Possible infected but not sure what?

Hi,

I have been trying to work out why when I do a search in google it keeps getting redirected. I have downloaded a few spyware program and what its found it has deleted, but I am still having the same problem.

I downloaded Malawares and it didnt find anything.

I have just run hijack this see results below, I have run a few other, but not sure what you need to help me out.

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:31 PM, on 28/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/def...://au.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SetDefPrt2] C:\Program Files\Brother\Brmfl06b\BrStDvPt.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://216.240.157.195/bigw/ax/ImageUploader5.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: TPSvc - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: getPlus® Installer - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TVService - Team MediaPortal - C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe
O23 - Service: XAudioService - Unknown owner - C:\WINDOWS\system32\DRIVERS\xaudio.exe (file missing)

--
End of file - 10685 bytes

Edited by tripplej, 28 February 2010 - 03:10 AM.

Hi,

Just some further info..I installed stop zilla, and it came up with about 90 problems, but when I ran, malawares and spybot it didnt come up with anything.

The browswer situation is getting worse, it is even bring up a pop up window. Prior to all of this I wasnt getting any pop up windows. IE would always ask me to accept a new pop up window, if that makes sense.

I appreciate you guys are very busy, but if their is anyone that can help me solve my problem, I would really appreciate it, I have tried everything I know but its beyond my skills, surfed the net but cant seem to find a solution and google is very frustrating with the redirecting problem.....

Thanks again for taking the time to read this....

Thanks

Edited by tripplej, 01 March 2010 - 04:23 PM.

Hello tripplej Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



In order to better assist you I will need the following:




Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt

If you have any CD emulation software such as Daemon or Alcohol please run the following before you run GMER. If you do not skip DeFogger and go right on to GMER. If you do use it let me know so we can reenable when we finish up.



Disable:


Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
• Click the Disable button to disable your CD Emulation drivers.
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.






Download GMER Rootkit Scanner from here to your desktop.

• Double click the exe file.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries



If GMER does not want to run add the following to those that you unchecked and try it again:

• Registry
• Files
  

Note: Please make only the Attach.txt from DDS an attachment, post the other logs directly into the reply window.



Thanks,



thewall

Hi Thanks for your help as requested here is the DSS file:
Note: I am not sure what are script blockers, I dont think I have any...

DDS (Ver_09-12-01.01) - NTFSx86
Run by Sharon at 21:12:05.95 on Fri 05/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.681 [GMT 11:00]

AV: HAURI AntiVirus ViRobot *On-access scanning enabled* (Updated) {0E1A4B6B-60E9-4B3A-8031-1950BD69B260}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\AccessControl\HFACSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\DOCUME~1\Sharon\LOCALS~1\Temp\RtkBtMnt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsock.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hauri\Common\Base\vrscan.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\hpcsvc.exe
C:\Program Files\Hauri\Common\hsvcmod.exe
C:\Program Files\Hauri\Common\Base\vrmonsvc.exe
C:\Program Files\Hauri\Common\Base\vrrepair.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\AntiSpam\HSockPE.exe
C:\Program Files\Hauri\Common\Base\vrmonnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sharon\Desktop\New Folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
uURLSearchHooks: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin1.dll
uWindows: run=0000
uWindows: load=0000
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin1.dll
BHO: {E3215F20-3212-11D6-9F8B-00D0B743919D} - No File
BHO: IEHelpObj Class: {ec45e3fe-c16d-4f24-9238-d1b49ad74815} - c:\program files\hauri\virobot desktop 5.5\service\hWebMan.dll
TB: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin1.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [SetDefPrt2] c:\program files\brother\brmfl06b\BrStDvPt.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Vrmon] c:\program files\hauri\common\base\VRMONNT.EXE
mRun: [HEProtect] c:\program files\hauri\virobot desktop 5.5\antispam\HSockPE.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://216.240.157.195/bigw/ax/ImageUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {BA3ED5CB-4935-4B1C-A418-AC9CCE2275C1} - hxxp://hglobal.globalhauri.com/HProduct/LCS2p/globalhauri/CLIENT/LCS2p/web/hLcs2Pre.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sharon\applic~1\mozilla\firefox\profiles\a301cii2.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-8-29 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-29 234888]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-3-27 165160]
R2 hpcsvc;ViRobot Communication Service;c:\program files\hauri\virobot desktop 5.5\hpcsvc.exe [2010-3-2 513616]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-12-23 14976]
R2 ViRobot Common Scan Service;ViRobot Common Scan Service;c:\program files\hauri\common\base\vrscan.exe [2010-3-2 172032]
R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [2008-11-11 74624]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100304.005\NAVENG.sys [2010-3-5 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100304.005\NAVEX15.sys [2010-3-5 1324720]
R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;c:\windows\system32\drivers\VRFWNTD5.SYS [2010-3-2 84736]
R3 vrrepair;ViRobot Repairing Service;c:\program files\hauri\common\base\vrrepair.exe [2010-3-2 502368]
R3 VRsecos;VRsecos;c:\windows\system32\drivers\VRsecos.sys [2010-3-2 21016]
S2 TVService;TVService;c:\program files\team mediaportal\mediaportal tv server\TvService.exe [2009-5-9 192512]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-12-27 1684736]
S3 benqusbser;BenQ Handset USB Device for Legacy Serial Communication;c:\windows\system32\drivers\BenQusbser.sys [2008-3-26 100992]
S3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [2008-11-11 97664]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]
S3 getPlus® Installer;getPlus® Installer;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2009-11-10 572544]
S3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\drivers\u3kmini.sys [2009-9-26 352000]

