I have AVG (free edition) and Ad-Aware 2007 (free edition) installed on my PC

I was on the official joe calzaghe site last night when an AVG pop up told me there was a virus threat and asked me what I wanted to do about it... as usual when I have a virus threat I decided to 'heal' (as opposed to ‘move to vault’ or ‘ignore’) and as usual it told me the heal had been successful.... straight after that though another virus threat came up to which i selected heal again... after this i carried on surfing numerous websites for 30 mins or so thinking the problem had been resolved but when I closed IE7 down I noticed my wallpaper had turned blue with a rectangular box in the middle of the screen... within the rectangle was text saying… 'Warning! Spyware has been detected on your computer. Please install a spyware remover or antivirus programme’…. I decided the best thing to do would be to restart my PC to see if the problem went away but after the reboot the same blue background and text came back up… at this stage a windows error box came up informing me windows could not access a certain file (I cannot remember which file this was!) and then after I selected ‘ok’ to close this box after a few mins I got a number of bugs (looked like cockroaches) walking over my screen eating all the icons on my desktop!... I thought I had serious problems at this stage but was relieved to see after nudging my mouse all the bugs disappeared and the half eaten icons re-appeared so the bugs were obviously just some kind of screensaver that had been installed by whatever was infecting my system.

Then a program called ‘Advanced XP Fixer’ automatically loaded up and began scanning my PC for threats. As I had never installed Advanced XP Fixer myself I did not trust the programme so stopped the scan mid-flow. I also tried closing down the programme completely but could not get rid of the icon from the bottom right of my screen so now the programme is permanently running in the background (in the same way AVG or MSN messenger does).

After investigating Advanced XP Fixer at www.advancedxpfixer.com the whole thing looks so professional I am finding it hard to believe the software isn’t legit…. I am just wary because the software just appeared from nowhere and I did not install it myself!!!

Now I have no idea where to go from here…. Do I let the advanced xp fixer programme run through til the end or do I not trust it?

What I did notice when I allowed Advanced xp fixer to run for a few mins is that it said it had detected a Trojan that allowed others to remotely connect to my PC!!!

I have not used my PC all day because I don’t want to risk anything (I am currently using my dads) but when I checked my email earlier I noticed I had received an email from my bank saying someone had been trying to access my account…. Now I am VERY VERY concerned!!

Please can someone help????

Ps. I have run a full AVG system scan and it came up with no threats (although it did say something like 4 or 5 dll files had been changed) and I am now running a full Ad-Aware scan but am yet to see the results.

You are the victim of a rogue antispyware install.

The message you recieved in regards to unauthorised remote access was more than likely a horrible but very effective scare tactic. They do this in the hope they can scare you into paying for a bogus program that pretends to clean your pc.

You done the correct thing by not allowing the scan to continue because all the warnings you are given telling you your pc is hugely infected are false. Most likely the only infection the pc has is the one telling you these threats.

This threat seems to be relatively new but a couple of good anti-spyware programs should be able to remove it.

First thing to do is download install and update a couple of very good free antimalware programs but don't run them just yet.

SUPERAntispyware (SAS) and Malware Bytes AntiMalware (MBAM) are at the links below:

Download SAS Free Edition from here

Click here to to start MBAM download

Download, install and update don't run the scans yet.

Next go to the control panel > add remove programs and have a look for advanced xp fixer. Remove if found.

Next reboot your pc into safe mode. Use the tap F8 during startup method Don't use msconfig to select startup type "safe mode".

Once in "Safe mode" run the SAS complete scan and then run the MBAM Full scan. Remove everything they find.

When MBAM has finished you should get a notepad document open up. Save it to your desktop and reboot the pc normally.

Once your pc has restarted paste the contents of the notepad document back here and let us know how things are running.

cheers btk1w1.

i followed your instructions and below is a print of the MBAM scan results:

-----

Malwarebytes' Anti-Malware 1.12
Database version: 777

Scan type: Full Scan (C:\|)
Objects scanned: 132075
Time elapsed: 2 hour(s), 1 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

-----

it looks (i think) as though your advice has worked.... thanks again.

i still have a few concerns though.... would it be possible for you to answer me a few more questions?:

1- I was told having AVG on my PC would make it impossible for any virus to get through but obviously it wasn't so effective here!!! Can you recommend any other free anti-virus software that is more effective?

