Can somebody please offer me some guidance please?

Here is my HijackThis Log and when I ran malwareBytes it's telling me that I have trojan.Agent located in the following file: C:\Documents and Settings\Admin\Local Settings\Temp\svchost.exe.

I'm really confused because I thought the svchost.exe was a legit windows program...Crap!

Topic title was: Win32.Agent, Kaspersky Scan produced the following results ~ OB

Kaspersky found:

C:\WINDOWS\system32\klomp.exe Infected: Trojan-Downloader.Win32.Agent.aukz1
C:\WINDOWS\system32\qdbon.dll Infected: Trojan.Win32.Agent.awyk1
C:\WINDOWS\system32\wr65308.dll Infected: Trojan.Win32.Agent.awyk1
C:\WINDOWS\system32\xwr65308.dll Infected: Trojan.Win32.Agent.awyk1


KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 23, 2008 23:45:14
Records in database: 1506241
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\Admin\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 54175
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 00:41:28


File name / Threat name / Threats count
C:\WINDOWS\system32\klomp.exe Infected: Trojan-Downloader.Win32.Agent.aukz 1
C:\WINDOWS\system32\qdbon.dll Infected: Trojan.Win32.Agent.awyk 1
C:\WINDOWS\system32\wr65308.dll Infected: Trojan.Win32.Agent.awyk 1
C:\WINDOWS\system32\xwr65308.dll Infected: Trojan.Win32.Agent.awyk 1

The selected area was scanned.


HijackThis Log is below: and the RSIT Log is attached

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:51 AM, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Download Accelerator Plus\DAP.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {c434bc3f-1a2a-4e73-98bb-8f99e454897a} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: D - {D218D6E4-B94B-3DB2-AAB2-8D45EC94C430} - C:\WINDOWS\system32\xwr65308.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\Download Accelerator Plus\DAP.exe" /STARTUP
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: New Application.lnk = C:\WINDOWS\system32\winlogon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\Download Accelerator Plus\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\Download Accelerator Plus\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\Download Accelerator Plus\dapextie2.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\Program,C:\Program
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: GHHHVUTL - NOS Microsystems Ltd. - (no file)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

--
End of file - 5597 bytes[color="#000080"][/color]

The following files are now attached:

Attach.txt
DDS.txt

Thanks!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
• Notepad will open with the results, click no to the Optional_Scan
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom

Thanks for the reply.

The results of the scans are attached

Hi, SholessTroy

Welcome.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
   -----------------------------------------------------------
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
     
     -----------------------------------------------------------
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
   -----------------------------------------------------------
4. Double click on combofix.exe & follow the prompts.
5. Install the Recovery Console upon request.
6. When finished, it will produce a report for you.
7. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Latest Malware Bytes Log:

Malwarebytes' Anti-Malware 1.31
Database version: 1577
Windows 5.1.2600 Service Pack 3

12/30/2008 9:08:16 AM
mbam-log-2008-12-30 (09-08-16).txt

Scan type: Quick Scan
Objects scanned: 44444
Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------------------------------------------------

Malware Bytes Log #1

Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

12/30/2008 8:01:21 AM
mbam-log-2008-12-30 (08-01-21).txt

Scan type: Full Scan (C:\|K:\|)
Objects scanned: 255951
Time elapsed: 1 hour(s), 45 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d218d6e4-b94b-3db2-aab2-8d45ec94c430} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d218d6e4-b94b-3db2-aab2-8d45ec94c430} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

-------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:43 AM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Download Accelerator Plus\DAP.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\Download Accelerator Plus\DAP.exe" /STARTUP
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: New Application.lnk = C:\WINDOWS\system32\winlogon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\Download Accelerator Plus\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\Download Accelerator Plus\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\Download Accelerator Plus\dapextie2.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: GHHHVUTL - NOS Microsystems Ltd. - (no file)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

--
End of file - 6231 bytes

Combofix should give us a better idea. Please post its report.

