setup.exe appearing in root folder - HJT inside

  1. #11
    Johnny T is offline Newbie

    Re: setup.exe appearing in root folder - HJT inside

    VopThis,

    FixWareOut ran fine in Normal mode this time...

    So the computer ran up and then my AVG suddenly found setup.exe on all the partitions and 'healed' them.

    The strange thing is, before that the setup.exe files had been on the drives but AVG hadn't blinked an eye and even said that they were fine when I individually scanned them?!

    To answer your question as to 'adverse effects' from having setup.exe and autorun.inf in the root folder of the drive, the answer is no; there are no adverse effects that I can ascertain. However, I've always been under the impression that this is generally a bad thing. I would assume a nasty keylogging trojan would try to affect your computer as little as possible in order to operate for longer without bringing itself to the attention of the computer user?

    Anyways... FixWareOut has completed successfully. Here is the log it left:
    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    What now?

    Many thanks


  2. #12
    VopThis is offline Senior Member (Canada)
    AVG suddenly found setup.exe on all the partitions and 'healed' them.
    I would continue to monitor this. Let us know if 'setup.exe' returns. Unfortunately, such a file name is so common across so many installs that researching it for possible causes is all but impossible.

  3. #13
    Johnny T is offline Newbie
    VopThis

    At the time of this going to press they haven't returned. However I've had it before whereby I've been online for an hour or more before the files have appeared so I'll continue to monitor the situation.

    I'm working away for a week so won't be at this computer, but on my return (a week on Monday or so) I'll post a report to let you know whether the problem is still there or if it's gone.

    Many thanks and fingers crossed....

  4. #14
    Johnny T is offline Newbie
    VopThis

    The setup.exe files and the autorun.inf files are back. The strange thing about these files is that sometimes AVG sees them as viruses (just the setup.exe file, not the autorun.inf file) and offers to 'heal' them. Other times AVG doesn't see them as viruses although the files are identical?

    It's as though it's somehow blocking AVG from seeing them?

    Any other ideas how I can get rid of these pests...?

    Many thanks

  5. #15
    VopThis is offline Senior Member (Canada)
    'Setup.exe' is far too common a file name to allow any simple assessment. The next time it appears, I suggest that you do not heal it but submit it to VirusTotal for immediate feedback from multiple antivirus engines. Post that feedback here.


    For now, I suggest you run the following scan, and run it again at the next occurrence to see what other files were recently installed at the time:

    1. Download combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply (logfile is located at C:\ComboFix.txt).


    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


    Please provide:

    - a fresh HijackThis log
    - combofix log
    Last edited by VopThis; 10-12-2006 at 04:02 PM.
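Before a copy of setup.exe is 'healed' or deleted, hashing it is the cheap step that makes the VirusTotal suggestion above reproducible and also settles whether the copies on the different partitions really are identical. The script below is an added example, not code from the thread: it looks for setup.exe and autorun.inf in drive roots, hashes what it finds and groups byte-identical copies. On a live machine drive_roots() supplies the roots; the demo builds three constructed folders holding dummy bytes in place of real partitions.

```python
"""Added example (not from the thread): hash every setup.exe found in the
root of the given partitions, group identical copies, and record the
digests to keep with a sample submitted to VirusTotal."""
import hashlib
import os
import string
import tempfile

TARGETS = ("setup.exe", "autorun.inf")


def drive_roots():
    """Windows drive roots that currently exist (C:\\, D:\\, ...)."""
    return [f"{c}:\\" for c in string.ascii_uppercase if os.path.isdir(f"{c}:\\")]


def digests(path, chunk=1 << 16):
    """MD5, SHA-1 and SHA-256 of a file plus its size, read in chunks."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    out = {name: h.hexdigest() for name, h in hs.items()}
    out["size"] = os.path.getsize(path)
    return out


def find_root_files(roots, names=TARGETS):
    """{root: {lowercased name: full path}} for the target names present
    directly in each root. Unreadable roots are skipped, not fatal."""
    found = {}
    for root in roots:
        try:
            entries = os.listdir(root)
        except OSError:
            continue
        hits = {e.lower(): os.path.join(root, e) for e in entries if e.lower() in names}
        if hits:
            found[root] = hits
    return found


def group_identical(paths):
    """Group file paths by SHA-256 so 'identical' is checked by content,
    not by name, size or what the AV reports."""
    groups = {}
    for p in paths:
        groups.setdefault(digests(p)["sha256"], []).append(p)
    return groups


def build_demo_partitions(base):
    """Constructed stand-in for C:, D: and E: roots: two identical setup.exe
    copies and one that differs by a byte. The payloads are dummy bytes."""
    payloads = {
        "C": b"MZ\x90\x00demo-setup",
        "D": b"MZ\x90\x00demo-setup",
        "E": b"MZ\x90\x00demo-setuq",
    }
    roots = []
    for letter, data in payloads.items():
        root = os.path.join(base, letter)
        os.makedirs(root, exist_ok=True)
        with open(os.path.join(root, "setup.exe"), "wb") as f:
            f.write(data)
        with open(os.path.join(root, "autorun.inf"), "wb") as f:
            f.write(b"[autorun]\r\nopen=setup.exe\r\n")
        roots.append(root)
    return roots


def demo(base=None):
    """Run the whole procedure against the constructed partitions and
    return (found, groups) for inspection."""
    roots = build_demo_partitions(base or tempfile.mkdtemp())
    found = find_root_files(roots)
    groups = group_identical([hits["setup.exe"] for hits in found.values()])
    return found, groups


if __name__ == "__main__":
    found, groups = demo()  # on a real machine: find_root_files(drive_roots())
    for sha, paths in groups.items():
        print(sha, f"{len(paths)} copies:", ", ".join(paths))
```

Keep the SHA-256 alongside the sample you upload so the VirusTotal report can be matched to the exact file. If every copy hashes the same, AVG's intermittent detection is not explained by the files differing; if one copy differs, scan and submit that one on its own.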

  6. #16
    Johnny T is offline Newbie
    Combofix won't run in normal mode. It will run in Safe Mode but I'm not sure if this is any good. Presumably, whatever is causing the viruses to appear will not be processed in safe mode so Combofix won't fix it... (do you think?)

    In normal mode, when combofix is run I see the command window open but it just hangs there. No text appears. This has happened before with command window programs. Is there a way to fix this or have you any idea why combofix won't run in normal mode?

    Thanks

  7. #17
    VopThis is offline Senior Member (Canada)
    Combofix won't run in normal mode.
    That is never a good sign and often the sign of complex malware.

    Please post what is available in SAFE MODE and your latest HJT LOG in NORMAL MODE.

  8. #18
    Johnny T is offline Newbie
    Firstly, here is my HJT log in Normal Mode....

    Logfile of HijackThis v1.99.1
    Scan saved at 23:51:09, on 10/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\Logitech\Video\CameraAssistant.exe
    C:\WINDOWS\system32\ElkCtrl.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DS Clock\dsclock.exe
    C:\Program Files\Calendarscope\cs.exe
    C:\Program Files\iISystem Wiper\SystemWiper.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Advanced Task Scheduler\advscheduler.exe
    C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Siemens\Sqlany\dbsrv7.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
    C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Systran50premi.IEPlugIn - {9A0844DB-84CF-4440-BDB1-1F4F7C4F7FB0} - C:\Program Files\SYSTRAN\5.0\Premium\IEPlugIn.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SaiSmart] "C:\Program Files\Saitek\Software\SaiSmart.exe"
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [S7UB Start] "C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" -StartDB
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS Clock\dsclock.exe"
    O4 - HKCU\..\Run: [Calendarscope] "C:\Program Files\Calendarscope\cs.exe"
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [iIWiper] "C:\Program Files\iISystem Wiper\SystemWiper.exe" m
    O4 - HKCU\..\Run: [Advanced Task Scheduler] "C:\Program Files\Advanced Task Scheduler\advscheduler.exe" noshow
    O4 - Global Startup: Instant Update Reminder.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Open and Translate in Word - res://C:\Program Files\SYSTRAN\5.0\Premium\IEShellExt.dll /10
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.tescophoto.com/wpp/tesco/...pcuploader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DF285995-1B22-4E95-B5E7-0089B71D667B}: NameServer = 212.139.132.4 212.139.132.5
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automation License Manager Service (almservice) - SIEMENS AG - C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: OpcEnum - OPC Foundation - C:\Program Files\Citect\CitectSCADA\Bin\OPCENUM.EXE
    O23 - Service: S7 Global Services (s7asysvx) - SIEMENS AG - C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
    O23 - Service: SIMATIC IEPG Help Service (s7oiehsx) - SIEMENS AG - C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

  9. #19
    Johnny T is offline Newbie
    Now here is my ComboFix log from Safe Mode... I did notice when it was running that it popped up some path and then "infected" but it flashed in the command window too quick for me to see 'what' was infected... here's the log....

    Cathy - 06-12-10 23:43:06.95 Service Pack 2
    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Cathy\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\taskmgr.com


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-10 to 2006-12-10 ))))))))))))))))))))))))))))))))))


    2006-12-10 23:40 <DIR> dr-h----- C:\Documents and Settings\Cathy\Recent
    2006-12-10 14:24 <DIR> d-------- C:\avenger
    2006-11-30 10:49 146,432 --a------ C:\WINDOWS\REGEDIT.COM
    2006-11-30 10:49 146,432 --a------ C:\WINDOWS\R.COM
    2006-11-30 10:49 135,680 --a------ C:\WINDOWS\system32\T.COM
    2006-11-30 09:12 <DIR> d-------- C:\Program Files\XoftSpy
    2006-11-29 18:23 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
    2006-11-29 18:23 <DIR> d-------- C:\Program Files\TuneUp Utilities 2006
    2006-11-29 18:23 <DIR> d-------- C:\Documents and Settings\Cathy\Application Data\TuneUp Software
    2006-11-29 18:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2006-11-29 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
    2006-11-29 17:27 <DIR> d-------- C:\Program Files\foobar2000
    2006-11-29 17:27 <DIR> d-------- C:\Documents and Settings\Cathy\Application Data\foobar2000
    2006-11-29 17:04 <DIR> d-------- C:\WINDOWS\S7reg
    2006-11-28 15:04 <DIR> d-------- C:\HJT
    2006-11-28 14:01 <DIR> d-------- C:\Program Files\Java
    2006-11-28 14:00 <DIR> d-------- C:\Program Files\Common Files\Java
    2006-11-28 12:45 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
    2006-11-28 12:45 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
    2006-11-24 09:18 259,354 --a------ C:\reg_backup241106.reg
    2006-11-23 19:16 <DIR> d-------- C:\fixwareout
    2006-11-21 11:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2006-11-21 10:52 <DIR> d-------- C:\Program Files\Advanced Task Scheduler
    2006-11-20 17:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-11-11 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2006-11-11 18:29 <DIR> d-------- C:\kav


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-10 23:39 -------- d-------- C:\Program Files\Mozilla Thunderbird
    2006-12-10 18:16 -------- d-------- C:\Documents and Settings\Cathy\Application Data\MailWasherPro
    2006-12-10 17:00 -------- d-------- C:\Program Files\Instant Quote 2000
    2006-12-10 02:09 -------- d-------- C:\Program Files\ParadisePoker
    2006-12-08 23:20 -------- d-------- C:\Program Files\Shareaza
    2006-11-29 23:29 -------- d-------- C:\Program Files\WinRAR
    2006-11-29 23:27 -------- d-------- C:\Program Files\Spyware Doctor
    2006-11-29 23:27 -------- d-------- C:\Program Files\Spybot - Search & Destroy
    2006-11-29 23:16 -------- d-------- C:\Program Files\QuickTime
    2006-11-29 22:57 -------- d-------- C:\Program Files\Internet Explorer
    2006-11-29 22:57 -------- d-------- C:\Program Files\iISystem Wiper
    2006-11-29 22:56 -------- d-------- C:\Program Files\DS Clock
    2006-11-29 22:56 -------- d-------- C:\Program Files\Common Files\System
    2006-11-29 22:53 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
    2006-11-29 22:50 -------- d-------- C:\Program Files\Calendarscope
    2006-11-29 22:50 -------- d-------- C:\Program Files\CachemanXP
    2006-11-29 22:42 -------- d-------- C:\Program Files\ABBYY FineReader 8.0 Professional Edition
    2006-11-29 18:22 -------- d-------- C:\Program Files\Common Files
    2006-11-29 17:52 -------- d-------- C:\Documents and Settings\Cathy\Application Data\Canon
    2006-11-28 12:45 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-11-28 12:45 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-11-28 12:45 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-11-28 12:45 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-11-20 17:06 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-11-20 17:00 -------- d-------- C:\Program Files\Grisoft
    2006-10-18 16:30 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-17 21:04 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
    2006-10-15 21:02 -------- d-------- C:\Documents and Settings\Cathy\Application Data\Skype
    2006-09-20 11:46 2508 --a------ C:\Documents and Settings\Cathy\Application Data\$_hpcst$.hpc
    2006-09-19 19:10 8 --a------ C:\WINDOWS\ctrdmrd3.sys
    2006-09-18 13:09 34308 --a------ C:\WINDOWS\system32\bassmod.dll
    2006-09-12 18:03 107134 --a------ C:\WINDOWS\UninstallFirefox.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "DS Clock"="\"C:\\Program Files\\DS Clock\\dsclock.exe\""
    "Calendarscope"="\"C:\\Program Files\\Calendarscope\\cs.exe\""
    "RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
    "iIWiper"="\"C:\\Program Files\\iISystem Wiper\\SystemWiper.exe\" m"
    "Advanced Task Scheduler"="\"C:\\Program Files\\Advanced Task Scheduler\\advscheduler.exe\" noshow"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
    "PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "DiskeeperSystray"="\"C:\\Program Files\\Executive Software\\Diskeeper\\DkIcon.exe\""
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SaiSmart"="\"C:\\Program Files\\Saitek\\Software\\SaiSmart.exe\""
    "LogitechCameraAssistant"="C:\\Program Files\\Logitech\\Video\\CameraAssistant.exe"
    "LogitechVideo[inspector]"="C:\\Program Files\\Logitech\\Video\\InstallHelper.exe /inspect"
    "LogitechCameraService(E)"="C:\\WINDOWS\\system32\\ElkCtrl.exe /automation"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SoundMan"="SOUNDMAN.EXE"
    "S7UB Start"="\"C:\\Program Files\\Common Files\\Siemens\\S7ubtoox\\s7ubtstx.exe\" -StartDB"
    "SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
    "WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
    "JeticoPFStartup"="\"C:\\Program Files\\Jetico\\Jetico Personal Firewall\\fwsrv.exe\""
    "LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
    "PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -onlytray"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "GSICONEXE"="GSICON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "Spyware Doctor"=""
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "Spyware Doctor"=""
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoLowDiskSpaceChecks"=dword:00000000
    "ClearRecentDocsOnExit"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000001
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\1-Click Maintenance.job
    C:\WINDOWS\tasks\Shareaza.job
    C:\WINDOWS\tasks\XoftSpy.job

    Completion time: 06-12-10 23:45:34.39
    C:\ComboFix.txt ... 06-12-10 23:45
    C:\ComboFix2.txt ... 06-11-24 09:34
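The ComboFix log above lists C:\WINDOWS\system32\taskmgr.com under 'Other Deletions' and REGEDIT.COM, R.COM and T.COM among the files created on 2006-11-30. The thread does not say what created them: .com copies of regedit and taskmgr are sometimes made on purpose to get around malware that blocks those tools by image name, and companion .com files are also planted by malware. Either way, under the default Windows XP PATHEXT order (.COM is tried before .EXE) a bare 'regedit' or 'taskmgr' resolves to the .com file in the same directory, so it is worth knowing which file actually runs. The following is an added example, not part of the thread or of ComboFix; the directory contents are constructed from the names in the log, with the standard .exe names assumed to be present.

```python
"""Added example (not part of the thread): work out which file a bare
command name such as 'regedit' or 'taskmgr' resolves to, given directory
listings and the default Windows XP PATHEXT order, and list .com files
that sit beside a same-named .exe."""
import ntpath

# Default PATHEXT on Windows XP; cmd.exe tries these in order within each
# PATH directory, so foo.com is found before foo.exe.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
           ".JS", ".JSE", ".WSF", ".WSH"]

# Constructed listing modelled on the ComboFix log; the log gives only the
# .COM names, so the .exe entries are assumed for the demonstration.
DEMO_LISTING = {
    r"C:\WINDOWS\system32": {"taskmgr.exe", "regedt32.exe", "T.COM", "taskmgr.com"},
    r"C:\WINDOWS": {"regedit.exe", "REGEDIT.COM", "R.COM", "explorer.exe"},
}
DEMO_PATH = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]


def resolve_command(name, path_dirs, listing, pathext=PATHEXT):
    """Return the full path cmd.exe would run for `name`, or None.

    Search order: each directory in path_dirs in turn; within a directory,
    each PATHEXT extension in order. A name that already carries an
    extension is looked up as given. Matching is case-insensitive, as on
    NTFS/FAT, and the original spelling of the file name is returned."""
    name_l = name.lower()
    has_ext = ntpath.splitext(name_l)[1] != ""
    candidates = [name_l] if has_ext else [name_l + ext.lower() for ext in pathext]
    for d in path_dirs:
        files = {f.lower(): f for f in listing.get(d, ())}
        for cand in candidates:
            if cand in files:
                return ntpath.join(d, files[cand])
    return None


def shadowing_companions(listing):
    """(directory, com_file, exe_file) for every .com whose stem also exists
    as .exe in the same directory. These are the files that take precedence
    over the real tool when the tool is started by bare name."""
    hits = []
    for d, names in listing.items():
        lower = {n.lower() for n in names}
        for n in names:
            stem, ext = ntpath.splitext(n.lower())
            if ext == ".com" and stem + ".exe" in lower:
                hits.append((d, n, stem + ".exe"))
    return sorted(hits)


if __name__ == "__main__":
    for cmd in ("regedit", "taskmgr", "regedit.exe", "T", "notepad"):
        print(f"{cmd:12} -> {resolve_command(cmd, DEMO_PATH, DEMO_LISTING)}")
    for d, com, exe in shadowing_companions(DEMO_LISTING):
        print(f"{com} shadows {exe} in {d}")
```

resolve_command models cmd.exe's search: each PATH directory in turn, each PATHEXT extension within it. cmd.exe also searches the current directory before PATH, so pass it as the first entry when modelling a prompt; the Run box resolves through ShellExecute, which honours PATHEXT as well but additionally consults the App Paths registry key. R.COM and T.COM shadow nothing, since no R.EXE or T.EXE exists; what they contain is a separate question the log does not answer, and hashing them (as in the earlier example) before anything removes them is the way to keep that answerable.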

  10. #20
    Johnny T is offline Newbie
    I haven't managed to put "setup.exe" through the VirusTotal website yet as I had manually deleted them all again before I saw your post and they haven't come back yet... they'll probably be back again in the next few hours so when they come back I'll put them into the website and post the results...

    ;-)
