


About Zeke_Zane

  • Birthday 08/21/1985

Tech Info

  • System: windows_xp




  1. OK, I have done both scans and also done the online ESET one again, and all have come back clean, and everything seems to be working normally and at normal speeds again. So it's looking good at the moment.
  2. I am now able to create system restore points, and I haven't had any Google redirects since the RogueFix and ComboFix scans. Avira did a smart scan that found nothing last night, which is a first for a while. I will do a full scan with Avira and Malwarebytes Anti-Malware this afternoon and let you know if they find anything. Thanks for all the help with this; I had been trying to fix it for weeks and got nowhere until I asked for help here.
  3. I use BitTorrent for downloading Oblivion mods and very occasionally a music video if I can't find one I want to see on YouTube or anywhere else, but I scan them fully before I use them. All my games I pay for; it's not worth the fines if you get caught downloading illegal software.
  4. S3 dpK0Bx01;Fingerprint Reader Filter Driver;c:\windows\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 32640]
     S3 UsbdpFP;Fingerprint Reader Class Driver;c:\windows\system32\DRIVERS\UsbdpFP.sys [2004-08-04 34560]

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     Contents of the 'Scheduled Tasks' folder

     2009-05-03 c:\windows\Tasks\1-Click Maintenance.job
     - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

     2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

     2009-05-03 c:\windows\Tasks\User_Feed_Synchronization-{6711E175-A50D-432D-90AC-39AAC3EAF968}.job
     - c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
     .
     - - - - ORPHANS REMOVED - - - -

     HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.vampirefreaks.com/
     uInternet Settings,ProxyOverride = *.local;<local>
     uInternet Settings,ProxyServer = webcache.virginmedia.com:8080
     IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
     LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-05-03 18:12
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-1547161642-2111687655-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
     "??"=hex:ad,a3,b8,e4,4f,7f,b0,ab,ae,c2,1e,b9,a7,e1,78,14,00,d3,82,3d,2b,6b,1e,
     66,bd,84,0b,81,59,d5,50,8f,4c,89,09,2b,5e,16,25,00,94,48,ae,06,ff,1e,05,5e,\
     "??"=hex:90,64,52,bc,8f,d1,0b,c9,01,f6,6c,76,c3,8b,5b,e5

     [HKEY_USERS\S-1-5-21-1547161642-2111687655-839522115-1003\Software\SecuROM\License information*]
     "datasecu"=hex:a3,c5,7b,a0,ee,10,ea,67,c9,c7,61,d0,96,c7,ab,ba,a5,92,2e,03,24,
     6c,9e,bc,ae,27,c8,49,69,2c,5f,3c,eb,07,1f,99,87,e1,ad,c3,64,a8,bc,37,7c,b5,\
     "rkeysecu"=hex:25,e1,26,5d,59,6e,42,ff,c8,5c,05,47,7e,d6,05,42
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(1336)
     c:\windows\system32\DPGINA.dll
     c:\program files\SUPERAntiSpyware\SASWINLO.dll
     c:\windows\system32\DPWLEvHd.dll

     - - - - - - - > 'lsass.exe'(1488)
     c:\windows\DPPWDFLT.dll

     - - - - - - - > 'Explorer.exe'(1048)
     c:\program files\DigitalPersona\Bin\DpOFeedb.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\OneX.DLL
     c:\windows\system32\eappprxy.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Avira\AntiVir Desktop\avguard.exe
     c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     c:\program files\Intel\IDU\awServ.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\DigitalPersona\Bin\DpHost.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
     c:\program files\Microsoft LifeCam\MSCamS32.exe
     c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
     c:\windows\system32\nvsvc32.exe
     c:\program files\DigitalPersona\Bin\DPFUSMgr.exe
     c:\windows\system32\wscntfy.exe
     .
     **************************************************************************
     .
     Completion time: 2009-05-03 18:15 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-05-03 17:14

     Pre-Run: 192,694,534,144 bytes free
     Post-Run: 192,499,822,592 bytes free

     Current=6 Default=6 Failed=3 LastKnownGood=7 Sets=1,2,3,4,5,6,7
     338 --- E O F --- 2009-04-29 00:45
  5. Couldn't fit the log in 1 message so will post it in 2.

     ComboFix 09-05-02.4 - Whysper Lupus 03/05/2009 18:04.1 - NTFSx86 MINIMAL
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1758 [GMT 1:00]
     Running from: c:\documents and settings\Whysper Lupus\My Documents\Downloads\ComboFix.exe
     AV: AntiVir Desktop *On-access scanning disabled* (Updated)
     FW: Avira Firewall *disabled*
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\program files\Internet Explorer\setup.exe
     c:\windows\system32\_000003_.tmp.dll
     c:\windows\system32\_000005_.tmp.dll
     c:\windows\system32\_000006_.tmp.dll
     c:\windows\system32\_000007_.tmp.dll
     c:\windows\system32\_000008_.tmp.dll
     c:\windows\system32\_000009_.tmp.dll
     c:\windows\system32\_000010_.tmp.dll
     c:\windows\system32\_000011_.tmp.dll
     c:\windows\system32\_000012_.tmp.dll
     c:\windows\system32\_000013_.tmp.dll
     c:\windows\system32\_000014_.tmp.dll
     c:\windows\system32\_000015_.tmp.dll
     c:\windows\system32\_000017_.tmp.dll
     c:\windows\system32\_000018_.tmp.dll
     c:\windows\system32\_000020_.tmp.dll
     c:\windows\system32\_000021_.tmp.dll
     c:\windows\system32\_000022_.tmp.dll
     c:\windows\system32\_000023_.tmp.dll
     c:\windows\system32\_000029_.tmp.dll
     c:\windows\system32\lmppcsetup.exe
     c:\windows\system32\ovfsthxehrqqwci.dat
     c:\windows\system32\ovfsthxlog.dat
     c:\windows\system32\ovfsthxnkvixmyq.dat
     c:\windows\system32\ovfsthxowbslsoa.dat
     .
     ((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
     .
     2009-05-02 19:24 . 2009-05-02 19:24 -------- d-----w c:\program files\DivX
     2009-05-02 19:24 . 2009-05-02 19:24 -------- d-----w c:\program files\Common Files\DivX Shared
     2009-05-02 09:44 . 2009-05-02 18:06 -------- d-----w c:\documents and settings\Whysper Lupus\DoctorWeb
     2009-05-02 02:14 . 2009-05-02 02:14 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
     2009-05-01 17:27 . 2009-05-01 17:27 -------- d-----w c:\documents and settings\Whysper Lupus\Application Data\Xilisoft Corporation
     2009-05-01 17:21 . 2002-01-05 21:37 344064 ----a-w c:\windows\system32\msvcr70.dll
     2009-05-01 17:21 . 2009-05-01 17:23 -------- d-----w c:\program files\Audio Convert Master
     2009-04-30 20:00 . 2009-04-30 20:00 -------- d-----w c:\program files\Trend Micro
     2009-04-30 19:53 . 2009-04-30 19:57 -------- d-----w C:\fixwareout
     2009-04-30 17:51 . 2009-04-30 17:51 -------- d-----w c:\documents and settings\Whysper Lupus\Application Data\Avira
     2009-04-30 17:45 . 2009-04-30 17:43 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
     2009-04-30 17:45 . 2009-04-30 17:43 69632 ----a-w c:\windows\system32\drivers\avfwim.sys
     2009-04-30 17:45 . 2009-04-30 17:43 97480 ----a-w c:\windows\system32\drivers\avfwot.sys
     2009-04-30 17:45 . 2009-04-30 17:45 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
     2009-04-30 17:45 . 2009-04-30 17:45 -------- d-----w c:\program files\Avira
     2009-04-29 11:46 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-04-29 11:46 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-04-29 11:46 . 2009-04-29 11:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-04-28 20:22 . 2009-04-28 20:22 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
     2009-04-28 20:21 . 2009-04-30 16:03 -------- d-----w c:\program files\SUPERAntiSpyware
     2009-04-28 20:21 . 2009-04-29 11:52 -------- d-----w c:\documents and settings\Whysper Lupus\Application Data\SUPERAntiSpyware.com
     2009-04-28 19:26 . 2009-04-28 19:26 -------- d-----w c:\documents and settings\Whysper Lupus\Application Data\Malwarebytes
     2009-04-28 19:26 . 2009-04-28 19:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-04-27 13:11 . 2009-04-27 13:11 -------- d-sh--w c:\documents and settings\Whysper Lupus\IECompatCache
     2009-04-27 13:08 . 2009-04-27 13:08 -------- d-sh--w c:\documents and settings\Whysper Lupus\PrivacIE
     2009-04-27 13:08 . 2009-04-27 13:08 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
     2009-04-27 13:06 . 2009-04-27 13:06 -------- d-sh--w c:\documents and settings\Whysper Lupus\IETldCache
     2009-04-27 13:03 . 2009-04-27 13:03 -------- d-----w c:\windows\ie8updates
     2009-04-27 13:01 . 2009-04-27 13:03 -------- dc-h--w c:\windows\ie8
     2009-04-27 12:59 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
     2009-04-21 22:14 . 2009-04-21 22:16 -------- d-----w c:\windows\system32\NtmsData
     2009-04-21 15:38 . 2009-04-21 15:38 -------- d-----w c:\documents and settings\Whysper Lupus\Application Data\PCToolsFirewallPlus
     2009-04-21 15:38 . 2009-04-21 15:38 -------- d-----w c:\documents and settings\Whysper Lupus\Application Data\PCToolsSpamMonitorPlus
     2009-04-21 15:36 . 2009-04-21 15:36 -------- d-----w c:\documents and settings\Whysper Lupus\Local Settings\Application Data\Threat Expert
     2009-04-21 15:35 . 2009-04-28 02:43 -------- d-----w c:\program files\Browser Defender
     2009-04-21 15:35 . 2009-05-02 13:54 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
     2009-04-21 15:02 . 2009-04-21 15:02 -------- d-----w c:\documents and settings\All Users\Application Data\sentinel
     2009-04-21 14:53 . 2009-04-21 14:53 -------- d-----w c:\documents and settings\All Users\Application Data\Backup
     2009-04-21 14:51 . 2009-04-21 15:43 -------- d-----w c:\program files\Common Files\Panda Software
     2009-04-21 13:09 . 2009-04-21 13:09 -------- d-----w c:\windows\system32\Service
     2009-04-20 20:37 . 2009-04-20 20:37 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Windows Search
     2009-04-16 21:47 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
     2009-04-16 21:47 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
     2009-04-16 21:47 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
     2009-04-16 21:47 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
     2009-04-16 21:47 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
     2009-04-16 21:47 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
     2009-04-16 21:47 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
     2009-04-16 21:47 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
     2009-04-16 21:47 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
     2009-04-16 21:47 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
     2009-04-16 21:47 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
     2009-04-14 15:46 . 2009-04-14 15:47 -------- d-----w c:\documents and settings\Whysper Lupus\Application Data\IGN_DLM
     2009-04-11 15:04 . 2009-04-11 15:04 -------- d-----w c:\program files\Jowood
     2009-04-11 14:05 . 2009-04-11 14:05 -------- d-----w c:\program files\iPod
     2009-04-11 14:05 . 2009-04-11 14:05 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
     2009-04-11 14:05 . 2009-04-11 14:05 -------- d-----w c:\program files\iTunes
     2009-04-07 12:54 . 2008-10-10 03:52 2036576 ----a-w c:\windows\system32\D3DCompiler_40.dll
     2009-04-07 12:54 . 2008-10-10 03:52 452440 ----a-w c:\windows\system32\d3dx10_40.dll
     2009-04-07 12:53 . 2008-10-27 09:04 235856 ----a-w c:\windows\system32\xactengine3_3.dll
     2009-04-06 12:40 . 2009-04-06 12:40 -------- d-----w c:\program files\Community Patch Manager
     2009-04-06 12:38 . 2009-04-06 12:38 -------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
     2009-04-06 12:14 . 2009-04-06 12:14 -------- d-----w c:\program files\Rockstar Games
     2009-04-06 11:46 . 2009-04-06 11:46 271360 ----a-w c:\windows\system32\drivers\atksgt.sys
     2009-04-06 11:46 . 2009-04-06 11:46 18048 ----a-w c:\windows\system32\drivers\lirsgt.sys
     2009-04-06 11:23 . 2009-04-06 13:06 -------- d-----w c:\program files\Gothic III
     2009-04-05 20:04 . 2009-04-05 21:01 -------- d-----w c:\documents and settings\Whysper Lupus\Local Settings\Application Data\Oblivion
     2009-04-03 20:42 . 2008-10-22 04:27 63040 ----a-w c:\windows\system32\PnkBstrA.exe
     2009-04-03 20:42 . 2009-04-03 20:42 138184 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-05-03 17:10 . 2008-12-12 02:13 502 ----a-w c:\windows\Tasks\1-Click Maintenance.job
     2009-05-03 17:10 . 2008-12-08 01:33 6 ---ha-w c:\windows\Tasks\SA.DAT
     2009-05-03 16:26 . 2009-04-27 13:11 438 ---ha-w c:\windows\Tasks\User_Feed_Synchronization-{6711E175-A50D-432D-90AC-39AAC3EAF968}.job
     2009-05-02 14:09 . 2009-01-10 07:53 -------- d-----w c:\program files\Common Files\Adobe
     2009-05-02 13:52 . 2008-12-08 02:36 -------- d-----w c:\program files\MSBuild
     2009-05-02 10:20 . 2008-12-08 01:35 -------- d--h--w c:\program files\InstallShield Installation Information
     2009-05-02 10:14 . 2009-02-28 16:53 -------- d-----w c:\program files\Firefly Studios
     2009-05-02 10:07 . 2008-12-29 16:16 -------- d-----w c:\program files\Bethesda Softworks
     2009-05-01 20:52 . 2009-01-28 21:42 -------- d-----w c:\program files\ffdshow
     2009-04-29 18:20 . 2008-12-08 12:25 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
     2009-04-29 11:47 . 2008-12-08 01:41 664 ----a-w c:\windows\system32\d3d9caps.dat
     2009-04-29 11:16 . 2009-01-18 15:29 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
     2009-04-21 13:41 . 2009-04-02 12:58 361600 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
     2009-04-21 13:41 . 2004-08-04 12:00 361600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
     2009-04-20 12:27 . 2008-12-08 10:00 -------- d-----w c:\program files\BitTorrent
     2009-04-11 14:05 . 2008-12-08 12:25 -------- d-----w c:\program files\Common Files\Apple
     2009-04-06 12:37 . 2008-12-08 01:50 -------- d-----w c:\program files\Common Files\InstallShield
     2009-04-03 20:42 . 2009-02-26 19:59 183112 ----a-w c:\windows\system32\PnkBstrB.exe
     2009-04-02 17:01 . 2009-04-02 17:01 210672 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
     2009-04-02 12:34 . 2009-04-02 12:34 410984 ----a-w c:\windows\system32\deploytk.dll
     2009-04-02 12:34 . 2009-04-02 12:34 -------- d-----w c:\program files\Java
     2009-04-02 00:12 . 2009-04-02 00:12 -------- d-----w c:\program files\DAEMON Tools Lite
     2009-03-31 20:26 . 2008-12-08 09:49 82440 ----a-w c:\documents and settings\Whysper Lupus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-03-31 17:15 . 2009-03-31 17:15 -------- d-----w c:\program files\Microsoft Works
     2009-03-31 17:13 . 2009-03-31 17:13 -------- d-----w c:\program files\Microsoft.NET
     2009-03-31 16:51 . 2008-12-09 02:00 715248 ----a-w c:\windows\system32\drivers\sptd.sys
     2009-03-29 21:53 . 2009-01-03 03:56 -------- d-----w c:\program files\Windows Desktop Search
     2009-03-29 19:41 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
     2009-03-29 19:39 . 2008-12-08 01:25 23348 ----a-w c:\windows\system32\emptyregdb.dat
     2009-03-19 15:32 . 2008-12-08 12:26 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
     2009-03-17 19:05 . 2009-03-17 19:05 413696 ----a-w c:\windows\system32\wrap_oal.dll
     2009-03-17 19:05 . 2009-03-17 19:05 110592 ----a-w c:\windows\system32\OpenAL32.dll
     2009-03-13 12:42 . 2008-12-08 12:26 -------- d-----w c:\program files\QuickTime
     2009-03-13 12:33 . 2009-03-13 12:33 -------- d-----w c:\program files\Bonjour
     2009-03-08 03:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
     2009-03-08 03:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
     2009-03-08 03:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
     2009-03-08 03:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
     2009-03-08 03:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
     2009-03-08 03:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
     2009-03-08 03:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
     2009-03-08 03:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
     2009-03-08 03:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
     2009-03-08 03:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
     2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
     2009-03-05 21:44 . 2009-03-05 21:27 5632 ----a-w c:\windows\system32\drivers\StarOpen.sys
     2009-03-04 23:53 . 2009-03-03 00:00 -------- d-----w c:\program files\Microsoft Games
     2009-02-28 22:37 . 2009-02-28 22:37 107888 ----a-w c:\windows\system32\CmdLineExt.dll
     2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
     2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
     2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
     2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
     2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
     2009-02-06 19:03 . 2009-02-06 19:03 307576 ----a-w c:\windows\WLXPGSS.SCR
     2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
     2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
     2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
     2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
     2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
     2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
     .
     ------- Sigcheck -------

     [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
     [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
     [7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
     [7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
     [7] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys
     [7] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748_0$\tcpip.sys
     [7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
     [-] 2009-04-21 13:41 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\dllcache\TCPIP.SYS
     [-] 2009-04-21 13:41 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\drivers\TCPIP.SYS
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "DPAgnt"="c:\program files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 913408]
     "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
     "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
     "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-04-30 209153]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2008-12-8 884838]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
     2004-10-13 18:29 102400 ----a-w c:\windows\system32\DPWLEvHd.dll

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Notification Packages REG_MULTI_SZ scecli DPPWDFLT

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
     "ctfmon.exe"=c:\windows\system32\ctfmon.exe
     "autochk"=rundll32.exe c:\docume~1\LOCALS~1\protect.dll,_IWMPEvents@16
     "SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
     "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     "ISTray"="c:\program files\PC Tools Internet Security\pctsTray.exe"
     "autochk"=rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
     "High Definition Audio Property Page Shortcut"=HDAudPropShortcut.exe

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\DNA\\btdna.exe"=
     "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
     "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
     "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
     "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
     "c:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
     "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
     "c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
     "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
     "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "5353:TCP"= 5353:TCP:Adobe CSI CS4

     R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.SYS [2003-07-24 17149]
     R3 pctplsg;pctplsg; [x]
     R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
     R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2005-09-26 362944]
     S1 avfwot;avfwot;c:\windows\system32\DRIVERS\avfwot.sys [2009-04-30 97480]
     S1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-11-11 12298]
     S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
     S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
     S2 AntiVirFirewallService;Avira Firewall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [2009-04-30 388865]
     S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-04-30 194817]
     S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-30 108289]
     S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-04-30 432897]
     S2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
     S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
     S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-12 603904]
     S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys [2009-04-30 69632]
  6. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     logfile of scans by Roguefix V2.243
     Scan performed on
     The current date is: 03/05/2009
     The current time is: 17:58:59.68
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     ~~~~~ Files found ~~~~
     checking size of beep.sys
     04/08/2004 01:00 PM 4,224 beep.sys
     1 File(s) 4,224 bytes
     beep.sys is not infected
     Cleaned Temporary files
     Cleaned Prefetch folder
     Registry was cleaned and repaired
  7. Kaspersky online scan found nothing, but I still have the same problem.
  8. While doing the Dr.Web scan my Avira Premium Internet Security suite found a few things Dr.Web seemed to miss, so I will post those at the bottom after the Dr.Web log just so you can see what else is being found. The quick scan result is from earlier in the day, as the first full scan didn't complete so I had to run it twice. I will complete the Kaspersky online scan now and post those results ASAP.

     Dr Web Quick Scan Log
     ovfsthxjwswulvh.sys;c:\windows\system32\drivers;BackDoor.Tdss.115;Deleted.;

     Dr Web Full Scan Log
     ConTest.dll;C:\WINDOWS\system32;Program.Fakespeedup;Deleted.;
     ovfsthxmehpxjig.dll;C:\WINDOWS\system32;BackDoor.Tdss.141;Deleted.;
     ovfsthxomhxafuw.dll;C:\WINDOWS\system32;BackDoor.Tdss.115;Deleted.;
     ovfsthxwabvttvt.dll;C:\WINDOWS\system32;BackDoor.Tdss.115;Deleted.;
     ovfsthxxbrqgqcs.dll;C:\WINDOWS\system32;BackDoor.Tdss.141;Deleted.;
     ovfsthxyvetehhb.dll;C:\WINDOWS\system32;BackDoor.Tdss.115;Deleted.;

     Avira Premium Internet Security Log
     02/05/2009 18:32 [Guard] Malware found
     Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]' detected in file 'C:\System Volume Information\_restore{CEFA4C9F-5C30-483E-8AF5-E40B6C9D05EF}\RP1\A0002384.dll.
     Action performed: Overwrite file

     02/05/2009 18:31 [Guard] Malware found
     Virus or unwanted program 'APPL/NirCmd.2 [program]' detected in file 'C:\System Volume Information\_restore{CEFA4C9F-5C30-483E-8AF5-E40B6C9D05EF}\RP1\A0002369.exe.
     Action performed: Overwrite file

     02/05/2009 18:31 [Guard] Malware found
     Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]' detected in file 'C:\WINDOWS\system32\ovfsthxrrftqjip.dll.
     Action performed: Overwrite file

     02/05/2009 15:35 [Guard] Malware found
     Virus or unwanted program 'APPL/NirCmd.2 [program]' detected in file 'C:\fixwareout\FindT\nircmd.exe.
     Action performed: Overwrite file

     02/05/2009 14:39 [Guard] Malware found
     Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]' detected in file 'C:\WINDOWS\system32\ovfsthxioeiuwqp.dll.
     Action performed: Delete file

     02/05/2009 01:39 [Webguard] Malware found
     When accessing data from the URL, "Deleted link to malware site for safety reasons= 303585&s=183&e=google&v=icv13040901ie&q=the+elder+scrolls+5" a virus or unwanted program 'HTML/Crypted.Gen' [virus] was found.
     Action taken: Blocked file

     02/05/2009 01:39 [Webguard] Malware found
     When accessing data from the URL, "Deleted link to malware site for safety reasons=303585&s=183&e=google&v=icv13040901ie&q=oblivion+5" a virus or unwanted program 'HTML/Crypted.Gen' [virus] was found.
     Action taken: Blocked file

     02/05/2009 01:38 [Webguard] Malware found
     When accessing data from the URL, "Deleted link to malware site for safety reasons= 303585&s=183&e=google&v=icv13040901ie&q=oblivion+what+next" a virus or unwanted program 'HTML/Crypted.Gen' [virus] was found.
     Action taken: Blocked file

     02/05/2009 01:35 [Webguard] Malware found
     When accessing data from the URL, "Deleted link to malware site for safety reasons= 303585&s=183&e=google&v=icv13040901ie&q=oblivion+champion+what+next" a virus or unwanted program 'HTML/Crypted.Gen' [virus] was found.
     Action taken: Blocked file
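The logs in posts 5 and 8 above carry three kinds of indicator that are worth pulling out mechanically rather than by eye: the family of random-named ovfsthx*.dll/.dat/.sys files in system32 (ComboFix "Other Deletions" and the Dr.Web hits), the "autochk" Run-key values that load protect.dll through rundll32 from profile directories (ComboFix "Reg Loading Points", and the same entry in HijackThis O4 form), and the two TCPIP.SYS copies that ComboFix's Sigcheck marked [-] with an MD5 matching none of the [7] copies it accepted. The Python script below is an added example from the editor, not part of the thread and not code from ComboFix, Dr.Web or HijackThis. It runs over a handful of lines excerpted from the posted logs, embedded as constructed sample data, and reports each indicator type. The heuristics are the editor's assumptions, not rules from any of those tools: grouping long all-letter basenames by their first six characters, treating a Run value named "autochk" or a DLL under a profile directory as suspect, and comparing [-] hashes against the [7] hashes for the same file name.

```python
"""Pull three indicator types out of flattened ComboFix / Dr.Web / HijackThis
output: random-named file families sharing a prefix, Run-key rundll32 loads of
a DLL from an odd location under a system-sounding value name, and Sigcheck
'[-]' copies of a system file whose MD5 matches none of the '[7]' copies."""
import re
from collections import defaultdict

# Constructed sample: lines copied by hand from the logs posted in this thread.
# It is an excerpt for the example, not a complete log.
SAMPLE_LOG_LINES = [
    r"c:\windows\system32\ovfsthxehrqqwci.dat",
    r"c:\windows\system32\ovfsthxnkvixmyq.dat",
    r"ovfsthxjwswulvh.sys;c:\windows\system32\drivers;BackDoor.Tdss.115;Deleted.;",
    r"ovfsthxmehpxjig.dll;C:\WINDOWS\system32;BackDoor.Tdss.141;Deleted.;",
    r"ovfsthxomhxafuw.dll;C:\WINDOWS\system32;BackDoor.Tdss.115;Deleted.;",
    r'"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]',
    r'"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup',
    r'"autochk"=rundll32.exe c:\docume~1\LOCALS~1\protect.dll,_IWMPEvents@16',
    r'"autochk"=rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16',
    r"O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe "
    r"C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')",
    r"[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys",
    r"[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS",
    r"[-] 2009-04-21 13:41 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\dllcache\TCPIP.SYS",
    r"[-] 2009-04-21 13:41 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\drivers\TCPIP.SYS",
]

# Basenames with a dll/dat/sys/exe extension, wherever they sit in a line.
FILE_RE = re.compile(r"\b([a-z0-9_~]+\.(?:dll|dat|sys|exe))\b", re.IGNORECASE)
# "name"=rundll32.exe <dll>,<export> (ComboFix) or [name] rundll32.exe <dll>,<export> (HijackThis O4)
RUN_RE = re.compile(
    r'(?:"(?P<cf>[^"]+)"=|\[(?P<hjt>[^\]]+)\]\s+)'
    r'"?(?:[a-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\S+)',
    re.IGNORECASE)
# ComboFix Sigcheck line: [mark] date time size md5 path
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>.)\]\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+"
    r"(?P<md5>[0-9a-f]{32})\s+(?P<path>.+)$", re.IGNORECASE)
# Editor's heuristic: a Run-key DLL has no business living under these.
PROFILE_DIRS = ("docume~1", "documents and settings",
                "\\config\\system~1", "\\config\\systemprofile")


def random_named_families(lines, key_len=6, min_count=3):
    """Group long all-letter basenames by their first key_len characters and
    return groups with at least min_count distinct names (heuristic)."""
    groups = defaultdict(set)
    for line in lines:
        for name in FILE_RE.findall(line):
            name = name.lower()
            if re.match(r"[a-z]{12,}\.", name):
                groups[name[:key_len]].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}


def suspicious_rundll32_loads(lines):
    """Flag rundll32 Run entries whose DLL sits under a profile directory or
    whose value name borrows a boot-time binary (autochk.exe is started from
    BootExecute, not from a Run key)."""
    hits = []
    for line in lines:
        m = RUN_RE.search(line)
        if not m:
            continue
        name = (m.group("cf") or m.group("hjt")).lower()
        dll = m.group("dll").lower()
        reasons = []
        if any(p in dll for p in PROFILE_DIRS):
            reasons.append("dll loaded from a profile directory")
        if name == "autochk":
            reasons.append("value name imitates a boot-time system binary")
        if reasons:
            hits.append({"name": name, "dll": dll,
                         "export": m.group("export"), "reasons": reasons})
    return hits


def sigcheck_mismatches(lines):
    """Return '[-]' Sigcheck copies whose MD5 matches none of the '[7]' copies
    ComboFix accepted for the same file name."""
    accepted, flagged = defaultdict(set), []
    for line in lines:
        m = SIGCHECK_RE.match(line)
        if not m:
            continue
        base = m.group("path").rsplit("\\", 1)[-1].lower()
        md5 = m.group("md5").upper()
        if m.group("mark") == "-":
            flagged.append((base, md5, m.group("path")))
        else:
            accepted[base].add(md5)
    return [{"path": path, "md5": md5, "known_good": sorted(accepted[base])}
            for base, md5, path in flagged if md5 not in accepted[base]]


def triage(lines):
    """Run all three checks and return one summary dict."""
    return {"random_named_families": random_named_families(lines),
            "suspicious_rundll32": suspicious_rundll32_loads(lines),
            "unverified_system_files": sigcheck_mismatches(lines)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG_LINES), indent=2))
```

Running the script prints the summary for the embedded sample; feed it the lines of a real log instead of SAMPLE_LOG_LINES to triage a new thread. A Sigcheck mismatch only says the file differs from every copy the tool accepted, so the script reports it for review rather than labelling it malicious: the Find3M report in post 5 shows TCPIP.SYS.ORIGINAL written in the same minute as the modified TCPIP.SYS (2009-04-21 13:41), which is as consistent with a deliberate patch as with the rootkit.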
  9. OK, thanks for the fast reply. I will do my best to stay in safe mode as much as possible.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 21:59:11, on 01/05/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\SYSTEM32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir Desktop\sched.exe
     C:\Program Files\Avira\AntiVir Desktop\avguard.exe
     C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
     C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Intel\IDU\awServ.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\DigitalPersona\Bin\DpHost.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
     C:\Program Files\Microsoft LifeCam\MSCamS32.exe
     C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\WINDOWS\system32\PnkBstrA.exe
     C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
     C:\Program Files\Microsoft IntelliPoint\ipoint.exe
     C:\Program Files\Microsoft IntelliType Pro\itype.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\NETGEAR\WPN111\wpn111.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\TUProgSt.exe
     C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Windows Live\Toolbar\wltuser.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = VampireFreaks.com - Gothic Industrial Culture
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.virginmedia.com:8080
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
     O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
     O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
     O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
     O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
     O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
     O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
     O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
     O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
     O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
     O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
     O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
     O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
     O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
     O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
     O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
     O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
     O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
     O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
     O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
     O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
     O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
     O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button:
Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. 
- C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe -- End of file - 11519 bytes
  10. OK, I have just tried to install Spyware Doctor and been told that it is already installed as part of PC Tools Internet Security, so that had a full scan yesterday morning. I have also tried using a different internet security suite from yesterday, as I read a couple of really bad reviews of PC Tools Internet Security, so have upgraded to Avira Premium Security Suite and run full scans, which found the same infections as PC Tools, but it found and removed more infected files.
  11. Thanks for the reply guys, full scan picks up the same things, except a couple more infected files, will download Spyware Doctor and post results. I do have external HDs but none are connected at the moment or have been recently. I am not networked to any other computers. I scanned all drives. Apart from System Restore not working, I am still having problems with Google redirecting to ads, and since I have run all the scans on here, my computer is taking a lot longer to boot: it boots up to the desktop and just sits there, takes about 60 seconds just to launch IE for the first time, but I don't see how that can be related to the scans, so that's probably something separate that I can sort myself once I get the redirecting problem sorted.
  12. OK, this is all done now, and here are the logs for the scans:

Malwarebytes' Anti-Malware 1.36
Database version: 2058
Windows 5.1.2600 Service Pack 3

29/04/2009 14:52:32
mbam-log-2009-04-29 (14-52-32).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|I:\|J:\|)
Objects scanned: 341243
Time elapsed: 1 hour(s), 53 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Whysper Lupus\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Whysper Lupus\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loader49.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

SUPERAntiSpyware
No malicious items found

ESET
Win32/Rootkit.Agent.NIZ trojan (unable to clean - deleted (after next restart)) C:\WINDOWS\Temp\msb.dll
Win32/Rootkit.Agent.NIZ trojan (unable to clean - deleted) C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
Win32/Rootkit.Agent.NIZ trojan (unable to clean - deleted) C:\WINDOWS\system32\config\systemprofile\protect.dll
Win32/Rootkit.Agent.NIZ trojan (unable to clean - deleted) C:\WINDOWS\system32\autochk.dll

As soon as I have restarted my internet security, it has initiated a quick scan and is still finding infections, and I still have the same problem. Here is the log file from that.
PC Tools Internet Security

4/30/2009 17:03:22:890 Scan Started Scan Type - Intelli-Scan
4/30/2009 17:03:24:890 Infection was detected on this computer Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - 2o7.net/ 2o7.net
4/30/2009 17:03:24:890 Infection was detected on this computer Threat Name - Spyware.Known_Bad_Sites Type - Cookie Risk Level - High Infection - 7search.com/ 7search.com
4/30/2009 17:03:24:906 Infection was detected on this computer Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - ad.yieldmanager.com/ ad.yieldmanager.com
4/30/2009 17:03:24:906 Infection was detected on this computer Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - adtech.de/ adtech.de
4/30/2009 17:03:24:921 Infection was detected on this computer Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - atdmt.com/ atdmt.com
4/30/2009 17:03:24:937 Infection was detected on this computer Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - azjmp.com/ azjmp.com
4/30/2009 17:03:24:968 Infection was detected on this computer Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - bs.serving-sys.com/ bs.serving-sys.com
4/30/2009 17:03:25:46 Infection was detected on this computer Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - doubleclick.net/ doubleclick.net
4/30/2009 17:03:25:62 Infection was detected on this computer Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - ehg-eset.hitbox.com/ ehg-eset.hitbox.com
4/30/2009 17:03:25:171 Infection was detected on this computer Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - hitbox.com/ hitbox.com
4/30/2009 17:03:25:203 Infection was detected on this computer Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - imrworldwide.com/ imrworldwide.com
4/30/2009 17:03:25:203 Infection was detected on this computer Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - livenation.122.2o7.net/ livenation.122.2o7.net
4/30/2009 17:03:25:234 Infection was detected on this computer Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - mediaplex.com/ mediaplex.com
4/30/2009 17:03:25:421 Infection was detected on this computer Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - serving-sys.com/ serving-sys.com
4/30/2009 17:03:25:437 Infection was detected on this computer Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - statcounter.com/ statcounter.com
4/30/2009 17:03:25:500 Infection was detected on this computer Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - tribalfusion.com/ tribalfusion.com
4/30/2009 17:09:15:890 Scan Finished Scan Type - Intelli-Scan Items Processed - 287093 Threats Detected - 3 Infections Detected - 16 Infections Ignored - 0
4/30/2009 17:10:14:937 Infection cleaned Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - tribalfusion.com/ tribalfusion.com
4/30/2009 17:10:14:937 Infection cleaned Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - serving-sys.com/ serving-sys.com
4/30/2009 17:10:14:937 Infection cleaned Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - livenation.122.2o7.net/ livenation.122.2o7.net
4/30/2009 17:10:14:937 Infection cleaned Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - imrworldwide.com/ imrworldwide.com
4/30/2009 17:10:14:937 Infection cleaned Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - hitbox.com/ hitbox.com
4/30/2009 17:10:14:937 Infection cleaned Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - ehg-eset.hitbox.com/ ehg-eset.hitbox.com
4/30/2009 17:10:14:937 Infection cleaned Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - doubleclick.net/ doubleclick.net
4/30/2009 17:10:14:937 Infection cleaned Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - bs.serving-sys.com/ bs.serving-sys.com
4/30/2009 17:10:14:937 Infection cleaned Threat Name - Application.TrackingCookies Type - Cookie Risk Level - Low Infection - 2o7.net/ 2o7.net
4/30/2009 17:10:15:0 Infection cleaned Threat Name - Spyware.Known_Bad_Sites Type - Cookie Risk Level - High Infection - 7search.com/ 7search.com
4/30/2009 17:10:15:78 Infection cleaned Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - statcounter.com/ statcounter.com
4/30/2009 17:10:15:78 Infection cleaned Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - mediaplex.com/ mediaplex.com
4/30/2009 17:10:15:78 Infection cleaned Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - azjmp.com/ azjmp.com
4/30/2009 17:10:15:78 Infection cleaned Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - atdmt.com/ atdmt.com
4/30/2009 17:10:15:78 Infection cleaned Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - adtech.de/ adtech.de
4/30/2009 17:10:15:78 Infection cleaned Threat Name - Adware.Advertising Type - Cookie Risk Level - Low Infection - ad.yieldmanager.com/ ad.yieldmanager.com
4/30/2009 17:10:17:109 Infections Quarantined/Removed Summary Quarantined - 0 Quarantine Failed - 0 Removed - 16 Remove Failed - 0

*Also, forgot to mention: since doing the scans in safe mode it is no longer allowing me to create system restore points, it just gives me an error asking me to restart Windows.
  13. They were finding the same things that my PC Tools Internet Security is finding, plus a couple of other adware infections. OK, thanks, will give it a try and see what comes up and let you know. Yes, Intelli-Scan is just one of the quick scans PC Tools Internet Security does. I have also just noticed, when I do a search from Google or follow certain links on other sites, when I highlight the link it shows at the bottom of IE as what the link should be, but if I right-click and check the link's properties it is showing a different site.
  14. When I have re-enabled my internet security it has started an Intelli-Scan, which found the same 3 infections it seems to find every time I run it. If it helps, they are: 1) Adware.Advertising 2) Application.TrackingCookies 3) Trojan.Adclicker - Also known as: Adware.Hiu.c AdWare.Win32.Agent.ak [Kaspersky] AdWare.Win32.Age
  15. All done, followed the steps exactly and am still getting the same problem.