Hi. I uninstalled BitLord and updated AVG. My son gave the PC to a mate of his a couple of weeks ago to try to sort it out, so I don't know what he ran as far as ComboFix goes, but here is the log.
ComboFix 09-04-22.02 - Beverley H 24/04/2009 2:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.298.1033.18.255.57 [GMT 1:00]
Running from: c:\documents and settings\Beverley H\My Documents\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-03-24 to 2009-04-24 )))))))))))))))))))))))))))))))
.
2009-04-23 06:40 . 2009-04-23 06:40 -------- d-sh--w c:\documents and settings\Beverley H\IECompatCache
2009-04-22 11:53 . 2008-12-11 07:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-22 11:53 . 2009-04-24 00:32 -------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-04-22 11:52 . 2009-04-22 12:24 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-22 11:52 . 2008-12-18 11:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-22 11:52 . 2008-12-10 11:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-22 11:52 . 2009-04-22 11:52 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2009-04-21 07:46 . 2009-04-21 07:46 -------- d-sh--w c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2009-04-20 21:00 . 2009-02-13 10:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-20 20:59 . 2009-04-20 20:59 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-04-20 17:58 . 2009-04-20 17:58 -------- d-sh--w c:\documents and settings\Beverley H\PrivacIE
2009-04-20 17:54 . 2009-04-20 17:54 -------- d-sh--w c:\documents and settings\Beverley H\IETldCache
2009-04-20 16:07 . 2009-04-20 16:07 -------- d-----w c:\windows\ie8updates
2009-04-20 16:00 . 2009-04-20 16:06 -------- dc-h--w c:\windows\ie8
2009-04-20 15:55 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-19 22:29 . 2009-04-20 16:06 1374 ----a-w c:\windows\imsins.BAK
2009-04-18 22:16 . 2008-03-04 14:59 41144 ----a-w c:\windows\system32\drivers\ShlDrv51.sys
2009-04-18 22:16 . 2008-02-07 11:03 179640 ----a-w c:\windows\system32\drivers\PavProc.sys
2009-04-18 17:01 . 2008-06-19 15:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-16 20:35 . 2009-04-20 02:02 -------- d--h--w C:\$AVG8.VAULT$
2009-04-16 18:39 . 2009-04-16 18:39 -------- d-----w c:\documents and settings\liz\Application Data\Malwarebytes
2009-04-13 17:47 . 2001-11-25 11:11 81924 ------w c:\windows\system32\drivers\VC4CB104.SYS
2009-04-09 16:27 . 2009-04-09 16:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-09 16:27 . 2009-04-09 16:27 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-09 16:27 . 2009-04-09 16:27 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-09 16:27 . 2009-04-20 00:59 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-07 00:58 . 2009-04-07 00:58 -------- d-----w c:\documents and settings\Beverley H\Application Data\Malwarebytes
2009-04-06 23:40 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 23:40 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 23:40 . 2009-04-06 23:40 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-04-06 15:18 . 2009-04-06 15:18 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\F-Secure
2009-04-06 15:05 . 2009-04-06 15:13 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\fssg
2009-04-06 14:57 . 2009-04-09 14:59 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\f-secure
2009-04-05 19:45 . 2009-04-05 19:45 615 ----a-w c:\windows\system32\UnGET.vbs
2009-04-05 19:45 . 2009-04-05 19:45 615 ----a-w c:\windows\system32\6d6YGyS.vbs
2009-04-05 19:41 . 2009-04-05 19:41 615 ----a-w c:\windows\system32\IWqVfSN.vbs
2009-04-05 19:36 . 2009-04-05 19:36 615 ----a-w c:\windows\system32\uzOsk2r.vbs
2009-04-05 19:35 . 2009-04-05 19:35 615 ----a-w c:\windows\system32\KsLcT.vbs
2009-04-05 19:34 . 2009-04-05 19:34 615 ----a-w c:\windows\system32\gLifdgUYT7FjM.vbs
2009-04-05 18:03 . 2009-04-05 18:03 268 ----a-w c:\windows\_delis32.ini
2009-04-03 19:57 . 2009-04-03 19:57 -------- d-----w c:\documents and settings\liz\Local Settings\Application Data\Identities
2009-04-03 19:56 . 2009-04-03 19:56 -------- d-----w c:\documents and settings\liz\Application Data\Windows Desktop Search
2009-04-03 18:00 . 2009-04-03 18:00 -------- d-----w c:\documents and settings\claire\Local Settings\Application Data\Identities
2009-04-03 17:59 . 2009-04-03 17:59 -------- d-----w c:\documents and settings\claire\Application Data\Windows Desktop Search
