Can't find a file/folder
-
My AV (Symantec Corp) found a number of nasties in static mode earlier this evening, so I thought a full scan was worth doing. This turned up 4 more nasties, it quarantined them and I have just removed them permanently, I hope.
The puzzle is that it gave the original location as C:\Recyclers blah blah blah. I looked on my C drive and I don't have a folder called Recyclers. So where/what is Recyclers?
-
Recyclers should be your trash can on your desktop.
Please download and install the latest version of HijackThis v2.0.2:
CLICK HERE to download the HijackThis Installer: TrendSecure | Download TrendMicro HijackThis
1. Save HJTInstall.exe to your desktop.
2. Double-click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
8. Come back here to this thread and paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
-
Hi Neal,
Here follows the HijackThis log as requested.
Please see also my recent post in XP help about problems with a 3rd party app; I suspect this may all be tied together.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:14 AM, on 26/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Westnet Usage Grabber\wug.exe
C:\WINDOWS\system32\CNAB3RPK.EXE
C:\Documents and Settings\Russell Chapman\Desktop\VirtualDub 1.6.14.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Russell Chapman\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11 SE DVD\uvPL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Westnet Usage Grabber.lnk = C:\Program Files\Westnet Usage Grabber\wug.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1245576894785
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 12196 bytes
Thanks for being there, look forward to what you may see.
-
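A helper reading a log like the one above works through the O4 launch points, the O23 services and the running-process list looking for a few cheap signals: a Run value that names a bare file with no path (resolved through the search order, so it is worth confirming which file actually runs), a Startup shortcut whose target HijackThis could not resolve (`= ?`), a service with no vendor string, and anything launched from a user-writable location such as a profile folder, Desktop or Temp. The script below is an added example written for this page, not code from the thread, from HijackThis or from any of the tools discussed; the heuristics are the editor's own and only rank what to check first, they do not declare anything malicious. The sample lines are copied from the log above so the example runs offline.

```python
"""Triage a HijackThis v2 log: rank launch points and processes worth a second look.

Added example for this page; not part of HijackThis or of the original thread.
The heuristics are the editor's own and deliberately conservative.
"""
import re
from dataclasses import dataclass

# Folders a normal user can write to on Windows XP. A launch point or a
# running process under one of these is not proof of anything, but it is
# the first thing a helper checks.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\temp\\",
    "\\desktop\\",
    "\\application data\\",
    "\\local settings\\",
)

# HijackThis line shapes used here (other O-sections are ignored).
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<kind>(?:Global )?Startup): (?P<name>.+?) = (?P<target>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")  # lines in the "Running processes" block
# First token ending in an executable extension, allowing unquoted paths with spaces.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=\s|$)", re.I)


@dataclass(frozen=True)
class Finding:
    reason: str   # why the entry was flagged
    detail: str   # the name or path the reason applies to
    line: str     # the original log line


def executable_of(cmd: str):
    """Return the program a Run value launches, or None if it cannot be told."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = EXE_RE.match(cmd)                       # unquoted path, possibly with spaces
    return m.group("exe") if m else None


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(lines):
    """Scan log lines and return the entries a helper would look at first."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            exe = executable_of(m.group("cmd"))
            if exe is None:
                findings.append(Finding("unparsed launch command", m.group("name"), line))
            elif "\\" not in exe:
                findings.append(Finding("bare filename, resolved via search order", exe, line))
            elif in_user_writable(exe):
                findings.append(Finding("autostart from user-writable path", exe, line))
        elif (m := STARTUP_RE.match(line)):
            target = m.group("target")
            if target == "?":
                findings.append(Finding("shortcut target could not be resolved", m.group("name"), line))
            elif in_user_writable(target):
                findings.append(Finding("autostart from user-writable path", target, line))
        elif (m := SERVICE_RE.match(line)):
            if m.group("vendor").lower() == "unknown owner":
                findings.append(Finding("service with no vendor string", m.group("name"), line))
            elif in_user_writable(m.group("path")):
                findings.append(Finding("service binary in user-writable path", m.group("path"), line))
        elif PROCESS_RE.match(line) and in_user_writable(line):
            findings.append(Finding("process running from user-writable path", line, line))
    return findings


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\Documents and Settings\Russell Chapman\Desktop\VirtualDub 1.6.14.exe",
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h',
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r"O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE",
    r"O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.detail}")
```

Run against the full log, the script surfaces the two Realtek entries launched by bare name, the unresolved Acrobat Speed Launcher shortcut, the three services with no vendor string, and the executables running from the Desktop. All of those can turn out to be legitimate, as they do in this thread; the value of the pass is that it tells a helper where to spend the first five minutes rather than reading 130 lines top to bottom.
-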
Hi Neal,
I guess I got things in the wrong order here.
I did run AV and Spybot scans last night, prior to my post. I have just completed a Malwarebytes scan. While the scan was in progress the AV went off a couple of times and said it had dealt with things by deletion.
MBAM turned up one item, which it removed at my request (found in System Volume Information on the E: drive; I use that drive for backups). The log follows:
Malwarebytes' Anti-Malware 1.38
Database version: 2335
Windows 5.1.2600 Service Pack 3
26/06/2009 10:33:33 AM
mbam-log-2009-06-26 (10-33-33).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 286385
Time elapsed: 1 hour(s), 21 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
e:\system volume information\_restore{e004d452-2be5-4d3e-8a75-e9ee847ec264}\rp46\A0008209.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
Sorry for not getting things in the right order, especially since I did read the appropriate sticky.
mbam asked for a restart and I obliged.
-
I'm not seeing anything in HijackThis.
Do you have the Symantec firewall running, if it has one?
I see Comodo running, and there should only be one firewall running.
Let's dig a little bit deeper and see if anything may be hiding in the bushes.
Visit the page below to familiarize yourself with the tool, and download it from one of the links provided.
A guide and tutorial on using ComboFix
If you have previously downloaded ComboFix, please delete that version now.
It is IMPORTANT that it is saved directly to your desktop
Close any open browsers.
Disconnect from the Internet.
Please do not re-connect your machine back to the Internet until Combofix has completely finished.
Disable your antivirus program and any realtime malware scanners and script blockers now
How To Disable
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Re-enable your anti-virus and re-connect back to the internet and post the combofix log.
*Note*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
ComboFix SHOULD NOT be used unless requested by a forum helper.
-
Hi Neal,
Here is the Combofix log, let me know if you see any wascally wabbits in the bushes. 
ComboFix 09-06-26.02 - Russell Chapman 28/06/2009 14:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.411 [GMT 8:00]
Running from: c:\documents and settings\Russell Chapman\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Russell Chapman\Application Data\inst.exe
c:\windows\Help\agt0405.hlp
c:\windows\Help\agt0408.hlp
c:\windows\Help\agt0415.hlp
c:\windows\Help\agt0419.hlp
c:\windows\system32\systeminfo3.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.
2009-06-26 14:47 . 2008-05-28 11:13 2097152 ----a-w- c:\temp\autorun.bin
2009-06-26 14:47 . 2008-05-20 09:59 1570816 ----a-w- c:\temp\TSDNWIN.exe
2009-06-26 14:46 . 2009-06-26 14:46 -------- d-----w- c:\program files\ACW
2009-06-26 01:10 . 2009-06-26 01:10 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-25 13:30 . 2009-06-25 13:30 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-06-25 06:19 . 2009-06-25 06:20 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\vlc
2009-06-25 02:24 . 2009-06-25 02:24 -------- d-----w- c:\documents and settings\Russell Chapman\dwhelper
2009-06-24 07:52 . 2005-03-22 16:00 65536 ----a-w- c:\windows\system32\CNAB3SMK.DLL
2009-06-24 07:52 . 2005-03-22 16:00 57344 ----a-w- c:\windows\system32\CNAB3RPK.EXE
2009-06-24 07:52 . 2005-03-22 16:00 28672 ----a-w- c:\windows\system32\CNAB3PTU.DLL
2009-06-24 07:52 . 2005-03-22 16:00 28672 ----a-w- c:\windows\system32\CNAB3LMK.DLL
2009-06-24 07:52 . 2005-03-22 16:00 135168 ----a-w- c:\windows\system32\CNAB3EMU.DLL
2009-06-24 07:38 . 2009-06-24 07:38 -------- d-----w- C:\spoolerlogs
2009-06-24 00:10 . 2003-11-06 06:09 2108068 ----a-w- c:\windows\system32\cl32.dll
2009-06-24 00:10 . 2003-01-26 05:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2009-06-24 00:10 . 2009-06-24 10:17 -------- d-----w- c:\program files\Westnet Usage Grabber
2009-06-23 23:59 . 2008-04-13 21:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-23 14:37 . 2004-05-02 08:47 23040 ----a-r- c:\windows\system32\drivers\GVCplDrv.sys
2009-06-23 04:57 . 2009-06-23 04:57 -------- d-----w- c:\program files\Common Files\iulab
2009-06-23 04:57 . 2009-06-23 04:57 -------- d-----w- c:\program files\iuLAB
2009-06-22 09:38 . 2009-06-22 09:38 -------- d-----w- c:\program files\MSXML 4.0
2009-06-22 07:42 . 2008-04-13 16:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-06-21 17:26 . 2007-09-21 07:53 600 ----a-w- c:\documents and settings\Russell Chapman\Application Data\uTorrent\IP filter ozzy µpdater.bat
2009-06-21 17:26 . 2007-09-09 07:58 90624 ----a-w- c:\documents and settings\Russell Chapman\Application Data\uTorrent\UnRAR.exe
2009-06-21 17:23 . 2007-09-21 13:01 577 ----a-w- c:\documents and settings\Russell Chapman\Application Data\uTorrent\IP filter µpdater.bat
2009-06-21 17:23 . 2005-10-17 03:12 112128 ----a-w- c:\documents and settings\Russell Chapman\Application Data\uTorrent\wget.exe
2009-06-21 17:23 . 2005-04-13 04:57 64000 ----a-w- c:\documents and settings\Russell Chapman\Application Data\uTorrent\ssleay32.dll
2009-06-21 17:23 . 2005-04-13 04:56 343040 ----a-w- c:\documents and settings\Russell Chapman\Application Data\uTorrent\libeay32.dll
2009-06-21 17:23 . 2009-06-21 17:23 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\BitTorrent
2009-06-21 17:23 . 2007-09-21 13:01 577 ----a-w- c:\documents and settings\Russell Chapman\Application Data\BitTorrent\IP filter µpdater.bat
2009-06-21 17:23 . 2007-09-21 07:53 600 ----a-w- c:\documents and settings\Russell Chapman\Application Data\BitTorrent\IP filter ozzy µpdater.bat
2009-06-21 17:23 . 2007-09-09 07:58 90624 ----a-w- c:\documents and settings\Russell Chapman\Application Data\BitTorrent\UnRAR.exe
2009-06-21 17:23 . 2005-10-17 03:12 112128 ----a-w- c:\documents and settings\Russell Chapman\Application Data\BitTorrent\wget.exe
2009-06-21 17:23 . 2005-04-13 04:57 64000 ----a-w- c:\documents and settings\Russell Chapman\Application Data\BitTorrent\ssleay32.dll
2009-06-21 17:23 . 2005-04-13 04:56 343040 ----a-w- c:\documents and settings\Russell Chapman\Application Data\BitTorrent\libeay32.dll
2009-06-21 17:17 . 2009-06-25 02:24 -------- d-----w- C:\Downloads
2009-06-21 17:13 . 2009-06-21 17:13 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\Chestah Software
2009-06-21 17:09 . 2009-06-21 17:09 -------- d-----w- c:\program files\AviSynth 2.5
2009-06-21 17:03 . 2009-06-21 17:03 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\ScanSoft
2009-06-21 17:03 . 2009-06-21 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-06-21 17:03 . 2009-06-21 17:03 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-06-21 17:02 . 2009-06-21 17:02 -------- d-----w- c:\program files\ScanSoft
2009-06-21 17:01 . 2009-06-21 17:01 -------- d-----w- c:\program files\Common Files\CANON
2009-06-21 17:01 . 2001-08-17 13:59 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2009-06-21 17:00 . 2008-04-13 16:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 06:35 . 2009-06-21 10:11 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-28 06:31 . 2009-06-21 15:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-28 06:31 . 2009-06-21 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-28 06:21 . 2009-06-21 15:45 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\Free Download Manager
2009-06-28 05:34 . 2009-06-21 12:26 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-28 00:13 . 2009-06-21 15:49 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\uTorrent
2009-06-26 01:10 . 2009-06-21 15:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 07:04 . 2009-06-21 12:33 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\Vso
2009-06-25 01:25 . 2009-06-21 15:40 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\AccurateRip
2009-06-24 10:50 . 2009-06-21 15:51 -------- d-----w- c:\program files\VideoLAN
2009-06-24 10:18 . 2009-06-21 14:51 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\Ahead
2009-06-24 09:54 . 2009-06-21 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-06-24 07:53 . 2009-06-21 16:27 -------- d-----w- c:\program files\Canon
2009-06-24 07:45 . 2009-06-21 09:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-23 14:40 . 2009-06-21 09:32 -------- d-----w- c:\program files\GIGABYTE
2009-06-21 16:59 . 2009-06-21 16:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-06-21 16:58 . 2009-06-21 16:58 -------- d--h--w- c:\program files\CanonBJ
2009-06-21 16:47 . 2009-06-21 16:47 -------- d-----w- c:\program files\VeryPDF PDF2Word v3.0
2009-06-21 16:41 . 2009-06-21 16:41 -------- d-----w- c:\program files\Fear-Otaku Software
2009-06-21 16:28 . 2009-06-21 13:07 101384 ----a-w- c:\documents and settings\Russell Chapman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-21 16:24 . 2009-06-21 16:23 -------- d-----w- c:\program files\QuarkXPress
2009-06-21 16:22 . 2009-06-21 16:22 -------- d-----w- c:\program files\CCleaner
2009-06-21 16:17 . 2009-06-21 16:04 -------- d-----w- c:\program files\Common Files\InterVideo
2009-06-21 16:17 . 2009-06-21 16:17 -------- d-----w- c:\program files\InterVideo
2009-06-21 16:17 . 2009-06-21 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-21 16:17 . 2009-06-21 09:38 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-21 16:16 . 2009-06-21 16:10 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\Ulead Systems
2009-06-21 16:16 . 2009-06-21 10:58 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-06-21 16:13 . 2009-06-21 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-06-21 16:11 . 2009-06-21 16:01 -------- d-----w- c:\program files\Ulead Systems
2009-06-21 16:05 . 2009-06-21 16:05 -------- d-----w- c:\program files\SmartSound Software
2009-06-21 16:05 . 2009-06-21 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-06-21 16:05 . 2009-06-21 16:05 -------- d-----w- c:\program files\QuickTime
2009-06-21 16:04 . 2009-06-21 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-21 16:04 . 2009-06-21 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\InterVideo
2009-06-21 16:02 . 2009-06-21 16:02 -------- d-----w- c:\program files\Windows Media Components
2009-06-21 15:49 . 2009-06-21 15:49 -------- d-----w- c:\program files\uTorrent
2009-06-21 15:49 . 2009-06-21 15:49 -------- d-----w- c:\program files\Unlocker
2009-06-21 15:47 . 2009-06-21 15:47 -------- d-----w- c:\program files\VS Revo Group
2009-06-21 15:47 . 2009-06-21 15:47 -------- d-----w- c:\program files\Xiph.Org
2009-06-21 15:46 . 2009-06-21 15:46 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\Malwarebytes
2009-06-21 15:46 . 2009-06-21 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-21 15:45 . 2009-06-21 15:45 -------- d-----w- c:\program files\Free Download Manager
2009-06-21 15:45 . 2009-06-21 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-06-21 15:39 . 2009-06-21 15:39 -------- d-----w- c:\program files\Illustrate
2009-06-21 15:39 . 2009-06-21 15:39 -------- d-----w- c:\program files\Microsoft Corporation
2009-06-21 15:39 . 2009-06-21 15:39 -------- d-----w- c:\program files\ERUNT
2009-06-21 15:37 . 2009-06-21 15:34 -------- d-----w- c:\program files\DVDlabPro2
2009-06-21 15:32 . 2009-06-21 15:32 -------- d-----w- c:\program files\Womble Multimedia
2009-06-21 15:30 . 2009-06-21 15:30 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\LEAPS
2009-06-21 15:26 . 2009-06-21 15:26 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\Pegasys Inc
2009-06-21 15:22 . 2009-06-21 15:20 -------- d-----w- c:\program files\Pegasys Inc
2009-06-21 15:22 . 2009-06-21 15:22 59488 ----a-w- c:\windows\system32\GenSvcInst.exe
2009-06-21 15:22 . 2009-06-21 15:22 33408 ----a-w- c:\windows\system32\drivers\CDRBSDRV.SYS
2009-06-21 15:22 . 2009-06-21 15:22 145504 ----a-w- c:\windows\system32\bgsvcgen.exe
2009-06-21 15:18 . 2009-06-21 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX
2009-06-21 15:18 . 2009-06-21 15:16 -------- d-----w- c:\program files\MAGIX
2009-06-21 15:17 . 2009-06-21 15:17 -------- d-----w- c:\program files\Common Files\xara
2009-06-21 15:15 . 2009-06-21 15:15 -------- d-----w- c:\program files\DVD Shrink
2009-06-21 15:15 . 2009-06-21 15:15 -------- d-----w- c:\program files\DVD Decrypter
2009-06-21 15:08 . 2009-06-21 14:48 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-21 15:07 . 2009-06-21 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-06-21 15:07 . 2009-06-21 15:07 -------- d-----w- c:\program files\Nero
2009-06-21 14:50 . 2009-06-21 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-06-21 14:39 . 2009-06-21 12:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-21 13:31 . 2009-06-21 13:31 -------- d-----w- c:\program files\Common Files\Vbox
2009-06-21 13:30 . 2009-06-21 13:26 -------- d-----w- c:\program files\Macromedia
2009-06-21 13:29 . 2009-06-21 13:28 -------- d-----w- c:\program files\Common Files\Macromedia
2009-06-21 13:06 . 2009-06-21 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-21 13:03 . 2009-06-21 13:03 -------- d-----w- c:\program files\Bonjour
2009-06-21 12:55 . 2009-06-21 12:55 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-21 12:51 . 2009-06-21 12:47 -------- d-----w- c:\program files\coolpro2
2009-06-21 12:49 . 2009-06-21 12:49 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\Syntrillium
2009-06-21 12:43 . 2009-06-21 12:40 -------- d-----w- c:\program files\CyberLink
2009-06-21 12:39 . 2009-06-21 12:39 10128 ----a-w- c:\documents and settings\All Users\Application Data\DVDXStudio\CloneDVD4\MainApp.dll
2009-06-21 12:39 . 2009-06-21 12:38 -------- d-----w- c:\program files\CloneDVD
2009-06-21 12:38 . 2009-06-21 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DVDXStudio
2009-06-21 12:37 . 2009-06-21 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-06-21 12:35 . 2009-06-21 12:35 -------- d-----w- c:\program files\SlySoft
2009-06-21 12:33 . 2009-06-21 12:33 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-21 12:33 . 2009-06-21 12:33 47360 ----a-w- c:\documents and settings\Russell Chapman\Application Data\pcouffin.sys
2009-06-21 12:33 . 2009-06-21 12:33 47360 ----a-w- c:\documents and settings\Russell Chapman\Application Data\pcouffin.sys
2009-06-21 12:33 . 2009-06-21 12:32 -------- d-----w- c:\program files\VSO
2009-06-21 12:26 . 2009-06-21 12:26 -------- d-----w- c:\documents and settings\Russell Chapman\Application Data\Thunderbird
2009-06-21 12:25 . 2009-06-21 12:25 0 ----a-w- c:\windows\nsreg.dat
2009-06-21 11:38 . 2009-06-21 11:38 -------- d-----w- c:\program files\MSECache
2009-06-21 11:38 . 2009-06-21 11:38 -------- d-----w- c:\program files\Microsoft Math Add-in for Word 2007
2009-06-21 11:36 . 2009-06-21 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-21 11:32 . 2009-06-21 11:19 -------- d-----w- c:\program files\Microsoft Works
2009-06-21 11:19 . 2009-06-21 10:03 -------- d-----w- c:\program files\MSBuild
2009-06-21 11:18 . 2009-06-21 11:18 -------- d-----w- c:\program files\Microsoft.NET
2009-06-21 11:16 . 2009-06-21 11:16 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-06-21 11:03 . 2009-06-21 11:03 -------- d-----w- c:\program files\PowerISO
2009-06-21 10:58 . 2009-06-21 10:58 -------- d-----w- c:\program files\WinFast
2009-06-21 10:21 . 2009-06-21 10:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-06-21 10:18 . 2009-06-21 09:38 -------- d-----w- c:\program files\ATI Technologies
2009-06-21 10:16 . 2009-06-21 10:16 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-06-21 10:16 . 2009-06-21 10:16 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-06-21 10:16 . 2009-06-21 10:16 168208 ----a-w- c:\windows\system32\guard32.dll
2009-06-21 10:16 . 2009-06-21 10:16 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-05-29 2931648]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-06-21 1794320]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-11-16 90112]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-11-15 2850816]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11 SE DVD\uvPL.exe" [2007-04-12 341488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
c:\documents and settings\Russell Chapman\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Westnet Usage Grabber.lnk - c:\program files\Westnet Usage Grabber\wug.exe [2009-6-24 458752]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-6-21 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-21 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\CNAB3RPK.EXE"=
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [21/06/2009 6:16 PM 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [21/06/2009 6:16 PM 24096]
R1 wfcxacap;WinFast TV PCI Audio Capture Driver;c:\windows\system32\drivers\wfcxacap.sys [21/06/2009 6:51 PM 9856]
R2 wfcxatun;WinFast TV Analog Tuner Driver;c:\windows\system32\drivers\wfcxatun.sys [21/06/2009 6:51 PM 31744]
R2 WFCXVCAP;WinFast TV Video Capture Driver;c:\windows\system32\drivers\wfcxvcap.sys [21/06/2009 6:51 PM 167040]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [21/06/2009 6:15 PM 101936]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;c:\windows\system32\drivers\wfcxdtun.sys [21/06/2009 6:51 PM 21248]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;c:\windows\system32\drivers\wfcxtcap.sys [21/06/2009 6:51 PM 15872]
R3 wfcxxbar;WinFast TV Crossbar Driver;c:\windows\system32\drivers\wfcxxbar.sys [21/06/2009 6:51 PM 10496]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [7/10/2007 8:48 PM 116664]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFDTV\WFIOCTL.sys [21/06/2009 6:58 PM 9446]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Russell Chapman\Application Data\Mozilla\Firefox\Profiles\rsbtzxag.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-28 14:46
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-515967899-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ABCA10D1-EEEB-A201-3264-E99DD75230D7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"pacjionnkecdacfhijhbjeolfimdafji"=hex:6a,61,6f,6e,6c,67,68,6c,63,70,70,6d,70,
65,66,67,61,67,61,6d,00,00
"oamakmfnkcebingnhafklcgkolmmfm"=hex:6a,61,6f,6e,6c,67,68,6c,63,70,70,6d,70,65,
66,67,61,67,61,6d,00,00
"kaejojpjambnnfdambiflp"=hex:62,61,61,6f,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(888)
c:\windows\system32\guard32.dll
.
Completion time: 2009-06-28 14:48
ComboFix-quarantined-files.txt 2009-06-28 06:48
Pre-Run: 57,247,240,192 bytes free
Post-Run: 57,227,448,320 bytes free
Thank you
-
Looks good, how is she performing now?
-
I thought I already replied to that post. Hmm ...
In a nutshell she is not performing well at all, despite what those logs show.
An example is that this morning on startup I had multiple instances of W32.Imaut.AS and the AV asked for a restart.
Since then every time I open Firefox it asks if I want to use it as my default browser, usually only does that after the initial installation so a reinstalling I am going.
Thanks for your help with this, it is appreciated.
-
Sorry to hear that, below is a good and aggressive virus scanner, I use it myself from time to time.
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
* Double-click the drweb-cureit.exe file and allow it to run the express scan
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look whether you can click the next icon next to the files found:
* If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
-
Hi Neal,
Thanks for the link, I have downloaded Dr Web, and will post in due course.
Seeing Spybot mentioned in your sig reminded me of something rather strange that happened last evening.
While downloading the latest from Microsoft I got an alert from Spybot saying it had detected and blocked Virtumonde in one of the downloading files, it was in a .NET Framework update or service pack. I was thunderstruck, don't think I have seen malware caught in the act before.
After the restart Spybot took command of the computer and ran a full scan lasting over an hour, which turned up nothing.
Not sure what to make of this, I doubt it was actually from Microsoft. Or if it was I don't know how to contact them, they are so bureaucratic, a "Contact us" button perhaps? (joke). So is this how the things get in, they "see" a download in progress, and slip in hoping not to be noticed?