ComboFix 08-12-30.02 - Admin 2008-12-30 21:46:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1304 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVG


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-30 18:57 . 2008-12-30 18:57 1,958,450 --a------ c:\program files\pg2-rc1-test2.exe
2008-12-28 20:11 . 2008-12-30 09:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-28 19:51 . 2008-12-30 08:32 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-28 19:51 . 2008-12-28 19:51 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-28 19:51 . 2008-12-28 19:51 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-28 19:51 . 2008-12-28 19:51 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-28 19:51 . 2008-12-28 19:51 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-28 19:50 . 2008-12-28 19:50 <DIR> d-------- c:\program files\AVG
2008-12-28 19:37 . 2008-12-28 19:42 64,036,624 --a------ c:\program files\avg_ipw_stf_en_8_227a1407.exe
2008-12-28 19:02 . 2008-12-28 19:02 <DIR> d-------- c:\program files\BillP Studios
2008-12-28 19:02 . 2008-12-28 19:02 <DIR> d-------- c:\documents and settings\Admin\Application Data\WinPatrol
2008-12-28 17:16 . 2008-12-30 10:30 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-28 17:13 . 2008-12-28 17:13 726,384 --a------ c:\program files\WinPatrol_setup.exe
2008-12-28 17:12 . 2008-12-28 17:12 2,869,536 --a------ c:\program files\spywareblastersetup41.exe
2008-12-28 16:47 . 2008-12-28 16:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\PIXELA
2008-12-28 16:42 . 2008-12-28 16:42 <DIR> d-------- c:\program files\PIXELA
2008-12-28 16:42 . 2006-10-18 03:00 32,784 --------- c:\windows\system32\drivers\pxhelper.sys
2008-12-28 16:42 . 2006-10-18 03:00 12,345 --------- c:\windows\system32\drivers\pxhelper.vxd
2008-12-28 15:42 . 2008-12-28 15:42 <DIR> d--h----- c:\windows\PIF
2008-12-27 17:19 . 2008-12-27 17:19 <DIR> d-------- C:\_OTMoveIt
2008-12-27 14:20 . 2008-12-27 14:20 <DIR> d-------- c:\program files\uTorrent
2008-12-27 12:50 . 2008-12-27 12:50 <DIR> d-------- c:\program files\WinAVI MP4 Converter
2008-12-27 11:13 . 2008-12-27 11:13 <DIR> d-------- c:\program files\Philips
2008-12-25 11:38 . 2008-12-25 11:39 7,068,856 --a------ c:\program files\Eraser586_setup_2.exe
2008-12-25 09:36 . 2008-12-25 09:36 7,068,856 --a------ c:\program files\Eraser586_setup_1.exe
2008-12-25 09:27 . 2008-12-25 11:40 <DIR> d-------- c:\program files\Eraser
2008-12-24 22:10 . 2008-12-24 22:10 532,480 --a------ c:\program files\cwshredder_2.exe
2008-12-24 16:28 . 2008-12-24 16:29 12,861,144 --a------ c:\program files\a2FreeSetup_2.exe
2008-12-24 16:26 . 2008-12-24 16:26 3,165,824 --a------ c:\program files\ccsetup215_1.exe
2008-12-24 16:13 . 2008-12-24 16:14 18,274,059 --a------ c:\program files\FFSetup1_65.exe
2008-12-24 16:08 . 2008-12-24 16:08 <DIR> d-------- c:\documents and settings\Admin\Application Data\vlc
2008-12-24 16:05 . 2008-12-24 16:06 16,320,472 --a------ c:\program files\vlc-0.9.8a-win32.exe
2008-12-24 16:04 . 2008-12-24 16:05 9,398,688 --a------ c:\program files\vlc-0.8.6i-win32_1.exe
2008-12-24 16:04 . 2008-12-24 16:04 1,789 --a------ c:\program files\vlc-0.8.6i-win32.exe
2008-12-24 16:03 . 2008-12-24 16:04 7,068,856 --a------ c:\program files\Eraser586_setup.exe
2008-12-24 15:54 . 2008-12-24 15:54 155,648 --a------ c:\windows\system32\stuninstall.exe
2008-12-24 15:53 . 2008-12-24 15:53 <DIR> d-------- c:\program files\eraser53
2008-12-24 15:52 . 2008-12-24 15:52 718,000 --a------ c:\program files\dfsetup105.exe
2008-12-24 15:51 . 2008-12-24 15:51 882,489 --a------ c:\program files\pg2-050918-nt_1.exe