2009-04-01 01:42 . 2009-04-01 01:42 -------- d-----w c:\documents and settings\Beverley H\Application Data\Windows Search
2009-04-01 01:41 . 2009-04-01 01:41 -------- d-----w c:\documents and settings\Beverley H\Application Data\Windows Desktop Search
2009-04-01 01:36 . 2008-03-07 17:02 98304 -c----w c:\windows\system32\dllcache\nlhtml.dll
2009-04-01 01:36 . 2008-03-07 17:02 29696 -c----w c:\windows\system32\dllcache\mimefilt.dll
2009-04-01 01:36 . 2008-03-07 17:02 192000 -c----w c:\windows\system32\dllcache\offfilt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 14:34 . 2009-04-22 11:52 -------- d-----w c:\program files\Spyware Doctor
2009-04-22 17:52 . 2009-04-22 17:15 -------- d-----w c:\program files\ThreatExpert Memory Scanner
2009-04-22 11:54 . 2009-04-22 11:52 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-21 13:41 . 2008-03-27 22:48 -------- d-----w c:\program files\Safari
2009-04-20 20:59 . 2009-04-20 20:59 -------- d-----w c:\program files\Avira
2009-04-19 23:52 . 2009-04-19 23:52 -------- d-----w c:\program files\ERUNT
2009-04-19 22:25 . 2008-06-30 20:56 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\SecTaskMan
2009-04-18 22:16 . 2009-04-18 22:16 -------- d-----w c:\program files\Common Files\Panda Security
2009-04-18 17:01 . 2009-04-18 17:01 -------- d-----w c:\program files\Panda Security
2009-04-17 18:08 . 2006-08-17 01:24 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-16 20:35 . 2006-05-20 23:22 -------- d-----w c:\program files\Ares
2009-04-14 20:52 . 2006-11-04 09:07 244 ---ha-w C:\sqmnoopt04.sqm
2009-04-14 20:52 . 2006-11-04 09:07 232 ---ha-w C:\sqmdata03.sqm
2009-04-14 20:45 . 2006-11-04 09:07 244 ---ha-w C:\sqmnoopt03.sqm
2009-04-14 20:45 . 2006-11-04 09:07 232 ---ha-w C:\sqmdata02.sqm
2009-04-14 20:44 . 2006-11-04 09:07 244 ---ha-w C:\sqmnoopt02.sqm
2009-04-14 20:44 . 2006-11-04 09:07 232 ---ha-w C:\sqmdata01.sqm
2009-04-14 20:42 . 2006-11-04 09:07 244 ---ha-w C:\sqmnoopt01.sqm
2009-04-14 20:42 . 2006-11-04 09:07 232 ---ha-w C:\sqmdata00.sqm
2009-04-14 20:41 . 2006-11-04 18:49 232 ---ha-w C:\sqmdata19.sqm
2009-04-14 20:41 . 2006-11-04 09:07 244 ---ha-w C:\sqmnoopt00.sqm
2009-04-14 20:38 . 2006-11-04 18:49 232 ---ha-w C:\sqmdata18.sqm
2009-04-14 20:38 . 2006-11-04 18:49 244 ---ha-w C:\sqmnoopt19.sqm
2009-04-14 01:08 . 2006-11-04 18:49 244 ---ha-w C:\sqmnoopt18.sqm
2009-04-14 01:08 . 2006-11-04 18:48 232 ---ha-w C:\sqmdata17.sqm
2009-04-14 00:44 . 2006-11-04 18:47 232 ---ha-w C:\sqmdata16.sqm
2009-04-14 00:44 . 2006-11-04 18:48 244 ---ha-w C:\sqmnoopt17.sqm
2009-04-14 00:22 . 2006-11-04 18:47 232 ---ha-w C:\sqmdata15.sqm
2009-04-14 00:22 . 2006-11-04 18:47 244 ---ha-w C:\sqmnoopt16.sqm
2009-04-13 17:47 . 2009-04-13 17:47 -------- d-----w c:\program files\REGSHAVE
2009-04-13 17:47 . 2004-11-15 14:03 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-13 14:38 . 2006-11-04 18:47 244 ---ha-w C:\sqmnoopt15.sqm
2009-04-13 14:38 . 2006-11-04 18:47 232 ---ha-w C:\sqmdata14.sqm
2009-04-13 14:38 . 2006-11-04 18:47 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-13 14:38 . 2006-11-04 18:47 232 ---ha-w C:\sqmdata13.sqm
2009-04-13 14:37 . 2006-11-04 18:47 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-13 14:37 . 2006-11-04 18:46 232 ---ha-w C:\sqmdata12.sqm
2009-04-13 14:36 . 2006-11-04 18:46 244 ---ha-w C:\sqmnoopt12.sqm
2009-04-13 14:36 . 2006-11-04 18:41 232 ---ha-w C:\sqmdata11.sqm
2009-04-13 14:35 . 2006-11-04 18:41 244 ---ha-w C:\sqmnoopt11.sqm
2009-04-13 14:35 . 2006-11-04 18:40 232 ---ha-w C:\sqmdata10.sqm
2009-04-13 14:35 . 2006-11-04 18:40 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-13 14:35 . 2006-11-04 18:37 232 ---ha-w C:\sqmdata09.sqm
2009-04-13 14:28 . 2006-11-04 18:37 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-13 14:28 . 2006-11-04 18:37 232 ---ha-w C:\sqmdata08.sqm
2009-04-13 14:28 . 2006-11-04 18:37 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-13 14:28 . 2006-11-04 18:34 232 ---ha-w C:\sqmdata07.sqm
2009-04-13 14:24 . 2006-11-04 18:34 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-13 14:24 . 2006-11-04 09:18 232 ---ha-w C:\sqmdata06.sqm
2009-04-13 14:23 . 2006-11-04 09:18 244 ---ha-w C:\sqmnoopt06.sqm
2009-04-13 14:23 . 2006-11-04 09:08 232 ---ha-w C:\sqmdata05.sqm
2009-04-13 14:19 . 2006-11-04 09:08 244 ---ha-w C:\sqmnoopt05.sqm
2009-04-13 14:19 . 2006-11-04 09:07 232 ---ha-w C:\sqmdata04.sqm