=============== Created Last 30 ================

2010-03-03 07:21:17 244 ---ha-w- C:\sqmnoopt11.sqm
2010-03-03 07:21:17 232 ---ha-w- C:\sqmdata11.sqm
2010-03-02 09:46:31 40 ----a-w- c:\windows\HEPMain.INI
2010-03-02 05:47:09 0 d-----w- c:\docume~1\sharon\applic~1\HAURI
2010-03-02 05:16:52 33080 ------w- c:\windows\system32\drivers\vracfil.sys
2010-03-02 05:16:51 21016 ------w- c:\windows\system32\drivers\VRsecos.sys
2010-03-02 05:16:50 84736 ----a-w- c:\windows\system32\drivers\VRFWNTD5.SYS
2010-03-02 05:16:48 115072 ----a-w- c:\windows\system32\drivers\vradfil.sys
2010-03-02 05:16:41 403051 ------w- c:\windows\system32\drivers\virobot.vib
2010-03-02 01:31:57 869768 ----a-w- c:\windows\system32\lsuni2.exe
2010-03-02 01:17:46 0 d-----w- c:\windows\system32\LcSkin
2010-03-02 01:17:45 0 d-----w- c:\program files\HAURI
2010-02-28 08:57:09 0 d-----w- c:\program files\Everything
2010-02-28 06:10:05 77312 ----a-w- c:\windows\MBR.exe
2010-02-28 06:10:04 261632 ----a-w- c:\windows\PEV.exe
2010-02-28 05:31:59 0 d-----w- c:\windows\system32\appmgmt
2010-02-28 02:37:48 424 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-02-28 02:36:58 2200 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-28 02:16:30 0 d-sha-r- C:\cmdcons
2010-02-28 02:13:11 98816 ----a-w- c:\windows\sed.exe
2010-02-28 02:13:11 161792 ----a-w- c:\windows\SWREG.exe
2010-02-27 13:40:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-27 10:50:20 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-02-27 10:49:24 0 d-----w- c:\program files\common files\iS3
2010-02-27 10:49:24 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-02-27 09:26:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-02-27 09:26:12 0 d-----w- c:\program files\Security Task Manager
2010-02-27 06:10:13 0 d-----w- c:\program files\Spyware Doctor
2010-02-27 06:10:13 0 d-----w- c:\docume~1\sharon\applic~1\PC Tools
2010-02-27 06:10:13 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-02-25 16:06:54 0 d-----w- c:\program files\Trend Micro
2010-02-24 13:53:41 244 ---ha-w- C:\sqmnoopt10.sqm
2010-02-24 13:53:41 232 ---ha-w- C:\sqmdata10.sqm
2010-02-09 13:26:41 0 d-----w- c:\program files\common files\PCSuite
2010-02-09 13:26:36 0 d-----w- c:\program files\common files\Nokia
2010-02-09 13:26:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-02-09 13:26:18 0 d-----w- c:\program files\PC Connectivity Solution
2010-02-09 13:25:55 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-02-09 13:25:54 0 d-----w- c:\program files\Nokia

==================== Find3M ====================

2010-03-01 03:24:18 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-07 05:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 05:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 00:59:46 737280 ----a-w- c:\windows\iun6002.exe
2009-12-18 07:15:30 1324504 ----a-w- c:\windows\system32\hIns2p.exe
2009-12-11 05:46:27 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-08-13 18:18:32 88 --sh--r- c:\windows\system32\A0EC11609E.sys

============= FINISH: 21:13:16.70 ===============

Here is the GMER file, unforutunately I had problems running it, so had to remove the files and registry option.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-05 22:20:54
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Sharon\LOCALS~1\Temp\kfwyipoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs vracfil.sys (VRAC Filter for Windows NT/2K/XP/HAURI)
AttachedDevice \FileSystem\Ntfs \Ntfs VRADFIL.SYS (VR Filter for Windows NT/2K/XP/Vista/Win7/Hauri, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort3 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat vracfil.sys (VRAC Filter for Windows NT/2K/XP/HAURI)
AttachedDevice \FileSystem\Fastfat \Fat VRADFIL.SYS (VR Filter for Windows NT/2K/XP/Vista/Win7/Hauri, Inc.)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

You did fine, we'll go with ComboFix next:



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi,

Just wanted to let you know I am having trouble running the combofix exe as it keeps hanging... any ideas on what I can do.

Are you disabling both Symantec and TeaTimer first?

Symantec was disabled, and I believe I deleted tea timer. I downloaded the second link and it appears to have work, now I am not sure if I managed to disable Hauri. It kept coming up saying it was still active, but I went into the software and stopped the real time scanning...