2008-12-24 15:47 . 2008-12-24 15:47 267,056 --a------ c:\program files\torrent_1.exe
2008-12-24 15:46 . 2008-12-24 15:46 267,056 --a------ c:\program files\torrent.exe
2008-12-24 15:45 . 2008-12-24 15:45 3,165,824 --a------ c:\program files\ccsetup215.exe
2008-12-24 15:43 . 2008-12-24 15:43 12,861,144 --a------ c:\program files\a2FreeSetup_1.exe
2008-12-24 15:41 . 2008-12-24 16:25 <DIR> d-------- c:\documents and settings\Admin\Application Data\Software Informer
2008-12-24 15:39 . 2008-12-24 15:39 8,054,520 --a------ c:\program files\asc-setup-pro.exe
2008-12-24 06:08 . 2008-12-24 06:08 <DIR> d-------- c:\program files\Lavasoft
2008-12-24 06:05 . 2008-12-24 06:07 23,804,784 --a------ c:\program files\Ad-Aware_2008.exe
2008-12-24 05:55 . 2008-12-24 05:58 <DIR> d-------- C:\fixwareout
2008-12-24 05:39 . 2008-12-30 08:53 <DIR> d-------- c:\program files\Trojan Killer
2008-12-24 05:06 . 2008-12-24 05:06 <DIR> d-------- C:\rsit
2008-12-24 05:04 . 2008-12-24 05:04 781,851 --a------ c:\program files\RSIT.exe
2008-12-21 19:23 . 2008-12-29 22:31 <DIR> d-------- c:\program files\a-squared Free
2008-12-21 19:22 . 2008-12-21 19:23 12,861,144 --a------ c:\program files\a2FreeSetup.exe
2008-12-21 17:24 . 2008-12-21 17:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-21 17:22 . 2008-12-21 17:23 16,041,192 --a------ c:\program files\spybotsd-1.6.1.41.exe
2008-12-21 13:44 . 2008-12-21 13:44 <DIR> d-------- c:\program files\RamBooster 2.0
2008-12-21 13:43 . 2008-12-21 13:43 381,841 --a------ c:\program files\RamBooster20.exe
2008-12-20 12:54 . 2008-12-20 12:54 20,234,544 --a------ c:\windows\system32\xa8310062.exe
2008-12-20 12:54 . 2008-12-20 12:54 20,234,544 --a------ c:\windows\system32\xa8307875.exe
2008-12-19 22:38 . 2008-12-19 22:38 <DIR> d-------- c:\documents and settings\Admin\Application Data\Thinstall
2008-12-19 13:19 . 2008-12-19 13:21 <DIR> d-------- c:\program files\ConvertHelper
2008-12-19 13:19 . 2008-12-19 13:19 3,493,157 --a------ c:\program files\ConvertHelperSetup.exe
2008-12-18 22:48 . 2008-12-18 22:48 <DIR> d-------- c:\documents and settings\Admin\Application Data\Snapfish
2008-12-18 22:46 . 2008-12-18 22:46 2,144,584 --a------ c:\program files\InstallWalgreensPluginV3.exe
2008-12-18 12:06 . 2008-12-18 12:06 401,720 --a------ c:\program files\HiJackThis.exe
2008-12-18 09:50 . 2008-12-18 09:50 <DIR> d-------- C:\VundoFix Backups
2008-12-18 09:50 . 2008-12-18 09:50 119,808 --a------ c:\program files\VundoFix.exe
2008-12-18 02:00 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll
2008-12-18 02:00 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2008-12-14 10:55 . 2008-12-14 10:55 <DIR> d-------- C:\temp
2008-12-14 10:55 . 2008-12-14 10:55 473,600 --a------ c:\temp\irsetup.exe
2008-12-14 10:55 . 2008-12-14 10:55 0 --a------ c:\temp\irsetup.dat
2008-12-11 15:41 . 2008-12-11 15:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-11 15:41 . 2008-12-11 15:41 <DIR> d-------- c:\documents and settings\Admin\Application Data\AVS4YOU
2008-12-11 15:39 . 2008-12-11 15:50 <DIR> d-------- c:\program files\Common Files\AVSMedia
2008-12-11 15:39 . 2007-02-27 18:36 974,848 --a------ c:\windows\system32\mfc70.dll
2008-12-11 15:39 . 2007-02-27 18:36 487,424 --a------ c:\windows\system32\msvcp70.dll
2008-12-11 15:39 . 2007-02-27 18:36 24,576 --a------ c:\windows\system32\msxml3a.dll
2008-12-10 12:41 . 2008-12-10 12:42 18,508,343 --a------ c:\program files\FFSetup_1.zip
