Tech Support Team

#1, 26th March 2009, 09:41 PM
Edcondi (Account Disabled; joined Mar 2008, 67 posts)
Removal of WinPC Defender

I would be most grateful for your kind help with removing the problem with Win PC Defender, which has been unexpectedly downloaded onto my PC. The error message is as follows every time a web link is tried:

The title of the web page is “Reported Insecure Browsing: Navigation blocked – Windows Internet Explorer”
The URL always changes to:
[URL not preserved in the post]
With the warning in the web page showing:

Insecure Internet activity. Threat of virus attack

Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, activate WinPC Defender.
We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended).

I would appreciate your kind help to resolve this problem.
Thank you very much
Edcondi
#2, 26th March 2009, 10:00 PM
evilfantasy (Security Team; Tulsa, OK; joined Dec 2007, 2,555 posts)
Download Malwarebytes' Anti-Malware (MBAM)

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

----------

Download TrendMicro HijackThis.exe (HJT) to the Desktop.

  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
  • Click on the Do a system scan and save a log file button
  • HijackThis will scan and then a log will open in notepad.
  • Copy and then paste the entire contents of the log in your post.
  • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#3, 26th March 2009, 11:57 PM
Edcondi (Account Disabled; joined Mar 2008, 67 posts)
Downloads install but do not function

I downloaded both the mbam-setup.exe and the HJTInstall.exe files to the desktop. The MBAM file installs and has a desktop shortcut, but the second file does not get installed. However, the MBAM installation does not work afterwards. I don't know what's wrong since the WinPC Defender problem. Please help, if possible.
Thank you again for your kind help.
Kind regards
Edcondi
#4, 27th March 2009, 12:17 AM
evilfantasy (Security Team; Tulsa, OK; joined Dec 2007, 2,555 posts)
Go to My Computer->Tools->Folder Options->View tab:
  • Under the Hidden files and folders heading:
  • Select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK


Go to Start > Run, type notepad.exe, then click OK.

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

; remove the WinPC Defender browser helper object (BHO) registrations
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\ext\stats\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}]

[-HKEY_CURRENT_USER\software\winpc defender]

[-HKEY_LOCAL_MACHINE\software\classes\clsid\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\programmable]

[-HKEY_LOCAL_MACHINE\software\classes\typelib\{a54dc52d-7aad-4d40-a126-337211631edc}]

[-HKEY_LOCAL_MACHINE\software\classes\typelib\{a54dc52d-7aad-4d40-a126-337211631edc}\1.0\0]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}]

; remove the two autostart values ("Content" and "sysav") from the Run keys
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Content"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sysav"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

Now try MBAM again. You might need to restart the computer if it doesn't run after running the fixme.reg.
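The fixme.reg in reply #4 uses the two destructive forms of the REGEDIT4 format: a key in square brackets prefixed with a minus sign deletes that key and everything under it, and "name"=- deletes a single value under the key named above it. Before merging such a file it helps to see exactly what it will do. The Python below is an added example, not code from this thread or from any of the tools it mentions; parse_reg, lint and describe are names chosen here. It parses a REGEDIT4 file into key deletions, value deletions and value assignments, then flags mistakes that regedit itself will not report: unbalanced braces in a GUID, an unknown root hive, a key deleted twice, or a subkey deleted after its parent. Its input is the fixme.reg from reply #4 (the first key's GUID is written with its closing brace, which the original post omitted). It goes beyond the posted file in also accepting value assignments and the newer "Windows Registry Editor Version 5.00" header.

```python
"""Summarise what a REGEDIT4 (.reg) file will do before it is merged."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# fixme.reg as posted in reply #4 above, with the closing brace of the
# first key's GUID present (regedit rejects a key line without it).
FIXME_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\ext\stats\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}]

[-HKEY_CURRENT_USER\software\winpc defender]

[-HKEY_LOCAL_MACHINE\software\classes\clsid\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}\programmable]

[-HKEY_LOCAL_MACHINE\software\classes\typelib\{a54dc52d-7aad-4d40-a126-337211631edc}]

[-HKEY_LOCAL_MACHINE\software\classes\typelib\{a54dc52d-7aad-4d40-a126-337211631edc}\1.0\0]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96ad72e4-2e2b-4ffc-a5bb-279c2714af12}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Content"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sysav"=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
ROOTS = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                  # [KEY] or [-KEY]
_VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "name"=data or @=data


@dataclass
class RegChanges:
    deleted_keys: list = field(default_factory=list)    # [-KEY] sections
    deleted_values: list = field(default_factory=list)  # (key, name) for "name"=-
    set_values: list = field(default_factory=list)      # (key, name, data)


def parse_reg(text: str) -> RegChanges:
    """Walk the file once; every value line belongs to the [KEY] above it."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / version header")
    changes = RegChanges()
    current = None  # key that the following value lines apply to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                changes.deleted_keys.append(key)
                current = None  # value lines cannot follow a key deletion
            else:
                current = key
            continue
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        if current is None:
            raise ValueError(f"value line outside a [KEY] section: {raw!r}")
        name, data = m.groups()
        name = "(Default)" if name == "@" else name[1:-1]
        if data == "-":
            changes.deleted_values.append((current, name))
        else:
            changes.set_values.append((current, name, data))
    return changes


def lint(changes: RegChanges) -> list:
    """Flag mistakes regedit will not warn about: bad braces, unknown hives,
    and deletions that repeat or are already covered by an ancestor deletion."""
    warnings, seen = [], []
    for key in changes.deleted_keys:
        low = key.lower()  # registry paths are case-insensitive
        if key.count("{") != key.count("}"):
            warnings.append(f"unbalanced braces in key: {key}")
        if key.split("\\", 1)[0].upper() not in ROOTS:
            warnings.append(f"unknown root hive in key: {key}")
        if low in seen:
            warnings.append(f"duplicate deletion (paths are case-insensitive): {key}")
        elif any(low.startswith(parent + "\\") for parent in seen):
            warnings.append(f"redundant deletion, an ancestor is already deleted: {key}")
        seen.append(low)
    return warnings


def describe(changes: RegChanges) -> list:
    """Human-readable summary, one line per change."""
    out = [f"delete key   {k}" for k in changes.deleted_keys]
    out += [f"delete value {k} -> {n}" for k, n in changes.deleted_values]
    out += [f"set value    {k} -> {n} = {d}" for k, n, d in changes.set_values]
    return out


if __name__ == "__main__":
    parsed = parse_reg(FIXME_REG)
    print("\n".join(describe(parsed)))
    for w in lint(parsed):
        print("WARNING:", w)
```

Run as a script it prints seven key deletions and two value deletions, followed by two warnings that are expected for the posted file: the typelib\...\1.0\0 deletion is redundant because its parent typelib key is deleted just above it, and the last Browser Helper Objects line repeats the previous key in different case, which the registry treats as the same path. Neither is harmful, but the same checks catch a dropped brace, which would make regedit refuse the file.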
#5, 27th March 2009, 12:38 AM
Edcondi (Account Disabled; joined Mar 2008, 67 posts)
Success message about adding fixme.reg to the registry

Just to confirm that the success message did show. I'm going ahead to follow the rest of your advice. Thanks again for looking into this.
Kind regards
Edcondi
#6, 27th March 2009, 01:04 AM
Edcondi (Account Disabled; joined Mar 2008, 67 posts)
Follow up to fixme.reg

Tried MBAM again, but it did not work. Neither did the HJTInstall.exe install.
Please help if possible
Kind regards
Edcondi
#7, 27th March 2009, 01:06 AM
evilfantasy (Security Team; Tulsa, OK; joined Dec 2007, 2,555 posts)
Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

* Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
* Search for any of the following:

- Seneka.sys <- Or anything beginning with Seneka
- clbdriver.sys <- Or anything beginning with clbdriver
- TDSSserv.sys <- Or anything beginning with TDSS

* If you do find any, right-click on them and select Disable. Do not try to uninstall them.
* Let me know if you find them or not.

If found restart the computer and try MBAM again.
#8, 27th March 2009, 01:27 AM
Edcondi (Account Disabled; joined Mar 2008, 67 posts)
Non-plug and Play drivers not found

The drivers that you referred to, as below, were not there.
- Seneka.sys <- Or anything beginning with Seneka
- clbdriver.sys <- Or anything beginning with clbdriver
- TDSSserv.sys <- Or anything beginning with TDSS

Thanks again for the continued help.
Edcondi
#9, 27th March 2009, 01:30 AM
evilfantasy (Security Team; Tulsa, OK; joined Dec 2007, 2,555 posts)
Download SDFix by AndyManchesta and save it to your desktop.

* Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
* A window will now open showing SDFix being extracted into the C:\SDFix folder.

  • Go to Start > Run and type: C:\SDFix\RunThis.bat, then press Ok.
  • Type S, then press Enter to switch to the safe mode menu screen.
  • Type Y to begin the cleanup process.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • SDFix will remove any Trojan services or registry entries found, then prompt you to "press any key..." to Reboot.
  • At this point, Press any key to continue and restart the computer.
  • When the computer restarts, the tool will run again to complete the removal process.
  • When the script is complete, it will display Finished...press any key...
  • Again, Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
#10, 27th March 2009, 02:12 AM
Edcondi (Account Disabled; joined Mar 2008, 67 posts)
SDFix icon on desktop, but it does not extract

I double-clicked the SDFix.exe (1.46 MB) icon, but it did not extract and there is no folder C:\SDFix.
Please help.
Kind regards
Edcondi

PS This PC is slowing down and freezing up at times, too
#11, 27th March 2009, 02:18 AM
evilfantasy (Security Team; Tulsa, OK; joined Dec 2007, 2,555 posts)
Let's try this.

Download the NVT Malware Remover Tool to your desktop.

Unzip the file and then run the installer.
Once installed, click on the Update tab and check for updates.
Next, click the Scan tab and then click the Scan button to begin the scanner.
If any threats are found, select the Remove button and then click Apply.
Next, select the button next to Copy in DETECTED folder, then click Apply.
Next, at the top of the scanner window click Menu, then select Open DETECTED folder.
Post that log back here.

Restart the computer.

Let me know if anything was found.
Last edited by evilfantasy; 27th March 2009 at 02:34 AM.

#12, 27th March 2009, 02:47 AM
Edcondi (Account Disabled; joined Mar 2008, 67 posts)
NVT Malware Remover Tool

The download of the NVT Malware Remover Tool went through to the desktop. I unzipped the file and then ran the installer as you require. The tool is scanning and has found the threat Antivirus 360 so far.
Thanks for this progress with the problem.
Kind regards
Edcondi

PS the RUN dialog box for ' SDFix\RunThis.bat ' is now showing. It is late because the PC is slowing down, I suppose
#13, 27th March 2009, 02:50 AM
evilfantasy (Security Team; Tulsa, OK; joined Dec 2007, 2,555 posts)
OK after the NVT tool is done try running SDFix again.
#14, 27th March 2009, 03:12 PM
Edcondi (Account Disabled; joined Mar 2008, 67 posts)
hijackthis.log was saved. So was the SDFixreport.txt. How should they be sent to you for your ready reference? Thanks for helping with this problem.
Kind regards
Edcondi
#15, 27th March 2009, 04:03 PM
evilfantasy (Security Team; Tulsa, OK; joined Dec 2007, 2,555 posts)
Just copy and paste them into the reply.
#16, 27th March 2009, 07:32 PM
Edcondi (Account Disabled; joined Mar 2008, 67 posts)
SDFixreport.txt and Logfile of Trend Micro HijackThis

The required log files are below:


SDFix: Version 1.240
Run by Owner on 27/03/2009 at 06:00

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 06:15:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Owner\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\Owner\\Desktop\\DcShare42.zip\\DCShare42.exe"="C:\\Documents and Settings\\Owner\\Desktop\\DcShare42.zip\\DCShare42.exe:*:Disabled:Share Internet Connection"
"C:\\Documents and Settings\\Owner\\Desktop\\DcShare42.1.zip\\DCShare42.exe"="C:\\Documents and Settings\\Owner\\Desktop\\DcShare42.1.zip\\DCShare42.exe:*:Disabled:Share Internet Connection"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Java\\jdk1.6.0_07\\bin\\javaw.exe"="C:\\Program Files\\Java\\jdk1.6.0_07\\bin\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Java\\jdk1.6.0_07\\jre\\bin\\java.exe"="C:\\Program Files\\Java\\jdk1.6.0_07\\jre\\bin\\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\dlcccoms.exe"="C:\\WINDOWS\\system32\\dlcccoms.exe:*:Enabled:Dell 924 Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

Remaining Files :



Files with Hidden Attributes :

Thu 9 Oct 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Tue 11 Sep 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 27 Jan 2005 26,112 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0005.tmp"
Mon 24 Nov 2008 57,856 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0099.tmp"
Mon 24 Nov 2008 57,856 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0202.tmp"
Mon 19 Jul 2004 188,928 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0377.tmp"
Mon 19 Jul 2004 184,832 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0566.tmp"
Mon 19 Jul 2004 189,952 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0781.tmp"
Sat 17 Nov 2007 132,608 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1193.tmp"
Mon 19 Jul 2004 24,064 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1208.tmp"
Mon 24 Nov 2008 62,464 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1516.tmp"
Mon 24 Nov 2008 62,976 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1848.tmp"
Sun 6 Jun 2004 25,600 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2074.tmp"
Thu 3 Jan 2008 31,232 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2181.tmp"
Sun 6 Jun 2004 24,064 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2236.tmp"
Sun 6 Jun 2004 27,648 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2285.tmp"
Mon 24 Nov 2008 68,096 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2900.tmp"
Sun 6 Jun 2004 27,136 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2916.tmp"
Mon 24 Nov 2008 52,224 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2981.tmp"
Sun 6 Jun 2004 27,136 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3061.tmp"
Sun 6 Jun 2004 28,160 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3346.tmp"
Sun 13 Jul 2008 166,400 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3397.tmp"
Mon 19 Jul 2004 190,976 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3462.tmp"
Mon 24 Nov 2008 58,368 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3581.tmp"
Sun 6 Jun 2004 30,720 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3723.tmp"
Sun 6 Jun 2004 30,208 A..H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3878.tmp"
Sat 17 Nov 2007 40,960 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL4056.tmp"
Sat 22 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 1 Jun 2008 27,648 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL0004.tmp"
Sun 10 Aug 2008 31,744 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL0263.tmp"
Sun 1 Jun 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL0341.tmp"
Sun 10 Aug 2008 28,672 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL0461.tmp"
Sun 10 Aug 2008 31,232 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL0502.tmp"
Sun 1 Jun 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL0614.tmp"
Sun 10 Aug 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL0854.tmp"
Sun 10 Aug 2008 27,648 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1082.tmp"
Sun 10 Aug 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1136.tmp"
Sun 10 Aug 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1209.tmp"
Sun 10 Aug 2008 30,208 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1227.tmp"
Sun 1 Jun 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1258.tmp"
Sun 1 Jun 2008 28,672 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1286.tmp"
Sun 10 Aug 2008 28,672 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1400.tmp"
Sun 10 Aug 2008 28,672 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1410.tmp"
Sun 1 Jun 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1533.tmp"
Sun 10 Aug 2008 31,744 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1646.tmp"
Sun 1 Jun 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1734.tmp"
Sun 1 Jun 2008 28,672 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1770.tmp"
Sun 10 Aug 2008 31,744 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1960.tmp"
Sun 10 Aug 2008 28,672 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL1999.tmp"
Sun 10 Aug 2008 30,720 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL2264.tmp"
Sun 10 Aug 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL2583.tmp"
Sun 10 Aug 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL2711.tmp"
Sun 10 Aug 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL3119.tmp"
Sun 10 Aug 2008 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL3293.tmp"
Sun 10 Aug 2008 28,672 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL3549.tmp"
Sun 10 Aug 2008 30,208 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL3566.tmp"
Sun 10 Aug 2008 31,744 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\~WRL3735.tmp"
Sun 25 Jun 2006 39,424 A..H. --- "C:\Documents and Settings\Owner.STUDIES-ST97KSU\My Documents\Mr Williams+bullying\~WRL0552.tmp"
Sun 25 Jun 2006 39,936 A..H. --- "C:\Documents and Settings\Owner.STUDIES-ST97KSU\My Documents\Mr Williams+bullying\~WRL1748.tmp"
Thu 26 Mar 2009 192,000 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2580.tmp"
Thu 3 Jan 2008 82,432 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2825.tmp"
Thu 26 Mar 2009 190,464 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3491.tmp"
Tue 30 Dec 2008 62,976 A..H. --- "C:\Documents and Settings\Owner\Desktop\Computer Notes\JAVA\~WRL0111.tmp"
Tue 30 Dec 2008 55,808 A..H. --- "C:\Documents and Settings\Owner\Desktop\Computer Notes\JAVA\~WRL1512.tmp"
Tue 30 Dec 2008 52,736 A..H. --- "C:\Documents and Settings\Owner\Desktop\Computer Notes\JAVA\~WRL1613.tmp"
Tue 30 Dec 2008 59,392 A..H. --- "C:\Documents and Settings\Owner\Desktop\Computer Notes\JAVA\~WRL1750.tmp"
Tue 30 Dec 2008 62,976 A..H. --- "C:\Documents and Settings\Owner\Desktop\Computer Notes\JAVA\~WRL2085.tmp"
Tue 30 Dec 2008 60,928 A..H. --- "C:\Documents and Settings\Owner\Desktop\Computer Notes\JAVA\~WRL2088.tmp"
Tue 30 Dec 2008 64,512 A..H. --- "C:\Documents and Settings\Owner\Desktop\Computer Notes\JAVA\~WRL2550.tmp"
Mon 29 Dec 2008 84,992 A..H. --- "C:\Documents and Settings\Owner\Desktop\Computer Notes\JAVA\~WRL3383.tmp"
Tue 30 Dec 2008 72,192 A..H. --- "C:\Documents and Settings\Owner\Desktop\Computer Notes\JAVA\~WRL3868.tmp"
Wed 4 Mar 2009 26,112 ...H. --- "C:\Documents and Settings\Owner\Desktop\Planning\Land Registry\~WRL1113.tmp"
Tue 23 Aug 2005 45,056 A..H. --- "C:\Documents and Settings\Owner.STUDIES-ST97KSU\My Documents\Amanda's Files\Psychology\~WRL2339.tmp"
Wed 19 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!


--------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15:33, on 27/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Windows\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Radialpoint\Radialpoint Security Services\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Radialpoint\Radialpoint Security Services\rps.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Radialpoint\Radialpoint Security Services\SafeConnect\Bin\SanaAgent.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Radialpoint\Radialpoint Security Services\RpsSecurityAwareR.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
C:\Program Files\Radialpoint\Radialpoint Security Services\SafeConnect\Bin\SanaMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/too...l?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/too...l?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server.toolbar.rediff.com/too...l?mode=toolbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Welcome to rediff.com India
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server.toolbar.rediff.com/too...l?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Live Search:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IEocx Class - {06ec6572-7280-485a-a712-c380526bc048} - C:\WINDOWS\ieocx.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\2.5.0\SmrtShpr.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Radialpoint\Radialpoint Security Services\pkR.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Windows Live Family Safety Browser Helper Class - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: XBTBPos00 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {df379062-bf9b-47f1-8c68-69994404ebd0} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {960177af-12a9-4504-a636-2ded32ad4a82} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Radialpoint\Radialpoint Security Services\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Radialpoint\Radialpoint Security Services\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-329068152-606747145-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-329068152-606747145-839522115-1003\..\RunOnce: [IndexCleaner] "C:\Program Files\Radialpoint\Radialpoint Security Services\IdxClnR.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\2.5.0\SmrtShpr.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.5.0\SmrtShpr.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: Personal Banking - Barclays Personal Banking
O15 - Trusted Zone: Land Registry : We underpin the title to registered land in England and Wales and hold records for land ownership and interests.
O15 - Trusted Zone: MSN.com
O15 - Trusted Zone: Radialpoint - Managed end-to-end Internet VAS
O15 - Trusted Zone: Under Construction
O15 - Trusted Zone: Spyware Removal Instructions :: Uninstall, Delete and Get Rid Of Spyware and Adware
O15 - Trusted Zone: The Daily Mass-Multimedia Site
O15 - Trusted Zone: Help - Virgin Media
O15 - Trusted Zone: Virgin Media - digital TV, broadband, phone and mobile
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: World of Su
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/...osticsxp2k.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Security Services - Radialpoint SafeCare Inc. - C:\Program Files\Radialpoint\Radialpoint Security Services\RpsSecurityAwareR.exe
O23 - Service: Radialpoint Security Services SafeConnectAgent (RadialpointSafeConnectAgent) - Sana Security - C:\Program Files\Radialpoint\Radialpoint Security Services\SafeConnect\Bin\SanaAgent.exe
O23 - Service: Radialpoint Security Services Firewall (RP_FWS) - Radialpoint SafeCare Inc. - C:\Program Files\Radialpoint\Radialpoint Security Services\Fws.exe

--
End of file - 10961 bytes
#17
27th March 2009, 09:01 PM
evilfantasy
Security Team
This is not looking good. We will know more after we run ComboFix.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
  • R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
  • F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
  • O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
  • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
  • O2 - BHO: XBTBPos00 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - (no file)
  • O2 - BHO: (no name) - {df379062-bf9b-47f1-8c68-69994404ebd0} - (no file)
  • O3 - Toolbar: (no name) - {960177af-12a9-4504-a636-2ded32ad4a82} - (no file)
  • O3 - Toolbar: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
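The selection rule in the post above is mechanical enough to script: every R3/O2/O3 entry whose target is "(no file)" is a registry registration whose DLL has already been deleted, and an R0 "Local Page =" with nothing after the equals sign is an empty start-page value. The following is an added example written for this page, not HijackThis code and not from anyone in the thread. The sample lines are copied from the logs posted here (plus two healthy entries so the filter has something to leave alone); the function and class names are assumptions for illustration. It also cross-references CLSIDs that show up in more than one orphaned slot, which is exactly what the {12F02779-...} GUID does here (URLSearchHook and Toolbar).

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the log in this thread,
# plus two healthy entries (Java SSV helper, Google toolbar) that the
# filter must leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: (no name) - {960177af-12a9-4504-a636-2ded32ad4a82} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    section: str   # "R0", "O2", "O3", ...
    body: str      # text after the "O2 - " prefix
    clsid: str     # lower-cased {GUID} if present, else ""
    target: str    # last " - " field: a path, "(no file)", or the whole body


def parse_hjt(text):
    """Parse HijackThis-style lines into HjtEntry records; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        target = body.rsplit(" - ", 1)[-1].strip() if " - " in body else body.strip()
        entries.append(HjtEntry(m.group("sec"), body, c.group(0).lower() if c else "", target))
    return entries


def select_for_fix(entries):
    """Apply the rule used in the post: orphaned registrations and empty R0 values.

    Returns (entry, reason) pairs. Anything else (for instance the F2 UserInit
    line the post also ticks) is a human judgement call and is not decided here.
    """
    picks = []
    for e in entries:
        if e.section in ("R0", "R1") and e.body.rstrip().endswith("="):
            picks.append((e, "empty value"))
        elif e.section in ("R3", "O2", "O3") and e.target == "(no file)":
            picks.append((e, "registered in the registry, but the file is gone"))
    return picks


def repeated_orphan_clsids(picks):
    """CLSIDs registered in more than one orphaned slot (here: URLSearchHook and Toolbar)."""
    counts = {}
    for e, _ in picks:
        if e.clsid:
            counts[e.clsid] = counts.get(e.clsid, 0) + 1
    return sorted(c for c, n in counts.items() if n > 1)


if __name__ == "__main__":
    chosen = select_for_fix(parse_hjt(SAMPLE_LOG))
    for entry, why in chosen:
        print(f"[fix] {entry.section} - {entry.body}    <- {why}")
    for clsid in repeated_orphan_clsids(chosen):
        print(f"[note] {clsid} appears in more than one orphaned entry")
```

Run against the sample it reports the five lines the post ticks (the R0 Local Page, the R3 hook, the AVG BHO and the two nameless toolbars) and leaves the Java and Google entries alone. The point of the cross-reference is that a CLSID still registered under two different hook types with no backing file is not leftover from a clean uninstall; it is worth quarantining the registry keys rather than just deleting the values.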
#18
28th March 2009, 03:28 AM
Edcondi
Account Disabled
Starting ComboFix

The PC is in Safe Mode with networking and the download of ComboFix.exe is at the desktop. I've double clicked it but nothing happens. I've right clicked the icon and opened the file to run it, but again nothing happens. Kindly help, if possible.
Thanks again and kind regards
Edcondi
#19
28th March 2009, 03:47 AM
evilfantasy
Security Team
Try renaming ComboFix to Combo-Fix.
#20
28th March 2009, 01:14 PM
Edcondi
Account Disabled
Combofix log

Thanks for your further help. The ComboFix log file saved is as follows:

ComboFix 09-03-26.03 - Owner 2009-03-28 12:02:34.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\RB1.tmp
c:\windows\ieocx.dll
c:\windows\system32\drivers\UACktlwowbp.sys
c:\windows\system32\mdm.exe
c:\windows\system32\system\
c:\windows\system32\UACapyhiymp.log
c:\windows\system32\UACaunmwvbf.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjxvimpqq.dll
c:\windows\system32\UAClnewswst.log
c:\windows\system32\UACnnbmtird.dll
c:\windows\system32\UACsrrojfwq.dll
c:\windows\system32\UACubobxthe.dat
c:\windows\system32\UACupafuxdu.dll
c:\windows\system32\UACxylqibqh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-27 05:46 . 2009-03-27 05:47 <DIR> d-------- c:\windows\ERUNT
2009-03-27 05:14 . 2009-03-27 05:14 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 04:33 . 2009-03-27 06:15 <DIR> d-------- C:\SDFix
2009-03-27 02:25 . 2009-03-27 04:13 <DIR> d-------- c:\program files\NVT Malware Remover Tool
2009-03-26 23:13 . 2009-03-26 23:13 <DIR> d-------- c:\program files\Raxco
2009-03-26 23:13 . 2009-03-26 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raxco
2009-03-26 23:13 . 2008-08-28 13:16 71,184 --a------ c:\windows\system32\drivers\DefragFS.sys
2009-03-26 22:37 . 2009-03-26 22:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 22:37 . 2009-03-26 22:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-26 22:37 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 22:37 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-25 13:56 . 2009-03-25 13:59 16,832 --a------ c:\windows\system32\amcompat.tlb
2009-03-25 13:53 . 2009-03-28 12:02 <DIR> d-------- c:\windows\system32\CatRoot2
2009-03-20 19:03 . 2009-03-20 19:06 741 --a------ C:\iexplore.exe.lnk
2009-03-20 19:03 . 2009-03-20 19:19 546 --a------ C:\Mozilla Firefox.lnk
2009-03-18 18:37 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-18 04:13 . 2009-03-18 04:13 <DIR> d-------- C:\e42c1aff98c4b84fb4d3540fb0
2009-03-14 21:45 . 2008-11-26 15:19 53,192 --a------ c:\windows\system32\drivers\rp_skt32.sys
2009-03-14 21:45 . 2008-08-06 21:20 48,384 --a------ c:\windows\system32\drivers\rp_pkt32.sys
2009-03-14 17:40 . 2009-03-14 17:40 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-14 17:28 . 2009-03-14 17:52 <DIR> d-------- c:\program files\NOS
2009-03-14 17:28 . 2009-03-14 17:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-07 16:38 . 2009-03-07 16:38 <DIR> d-------- c:\documents and settings\Owner\Application Data\DriverCure
2009-03-07 16:38 . 2009-03-07 16:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-07 16:38 . 2009-03-07 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverCure
2009-03-06 21:10 . 2009-03-28 12:24 150,318 --a------ c:\windows\system32\oodbs.lor
2009-03-06 21:08 . 2009-03-14 16:19 <DIR> d-------- c:\windows\system32\oodag
2009-03-06 20:33 . 2009-03-06 20:33 <DIR> d-------- c:\program files\OO Software
2009-03-05 15:55 . 2009-03-05 15:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\cs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 12:26 63,332,896 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-28 12:23 853,388 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-28 12:23 250,160 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-28 12:23 2,623,520 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-26 22:23 --------- d-----w c:\program files\Enigma Software Group
2009-03-24 22:06 --------- dc-h--w c:\documents and settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-03-23 16:30 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-21 18:01 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2009-03-20 12:31 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-17 20:35 --------- d-----w c:\documents and settings\Owner\Application Data\Radialpoint
2009-03-17 20:32 --------- d-----w c:\program files\Radialpoint
2009-03-17 20:30 --------- d-----w c:\documents and settings\All Users\Application Data\Radialpoint
2009-03-17 20:18 --------- d-----w c:\program files\InstallShield Installation Information
2009-03-16 21:40 --------- d-----w c:\documents and settings\Owner\Application Data\Image Zone Express
2009-03-14 21:50 --------- d--h--w c:\documents and settings\Owner\Application Data\GTek
2009-03-14 21:50 --------- d--h--w c:\documents and settings\All Users\Application Data\GTek
2009-03-08 12:23 --------- d-----w c:\documents and settings\Owner\Application Data\alot
2009-03-08 07:02 --------- d-----w c:\program files\SmartShopper
2009-03-07 21:10 --------- d-----w c:\program files\ZumieSearch
2009-03-07 20:06 --------- d-----w c:\documents and settings\Owner\Application Data\SmartShopper
2009-02-23 20:05 37,896 ----a-w c:\windows\system32\drivers\oobctm.sys
2009-02-19 12:05 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-19 12:03 --------- d-----w c:\program files\Microsoft
2009-02-19 12:02 --------- d-----w c:\program files\Windows Live Toolbar
2009-02-19 12:02 --------- d-----w c:\program files\Windows Live
2009-02-19 12:01 --------- d-----w c:\program files\Microsoft Sync Framework
2009-02-18 15:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-11 21:55 --------- d-----w c:\program files\Windows Live SkyDrive
2009-02-11 21:46 --------- d-----w c:\program files\Common Files\Windows Live
2009-02-06 19:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 18:08 55,152 ----a-w c:\windows\system32\drivers\fssfltr_tdi.sys
2009-02-02 14:55 --------- d-----w c:\documents and settings\Owner\Application Data\Notepad++
2009-02-02 14:54 --------- d-----w c:\program files\Notepad++
2009-02-01 22:30 --------- d-----w c:\program files\Common Files\HP
2009-02-01 22:28 --------- d-----w c:\program files\Hewlett-Packard
2008-09-24 21:01 16,264,312 -c--a-w c:\program files\7zipfree_8675.exe
2008-05-27 23:37 2,400,784 ----a-w c:\program files\WLinstaller.exe
2008-03-24 02:22 2,585,872 ----a-w c:\program files\WindowsInstaller-KB893803-v2-x86.exe
2008-03-24 02:01 921,696 ----a-w c:\program files\WinQualifier.exe
2008-03-21 19:58 305,672 -c--a-w c:\program files\dxwebsetup.exe
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
2008-05-25 19:51 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052520080526\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}]
2008-02-05 17:20 1173024 --a------ c:\program files\SmartShopper\Bin\2.5.0\SmrtShpr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]
2008-10-31 19:05 759080 --a------ c:\program files\alot\bin\alot.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}"= "c:\program files\alot\bin\alot.dll" [2008-10-31 759080]

[HKEY_CLASSES_ROOT\clsid\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
path=
backup=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^StarOffice 8.lnk]
backup=c:\windows\pss\StarOffice 8.lnkStartup
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\StarOffice 8.lnk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMM2007RT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B'sCLiP]
--a------ 2003-05-22 19:20 1310720 c:\progra~1\B'SCLI~1\Win2K\BsCLiP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fssui]
--a------ 2007-12-17 10:12 243240 c:\program files\Windows Live\Family Safety\fssui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2009-02-06 18:51 3885408 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-19 21:49 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-15 20:02 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"usnjsvc"=3 (0x3)
"SysmonLog"=2 (0x2)
"SwPrv"=3 (0x3)
"SNMPTRAP"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"PNRPSvc"=3 (0x3)
"p2pimsvc"=3 (0x3)
"p2pgasvc"=3 (0x3)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"GoogleDesktopManager-022208-143751"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=3 (0x3)
"AppMgmt"=2 (0x2)
"ZumieSearch Service"=2 (0x2)
"TapiSrv"=3 (0x3)
"seclogon"=2 (0x2)
"PDEngine"=3 (0x3)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"PDAgent"=2 (0x2)
"SeaPort"=2 (0x2)
"PD91Engine"=3 (0x3)
"PD91Agent"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"p2psvc"=3 (0x3)
"O&O Defrag"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-09-22 910600]
R3 Radialpoint Security Services;Radialpoint Security Services;c:\program files\Radialpoint\Radialpoint Security Services\RpsSecurityAwareR.exe [2009-03-02 170736]
R4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-13 29744]
R4 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S0 BsStor;B.H.A Storage Helper Driver; [x]
S2 BsUDF;B.H.A UDF Filesystem; [x]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-02-06 55152]
S2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-09-22 693512]
S2 RadialpointSafeConnectAgent;Radialpoint Security Services SafeConnectAgent; [x]
S3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Radialpoint\Radialpoint Security Services\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [2008-11-14 161304]
S3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Radialpoint\Radialpoint Security Services\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [2008-11-14 29720]
S3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Radialpoint\Radialpoint Security Services\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [2008-11-14 27376]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - aspnet_state
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - BsUDF
*Deregistered* - Cdfs
*Deregistered* - COMSysApp
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - DefragFS
*Deregistered* - Dhcp
*Deregistered* - dlcc_device
*Deregistered* - Dnscache
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - fssfltr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - gusvc
*Deregistered* - HTTP
*Deregistered* - ip6fw
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - Kbdclass
*Deregistered* - KLIF
*Deregistered* - KSecDD
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - MSDTC
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - OMCI
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - PD91Agent
*Deregistered* - PD91Engine
*Deregistered* - PfModNT
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RadialpointSafeConnectAgent
*Deregistered* - RadialpointSafeConnectDriver
*Deregistered* - RadialpointSafeConnectFilter
*Deregistered* - RadialpointSafeConnectShim
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RP_FWS
*Deregistered* - RpcSs
*Deregistered* - RPPKT
*Deregistered* - RPSKT
*Deregistered* - SamSs
*Deregistered* - SimpTcp
*Deregistered* - SNMP
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tunmp
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - WS2IFSL
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{203eb6de-7ba7-11dd-95a2-806d6172696f}]
\Shell\AutoRun\command - D:\Install.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\AntiSpywareApp\AntiSpyware.exe []

2009-03-28 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\AntiSpywareApp []

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-26 c:\windows\Tasks\ErrorFix Scan.job
- c:\program files\ErrorFix\ErrorFix.exe []

2009-03-26 c:\windows\Tasks\ErrorFix Scan.job
- c:\program files\ErrorFix []

2009-03-27 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2009-03-27 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []

2009-03-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 17:31]

2009-03-27 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll []

2009-03-28 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe []

2009-03-27 c:\windows\Tasks\RegClean Scheduled Scan.job
- c:\program files\RegClean\RegClean.exe []

2009-03-27 c:\windows\Tasks\RegClean Scheduled Scan.job
- c:\program files\RegClean []
.
- - - - ORPHANS REMOVED - - - -

BHO-{06ec6572-7280-485a-a712-c380526bc048} - c:\windows\ieocx.dll
Toolbar-SITEguard - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
MSConfigStartUp-sysav - c:\documents and settings\Owner\Application Data\pcdefender.exe


.
------- Supplementary Scan -------
.
mStart Page = hxxp://in.rediff.com/index.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Windows &Live Favorites - Add to Windows Live Favorites
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - {2260D608-C844-435d-90FD-DC16CFA577F2} - c:\program files\SmartShopper\Bin\2.5.0\SmrtShpr.dll
IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {BCEB373D-A35A-4200-BD43-8586CD9DFAE7} - c:\program files\SmartShopper\Bin\2.5.0\SmrtShpr.dll
Trusted Zone: barclays.co.uk\www.personal
Trusted Zone: co-operativebank.co.uk\welcome26
Trusted Zone: landregistry.gov.uk\www1
Trusted Zone: microsoft.com\www.update
Trusted Zone: msn.com\www
Trusted Zone: radialpoint.com\www
Trusted Zone: redbridge.gov.uk\planning
Trusted Zone: removal-instructions.com\www
Trusted Zone: sch.uk\folders.canonpalmer.redbridge
Trusted Zone: sch.uk\webmail.canonpalmer.redbridge
Trusted Zone: studentfinancedirect.co.uk\secure
Trusted Zone: themass.com\www
Trusted Zone: virginmedia.com\help2
Trusted Zone: virginmedia.com\www
Trusted Zone: windowsupdate.com\download
Trusted Zone: worldofsu.com\www
Trusted Zone: worldpay.com\select
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\magk1fxb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 12:26:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1740)
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Radialpoint\Radialpoint Security Services\Fws.exe
c:\windows\system32\dlcccoms.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Radialpoint\Radialpoint Security Services\SafeConnect\bin\SanaAgent.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2009-03-28 12:33:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 12:33:19

Pre-Run: 21,912,813,568 bytes free
Post-Run: 22,264,266,752 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

446 --- E O F --- 2009-03-18 17:00:11

Thank you very much for your most kind help.
Kind regards
Edcondi