2009-04-09 20:29 . 2009-04-06 15:14 -------- d-----w c:\program files\F-Secure Internet Security
2009-04-09 16:26 . 2008-06-30 00:18 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-04-07 18:30 . 2009-04-07 18:30 -------- d-----w c:\program files\IKEA HomePlanner
2009-04-07 18:28 . 2008-10-14 14:18 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-07 14:59 . 2006-05-21 17:26 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-04-07 13:37 . 2006-05-21 17:26 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-07 12:11 . 2008-10-09 14:56 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-07 12:10 . 2009-04-07 12:10 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-07 12:10 . 2009-04-07 12:10 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-06 23:42 . 2009-04-06 23:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 18:36 . 2009-04-05 18:36 -------- d-----w c:\program files\Garmin GPS Plugin
2009-04-05 18:36 . 2006-11-05 21:50 -------- d-----w c:\program files\DIFX
2009-04-05 18:36 . 2009-04-05 18:36 -------- d-----w c:\program files\Garmin
2009-04-05 18:04 . 2006-06-10 15:40 -------- d-----w c:\program files\Common Files\Logitech
2009-04-05 18:02 . 2009-01-30 23:20 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-04-01 01:39 . 2009-04-01 01:39 -------- d-----w c:\program files\Windows Desktop Search
2009-03-16 01:14 . 2006-12-18 16:30 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-16 00:04 . 2007-07-03 10:45 -------- d-----w c:\program files\Kontiki
2009-03-16 00:04 . 2009-03-16 00:04 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Sky
2009-03-15 23:42 . 2009-03-15 23:42 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-08 03:34 . 2004-08-04 01:07 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2004-08-04 01:07 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2004-08-04 01:07 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2004-08-04 01:07 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2004-08-04 01:07 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2004-08-04 01:07 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2004-08-04 01:07 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2004-08-04 01:07 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2004-08-04 01:07 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2004-08-04 01:07 156160 ----a-w c:\windows\system32\msls31.dll
2008-10-15 19:46 . 2006-11-01 08:36 100208 ----a-w c:\documents and settings\liz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-05 12:09 . 2006-05-30 19:25 100208 ----a-w c:\documents and settings\claire\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-02 23:47 . 2006-06-02 18:06 100208 ----a-w c:\documents and settings\Beverley H\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-02-11 22:31 . 2007-02-11 22:31 9232 ----a-w c:\documents and settings\claire\mqdmmdfl.sys
2007-02-11 22:31 . 2007-02-11 22:31 92064 ----a-w c:\documents and settings\claire\mqdmmdm.sys
2007-02-11 22:31 . 2007-02-11 22:31 79328 ----a-w c:\documents and settings\claire\mqdmserd.sys
2007-02-11 22:31 . 2007-02-11 22:31 66656 ----a-w c:\documents and settings\claire\mqdmbus.sys
2007-02-11 22:31 . 2007-02-11 22:31 6208 ----a-w c:\documents and settings\claire\mqdmcmnt.sys
2007-02-11 22:31 . 2007-02-11 22:31 5936 ----a-w c:\documents and settings\claire\mqdmwhnt.sys
2007-02-11 22:31 . 2007-02-11 22:31 4048 ----a-w c:\documents and settings\claire\mqdmcr.sys
2007-02-11 22:31 . 2006-12-19 16:27 25600 ----a-w c:\documents and settings\claire\usbsermptxp.sys
2007-02-11 22:31 . 2006-12-19 16:27 22768 ----a-w c:\documents and settings\claire\usbsermpt.sys
2006-08-14 00:34 . 2006-08-14 00:25 25600 ----a-w c:\documents and settings\Beverley H\usbsermptxp.sys
2006-08-14 00:34 . 2006-08-14 00:25 22768 ----a-w c:\documents and settings\Beverley H\usbsermpt.sys
2006-06-10 18:15 . 2006-06-10 18:15 133 ----a-w c:\documents and settings\Beverley H\Local Settings\Application Data\fusioncache.dat
2006-05-30 19:25 . 2006-05-30 19:25 129 ----a-w c:\documents and settings\claire\Local Settings\Application Data\fusioncache.dat
2004-11-15 13:54 . 2004-11-15 13:54 12328 ----a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
2009-04-09 16:26 1078552 ----a-w c:\program files\AVG\AVG8\avgssie.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2009-01-26 14:31 1879896 ----a-w c:\progra~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