2008-12-10 12:35 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2008-12-10 12:35 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2008-12-10 12:35 . 2002-01-05 14:37 344,064 --a------ c:\windows\system32\msvcr70.dll
2008-12-10 12:35 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2008-12-09 17:08 . 2008-12-24 22:59 <DIR> d-------- c:\program files\SpeedBit Video Accelerator
2008-12-09 17:06 . 2008-12-09 17:07 3,467,800 --a------ c:\program files\SpeedBit Video Accelerator_22.exe
2008-12-09 17:01 . 2008-12-09 17:02 7,930,904 --a------ c:\program files\dap9.exe
2008-12-06 14:26 . 2008-12-06 14:26 7,515,608 --a------ c:\program files\asc-setup_1.exe
2008-12-06 12:42 . 2008-12-07 00:39 <DIR> d-------- c:\documents and settings\Admin\Application Data\Safe Folder
2008-12-06 12:39 . 2008-12-25 00:16 <DIR> d-------- c:\documents and settings\Admin\Application Data\CyberScrub
2008-12-06 12:39 . 2007-02-07 11:08 84 --a------ c:\windows\csact.ini
2008-12-03 21:16 . 2008-12-03 21:16 <DIR> d-------- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2008-12-03 21:13 . 2008-12-03 21:13 <DIR> d-------- c:\documents and settings\Admin\Application Data\VSRevoGroup
2008-11-30 11:34 . 2008-11-30 12:33 <DIR> d-------- c:\program files\revouninstaller
2008-11-30 11:33 . 2008-11-30 11:33 1,768,946 --a------ c:\program files\revouninstaller.zip
2008-11-27 18:47 . 2008-11-27 18:47 0 --a------ c:\windows\system32\GHDLQYPCZJL
2008-11-27 17:59 . 2008-11-27 17:59 610,304 --a------ c:\program files\TCPOptimizer.exe
2008-11-26 12:03 . 2008-11-26 12:05 29,297,048 --a------ c:\program files\setupengpro.exe
2008-11-26 11:30 . 2008-11-26 11:30 532,480 --a------ c:\program files\cwshredder_1.exe
2008-11-26 11:28 . 2008-11-26 11:28 2,972,736 --a------ c:\program files\ccsetup214_1.exe
2008-11-26 11:24 . 2008-11-26 11:27 2,972,736 --a------ c:\program files\ccsetup214.exe
2008-11-26 00:10 . 2008-11-26 00:10 <DIR> d-------- c:\program files\Alwil Software
2008-11-24 08:32 . 2001-08-29 19:57 155,648 --a------ c:\windows\system32\addurl41.DLL
2008-11-24 08:32 . 2001-07-10 14:43 18,432 --a------ c:\windows\system32\winwatch.DLL
2008-11-24 08:24 . 2008-11-24 08:24 <DIR> d-------- c:\program files\Trend Micro
2008-11-24 08:24 . 2008-11-24 08:24 812,344 --a------ c:\program files\HJTInstall.exe
2008-11-24 08:12 . 2006-11-01 13:07 334,720 --a------ c:\program files\RootkitRevealer.exe
2008-11-24 08:11 . 2008-11-24 08:12 231,390 --a------ c:\program files\RootkitRevealer.zip
2008-11-23 23:16 . 2008-11-23 23:19 <DIR> d-------- c:\program files\RegCure
2008-11-23 12:09 . 2008-11-23 12:09 <DIR> d-------- c:\windows\Cache
2008-11-22 23:49 . 2008-11-22 23:49 <DIR> d-------- c:\documents and settings\Admin\Application Data\KC Softwares
2008-11-22 16:01 . 2008-11-22 16:01 <DIR> d-------- c:\program files\MRU-Blaster
2008-11-22 16:01 . 2008-11-22 16:01 507,960 --a------ c:\program files\mrublastersetup.exe
2008-11-22 00:53 . 2008-11-22 00:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-22 00:52 . 2008-12-08 23:38 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-22 00:51 . 2008-11-22 00:51 5,738,016 --a------ c:\program files\SUPERAntiSpyware.exe
2008-11-21 17:57 . 2008-11-21 17:57 532,480 --a------ c:\program files\cwshredder.exe
2008-11-21 17:46 . 2008-11-21 17:47 15,083,520 --a------ c:\program files\spybotsd160.exe
2008-11-21 12:32 . 2008-11-21 12:32 <DIR> d-------- c:\program files\runscanner
2008-11-21 12:26 . 2008-11-21 12:27 <DIR> d-------- c:\program files\Crap
2008-11-21 02:21 . 2008-11-21 02:21 <DIR> d-------- c:\documents and settings\Admin\Application Data\Nitro PDF
2008-11-21 02:16 . 2008-11-21 02:16 <DIR> d-------- c:\program files\Nitro PDF
