,441,920 bytes free
Post-Run: 180,757,225,472 bytes free

293 --- E O F --- 2009-03-20 00:13:17