2005-02-22 13:50 368640 ----a-w c:\program files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}"= "c:\program files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" [2005-02-22 368640]
[HKEY_CLASSES_ROOT\clsid\{ee5d279f-081b-4404-994d-c6b60aaeba6d}]
[HKEY_CLASSES_ROOT\EpsonToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3937476C-846F-459C-BD47-75EC6B0834E4}]
[HKEY_CLASSES_ROOT\EpsonToolBand.ToolBandObj]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}"= "c:\program files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" [2005-02-22 368640]
[HKEY_CLASSES_ROOT\clsid\{ee5d279f-081b-4404-994d-c6b60aaeba6d}]
[HKEY_CLASSES_ROOT\EpsonToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3937476C-846F-459C-BD47-75EC6B0834E4}]
[HKEY_CLASSES_ROOT\EpsonToolBand.ToolBandObj]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-09 1932568]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"= "c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll" [2007-08-24 2212224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2009-03-08 236544]
"WPDShServiceObj"= {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-09 16:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^claire^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\claire\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^liz^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk.disabled]
path=c:\documents and settings\liz\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk.disabled
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.disabledStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AresChatServer"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"ecure"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WSearch"=2 (0x2)
"RasMan"=3 (0x3)
"Alerter"=2 (0x2)
"svchost1"=2 (0x2)
"odserv"=3 (0x3)
"PavPrSrv"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PPWebCap"=c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" -atboottime
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"kdx"="c:\program files\Kontiki\KHost.exe" -all
"REGSHAVE"=c:\program files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R3 AdWatchDrv;AW Realtime Driver; [x]
R3 ca506aaf;ADS USB Audio Filter Driver (WDM);c:\windows\system32\drivers\ca506aaf.sys [2002-04-29 14273]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2006-12-13 40832]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
R3 SPCA506AV;USB Instant VCD;c:\windows\system32\DRIVERS\CA506AV.SYS [2002-07-30 178835]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-09 908056]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-09 298264]
R4 ecure;FireDaemon Service: ecure; [x]
R4 svchost1;FireDaemon Service: svchost1; [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-22 130936]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-09 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-09 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys [2008-03-04 41144]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S2 PavProc;Panda Process Protection Driver;c:\windows\system32\DRIVERS\PavProc.sys [2008-02-07 179640]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MCHINJDRV
*NewlyCreated* - PCTCORE
*NewlyCreated* - SSMDRV
*Deregistered* - ALG
*Deregistered* - AntiVirSchedulerService
*Deregistered* - AntiVirService
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - DwShield0000685F
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - ImapiService
*Deregistered* - Irmon
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mchInjDrv
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - sdAuxService
*Deregistered* - sdCoreService
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2006-08-16 c:\windows\Tasks\dfrg defrag.job
- c:\windows\system32\dfrg.msc [2004-08-04 01:07]
2009-04-13 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-04-07 14:31]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{0E5CBF21-D15F-11D0-8301-00AA005B4383} - %SystemRoot%\system32\SHELL32.dll
SharedTaskScheduler-{438755C2-A8BA-11D1-B96B-00A0C90312E1} - %SystemRoot%\system32\browseui.dll
SharedTaskScheduler-{8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll
ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-PostBootReminder-{7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
SSODL-SysTray-{35CEC8A3-2BE6-11D2-8773-92E220524153} - %systemroot%\system32\stobject.dll
.