Here is the log file... thanks

ComboFix 10-03-04.05 - Sharon 06/03/2010 2:32.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.1540 [GMT 11:00]
Running from: c:\documents and settings\Sharon\Desktop\New Folder\ComboFix.exe
AV: HAURI AntiVirus ViRobot *On-access scanning enabled* (Updated) {0E1A4B6B-60E9-4B3A-8031-1950BD69B260}
.

((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-03 23:21 . 2010-03-03 23:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-02 05:47 . 2010-03-05 02:28 -------- d-----w- c:\documents and settings\Sharon\Application Data\HAURI
2010-03-02 05:16 . 2010-01-04 23:32 33080 ------w- c:\windows\system32\drivers\vracfil.sys
2010-03-02 05:16 . 2010-01-04 23:32 21016 ------w- c:\windows\system32\drivers\VRsecos.sys
2010-03-02 05:16 . 2010-01-04 23:32 84736 ----a-w- c:\windows\system32\drivers\VRFWNTD5.SYS
2010-03-02 05:16 . 2010-03-02 05:35 115072 ----a-w- c:\windows\system32\drivers\vradfil.sys
2010-03-02 01:31 . 2010-03-02 01:31 869768 ----a-w- c:\windows\system32\lsuni2.exe
2010-03-02 01:17 . 2010-03-02 04:30 -------- d-----w- c:\windows\system32\LcSkin
2010-03-02 01:17 . 2010-03-02 05:15 -------- d-----w- c:\program files\HAURI
2010-02-28 13:29 . 2010-02-28 13:31 -------- d-----w- C:\rsit
2010-02-28 08:57 . 2010-02-28 11:56 -------- d-----w- c:\program files\Everything
2010-02-28 02:55 . 2010-02-28 02:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-27 13:40 . 2010-03-03 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-27 10:50 . 2010-02-27 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-02-27 10:49 . 2010-02-28 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-27 10:49 . 2010-02-27 10:49 -------- d-----w- c:\program files\Common Files\iS3
2010-02-27 06:14 . 2010-02-27 06:14 -------- d-----w- c:\documents and settings\Sharon\Local Settings\Application Data\Threat Expert
2010-02-27 06:10 . 2010-03-03 02:05 -------- d-----w- c:\program files\Spyware Doctor
2010-02-27 06:10 . 2010-02-27 06:10 -------- d-----w- c:\documents and settings\Sharon\Application Data\PC Tools
2010-02-27 06:10 . 2010-02-27 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-25 16:06 . 2010-02-25 16:06 -------- d-----w- c:\program files\Trend Micro
2010-02-09 13:28 . 2010-02-09 13:33 -------- d-----w- c:\documents and settings\Sharon\Application Data\Nokia
2010-02-09 13:28 . 2010-02-09 13:28 -------- d-----w- c:\documents and settings\Sharon\Application Data\PC Suite
2010-02-09 13:28 . 2010-02-09 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\Common Files\PCSuite
2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\Common Files\Nokia
2010-02-09 13:26 . 2008-08-25 22:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\PC Connectivity Solution
2010-02-09 13:25 . 2009-10-06 00:52 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-02-09 13:25 . 2010-02-09 13:26 -------- d-----w- c:\program files\Nokia
2010-02-09 13:25 . 2010-02-09 13:24 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_web.exe
2010-02-09 13:25 . 2010-02-09 13:25 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
2010-02-09 13:25 . 2010-02-09 13:25 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
2010-02-09 13:25 . 2010-02-09 13:25 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-02-09 13:25 . 2010-02-09 13:25 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
2010-02-09 13:25 . 2010-02-09 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 13:40 . 2009-11-03 22:54 -------- d-----w- c:\documents and settings\Sharon\Application Data\Canon
2010-03-03 02:10 . 2008-12-26 15:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 05:15 . 2008-08-01 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-01 03:24 . 2009-08-13 18:18 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-01 03:23 . 2009-04-03 03:17 -------- d-----w- c:\documents and settings\Sharon\Application Data\Azureus
2010-03-01 03:23 . 2010-01-03 01:04 -------- d-----w- c:\documents and settings\Sharon\Application Data\vlc
2010-02-28 02:56 . 2010-01-08 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-28 02:46 . 2010-02-28 02:36 2200 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-28 02:45 . 2010-02-28 02:37 424 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-02-27 10:38 . 2010-02-27 09:26 -------- d-----w- c:\program files\Security Task Manager
2010-02-27 10:38 . 2010-02-27 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-02-09 13:26 . 2009-06-25 16:48 -------- d-----w- c:\program files\DIFX
2010-01-24 08:44 . 2008-08-01 15:59 128728 ----a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-24 08:41 . 2008-10-31 19:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-23 06:00 . 2010-01-23 05:59 -------- d-----w- c:\program files\Adobe Media Player
2010-01-08 22:06 . 2009-09-25 15:56 -------- d-----w- c:\program files\Microsoft SQL Server
2010-01-08 15:58 . 2010-01-08 06:48 -------- d-----w- c:\program files\PlayBox
2010-01-08 15:20 . 2010-01-08 15:20 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
2010-01-08 15:19 . 2010-01-08 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-08 06:48 . 2010-01-08 06:48 -------- d-----w- c:\documents and settings\Sharon\Application Data\PlayBox
2010-01-08 00:51 . 2009-04-03 03:14 -------- d-----w- c:\program files\Vuze
2010-01-07 05:07 . 2010-01-08 15:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 05:07 . 2010-01-08 15:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 23:29 . 2010-03-02 05:16 403051 ------w- c:\windows\system32\drivers\virobot.vib
2010-01-03 00:59 . 2010-01-03 01:00 737280 ----a-w- c:\windows\iun6002.exe
2009-12-18 07:15 . 2009-12-18 07:15 1324504 ----a-w- c:\windows\system32\hIns2p.exe
2009-12-15 12:32 . 2009-12-15 12:32 3638 ----a-r- c:\documents and settings\Sharon\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
2009-12-11 05:46 . 2009-12-11 05:46 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-08-13 18:18 . 2009-08-13 18:18 88 --sh--r- c:\windows\system32\A0EC11609E.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-28_06.48.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-05 15:12 . 2010-03-05 15:12 16384 c:\windows\Temp\Perflib_Perfdata_714.dat
- 2001-08-23 12:00 . 2010-02-28 05:53 90340 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2010-03-05 15:16 90340 c:\windows\system32\perfc009.dat
+ 2005-02-13 18:55 . 2005-02-13 18:55 126976 c:\windows\system32\vrpacker.dll
+ 2001-08-23 12:00 . 2010-03-05 15:16 491506 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-02-28 05:53 491506 c:\windows\system32\perfh009.dat
+ 2002-05-12 23:24 . 2002-05-12 23:24 155648 c:\windows\system32\HVrunzip.dll
+ 2009-08-04 23:53 . 2009-08-04 23:53 543416 c:\windows\system32\hksec.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]