2- Since this all happened the PC/Activity LED on my cable modem has been continuously flickering on and off where as before it only rarely flickered… could this mean there is still something wrong??

3- Now that (hopefully) everything is sorted why has it not reverted back to my previous wallpaper? Is this a sign there is still a problem?

4- Am I now completely safe to resume shopping online, internet banking etc?

cheers

jeff

I was told having AVG on my PC would make it impossible for any virus to get through but obviously it wasn't so effective here!!! Can you recommend any other free anti-virus software that is more effective?

There is really no product that will completely protect you of all malware (viruses, trojans, spyware and adware). This is because they are always changing how they infect a system, where one hole might be plugged, malware writers will seek out other vulnerabilities to infect a system. Antivirus vendors really have a job keeping up with them... kind of like a dog chasing it's tail.
AVG is a very good antivirus program and alot of computing.net regulars have it as their AV of choice. My AV of choice is Avast AV, I feel it offers better protection and has a few more features. It is a little more resource hungry though.

You say there is activity still showing on your modem... I will have a look at another log to see if your pc is clean.

Have you tried changing your wallpaper back?... If it reverts back to the one the malware planted this would be an obvious sign. If the image that the desktop is using as its wallpaper isn't itself laced with malicious code the anti-malware program won't have detected it as a threat and would have scanned past it.

I can't advise you to do online financial transactions until a couple of scans have been run, and especially because the activity light on your modem is busier than normal.

The next thing to do is run a HiJackThis scan so I can have a look to see if there is any processes running that shouldn't be.

Click here to download HiJackthis

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Post Hijackthis Log in your next reply

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:13:40, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\Powercinema\PCMService.exe
C:\apps\ABoard\AOSD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft MSJava 32 - {43F7497C-7687-4DEA-A057-F21BD81BC896} - C:\WINDOWS\system32\msjava32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCMService] "c:\apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5c39.dll"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5c39.dll"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.co...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptem...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideo...
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/file...
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1F45C3-D15B-46B5-822C-E20DD3C56D0F}: NameServer = 62.31.144.39,195.188.53.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 11229 bytes

I have to go out for a little bit, but there are a couple of things you can do in the mean time.

There are still a couple of nasties on your system.

First we will deal with Download Accelerator Plus and see if combofix will catch any of the others.

Go to the control panel > add / remove programs and remove "Download Accelerator Plus". Don't worry if it is not there. Your HJT log indicates a .dll file which belongs to it. This could be causing the internet activity you see. It reports back to base and keeps a port open for its communications. It is not reported as a keylogger and its online communication is described as non-malicious. It is an undesired application which can be the result of unwanted pop-ups.

Download Combofix to your desktop.

Note: It is important that it is saved directly to your desktop

Click here to download Combofix by sUBs

Close any open browsers and windows except fo Combofix

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note: Do not mouseclick combofix's window while it's running it can cause the program to freeze/hang.

In some cases your Antivirus or other realtime scanner will display an alert after you downloaded Combofix or while you use Combofix, please disable your scanners, delete the copy off the desktop and download Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them. There's nothing wrong with Combofix, heuristic detection can report this false positive because of combofixs removal technique.

Post a fresh HJT log along with the Combofix log.

Nightmare!

I have now got a completely un-related problem that seems much worse than the above!

Like a complete idiot I opened an '.exe' file which I downloaded from a torrent site.... the exe was disguised as a txt file but still i should have known better!!

i knew as soon as I'd done it I had made a mistake!! initially i thought i had got a similar problem to the one I explained earlier in this thread because the screen once again went blue and cockroaches came up as a screensaver.... now i have discovered that this problem is far worse!!

all kinds have things have occurred since opening the exe... i am constantly getting error messages, icons have been deleted from my desktop, other icons have appeared, all programs have disappeared from my start menu, I can no longer access word files, the virus is continuously trying to change my homepage, and many many more problems (too many to mention!). Even in safe mode I am experiencing problems!!

In the old days (when I used to know a bit about PC’s!) I would have just Fdisked my hard drive and started over again from scratch…. I am tempted to do the same now but I do not have the xp installation cd so would not know where to start!!!

Do you recommend trying to clean my PC or just start from scratch?

I bought my PC from PC World a couple of years ago now but like I say the XP installation disk wasn’t included it just came pre-installed… if I were to start over how would I go about it? I’m assuming there must be a way without the installation disk?