------- Supplementary Scan -------
.
mWindow Title = LIVERPOOL RULE UNITED ARE SCUM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
IE: {{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\Java\jre1.6.0_03\bin\ssv.dll
IE: {{2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\MICROS~2\Office12\ONBttnIE.dll
IE: {{92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\MIC273~1\Office12\REFIEBAR.DLL
IE: {{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\SPYBOT~1\SDHelper.dll
Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - c:\windows\system32\mscoree.dll
Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - c:\windows\system32\mscoree.dll
Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - c:\windows\system32\mscoree.dll
Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - c:\windows\system32\urlmon.dll
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} -
Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - c:\progra~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
Handler: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - c:\windows\system32\urlmon.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\HP\hpcoretech\comp\hpuiprot.dll
Handler: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - c:\windows\system32\msvidctl.dll
Handler: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: http\
0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: https\
0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: ipp\
0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\AVG\AVG8\avgpp.dll
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
Handler: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} -
Handler: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\program files\Common Files\Microsoft Shared\Help\hxds.dll
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: msdaipp\
0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
Handler: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} -
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
Handler: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - c:\windows\system32\mshtml.dll
Handler: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - c:\windows\system32\wiascr.dll
Name-Space Handler: mk\* - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} -
hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
hxxp://by124w.bay124.mail.live.com/mail ... nPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -
hxxp://cdn.scan.onecare.live.com/resour ... se5483.cab
DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} -
hxxp://esupport.epson-europe.com/selfte ... TPTest.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} -
hxxp://alanmurphy1.spaces.live.com/Phot ... nPUpld.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} -
hxxp://www.superadblocker.com/activex/sabspx.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-24 03:01
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-854245398-115176313-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2805DA7-0C85-FE5C-F241-48FBF06EC61E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"bbikekmhakgnaplpnallgfahajamcjpdfomg"=hex:6a,61,70,65,66,64,64,6d,69,6f,64,65,
67,6d,65,65,64,6f,6d,6f,00,00
"abkmcppgdebpppknjoikbgjddfopdlhkfi"=hex:6a,61,65,66,66,62,6d,66,6b,64,6e,62,
68,70,6a,6d,6d,63,62,68,00,00
"bbikekmhakgnaplpnallgfahajamfjcakain"=hex:6a,61,70,65,66,64,64,6d,69,6f,64,65,
67,6d,65,65,64,6f,6d,6f,00,00
"abkmcppgdebpppknjoikbgjddfnpoblhdl"=hex:6a,61,65,66,6e,61,65,6f,66,70,70,61,
69,6a,62,68,63,63,6b,6e,00,00
"iaikekmhakgnaplpna"=hex:61,61,00,00
"hakmcppgdebpppkn"=hex:61,61,00,00
"iaelobdnhimakdngnn"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(832)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-04-24 3:09
ComboFix-quarantined-files.txt 2009-04-24 02:09
ComboFix2.txt 2009-04-22 02:02
ComboFix3.txt 2007-12-21 17:13
Pre-Run: 20,711,317,504 bytes free
Post-Run: 20,702,961,664 bytes free
460 --- E O F --- 2008-11-16 23:54