[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]
2010-02-16 06:55 2349080 ----a-w- c:\program files\Mininova-Vuze\tbMin1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D51D388B-F5DC-471A-A1CE-5E2D671091C0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-20 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-06-04 1400944]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-20 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-20 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-20 138008]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"SetDefPrt2"="c:\program files\Brother\Brmfl06b\BrStDvPt.exe" [2005-01-26 49152]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-03-27 181544]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Vrmon"="c:\program files\Hauri\Common\Base\VRMONNT.EXE" [2010-01-06 314080]
"HEProtect"="c:\program files\Hauri\ViRobot Desktop 5.5\AntiSpam\HSockPE.exe" [2010-01-04 385112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-12-11 66864]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2009-9-19 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2009-9-19 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\D-Link\\SharePort\\SharePort Network USB Utility.exe"=
"c:\\Program Files\\Aurora\\Aurora.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
"67:UDP"= 67:UDP:DHCP Discovery Service
"58905:TCP"= 58905:TCP:Pando
"58905:UDP"= 58905:UDP:Pando
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 1:03 PM 169312]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 3:16 PM 79432]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [29/08/2009 3:27 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [29/08/2009 3:28 PM 234888]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [27/03/2009 4:54 PM 165160]
R2 hpcsvc;ViRobot Communication Service;c:\program files\HAURI\ViRobot Desktop 5.5\hpcsvc.exe [2/03/2010 4:16 PM 513616]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [23/12/2009 4:11 PM 14976]
R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [11/11/2008 4:01 PM 74624]
R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;c:\windows\system32\drivers\VRFWNTD5.SYS [2/03/2010 4:16 PM 84736]
S2 TVService;TVService;c:\program files\Team MediaPortal\MediaPortal TV Server\TvService.exe [9/05/2009 9:36 AM 192512]
S2 ViRobot Common Scan Service;ViRobot Common Scan Service;c:\program files\HAURI\Common\Base\vrscan.exe [2/03/2010 4:16 PM 172032]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [27/12/2008 3:23 PM 1684736]
S3 benqusbser;BenQ Handset USB Device for Legacy Serial Communication;c:\windows\system32\drivers\BenQusbser.sys [26/03/2008 7:48 AM 100992]
S3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [11/11/2008 4:01 PM 97664]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [18/08/2005 7168]
S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [10/11/2009 1:46 PM 572544]
S3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\drivers\u3kmini.sys [26/09/2009 3:10 AM 352000]
S3 vrrepair;ViRobot Repairing Service;c:\program files\HAURI\Common\Base\vrrepair.exe [2/03/2010 4:16 PM 502368]
S3 VRsecos;VRsecos;c:\windows\system32\drivers\VRsecos.sys [2/03/2010 4:16 PM 21016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-03-05 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2010-03-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{0B1DE980-2276-448A-BF6F-46E749383AD0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {BA3ED5CB-4935-4B1C-A418-AC9CCE2275C1} - hxxp://hglobal.globalhauri.com/HProduct/LCS2p/globalhauri/CLIENT/LCS2p/web/hLcs2Pre.cab
FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\a301cii2.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 02:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A53B8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9ef6b3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9dffbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e0ca21
SendHandler -> NDIS.sys @ 0xb9dea87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(196)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-06 02:45:39
ComboFix-quarantined-files.txt 2010-03-05 15:45
ComboFix2.txt 2010-02-28 06:54
ComboFix3.txt 2010-02-28 06:25
ComboFix4.txt 2010-02-28 02:45