And if the best option is to try clean my PC how should I go about it? Shall I run the same scans as informed previously in this thread and post the new results?

Ps. If it helps I can tell you where to find the virus that infected my PC?

It's all good... No need to know where the infection came from, someone may inadvertantly click the link or look out of curiosity.

A fresh HJT log should be able to identify the malware by name.

Go to C:\Program Files and delete the Trend Micro folder. Delete the HJT installer from your desktop. Go to the same download location you got HJT from earlier and download and install it again. Post the log back here.

If you wanted to go the option of re-installing your operating system, you will probably have to go back to PC World and get them to reinstall it for you. They will likely charge a fee for this unfortunately, but a fresh operating system install is usually done as a last resort.

Post your log anyways to see if we can remove the malware.

In the mean time it might pay to back your data up to external media such as a cd. If you are losing desktop items the malware might be destructive, saving data to cd will preserve it. Just remember to scan the backed up data before copying it back over to a pc hard-drive.

If you are still there... an idea might be for you to uninstall AVG and install Avast in it's place.

Once the installation has completed let Avast schedule a boot-time scan and let it reboot your pc. It will run the scan before windows fully loads.

To effectively clean a pc of infections it is important to follow up all steps until scans show no more malware.

You didn't say whether you run combofix, and after your last HJT log there was still spyware present. Unfortunately if you don't completely get rid of some forms of malware they can re-populate.

Thanks again for your quick reply.

I got the 2nd virus before getting chance to run combofix.... I figured after getting the 2nd virus I would do all the scans you advised for my original problem over again... I don't know if this is what you would have advised but my PC is in such a state I figured I had nothing to lose!

These are the results of the new scans (after 2nd virus):

Malwarebytes' Anti-Malware 1.12
Database version: 793

Scan type: Full Scan (C:\|)
Objects scanned: 131554
Time elapsed: 2 hour(s), 1 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00d53a76 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0\Source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\BackupWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM03e609ea (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yjvegdpu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\updgevjy.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP12\A0000175.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP13\A0000186.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP13\A0000194.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP13\A0000206.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP13\A0000224.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP8\A0000107.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kjqaajil.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xmpstean.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Loll_l\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:05: VIRUS ALERT!, on 29/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\apps\Powercinema\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.ph...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft MSJava 32 - {43F7497C-7687-4DEA-A057-F21BD81BC896} - C:\WINDOWS\system32\msjava32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCMService] "c:\apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5c39.dll"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5c39.dll"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.co...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptem...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideo...
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/file...
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1F45C3-D15B-46B5-822C-E20DD3C56D0F}: NameServer = 62.31.144.39,195.188.53.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 10810 bytes

Please advise further

Couple of things i forgot to mention in my last post.

- I ran the SUPERAntiSpyware Free Edition scan before the 2 scans logged above.

- I uninstalled Download Accelerator Plus as advised.

As I (un-unusually) have some time at the moment I have decided to show you exactly what damage has been done....

Here is a screenshot of my desktop: http://img249.imageshack.us/img249/...

A list of problems that the scans haven’t cleared up are: (there may still be other problems I am unaware of)

- start menu has no programs or access to control panel, network places etc
- it says virus alert in bottom right corner
- many desktop icons have disappeared including shortcuts to hard drive, floppy drive and cd drive, windows explorer, control panel etc… also some shortcut to word files have disappeared.
- the virus is still continually trying to change my home page to http://www.ucleaner.com/main.php?wm...

Apart from that the scans seem to have fixed all the other problems… at one stage I was getting all kinds of error messages and the virus even somehow managed to change my wallpaper into some kind of active folder!!!

I don’t know if this extra information will help you get to the bottom of my problem but I figured there was no harm in posting it.

once again i have been an idiot!! the virus alert message is obviously coming from AVG so it is detecting a virus after all!!

I am running a full system scan now through AVG... once it has finished I will post results.

after the scan how will i know if everything is cleared up? which logs shall i post so you can tell?

Heya bigjeff,

MBAM and SAS are tools designed for everyday use. They are both very good if updated and used periodically.

Looking at the MBAM log alot of junk was cleaned off your pc, this also includes the spyware which was present after the last scan.