2008-11-21 02:16 . 2008-11-21 02:16 <DIR> d-------- c:\program files\Common Files\Nitro PDF
2008-11-21 02:16 . 2008-11-21 02:16 <DIR> d-------- c:\program files\Common Files\BCL Technologies
2008-11-21 02:16 . 2008-11-21 02:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nitro PDF
2008-11-21 00:12 . 2008-11-21 00:16 7,574,342 --a------ c:\program files\firefox-3.1b2pre.en-US.win32.installer.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 05:50 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-31 02:58 --------- d-----w c:\program files\PeerGuardian2
2008-12-30 16:50 --------- d-----w c:\program files\Convert X to DVD
2008-12-30 16:47 --------- d-----w c:\documents and settings\Admin\Application Data\Vso
2008-12-29 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-29 03:44 --------- d-----w c:\program files\CCleaner
2008-12-29 01:46 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
2008-12-29 00:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 07:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-25 06:59 --------- d-----w c:\documents and settings\Admin\Application Data\Any Video Converter
2008-12-25 00:00 2,400,246 ----a-w c:\program files\eraser58setup.exe.dap
2008-12-24 14:08 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-22 00:54 1,791,702 ----a-w c:\program files\runscanner.zip.dap
2008-12-19 21:24 0 ----a-w c:\program files\acaladvdcreator.exe.dap
2008-12-10 21:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-10 20:36 --------- d-----w c:\program files\Magic Video Converter
2008-12-01 07:54 1,717 ----a-w c:\program files\sg_backup_2008-11-30-2354.spg
2008-11-28 05:57 156,421 ----a-w c:\program files\FHSetup.exe.dap
2008-11-28 01:59 1,717 ----a-w c:\program files\sg_backup_2008-11-27-1759.spg
2008-11-28 01:59 1,717 ----a-w c:\program files\FirstBackup.spg
2008-11-24 18:43 --------- d-----w c:\program files\IObit
2008-11-21 06:12 --------- d-----w c:\program files\hp deskjet 960c series
2008-11-21 05:52 0 ----a-w c:\program files\asc-setuppro.exe.dap
2008-11-19 09:48 --------- d-----w c:\documents and settings\Admin\Application Data\dvdcss
2008-11-16 18:14 --------- d-----w c:\program files\Any Video Converter
2008-11-16 17:51 54,618 ----a-w c:\program files\3001-8022_4-10903602.html
2008-11-16 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-11-16 17:19 --------- d-----w c:\program files\Yahoo!
2008-11-10 00:54 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-11-03 02:51 --------- d-----w c:\documents and settings\Admin\Application Data\IObit
2008-10-28 06:25 --------- d--h--w c:\documents and settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2008-10-28 06:25 --------- d-----w c:\documents and settings\NetworkService\Application Data\iolo
2008-10-28 06:25 --------- d-----w c:\documents and settings\Admin\Application Data\iolo
2008-10-25 03:37 6,095,368 ----a-w c:\program files\asc-setup.exe
2008-10-16 08:50 47,360 ----a-w c:\documents and settings\Admin\Application Data\pcouffin.sys
2008-10-05 11:20 4,865,408 ----a-w c:\program files\Silverlight.2.0.exe
2006-07-28 16:32 7,005 ----a-w c:\program files\Eula.txt
2005-12-07 22:19 102,160 ----a-w c:\program files\RootkitRevealer.chm
2005-09-19 04:35 882,489 ----a-w c:\program files\pg2-050918-nt.exe
2002-01-07 13:30 7,719 ----a-w c:\program files\eraser.xml
2002-01-07 13:30 5,715 ----a-w c:\program files\README.txt
2002-01-07 13:30 443 ----a-w c:\program files\file_id.diz
2002-01-07 13:30 181 ----a-w c:\program files\setup.exe.sig
2002-01-07 13:30 18,351 ----a-w c:\program files\COPYING.txt
.

