Hello, I have a deeply embedded adware trojan. (RESOLVED)

  1. #1
    Moon Safari (Valued Member)


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 08:16:35, on 31/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\HiJackThis_v2.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toysrus.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\cmwxoiih.dll
    O2 - BHO: (no name) - {CF93F1AD-DD15-4E54-8BA2-BEA456C2958B} - C:\WINDOWS\system32\ddayw.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [MGSysCtrl] "C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\pfstvohr.dll",realset
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe

    --
    End of file - 4810 bytes

    I would very much appreciate it if anyone can help me get rid of it. I've tried full and updated scans with AVG, Ad-Aware, System Mechanic 7, Spybot, etc., and even deleted some files with my basic knowledge of HijackThis, but the trojan keeps reappearing.

    Thanks for your help.
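    As an added illustration from the editor, not code posted by anyone in this thread: a small Python script that reads entry lines in the HijackThis format shown above (the sample inside it is copied from the log in this post) and flags the kinds of load points the later replies go after: unnamed O2 BHOs, non-stock O20 Winlogon Notify packages, O4 autoruns that load a DLL through rundll32.exe, orphaned "(file missing)" entries, and a file that is hooked from more than one section. The list of stock Windows XP Winlogon Notify packages and the heuristics themselves are the editor's assumptions, not something HijackThis provides.

```python
"""Triage a HijackThis-style log for suspicious load points (editor's example)."""
import re
from collections import defaultdict

# Sample input: entry lines copied from the HijackThis log in this post.
SAMPLE_LOG = """\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar3.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\\WINDOWS\\system32\\cmwxoiih.dll
O2 - BHO: (no name) - {CF93F1AD-DD15-4E54-8BA2-BEA456C2958B} - C:\\WINDOWS\\system32\\ddayw.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [setup] rundll32.exe "C:\\WINDOWS\\system32\\pfstvohr.dll",realset
O20 - Winlogon Notify: ddayw - C:\\WINDOWS\\system32\\ddayw.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
"""

# "O2 - BHO: ..." -> section code plus the rest of the line.
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# First Windows path ending in .dll/.exe; a quote, comma or newline ends it, so
# '"C:\...\x.dll",realset' and trailing switches such as /STARTUP are not swallowed.
WINPATH = re.compile(r"[A-Za-z]:\\(?:[^\\\"\n,]+\\)*[^\\\"\n,]+?\.(?:dll|exe)\b", re.I)

# Assumption (editor's list): the Winlogon Notify packages present on a stock
# Windows XP SP2 install. Anything else registered there deserves a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_hjt(text):
    """Return [(section, body, path_or_None)] for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            p = WINPATH.search(m["body"])
            entries.append((m["sec"], m["body"], p.group(0) if p else None))
    return entries


def triage(entries):
    """Map file basename -> {"path", "reasons"} for entries worth investigating."""
    reasons = defaultdict(list)
    first_path = {}
    sections = defaultdict(set)   # which HJT sections reference each file
    for sec, body, path in entries:
        if path is None:
            continue
        base = path.rsplit("\\", 1)[-1].lower()
        first_path.setdefault(base, path)
        sections[base].add(sec)
        if sec == "O2" and "(no name)" in body:
            reasons[base].append("BHO registered without a name")
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            pkg = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if pkg not in KNOWN_NOTIFY:
                reasons[base].append("non-stock Winlogon Notify package (loads into winlogon.exe)")
        if sec == "O4" and "rundll32" in body.lower() and base.endswith(".dll"):
            reasons[base].append("autorun loads a DLL through rundll32.exe")
        if "(file missing)" in body:
            reasons[base].append("orphaned load point (file missing)")
    # A file hooked from several load points is the pattern seen in this thread.
    for base, secs in sections.items():
        if base in reasons and len(secs) > 1:
            reasons[base].append("referenced from %d sections: %s"
                                 % (len(secs), ", ".join(sorted(secs))))
    return {b: {"path": first_path[b], "reasons": r} for b, r in reasons.items()}


if __name__ == "__main__":
    for base, info in sorted(triage(parse_hjt(SAMPLE_LOG)).items()):
        print(info["path"])
        for why in info["reasons"]:
            print("  -", why)
```

    Running it prints one block per flagged file; on the sample it singles out ddayw.dll (unnamed BHO plus Winlogon Notify, two sections), cmwxoiih.dll and pfstvohr.dll, and leaves the Google and AVG entries alone. A hit is a reason to look closer rather than proof of infection, and rerunning the script over the later logs in the thread is a quick way to confirm that a cleanup actually removed the load points rather than just the files.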


  2. #2
    Moon Safari (Valued Member)
    I carried out the SDFix instructions from a similar thread and now have my SDFix report file and my new HijackThis log; here they both are. Thanks if anyone can help soon.

    SDFix report file:

    SDFix: Version 1.85

    Run by Mark M - 31/05/2007 - 9:00:48.59

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\DOCUME~1\MARKM~1\Desktop\SDFix\SDFix

    Safe Mode:
    Checking Services:

    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\wr.txt - Deleted



    Removing Temp Files...

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Mark M\\Shared\\utorrent.exe"="C:\\Documents and Settings\\Mark M\\Shared\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Enabled:PPStream"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:
    ---------------

    Backups Folder: - C:\DOCUME~1\MARKM~1\Desktop\SDFix\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\WINDOWS\system32\ddayw.dll
    C:\WINDOWS\system32\gebca.dll
    C:\WINDOWS\system32\geedc.dll
    C:\Program Files\iolo\System Mechanic Professional 7\unins000.exe

    Finished

    New HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 09:16:14, on 31/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\HiJackThis_v2.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toysrus.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {9C8FF4FE-4770-44F5-AF2E-244659813DA7} - C:\WINDOWS\system32\ddayw.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\cmwxoiih.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [MGSysCtrl] "C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\pfstvohr.dll",realset
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe

    --
    End of file - 4876 bytes

  3. #3
    Moon Safari (Valued Member)
    Someone try and help me soon, eh? The Trojan's driving me nuts.

  4. #4
    Neal (Dedicated Member)
    Thanks,


    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


    1. Download this file - COMBOFIX
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    Post a new HijackThis log also please. The version of HJT you have is a beta version and we prefer you use the current proven version 1.99.1, which is available from my signature that says "Read First".



    Please go to hijackthis.exe, right-click on it, click Rename, rename it to foolyou.exe and press Enter,
    then post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.

  5. #5
    Moon Safari (Valued Member)
    Thanks for your help, I appreciate it mate.

    VundoFix log:

    VundoFix V6.4.1

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.8
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Java version is 1.5.0.11

    Scan started at 17:10:38 31/05/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\acbeg.ini
    C:\WINDOWS\system32\awbatlhw.dll
    C:\WINDOWS\system32\axgbxvcm.ini
    C:\WINDOWS\system32\cdeeg.ini
    C:\WINDOWS\system32\csloolqn.ini
    C:\WINDOWS\system32\ddayw.dll
    C:\WINDOWS\system32\eyclsfdg.ini
    C:\WINDOWS\system32\gdfslcye.dll
    C:\WINDOWS\system32\gebca.dll
    C:\WINDOWS\system32\geedc.dll
    C:\WINDOWS\system32\mcvxbgxa.dll
    C:\WINDOWS\system32\mljkjkl.dll
    C:\WINDOWS\system32\nqloolsc.dll
    C:\WINDOWS\system32\pfstvohr.dll
    C:\WINDOWS\system32\rhovtsfp.ini
    C:\WINDOWS\system32\whltabwa.ini
    C:\WINDOWS\system32\wyadd.bak1
    C:\WINDOWS\system32\wyadd.bak2
    C:\WINDOWS\system32\wyadd.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\acbeg.ini
    C:\WINDOWS\system32\acbeg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\awbatlhw.dll
    C:\WINDOWS\system32\awbatlhw.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\axgbxvcm.ini
    C:\WINDOWS\system32\axgbxvcm.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cdeeg.ini
    C:\WINDOWS\system32\cdeeg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\csloolqn.ini
    C:\WINDOWS\system32\csloolqn.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayw.dll
    C:\WINDOWS\system32\ddayw.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\eyclsfdg.ini
    C:\WINDOWS\system32\eyclsfdg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gdfslcye.dll
    C:\WINDOWS\system32\gdfslcye.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gebca.dll
    C:\WINDOWS\system32\gebca.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\geedc.dll
    C:\WINDOWS\system32\geedc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mcvxbgxa.dll
    C:\WINDOWS\system32\mcvxbgxa.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nqloolsc.dll
    C:\WINDOWS\system32\nqloolsc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pfstvohr.dll
    C:\WINDOWS\system32\pfstvohr.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rhovtsfp.ini
    C:\WINDOWS\system32\rhovtsfp.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\whltabwa.ini
    C:\WINDOWS\system32\whltabwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wyadd.bak1
    C:\WINDOWS\system32\wyadd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wyadd.bak2
    C:\WINDOWS\system32\wyadd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wyadd.ini
    C:\WINDOWS\system32\wyadd.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 17:23:52, on 31/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\HiJackThis_v2.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {EED040D1-C6E9-4991-A87A-CBEFE0792A0B} - C:\WINDOWS\system32\ddayw.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [MGSysCtrl] "C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe

    --
    End of file - 4217 bytes

  6. #6
    Moon Safari (Valued Member)
    ComboFix log:

    "Mark M" - 2007-05-31 17:32:30 Service Pack 2
    ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Mark M\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\bctkecdh.dll
    C:\WINDOWS\system32\cmwxoiih.dll
    C:\WINDOWS\system32\rvnrtxtq.dll
    C:\WINDOWS\system32\xqdboole.dll
    C:\WINDOWS\system32\xyuqnbro.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CMDSERVICE
    -------\LEGACY_NETWORK_MONITOR
    -------\cmdService


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31 ))))))))))))))))))))))))))))))))))


    2007-05-31 17:10 <DIR> d-------- C:\VundoFix Backups
    2007-05-31 16:44 1,145,896 --a------ C:\Program Files\GoogleToolbarInstaller.exe
    2007-05-31 09:30 720,010 --a------ C:\Program Files\SDFix.exe
    2007-05-30 17:19 <DIR> d-------- C:\Program Files\backups
    2007-05-30 01:42 435,816 --a------ C:\WINDOWS\system32\Incinerator.dll
    2007-05-30 01:42 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
    2007-05-30 01:42 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
    2007-05-30 01:42 <DIR> d-------- C:\Program Files\iolo
    2007-05-30 01:39 41,430,232 --a------ C:\Program Files\SystemMechanic7Pro.exe
    2007-05-30 01:21 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-05-30 01:16 <DIR> d-------- C:\Documents and Settings\Mark M\.housecall6.6
    2007-05-30 01:16 <DIR> d-------- C:\DOCUME~1\MARKM~1\.housecall6.6
    2007-05-28 11:47 1,308,216 --a------ C:\Program Files\HiJackThis_v2.exe
    2007-05-27 01:32 696,320 --a------ C:\WINDOWS\system32\libeay32.dll
    2007-05-27 01:32 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
    2007-05-27 01:32 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\iolo
    2007-05-27 01:30 17,420,928 --a------ C:\Program Files\SystemMechanic7.exe
    2007-05-27 01:25 <DIR> d-------- C:\DOCUME~1\MARKM~1\APPLIC~1\iolo
    2007-05-27 01:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
    2007-05-27 01:24 491,120 --a------ C:\Program Files\sm_dm.exe
    2007-05-26 01:25 164 --a------ C:\install.dat
    2007-05-26 01:14 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
    2007-05-23 20:34 <DIR> d-------- C:\Temp
    2007-05-23 20:33 389,158 --a------ C:\Program Files\TalkAny.exe
    2007-05-20 21:16 <DIR> d-------- C:\DOCUME~1\MARKM~1\APPLIC~1\Uniblue
    2007-05-20 21:15 5,229,160 --a------ C:\Program Files\speedupmypc3ppc.exe
    2007-05-20 21:15 <DIR> d-------- C:\Program Files\Uniblue
    2007-05-20 13:44 802,672 --a------ C:\Program Files\hideippla.exe
    2007-05-20 13:44 <DIR> d-------- C:\WINDOWS\vf_hip
    2007-05-20 13:44 <DIR> d-------- C:\Program Files\Hide IP Platinum
    2007-05-08 09:38 928 --a------ C:\WINDOWS\system32\winpfz32.sys
    2007-04-24 17:15 <DIR> d-------- C:\AudioConverter
    2007-04-24 17:13 2,563,792 --a------ C:\Program Files\audioconverter.exe
    2007-04-24 17:13 <DIR> d-------- C:\Program Files\easetech
    2007-04-23 02:17 9,173,860 --a------ C:\Program Files\isnk1856V.exe
    2007-04-23 02:17 2,919,899 --a------ C:\Program Files\isnk1856.exe
    2007-04-14 09:49 <DIR> d-------- C:\WINDOWS\system32\cache
    2007-04-14 03:11 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
    2007-04-14 00:21 <DIR> d-------- C:\Program Files\ntl
    2007-04-13 20:54 <DIR> d--hs---- C:\WINDOWS\TWFyayBN
    2007-04-13 03:46 <DIR> d-------- C:\DOCUME~1\MARKM~1\APPLIC~1\Vidalia
    2007-04-13 03:46 <DIR> d-------- C:\DOCUME~1\MARKM~1\APPLIC~1\Tor
    2007-04-04 16:46 1,843,584 --a------ C:\WINDOWS\system32\win32k.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-05-31 1643 19,936 ----a-w C:\WINDOWS\system32\MGHwTemp.sys
    2007-05-31 15:46:55 -------- d-----w C:\Program Files\Google
    2007-05-27 01:10:22 -------- d-----w C:\DOCUME~1\MARKM~1\APPLIC~1\uTorrent
    2007-05-27 01:10:22 -------- d-----w C:\DOCUME~1\MARKM~1\APPLIC~1\FrostWire
    2007-05-26 05:59:33 -------- d-----w C:\Program Files\SpywareBlaster
    2007-05-25 05:09:15 -------- d-----w C:\DOCUME~1\MARKM~1\APPLIC~1\AdobeUM
    2007-05-23 15:34:02 487 ----a-w C:\Program Files\CR-DX8MP.reg
    2007-05-20 2004 -------- d-----w C:\Program Files\PC MightyMax
    2007-05-20 14:49:29 -------- d-----w C:\Program Files\MSN Messenger
    2007-05-20 13:03:49 -------- d-----w C:\DOCUME~1\MARKM~1\APPLIC~1\ppstream
    2007-05-20 13:03:26 1,872,464 ----a-w C:\Program Files\ppstreamsetup.exe
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-13 01:54:12 -------- d-----w C:\Program Files\Yahoo!
    2007-04-13 01:54:09 -------- d--h--w C:\Program Files\NewLive All Audio To Mp3 Converter
    2007-04-13 01:54:09 -------- d-----w C:\Program Files\QuickTime
    2007-04-13 01:54:00 -------- d-----w C:\Program Files\BitComet
    2007-04-04 06:55:03 -------- d-----w C:\Program Files\NCH Swift Sound
    2007-04-04 06:55:02 -------- d-----w C:\DOCUME~1\MARKM~1\APPLIC~1\NCH Swift Sound
    2007-04-04 06:40:55 130,048 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
    2007-03-22 08:34:18 6,469,352 ----a-w C:\Program Files\avgas-setup-7.5.0.50.exe
    2007-03-22 08:29:04 19,755,560 ----a-w C:\Program Files\avg75free_446a965.exe
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-02 10:29:56 536,064 ----a-w C:\Program Files\GIFAnimator.exe
    2005-07-29 15:24:26 472 --sha-r C:\WINDOWS\TWFyayBN\nqIVuV1h.vbs


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-31 16:46]
    {EED040D1-C6E9-4991-A87A-CBEFE0792A0B}=C:\WINDOWS\system32\ddayw.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" []
    "AGRSMMSG"="AGRSMMSG.exe" []
    "MGSysCtrl"="C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe" [2004-08-04 00:07]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 04:24]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-14 03:06]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-29 05:24]
    "SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe" [2007-03-27 10:44]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-05-31 16:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
    backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark M^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Mark M\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark M^Start Menu^Programs^Startup^TA_Start.lnk]
    path=C:\Documents and Settings\Mark M\Start Menu\Programs\Startup\TA_Start.lnk
    backup=C:\WINDOWS\pss\TA_Start.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark M^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=C:\Documents and Settings\Mark M\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
    "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThePrivacyGuard]
    "C:\Program Files\The Privacy Guard\ThePrivacyGuard.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    Contents of the 'Scheduled Tasks' folder
    2007-05-04 16:15:00 C:\WINDOWS\tasks\1-Click Maintenance.job
    2007-05-20 20:16:14 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
    2007-05-20 20:16:10 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job

    ********************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-31 17:39:56
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwQuerySystemInformation

    scanning hidden processes ...

    ioloDMVSvc.exe [1200]


    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    ********************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NNServ]
    "ImagePath"="\"C:\Program Files\NewDotNet\nnrun.exe\" \"C:\Program Files\NewDotNet\nncore.dll\" ServiceStart"

    Completion time: 2007-05-31 17:44:05 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-05-31 17:43

    --- E O F ---

    HiJackThis Log

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 17:46:59, on 31/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\FoolYou.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {EED040D1-C6E9-4991-A87A-CBEFE0792A0B} - C:\WINDOWS\system32\ddayw.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [MGSysCtrl] "C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe

    --
    End of file - 4256 bytes

    Once again, thanks very much for your help.

  7. #7
    Neal is offline Dedicated Member
    Open Hijackthis.

    Click the "Open the Misc Tools" section Button.

    Click the "Open Uninstall Manager" Button.

    Click the "Save list..." Button.

    Save it to your desktop. Copy and paste the contents into your reply.

  8. #8
    Moon Safari is offline Valued Member
    Quote Originally Posted by Neal View Post
    Open Hijackthis.

    Click the "Open the Misc Tools" section Button.

    Click the "Open Uninstall Manager" Button.

    Click the "Save list..." Button.

    Save it to your desktop. Copy and paste the contents into your reply.


    Here it is.

    µTorrent
    Ad-Aware SE Personal
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player 9 ActiveX
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 7.0.9
    Adobe Shockwave Player
    Adobe Stock Photos 1.0
    Audacity 1.2.6
    AVG 7.5
    AVG Anti-Spyware 7.5
    BroadJump Client Foundation
    Creatix 2.0 AC'97 Modem
    DFX 8 for Windows Media Player
    DivX
    DivX Player
    Ease Audio Converter 4.20
    Express Burn
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    Hide IP Platinum 3.42
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.0
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Informations about your PC
    iolo technologies' System Mechanic Professional 7
    iSnooker
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) SE Runtime Environment 6 Update 1
    LimeWire
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Windows Journal Viewer
    MSN Messenger 7.5
    Nero Suite
    PIXresizer 1.0.9
    PowerDVD
    QuickTime
    RealPlayer
    Realtek AC'97 Audio
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB932168)
    SiS VGA Utilities
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Switch
    System Control Manager
    Uniblue SpeedUpMyPC 3
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    VideoLAN VLC media player 0.8.5
    WavePad Uninstall
    Windows Backup Utility
    Windows Defender Signatures
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB887797
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver
    Yahoo! extras
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger with BT Communicator
    Yahoo! Toolbar

  9. #9
    Neal is offline Dedicated Member
    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done


    You need to get rid of new.net/newdotnet; it looks like it is turned off thru msconfig.

    Delete this folder from safe mode:

    C:\Program Files\NewDotNet

    Reboot and tell me how things are now please
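The log triage that Neal is doing by eye, as an added example that is not code from any poster or from HijackThis or ComboFix: it takes HijackThis lines from post #6, the msconfig-disabled autostart entries from the ComboFix log in the same post, and a few names from the Add/Remove list in post #8, and reports (a) BHO registrations whose DLL is missing, (b) services whose binary carries no company name, (c) autostarts that msconfig has only disabled, and (d) which of those have no matching uninstall entry, which is the reason new.net still has to be removed by hand. The sample strings are copied from the logs on this page; the "first word of the entry name" matching rule in `without_uninstaller` is a heuristic of this example, not anything the tools do.

```python
import re

# Lines copied from the HijackThis log in post #6 (raw string, so the
# backslashes are literal). Two of them are the ones a reviewer stops on.
HJT_SAMPLE = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {EED040D1-C6E9-4991-A87A-CBEFE0792A0B} - C:\WINDOWS\system32\ddayw.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Excerpt of the ComboFix log in post #6: msconfig's record of disabled
# autostarts, plus the NNServ service key, which is not an msconfig entry.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark M^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Mark M\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NNServ]
"ImagePath"="\"C:\Program Files\NewDotNet\nnrun.exe\" \"C:\Program Files\NewDotNet\nncore.dll\" ServiceStart"
"""

# A few names from the Add/Remove Programs list in post #8.
INSTALLED_SAMPLE = ["Ad-Aware SE Personal", "AVG 7.5", "QuickTime", "RealPlayer",
                    "Adobe Reader 7.0.9", "Uniblue SpeedUpMyPC 3"]

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MSCONFIG_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\"
    r"(startupreg|startupfolder)\\(.+)\]$", re.IGNORECASE)


def triage_hjt(text):
    """Return (kind, identifier) findings for HijackThis lines worth a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        code, _, rest = line.partition(" - ")
        if code in ("O2", "O3") and rest.endswith("(file missing)"):
            # A BHO/toolbar registration whose DLL is gone: the CLSID is an
            # orphan and can be removed with HijackThis itself.
            m = CLSID_RE.search(rest)
            findings.append(("orphaned_bho", m.group(0) if m else rest))
        elif code == "O23" and " - Unknown owner - " in rest:
            # HijackThis prints "Unknown owner" when the service binary has no
            # CompanyName in its version info: not proof of anything, but a
            # service to verify rather than wave through.
            m = re.search(r"\(([^)]+)\)", rest)
            findings.append(("no_company_name", m.group(1) if m else rest))
    return findings


def disabled_startups(text):
    """Map each msconfig-disabled autostart name to the command or .lnk it would restore.

    Disabling in msconfig only moves the entry under this key; the program and
    its files are still on disk, which is the point Neal makes about new.net.
    """
    result = {}
    block = None  # (kind, name) of the msconfig key being read, else None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            block = None
            continue
        m = MSCONFIG_KEY_RE.match(line)
        if m:
            block = (m.group(1).lower(), m.group(2))
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "startupreg":
            result[name] = line  # the stored command line
        elif line.lower().startswith("path="):
            result[name.rsplit("^", 1)[-1]] = line[len("path="):]  # the .lnk path
    return result


def without_uninstaller(disabled, installed):
    """Names from disabled_startups() whose first word matches no Add/Remove entry.

    Heuristic of this example only: an autostart with no uninstaller behind it
    is a candidate for manual removal, as new.net is in this thread.
    """
    installed_lc = [p.lower() for p in installed]
    orphans = []
    for name in disabled:
        key = re.sub(r"\.lnk$", "", name.split(None, 1)[0].lower())
        if not any(key in p for p in installed_lc):
            orphans.append(name)
    return sorted(orphans)


if __name__ == "__main__":
    for kind, ident in triage_hjt(HJT_SAMPLE):
        print(f"{kind}: {ident}")
    disabled = disabled_startups(COMBOFIX_SAMPLE)
    for name, cmd in disabled.items():
        print(f"msconfig-disabled: {name} -> {cmd}")
    for name in without_uninstaller(disabled, INSTALLED_SAMPLE):
        print(f"no uninstall entry: {name}")
```

Run as-is it lists the orphaned `ddayw.dll` BHO, the `ioloDMV` service, the three msconfig-disabled entries, and `New.net Startup` and `Think-Adz.lnk` as autostarts with no uninstaller behind them. The `NNServ` key in the ComboFix excerpt is deliberately left out of the msconfig results: it is a real service registration, which is why deleting the folder from safe mode (and letting the service fail) is the remediation rather than another msconfig tick.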

  10. #10
    Moon Safari is offline Valued Member
    Quote Originally Posted by Neal View Post
    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done


    You need to get rid of new.net/newdotnet; it looks like it is turned off thru msconfig.

    Delete this folder from safe mode:

    C:\Program Files\NewDotNet

    Reboot and tell me how things are now please


    Very helpful, that's me followed all your advice and there's been no adware on it since this afternoon.. thanks a lot for your help Neal.