Pre-Run: 10,123,083,776 bytes free
Post-Run: 10,264,637,440 bytes free

- - End Of File - - EA891269D8250223DEE2E5C3F363F5FB

• Download TDSSKiller and save it to your Desktop.
• Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
• Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
  
  "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  
  
• If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
• When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Here is the log file:

03:09:44:359 2064 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
03:09:44:359 2064 ================================================================================
03:09:44:359 2064 SystemInfo:

03:09:44:359 2064 OS Version: 5.1.2600 ServicePack: 3.0
03:09:44:359 2064 Product type: Workstation
03:09:44:359 2064 ComputerName: SHARON-AVIMTNTW
03:09:44:359 2064 UserName: Sharon
03:09:44:359 2064 Windows directory: C:\WINDOWS
03:09:44:359 2064 Processor architecture: Intel x86
03:09:44:359 2064 Number of processors: 2
03:09:44:359 2064 Page size: 0x1000
03:09:44:375 2064 Boot type: Normal boot
03:09:44:375 2064 ================================================================================
03:09:44:375 2064 UnloadDriverW: NtUnloadDriver error 2
03:09:44:375 2064 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
03:09:44:421 2064 Initialize success
03:09:44:421 2064
03:09:44:421 2064 Scanning Services ...
03:09:44:421 2064 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
03:09:44:421 2064 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
03:09:44:421 2064 wfopen_ex: Trying to KLMD file open
03:09:44:421 2064 wfopen_ex: File opened ok (Flags 2)
03:09:44:421 2064 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
03:09:44:421 2064 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
03:09:44:421 2064 wfopen_ex: Trying to KLMD file open
03:09:44:421 2064 wfopen_ex: File opened ok (Flags 2)
03:09:44:968 2064 GetAdvancedServicesInfo: Raw services enum returned 424 services
03:09:44:984 2064 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
03:09:44:984 2064 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
03:09:44:984 2064
03:09:44:984 2064 Scanning Kernel memory ...
03:09:44:984 2064 Devices to scan: 2
03:09:44:984 2064
03:09:44:984 2064 Driver Name: Disk
03:09:44:984 2064 IRP_MJ_CREATE : BA10EBB0
03:09:44:984 2064 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
03:09:44:984 2064 IRP_MJ_CLOSE : BA10EBB0
03:09:44:984 2064 IRP_MJ_READ : BA108D1F
03:09:44:984 2064 IRP_MJ_WRITE : BA108D1F
03:09:44:984 2064 IRP_MJ_QUERY_INFORMATION : 804F4562
03:09:44:984 2064 IRP_MJ_SET_INFORMATION : 804F4562
03:09:44:984 2064 IRP_MJ_QUERY_EA : 804F4562
03:09:44:984 2064 IRP_MJ_SET_EA : 804F4562
03:09:44:984 2064 IRP_MJ_FLUSH_BUFFERS : BA1092E2
03:09:44:984 2064 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
03:09:44:984 2064 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
03:09:44:984 2064 IRP_MJ_DIRECTORY_CONTROL : 804F4562
03:09:44:984 2064 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
03:09:44:984 2064 IRP_MJ_DEVICE_CONTROL : BA1093BB
03:09:44:984 2064 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
03:09:44:984 2064 IRP_MJ_SHUTDOWN : BA1092E2
03:09:44:984 2064 IRP_MJ_LOCK_CONTROL : 804F4562
03:09:44:984 2064 IRP_MJ_CLEANUP : 804F4562
03:09:44:984 2064 IRP_MJ_CREATE_MAILSLOT : 804F4562