------- Sigcheck -------

2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-10 03:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 23:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3qfe\tcpip.sys
2008-11-09 16:54 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\dllcache\TCPIP.SYS
2008-11-09 16:54 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DownloadAccelerator"="c:\program files\Download Accelerator Plus\DAP.exe" [2008-12-09 3114496]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-07 376832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-28 1601304]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
MRU-Blaster Silent Clean.lnk - c:\program files\MRU-Blaster\mrublaster.exe [2004-03-28 1216512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client Manager.lnk - c:\program files\2Wire Wireless\Client Manager\CMTWO.EXE [2008-10-13 323584]
New Application.lnk - c:\windows\system32\winlogon.exe [2004-08-10 507904]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-08 23:38 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-12-28 19:51 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-12-17 23:23 2107224 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Program Files\\torrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\torrent_1.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12505:TCP"= 12505:TCP:BitComet 12505 TCP
"12505:UDP"= 12505:UDP:BitComet 12505 UDP
"62622:TCP"= 62622:TCP:utorrent

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-28 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-28 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-28 107272]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-28 298264]
R2 bepldr;BCL easyPDF SDK 5 Loader;"c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe" [2007-08-22 151552]
R2 MSSQL$NR2005;MSSQL$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005 []
R2 sbbotdi;sbbotdi;\??\c:\progra~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-12-09 35584]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-14 33752]
S3 GHHHVUTL;GHHHVUTL; []
S3 MIFIG;MIFIG; []
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 SQLAgent$NR2005;SQLAgent$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE -i NR2005 []
S3 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe -start -scm []
S3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\DRIVERS\WlanUIG.sys [2008-10-13 347648]
S3 XCVDBA;XCVDBA; []

*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2008-12-05 02:18]

2008-12-31 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/b/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Clean Traces - c:\program files\Download Accelerator Plus\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\Download Accelerator Plus\dapextie.htm
IE: Download &all with DAP - c:\program files\Download Accelerator Plus\dapextie2.htm
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\Download Accelerator Plus\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\Download Accelerator Plus\dapie.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 21:50:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\.Default\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\AppGPFault\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\CCSelect\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\Close\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\DeviceConnect\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\DeviceFail\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\MailBeep\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\Maximize\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\MenuCommand\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\MenuPopup\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\Minimize\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\Open\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\PrintComplete\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\RestoreDown\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\RestoreUp\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\ShowBand\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\SystemAsterisk\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\SystemExclamation\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\SystemExit\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\SystemHand\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\SystemNotification\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\SystemQuestion\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\SystemStart\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\WindowsLogoff\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\.Default\WindowsLogon\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Conf\Person Joins\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Conf\Person Leaves\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Conf\Receive Call\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Conf\Receive Request to Join\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Explorer\ActivatingDocument\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Explorer\BlockedPopup\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Explorer\MoveMenuItem\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Explorer\Navigating\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\Explorer\SecurityBand\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_ContactOnline\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewAlert\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMail\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMessage\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security="Inherited"
@=""