There are still a couple of issues left but we will hit them directly with HJT then run an online scan to see if there are any hidden nasties.

Open up HJT from the icon that was placed on the desktop and select "Do a system scan only".

Next select the bolded lines below with HJT. Please be careful the right lines are selected. As HJT does the repair at the registry level this is very important.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.ph...

O2 - BHO: Microsoft MSJava 32 - {43F7497C-7687-4DEA-A057-F21BD81BC896} - C:\WINDOWS\system32\msjava32.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5c39.dll"

O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5c39.dll"

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptem...

O24 - Desktop Component 0: Privacy Protection - (no file)

Close all windows except for HJT and select "Fix Checked"

Next download ATF Cleaner by Atribune to your desktop

Click here to download ATF Cleaner by Atribune

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" and choose "Select All".

Click the Empty Selected button.

ATF cleaner will remove alot of junk from your temporary and cache files where some nasties love to lurk. This will also help speed up the online scan.

Do an online scan with Kaspersky

Click here to go to Kaspersky Online Scanner

Please be patient with the online scan as they can take a while to complete.

1.Click on "Kaspersky Online Scanner".
2.You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
3.The program will launch and then begin downloading the latest definition files.
4.Once the files have been downloaded click on "NEXT".
5.Now click on "Scan Settings".
6.In the scan settings make that the following are selected:
7.Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
8.Scan Options:
Scan Archives
Scan Mail Bases
9.Click OK.
10.Under select a target to scan, select "My Computer".
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Upon completion, click on the "Save as Text" button.
Save the file to your desktop.

Copy and paste that information in your next reply.

Also run a fresh HJT scan and paste its contents also with your next reply.

Heya bigjeff,

You got the last 2 posts in as I was preparing further instructions.

Let AVG do the scan and fix what-ever it can. It will do no harm.

After the scan though there maybe HJT entries that you have been instructed to fix that are no longer there. That's alright still fix whatever is present. Please be careful to select the correct lines.

Continue with the post above and post the 2 logs when finished.

---------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 30, 2008 8:56:15 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 813483
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 86981
Number of viruses found: 9
Number of infected objects: 18
Number of suspicious objects: 2
Duration of the scan process: 03:32:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Loll_l\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Loll_l\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-5-30-2008( 0-32-6 ).LOG Object is locked skipped
C:\Documents and Settings\Loll_l\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Loll_l\Incomplete\Preview-T-3545425-pearl river.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Identities\{88211156-4518-46D2-9782-BF291C0EAD00}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "HSBC Bank PLC" <hsbc-email@hsbc.co.uk>][Date Fri, 16 May 2008 20:35:10 +0200]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Identities\{88211156-4518-46D2-9782-BF291C0EAD00}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx MailMSOutlook5: suspicious - 1 skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Messenger\loll_l@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Messenger\loll_l@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Messenger\loll_l@hotmail.com\SharingMetadata\Working\database_BA00_D577_D5_3AD9\dfsr.db Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Messenger\loll_l@hotmail.com\SharingMetadata\Working\database_BA00_D577_D5_3AD9\fsr.log Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Messenger\loll_l@hotmail.com\SharingMetadata\Working\database_BA00_D577_D5_3AD9\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Messenger\loll_l@hotmail.com\SharingMetadata\Working\database_BA00_D577_D5_3AD9\tmp.edb Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Windows Live Contacts\loll_l@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Application Data\Microsoft\Windows Live Contacts\loll_l@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0003 Infected: Trojan-Downloader.Win32.Small.alx skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0004/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0004 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\UpdatedUpdaterInstall.exe/data0005 Infected: Trojan.Win32.Keenval.b skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\UpdatedUpdaterInstall.exe NSIS: infected - 8 skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\~DF3D3F.tmp Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\~DF3D4D.tmp Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\~DFAD3.tmp Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\~DFAE4.tmp Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\~DFF360.tmp Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Temp\~DFF3D7.tmp Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Loll_l\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Loll_l\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Loll_l\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_570.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_612.trc Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP13\A0000227.dll Object is locked skipped
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP14\A0001242.dll Object is locked skipped
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP14\A0001249.dll Object is locked skipped
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP15\A0001314.exe/WISE0009.BIN Infected: not-a-virus:AdTool.Win32.MyWebSearch.bk skipped
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP15\A0001314.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP15\A0001314.exe WiseSFXDropper: infected - 1 skipped
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP15\A0001349.exe Object is locked skipped
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP16\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\RESTORE.INS/C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\WINDOWS\RESTORE.INS ARJ: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{ED05E7C6-7E52-404E-93CA-293C276D40E3}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\RESTORE.INS/C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\WINDOWS\system\RESTORE.INS ARJ: infected - 1 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\sfg4d82.dll Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\4289e4f4-4dd2-44dc-bdca-43eca8813edb.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\wmsetup.log Object is locked skipped