03:09:44:984 2064 IRP_MJ_QUERY_SECURITY : 804F4562
03:09:44:984 2064 IRP_MJ_SET_SECURITY : 804F4562
03:09:44:984 2064 IRP_MJ_POWER : BA10AC82
03:09:44:984 2064 IRP_MJ_SYSTEM_CONTROL : BA10F99E
03:09:44:984 2064 IRP_MJ_DEVICE_CHANGE : 804F4562
03:09:44:984 2064 IRP_MJ_QUERY_QUOTA : 804F4562
03:09:44:984 2064 IRP_MJ_SET_QUOTA : 804F4562
03:09:44:984 2064 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
03:09:44:984 2064 sion
03:09:45:000 2064 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
03:09:45:000 2064
03:09:45:000 2064 Driver Name: atapi
03:09:45:000 2064 IRP_MJ_CREATE : B9EF6B3A
03:09:45:000 2064 IRP_MJ_CREATE_NAMED_PIPE : B9EF6B3A
03:09:45:000 2064 IRP_MJ_CLOSE : B9EF6B3A
03:09:45:000 2064 IRP_MJ_READ : B9EF6B3A
03:09:45:000 2064 IRP_MJ_WRITE : B9EF6B3A
03:09:45:000 2064 IRP_MJ_QUERY_INFORMATION : B9EF6B3A
03:09:45:000 2064 IRP_MJ_SET_INFORMATION : B9EF6B3A
03:09:45:000 2064 IRP_MJ_QUERY_EA : B9EF6B3A
03:09:45:000 2064 IRP_MJ_SET_EA : B9EF6B3A
03:09:45:000 2064 IRP_MJ_FLUSH_BUFFERS : B9EF6B3A
03:09:45:000 2064 IRP_MJ_QUERY_VOLUME_INFORMATION : B9EF6B3A
03:09:45:000 2064 IRP_MJ_SET_VOLUME_INFORMATION : B9EF6B3A
03:09:45:000 2064 IRP_MJ_DIRECTORY_CONTROL : B9EF6B3A
03:09:45:000 2064 IRP_MJ_FILE_SYSTEM_CONTROL : B9EF6B3A
03:09:45:000 2064 IRP_MJ_DEVICE_CONTROL : B9EF6B3A
03:09:45:000 2064 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9EF6B3A
03:09:45:000 2064 IRP_MJ_SHUTDOWN : B9EF6B3A
03:09:45:000 2064 IRP_MJ_LOCK_CONTROL : B9EF6B3A
03:09:45:000 2064 IRP_MJ_CLEANUP : B9EF6B3A
03:09:45:000 2064 IRP_MJ_CREATE_MAILSLOT : B9EF6B3A
03:09:45:000 2064 IRP_MJ_QUERY_SECURITY : B9EF6B3A
03:09:45:000 2064 IRP_MJ_SET_SECURITY : B9EF6B3A
03:09:45:000 2064 IRP_MJ_POWER : B9EF6B3A
03:09:45:000 2064 IRP_MJ_SYSTEM_CONTROL : B9EF6B3A
03:09:45:000 2064 IRP_MJ_DEVICE_CHANGE : B9EF6B3A
03:09:45:000 2064 IRP_MJ_QUERY_QUOTA : B9EF6B3A
03:09:45:000 2064 IRP_MJ_SET_QUOTA : B9EF6B3A
03:09:45:000 2064 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
03:09:45:000 2064 TDL3_IrpHookDetect: New IrpHandler addr: 8A53B8C8
03:09:45:000 2064 ihd: 10, FFDF0308, 510, 134, 3, 120, 0
03:09:45:000 2064 Driver "atapi" Irp handler infected by TDSS rootkit ... 03:09:45:000 2064 cured
03:09:45:000 2064 siohd: 0
03:09:45:015 2064 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
03:09:45:015 2064 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 03:09:45:015 2064 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
03:09:45:015 2064 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
03:09:45:421 2064 vfvi6
03:09:45:484 2064 !dsvbh1
03:09:51:734 2064 dsvbh2
03:09:51:734 2064 fdfb2
03:09:51:734 2064 Backup copy found, using it..
03:09:51:781 2064 will be cured on next reboot
03:09:51:781 2064 Reboot required for cure complete..
03:09:51:796 2064 Cure on reboot scheduled successfully
03:09:51:796 2064
03:09:51:796 2064 Completed
03:09:51:796 2064
03:09:51:796 2064 Results:
03:09:51:796 2064 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
03:09:51:796 2064 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
03:09:51:796 2064 File objects infected / cured / cured on reboot: 1 / 0 / 1
03:09:51:796 2064
03:09:51:796 2064 UnloadDriverW: NtUnloadDriver error 1
03:09:51:796 2064 KLMD_Unload: UnloadDriverW(klmd21) error 1
03:09:51:796 2064 KLMD(ARK) unloaded successfully