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\AppEvents\Schemes\Names\T*NULL*r*NULL*o*NULL*y*NULL*0*NULL*B~]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
@="Troy"

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (S-1-5-21-343818398-1326574676-839522115-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-343818398-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Denied: (A 2) (Everyone)
@Denied: (A 2) (S-1-5-7)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash6.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\Programmable]
@Owner=S-1-5-21-343818398-1326574676-839522115-1003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL
L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*u�|·*NULL*]
@Security="Inherited"
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="6.14.10.6525"
"DeviceInstanceIds"=multi:"c:\\dell\\drivers\\r101520\\driver\\2kxp_inf\\cx_23511.inf\00"

[HKEY_LOCAL_MACHINE\software\SigmaTel\GlobalState]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-343818398-1326574676-839522115-1003
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\a-squared Free\a2service.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-30 21:53:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 05:53:06
ComboFix.txt 2008-12-30 16:21:07

Pre-Run: 101,810,716,672 bytes free
Post-Run: 101,803,249,664 bytes free

807 --- E O F --- 2008-12-18 11:53:12

Hi, SholessTroy

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time.

There are basically two types of these programs:
On-Access and On-Demand

On-Access Scanners
As the name implies, are scanners that run in the background all the time the PC is turned on and running. The main function of an On-Access scanner is to monitor activity on your machine.

On-Demand Scanners
As the name implies, are scanners that only run when you ask them to. Such as: Online Scans and scanners that run on your machine but are not actively scanning your machine.

Many peer-to-peer networks are under constant attack by people with a variety of motives.

Examples include:

• poisoning attacks (e.g. providing files whose contents are different than the description)
• denial of service attacks (attacks that may make the network run very slowly or break completely)
• defection attacks (users or software that make use of the network without contributing resources to it)
• insertion of viruses to carried data (e.g. downloaded or carried files may be infected with viruses or other malware)
• malware in the peer-to-peer network software itself (e.g. distributed software may contain spyware)
• filtering (network operators may attempt to prevent peer-to-peer network data from being carried)
• identity attacks (e.g. tracking down the users of the network and harassing or legally attacking them)
• spamming (e.g. sending unsolicited information across the network- not necessarily as a denial of service attack)

• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file paths into the "Suspicious files to scan"box one by one on the top of the page:
  
  c:\windows\system32\xa8310062.exe
  c:\windows\system32\xa8307875.exe
  
  
• Click on the Upload button
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure the following is checked.
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
• Click the "Download" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u11-windows-i586-p.exe) and select "Run as an Administrator.")

I'm getting the following error message while trying to upload the suspicious files [c:\windows\system32\xa8310062.exe &
c:\windows\system32\xa8307875.exe] on the VirSCAN website.

ERROR: Maximum upload size of 10 exceeded. Your upload has failed!



Evidently those 2 exe files are for a program called Blaze Media Pro which is not a program I ever plan on using.

If you are sure of it, remove it from your system, as well as these files.

In regard to the Antivirus, yes, A-Square is the second entry I see.

I would like to see a Kaspersky scan to discard remnants.

A-Squared has been uninstalled and below is the scan report from Kaspersky

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 31, 2008 13:39:54
Records in database: 1538315
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\

Scan statistics:
Files scanned: 212527
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:36:22

No malware has been detected. The scan area is clean.

The selected area was scanned.

How is the computer doing?

Great..Thank you very much!

Hi, SholessTroy.

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
  
  

Create a Restore point (If the above process fails to do so):

1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
2. In the System Restore dialog box, click Create a restore point, and then click Next.
3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
   
2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
   
3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
   
4. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
   
5. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
   
6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
   
7. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
   
8. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
   
9. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
   
10. Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Miekiemoes.

Click Here for some advise from our security Experts.

Please use the thread's Tools and mark this thread as "Solved".

Best wishes!

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.