Scan process completed.
------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:57: VIRUS ALERT!, on 30/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\apps\ABoard\ABoard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\apps\Powercinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCMService] "c:\apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.co...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideo...
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/file...
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1F45C3-D15B-46B5-822C-E20DD3C56D0F}: NameServer = 62.31.144.39,195.188.53.175
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 10717 bytes
------

The 2 scan results are displayed above.

Visible problems that still remain are:

1- still saying 'virus alert' in the bottom right corner of my screen (next to the time)

2- programs have not re-appeared in start menu

3- icons have not re-appeared on desktop

4- cant get into task manager (ctrl + alt + del) as it says it has been disabled by administrator

Heya Jeff,

Sorry for the delay. The online scan shows there are still a couple of infections, suspect deleted emails and your restore points have been infected.

After the infected files have been removed we will work on restoring your desktop and Task Manager. If the malware has physically deleted your desktop icons they will need to be manually replaced.

When you say there are no programs in the start menu is that when you click start > all programs, they are not there?, or is it the list of most recently used applications that are missing?

Go into Outlook Express and clean out your Deleted Items folder. If you are unsure whether you want to remove all the emails remove this one:

HSBC Bank PLC - Date Fri, 16 May 2008

Now navigate to these two files and delete them:

C:\Documents and Settings\Loll_l\Incomplete\[Preview-T-3545425-pearl river.mp3] <-- Delete this file

C:\Documents and Settings\Loll_l\Local Settings\Temp\[UpdatedUpdaterInstall.exe] <-- Delete this file

Your System Restore points have been compromised we'll purge those.

Click on "Start" > "All Programs" > "Accessories" > "System Tools" > "System Restore". Click on "System Restore Settings"
on the left and put a tick in "Turn off System Restore", when prompted click "Yes" then reboot your pc.

Go back and turn system restore back on.

Run HJT and Fix this line

O24 - Desktop Component 0: Privacy Protection - (no file)

Let me know if you have any trouble deleting any of the items and if AVG is still alerting you with a pop-up.

as you can see here http://img249.imageshack.us/img249/... there was not even an option to go to 'all programs' from the start menu... also all options from the right side of the start menu (ie. my documents, control panel, search etc) had dissaperared!!!

i have since kept running all the different scans and now fortunately the above problem has been rectified... the virus alert message in the bottom right of the screen has now also gone.... worrying though everytime i do any of the scans they are still finding infections!!!

i have deleted all emails now including the HSBC one (i only kept that one because i was worried somebody had tried accessing my bank account due to the virus)... i have also deleted the contents of the incomplete folder (including the mp3) but i cannot find the file C:\Documents and Settings\Loll_l\Local Settings\Temp\[UpdatedUpdaterInstall.exe].... maybe this has been erased by one of the scans i have run since posting here last??

I have reset system restore by switching it off and on.

I tried fixing the line O24 - Desktop Component 0: Privacy Protection - (no file) in HJT but it keeps coming back!!!

I also noticed when in HJT this line: O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe … I may be dreaming it but isn’t ctfmon the name of a virus?? And if it is shall I select to fix it?

So basically to sum up whilst I am happy that some have the problems have been fixed I remain concerned that everytime I do a scan infections are being found (or maybe the same ones coming back?)…. Please can you advise me where to go from here.

Cheers

Jeff

Ps. I never got round to running Combofix…. Do you still want me to do that at any stage??

-------------------------

I have posted results of a new HJT scan below just in case it helps:

-------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:49:49, on 31/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\apps\Powercinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCMService] "c:\apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.co...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideo...
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/file...
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1F45C3-D15B-46B5-822C-E20DD3C56D0F}: NameServer = 62.31.144.39,195.188.53.175
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 10793 bytes

just looked up ctfmon and discovered it isnt a virus so forget i said that mate

Heya