That looks good, please rerun ComboFix and post the log it produces.

Here is the scan:

ComboFix 10-03-04.05 - Sharon 06/03/2010 3:27.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.1403 [GMT 11:00]
Running from: c:\documents and settings\Sharon\Desktop\New Folder\ComboFix.exe
AV: HAURI AntiVirus ViRobot *On-access scanning enabled* (Updated) {0E1A4B6B-60E9-4B3A-8031-1950BD69B260}
.

((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-03 23:21 . 2010-03-03 23:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-02 05:47 . 2010-03-05 02:28 -------- d-----w- c:\documents and settings\Sharon\Application Data\HAURI
2010-03-02 05:16 . 2010-01-04 23:32 33080 ------w- c:\windows\system32\drivers\vracfil.sys
2010-03-02 05:16 . 2010-01-04 23:32 21016 ------w- c:\windows\system32\drivers\VRsecos.sys
2010-03-02 05:16 . 2010-01-04 23:32 84736 ----a-w- c:\windows\system32\drivers\VRFWNTD5.SYS
2010-03-02 05:16 . 2010-03-02 05:35 115072 ----a-w- c:\windows\system32\drivers\vradfil.sys
2010-03-02 01:31 . 2010-03-02 01:31 869768 ----a-w- c:\windows\system32\lsuni2.exe
2010-03-02 01:17 . 2010-03-02 04:30 -------- d-----w- c:\windows\system32\LcSkin
2010-03-02 01:17 . 2010-03-02 05:15 -------- d-----w- c:\program files\HAURI
2010-02-28 13:29 . 2010-02-28 13:31 -------- d-----w- C:\rsit
2010-02-28 08:57 . 2010-02-28 11:56 -------- d-----w- c:\program files\Everything
2010-02-28 02:55 . 2010-02-28 02:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-27 13:40 . 2010-03-03 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-27 10:50 . 2010-02-27 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-02-27 10:49 . 2010-02-28 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-27 10:49 . 2010-02-27 10:49 -------- d-----w- c:\program files\Common Files\iS3
2010-02-27 06:14 . 2010-02-27 06:14 -------- d-----w- c:\documents and settings\Sharon\Local Settings\Application Data\Threat Expert
2010-02-27 06:10 . 2010-03-03 02:05 -------- d-----w- c:\program files\Spyware Doctor
2010-02-27 06:10 . 2010-02-27 06:10 -------- d-----w- c:\documents and settings\Sharon\Application Data\PC Tools
2010-02-27 06:10 . 2010-02-27 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-25 16:06 . 2010-02-25 16:06 -------- d-----w- c:\program files\Trend Micro
2010-02-09 13:28 . 2010-02-09 13:33 -------- d-----w- c:\documents and settings\Sharon\Application Data\Nokia
2010-02-09 13:28 . 2010-02-09 13:28 -------- d-----w- c:\documents and settings\Sharon\Application Data\PC Suite
2010-02-09 13:28 . 2010-02-09 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\Common Files\PCSuite
2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\Common Files\Nokia
2010-02-09 13:26 . 2008-08-25 22:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\PC Connectivity Solution
2010-02-09 13:25 . 2009-10-06 00:52 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-02-09 13:25 . 2010-02-09 13:26 -------- d-----w- c:\program files\Nokia
2010-02-09 13:25 . 2010-02-09 13:24 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_web.exe
2010-02-09 13:25 . 2010-02-09 13:25 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
2010-02-09 13:25 . 2010-02-09 13:25 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
2010-02-09 13:25 . 2010-02-09 13:25 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-02-09 13:25 . 2010-02-09 13:25 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
2010-02-09 13:25 . 2010-02-09 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 16:17 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-03 13:40 . 2009-11-03 22:54 -------- d-----w- c:\documents and settings\Sharon\Application Data\Canon
2010-03-03 02:10 . 2008-12-26 15:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 05:15 . 2008-08-01 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-01 03:24 . 2009-08-13 18:18 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-01 03:23 . 2009-04-03 03:17 -------- d-----w- c:\documents and settings\Sharon\Application Data\Azureus
2010-03-01 03:23 . 2010-01-03 01:04 -------- d-----w- c:\documents and settings\Sharon\Application Data\vlc
2010-02-28 02:56 . 2010-01-08 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-28 02:46 . 2010-02-28 02:36 2200 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-28 02:45 . 2010-02-28 02:37 424 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-02-27 10:38 . 2010-02-27 09:26 -------- d-----w- c:\program files\Security Task Manager
2010-02-27 10:38 . 2010-02-27 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-02-09 13:26 . 2009-06-25 16:48 -------- d-----w- c:\program files\DIFX
2010-01-24 08:44 . 2008-08-01 15:59 128728 ----a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-24 08:41 . 2008-10-31 19:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-23 06:00 . 2010-01-23 05:59 -------- d-----w- c:\program files\Adobe Media Player
2010-01-08 22:06 . 2009-09-25 15:56 -------- d-----w- c:\program files\Microsoft SQL Server
2010-01-08 15:58 . 2010-01-08 06:48 -------- d-----w- c:\program files\PlayBox
2010-01-08 15:20 . 2010-01-08 15:20 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
2010-01-08 15:19 . 2010-01-08 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-08 06:48 . 2010-01-08 06:48 -------- d-----w- c:\documents and settings\Sharon\Application Data\PlayBox
2010-01-08 00:51 . 2009-04-03 03:14 -------- d-----w- c:\program files\Vuze
2010-01-07 05:07 . 2010-01-08 15:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 05:07 . 2010-01-08 15:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 23:29 . 2010-03-02 05:16 403051 ------w- c:\windows\system32\drivers\virobot.vib
2010-01-03 00:59 . 2010-01-03 01:00 737280 ----a-w- c:\windows\iun6002.exe
2009-12-18 07:15 . 2009-12-18 07:15 1324504 ----a-w- c:\windows\system32\hIns2p.exe
2009-12-15 12:32 . 2009-12-15 12:32 3638 ----a-r- c:\documents and settings\Sharon\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
2009-12-11 05:46 . 2009-12-11 05:46 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-08-13 18:18 . 2009-08-13 18:18 88 --sh--r- c:\windows\system32\A0EC11609E.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-28_06.48.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-05 16:18 . 2010-03-05 16:18 16384 c:\windows\Temp\Perflib_Perfdata_704.dat
- 2001-08-23 12:00 . 2010-02-28 05:53 90340 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2010-03-05 16:23 90340 c:\windows\system32\perfc009.dat
+ 2005-02-13 18:55 . 2005-02-13 18:55 126976 c:\windows\system32\vrpacker.dll
+ 2001-08-23 12:00 . 2010-03-05 16:23 491506 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-02-28 05:53 491506 c:\windows\system32\perfh009.dat
+ 2002-05-12 23:24 . 2002-05-12 23:24 155648 c:\windows\system32\HVrunzip.dll
+ 2009-08-04 23:53 . 2009-08-04 23:53 543416 c:\windows\system32\hksec.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]

[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]
2010-02-16 06:55 2349080 ----a-w- c:\program files\Mininova-Vuze\tbMin1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D51D388B-F5DC-471A-A1CE-5E2D671091C0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-20 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-06-04 1400944]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-20 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-20 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-20 138008]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"SetDefPrt2"="c:\program files\Brother\Brmfl06b\BrStDvPt.exe" [2005-01-26 49152]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-03-27 181544]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-12-11 66864]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2009-9-19 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2009-9-19 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\D-Link\\SharePort\\SharePort Network USB Utility.exe"=
"c:\\Program Files\\Aurora\\Aurora.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
"67:UDP"= 67:UDP:DHCP Discovery Service
"58905:TCP"= 58905:TCP:Pando
"58905:UDP"= 58905:UDP:Pando
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 1:03 PM 169312]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 3:16 PM 79432]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [29/08/2009 3:27 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [29/08/2009 3:28 PM 234888]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [27/03/2009 4:54 PM 165160]
R2 hpcsvc;ViRobot Communication Service;c:\program files\HAURI\ViRobot Desktop 5.5\hpcsvc.exe [2/03/2010 4:16 PM 513616]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [23/12/2009 4:11 PM 14976]
R2 ViRobot Common Scan Service;ViRobot Common Scan Service;c:\program files\HAURI\Common\Base\vrscan.exe [2/03/2010 4:16 PM 172032]
R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [11/11/2008 4:01 PM 74624]
R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;c:\windows\system32\drivers\VRFWNTD5.SYS [2/03/2010 4:16 PM 84736]
S2 TVService;TVService;c:\program files\Team MediaPortal\MediaPortal TV Server\TvService.exe [9/05/2009 9:36 AM 192512]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [27/12/2008 3:23 PM 1684736]
S3 benqusbser;BenQ Handset USB Device for Legacy Serial Communication;c:\windows\system32\drivers\BenQusbser.sys [26/03/2008 7:48 AM 100992]
S3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [11/11/2008 4:01 PM 97664]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [18/08/2005 7168]
S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [10/11/2009 1:46 PM 572544]
S3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\drivers\u3kmini.sys [26/09/2009 3:10 AM 352000]
S3 vrrepair;ViRobot Repairing Service;c:\program files\HAURI\Common\Base\vrrepair.exe [2/03/2010 4:16 PM 502368]
S3 VRsecos;VRsecos;c:\windows\system32\drivers\VRsecos.sys [2/03/2010 4:16 PM 21016]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-03-05 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2010-03-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{0B1DE980-2276-448A-BF6F-46E749383AD0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {BA3ED5CB-4935-4B1C-A418-AC9CCE2275C1} - hxxp://hglobal.globalhauri.com/HProduct/LCS2p/globalhauri/CLIENT/LCS2p/web/hLcs2Pre.cab
FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\a301cii2.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 03:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-06 03:36:25
ComboFix-quarantined-files.txt 2010-03-05 16:36
ComboFix2.txt 2010-03-05 15:45
ComboFix3.txt 2010-02-28 06:54
ComboFix4.txt 2010-02-28 06:25
ComboFix5.txt 2010-03-05 16:27

Pre-Run: 10,291,388,416 bytes free
Post-Run: 10,277,724,160 bytes free

- - End Of File - - C1BAD4A13F445F1A81BB4C991DB128D4

I notice you are using P2P programs such as Limewire. These programs present a danger to your machine and leaves you open to possible infection. Whether you continue to use them is of course up to you but I do want to give you the following information on them.


Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case Limewire ). These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the Malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology.




You also have the ports listed below open which can sometimes lead to problems. If you want to leave them open let me know, if not I can script them closed:



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
"67:UDP"= 67:UDP:DHCP Discovery Service
"58905:TCP"= 58905:TCP:Pando
"58905:UDP"= 58905:UDP:Pando
"5353:TCP"= 5353:TCP:Adobe CSI CS4






When you reply also let me know if the redirections have stopped yet.

The redirecting seems to have been fixed....

I actually dont use limewire, I probably should delete it.

As for the ports open on the following:

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
"67:UDP"= 67:UDP:DHCP Discovery Service
"58905:TCP"= 58905:TCP:Pando
"58905:UDP"= 58905:UDP:Pando
"5353:TCP"= 5353:TCP:Adobe CSI CS4


Shareport I used that to connect to the usb on the router

Have no idea what DHCP discovery service is, Pando, I will probably uninstall, but I normally disable when I log on.

I would say the adobe is their for when I upload pages.

If you scripted them closed, would that present a problem when I run the program, would it open the ports.

Could you please tell me with the programs we ran, what appeared to be the problem with this machine was it a virus, spyware etc..

And I currently use Nortons, but obviously that hasnt been doing the job, what is the best program to protect my machine.

Thanks again for all your help