HijackThis printout for review please

Have rid the PC of System Tool 2011.
Have now run HijackThis on it, please see below

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:29:12, on 08/03/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\Program Files\PC Tools Security\BDT\FGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\PC Tools Security\Update.exe
C:\Program Files\PC Tools Security\Alert.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.search.yahoo.com/?fr=w3i&type=W3i_SP,204,0_0,StartPage,20110310,16939,0,8,0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: NetAssistantBHO Class - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll
R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: NetAssistantBHO - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Nuance PDF Reader-reminder] "C:\Program Files\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users.WINDOWS\Application Data\Nuance\PDF Reader\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
O4 - HKLM\..\Run: [PCTools FGuard] C:\Program Files\PC Tools Security\BDT\FGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstallIQUpdater] "C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun
O4 - HKCU\..\Run: [ISUSPM] C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet\Connect\11\ISUSPM.exe -scheduler
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/PreQual/files/MotivePreQual.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\System32\CSHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7697 bytes

Many thanks
You know you're getting old when you
go to the pub, sit outside
and admire the hanging basket :cool:
Is officially 48% tight :D
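A helper who reads a log like the one above is looking for a handful of patterns: start/search pages pointing at a bundled-search vendor, an O2 BHO that is the same component as an R3 URLSearchHook, O4 autostarts running from outside Program Files or the Windows folder, and O23 services with no publisher. The script below, added here as an example and not part of HijackThis or of any post in this thread, parses those line types and applies exactly those checks. The vendor marker list and the trusted path prefixes are assumptions; two sample lines (the NetAssistant ones) are copied from the log above and the rest are constructed placeholders in the same format.

```python
"""Triage helper for a HijackThis v2 log (added example; not HijackThis code
and not from any post in this thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys)', re.IGNORECASE)

# Assumed markers: vendors that appeared as bundled search hijacks in this thread.
VENDOR_MARKERS = ("mywebsearch", "fr=w3i", "freeze.com")
# Assumed: autostarts under these prefixes are not flagged by the path check.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class Entry:
    kind: str                      # R0, R1, R3, O2, O3, O4, O23 ...
    body: str                      # everything after "Rn - " / "On - "
    clsid: Optional[str] = None    # {GUID} if the line carries one
    path: Optional[str] = None     # first Windows path ending in .exe/.dll/.sys
    flags: List[str] = field(default_factory=list)


def parse(log: str) -> List[Entry]:
    """Turn 'Rn - ...' / 'On - ...' lines into Entry records; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        e = Entry(m["kind"], m["body"])
        c = CLSID.search(e.body)
        e.clsid = c.group(0).upper() if c else None
        p = WIN_PATH.search(e.body)
        e.path = p.group(0) if p else None
        entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags and return only the entries that earned at least one."""
    for e in entries:
        low = e.body.lower()
        if e.kind in ("R0", "R1", "R3") and any(v in low for v in VENDOR_MARKERS):
            e.flags.append("references a bundled search/toolbar vendor")
        if e.kind == "O4" and e.path and not e.path.lower().startswith(TRUSTED_PREFIXES):
            e.flags.append("autostart runs from outside Program Files / Windows")
        if e.kind == "O23" and "unknown owner" in low:
            e.flags.append("service has no publisher recorded")
    # Cross-reference: an O2 BHO sharing its CLSID with an R3 URLSearchHook is
    # one component registered twice, as NetAssistant is in the log above.
    hooks = {e.clsid for e in entries if e.kind == "R3" and e.clsid}
    for e in entries:
        if e.kind == "O2" and e.clsid in hooks:
            e.flags.append("BHO also registered as a URLSearchHook")
    return [e for e in entries if e.flags]


# Constructed sample: the two NetAssistant lines are from the thread's log,
# "ExampleUpdater" and "ExHelper" are placeholders in the same format.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.search.yahoo.com/?fr=w3i&type=W3i_SP
R3 - URLSearchHook: NetAssistantBHO Class - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll
O2 - BHO: NetAssistantBHO - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\NetAssistant\NetAssistant.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ExampleUpdater] "C:\Documents and Settings\All Users\Application Data\Example\upd.exe" -scheduler
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Example Helper Service (ExHelper) - Unknown owner - C:\WINDOWS\System32\ExHelper.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        print(f"{e.kind:4} {'; '.join(e.flags)}\n     {e.body}")
```

The flags mark entries for a second look, not verdicts: the ISUSPM updater in the log above runs from All Users\Application Data and would be flagged by the path check even though it belongs to a legitimate installer, so each flagged line still needs a human decision.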

Comments

  • bargainbird
    bargainbird Posts: 3,771 Forumite
    Ignore, have gone to 'How to speed up' etc.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    You'd be far better off running ComboFix so we can determine if it's gone or not

    Also resetting the HOSTS file, which just about always gets changed
    :idea:
  • bargainbird
    bargainbird Posts: 3,771 Forumite
    Do you have a link for ComboFix?

    Also, how do I change the HOSTS file? :o

    Thanks
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    1st up, have you run Malwarebytes? If so, please open Malwarebytes, go to LOGS and post the WHOLE of the last log.
    If you haven't -

    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_malwarebytes_anti_malware/
    Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM FULL SCAN then click SCAN
    Remove everything that's found (needs to be ticked)
    Post the COMPLETE log here AFTER you've deleted everything it finds

    ..............................................................

    Download HostsXpert (US MIRROR)
    http://www.softpedia.com/progDownload/Hoster-Download-27041.html
    and then follow the below steps.

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * click the Make Writeable? button.
    * click Restore Microsoft's Hosts File and then click OK.
    * Click the X to exit the program


    ..............................................................

    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your antivirus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT-click the exe file, choose RENAME and call it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE it as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found on the C drive)
    :idea:
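The HOSTS reset above works because a hijacked hosts file usually does one of two things: it pins security-vendor and update hostnames to 127.0.0.1 so the tools cannot update, or it points other hostnames at an address the attacker controls. Before (or instead of) blindly restoring, it helps to see what was actually changed. The script below is an added example, not HostsXpert's code and not from any post in this thread: it parses a hosts file, drops comments, and reports every mapping that is not the stock localhost entry, labelled by which pattern it matches. The watched-domain list is an assumption, the sample file is constructed, and stock_hosts() returns the one-line default that the 'Restore Microsoft's Hosts File' step writes back.

```python
"""Windows hosts-file audit (added example; not HostsXpert's code and not
from any post in this thread)."""
import ipaddress
import sys
from typing import List, Optional, Tuple

STOCK_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Assumed list of domains a hijacked file typically blackholes.
WATCHED_DOMAINS = ("windowsupdate.com", "microsoft.com", "malwarebytes.org", "avira.com")

Mapping = Tuple[int, str, Optional[str], Optional[str]]  # (line, address, host, error)
Finding = Tuple[int, str, Optional[str], str]            # (line, address, host, verdict)


def is_watched(host: str) -> bool:
    """True when host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text: str) -> List[Mapping]:
    """Return one record per address/hostname pair; '#' comments are dropped."""
    out: List[Mapping] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            out.append((n, addr, None, "unparseable address"))
            continue
        for h in hosts:
            out.append((n, addr, h.lower(), None))
    return out


def audit(text: str) -> List[Finding]:
    """Classify every non-stock mapping in the file."""
    findings: List[Finding] = []
    for n, addr, host, err in parse_hosts(text):
        if err:
            findings.append((n, addr, host, err))
            continue
        if (addr, host) in STOCK_ENTRIES:
            continue
        ip = ipaddress.ip_address(addr)
        # 0.0.0.0 is treated like loopback: it blackholes rather than redirects.
        local = ip.is_loopback or ip.is_unspecified
        if local and is_watched(host):
            findings.append((n, addr, host, "security/update host blackholed"))
        elif not local:
            findings.append((n, addr, host, "redirected to non-loopback address"))
        else:
            findings.append((n, addr, host, "non-default loopback entry"))
    return findings


def stock_hosts() -> str:
    """The default Windows XP hosts content that a restore writes back."""
    return "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1       localhost\n"


# Constructed sample resembling a tampered file; .test names and the
# 203.0.113.0/24 address are reserved for documentation.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- lines below are constructed to look like a tampered file ---
127.0.0.1       www.malwarebytes.org
127.0.0.1       download.windowsupdate.com
203.0.113.10    www.example-bank.test   # documentation address, not a real host
127.0.0.1       ads.example.test
"""

if __name__ == "__main__":
    # Pass the real path (e.g. C:\WINDOWS\system32\drivers\etc\hosts) to audit it.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for n, addr, host, verdict in audit(text):
        print(f"line {n}: {addr} {host} -> {verdict}")
```

Run it against the live file before restoring and keep the output with the other logs: the blackholed names tell you which tools were being starved of updates, and a non-loopback redirect is the entry worth reporting with the rest of the cleanup.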
  • bargainbird
    bargainbird Posts: 3,771 Forumite
    Hi,
    Have done all of the above. Printout as follows :eek:
    ComboFix 11-03-08.06 - CLARE SMITH 09/03/2011 9:52.1.1 - x86
    Running from: c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\My Documents\Downloads\ComboFix.exe
    AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\Adobe\plugs
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    \Legacy_MYWEBSEARCHSERVICE
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-09 07:21 . 2011-03-09 07:21 -------- d-----w- c:\windows\LastGood.Tmp
    2011-03-08 19:47 . 2011-03-08 19:47 -------- d-----w- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\Avira
    2011-03-08 19:45 . 2011-03-08 19:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MFAData
    2011-03-08 14:27 . 2011-03-08 14:27 388096 ----a-r- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-03-08 14:27 . 2011-03-08 14:27 -------- d-----w- c:\program files\Trend Micro
    2011-03-08 14:00 . 2011-03-08 14:00 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-03-08 13:59 . 2011-03-08 13:59 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-03-08 13:59 . 2011-03-08 14:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hitman Pro
    2011-03-08 13:53 . 2011-03-08 13:53 -------- d-----w- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Local Settings\Application Data\Threat Expert
    2011-03-08 13:17 . 2011-03-08 13:17 -------- d-----w- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\Malwarebytes
    2011-03-08 13:17 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-08 13:17 . 2011-03-08 13:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2011-03-08 13:17 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-08 12:56 . 2011-01-07 14:54 767952 ----a-w- c:\windows\BDTSupport.dll
    2011-03-08 12:56 . 2011-01-07 14:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2011-03-08 12:56 . 2011-01-07 14:54 1533904 ----a-w- c:\windows\PCTBDRes.dll
    2011-03-08 12:56 . 2011-01-07 14:54 2000848 ----a-w- c:\windows\PCTBDCore.dll
    2011-03-08 12:53 . 2010-07-16 14:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2011-03-08 12:53 . 2010-07-16 14:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2011-03-08 12:53 . 2011-01-17 09:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-03-08 12:53 . 2010-12-10 16:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-03-08 12:53 . 2010-12-10 13:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-03-08 12:53 . 2010-12-16 08:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-03-08 12:53 . 2011-03-08 12:53 -------- d-----w- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\PC Tools
    2011-03-08 12:53 . 2011-03-09 08:05 -------- d-----w- c:\program files\PC Tools Security
    2011-03-08 12:53 . 2011-03-09 10:10 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2011-03-08 12:51 . 2011-03-08 12:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
    2011-03-08 09:22 . 2011-03-08 13:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\hFcIcBb18100
    2011-03-08 09:21 . 2011-03-08 09:22 -------- d-----w- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\Sql
    2011-03-03 14:31 . 2011-03-03 14:31 -------- d-----w- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\FLEXnet
    2011-03-03 14:31 . 2011-03-03 14:31 -------- d-----w- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\Nuance
    2011-03-03 14:27 . 2011-03-03 14:27 -------- d-----w- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\Zeon
    2011-03-03 14:27 . 2011-03-03 14:31 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nuance
    2011-03-03 14:26 . 2011-03-03 14:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ScanSoft
    2011-03-03 14:25 . 2011-03-03 14:25 -------- d-----w- c:\program files\Nuance
    2011-03-03 14:25 . 2011-03-03 14:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\FLEXnet
    2011-03-03 14:25 . 2011-03-03 14:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Downloaded Installations
    2011-03-03 14:12 . 2011-03-03 14:12 -------- d-----w- c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Local Settings\Application Data\Yahoo
    2011-03-03 14:12 . 2011-03-03 14:12 -------- d-----w- c:\program files\File Type Assistant
    2011-03-03 14:10 . 2011-03-03 14:10 -------- d-----w- c:\program files\W3i
    2011-03-03 14:10 . 2011-03-03 14:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\W3i
    2011-03-03 14:09 . 2011-03-03 14:09 -------- d-----w- c:\program files\Freeze.com
    2011-03-03 14:09 . 2011-03-03 14:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2011-02-21 13:23 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2011-02-16 07:25 . 2011-02-16 07:25 -------- d-----w- c:\program files\Common Files\Java
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 21:40 . 2011-01-17 10:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19 . 2011-01-17 10:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-06 11:54 . 2011-03-08 12:56 2125 ----a-w- c:\windows\UDB.zip
    2010-12-31 13:10 . 2003-03-31 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2006-06-23 10:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2003-03-31 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38 . 2003-03-31 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2002-08-29 01:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"= "c:\program files\Freeze.com\NetAssistant\NetAssistant.dll" [2010-11-09 371320]
    .
    [HKEY_CLASSES_ROOT\clsid\{e38fa08e-f56a-4169-abf5-5c71e3c153a1}]
    [HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO.1]
    [HKEY_CLASSES_ROOT\TypeLib\{1E8FC16F-4C51-49C4-BC9B-4FC24BDDCEE7}]
    [HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
    2010-11-09 10:21 371320 ----a-w- c:\program files\Freeze.com\NetAssistant\NetAssistant.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-02-22 1151488]
    "ISUSPM"="c:\documents and settings\All Users.WINDOWS\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Nuance PDF Reader-reminder"="c:\program files\Nuance\PDF Reader\Ereg\Ereg.exe" [2008-11-03 328992]
    "PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2589:TCP"= 2589:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [08/03/2011 12:53 239168]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [08/03/2011 12:53 338880]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [08/03/2011 12:56 247760]
    R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [02/10/2009 06:48 266240]
    R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [17/03/2009 18:55 37120]
    S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [08/03/2011 14:00 16968]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [08/03/2011 12:53 366840]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-08 c:\windows\Tasks\Norton Security Scan for CLARE SMITH.job
    - c:\program files\Norton Security Scan\Engine\3.0.0.103\Nss.exe [2011-01-15 07:25]
    .
    2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{D2C0FB33-80CA-40EA-9D34-2626F30E7EA0}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.search.yahoo.com/?fr=w3i&type=W3i_SP,204,0_0,StartPage,20110310,16939,0,8,0
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    uInternet Settings,ProxyOverride = 127.0.0.1;<local>
    uSearchAssistant =
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\CLARE SMITH.ME-IZ8T1WZEN94L\Application Data\Mozilla\Firefox\Profiles\9qxnyk9a.default\
    FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNfox000&fl=0&ptb=cSRRN79CGbTU1na3nfS30w&st=kwd&o=kwd&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&searchfor=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\PC Tools Security\BDT\Firefox
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-09 10:11
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'lsass.exe'(564)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    .
    - - - - - - - > 'explorer.exe'(2624)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-09 10:17:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-09 10:17
    .
    Pre-Run: 30,499,889,152 bytes free
    Post-Run: 31,842,074,624 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - E5DAC1A0185F9A43639A5DC1C4EC9CC2

    :cool:

    Thank you x
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Delete this folder -
    c:\documents and settings\All Users.WINDOWS\Application Data\hFcIcBb18100
    :idea:
  • bargainbird
    bargainbird Posts: 3,771 Forumite
    Yep... done that, thanks :cool:
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    What happened to the Malwarebytes log?
    :idea:
  • bargainbird
    bargainbird Posts: 3,771 Forumite
    1st
    Malwarebytes' Anti-Malware 1.50.1.1100
    https://www.malwarebytes.org

    Database version: 5988

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    08/03/2011 21:28:19
    mbam-log-2011-03-08 (21-28-19).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 193148
    Time elapsed: 1 hour(s), 31 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{feeb26cf-689e-44bb-b345-f28fc8938dc9}\RP612\A0167624.dll (Trojan.Genome) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{feeb26cf-689e-44bb-b345-f28fc8938dc9}\RP614\A0169659.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{feeb26cf-689e-44bb-b345-f28fc8938dc9}\RP614\A0169660.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
  • bargainbird
    bargainbird Posts: 3,771 Forumite
    2nd
    Malwarebytes' Anti-Malware 1.50.1.1100
    https://www.malwarebytes.org

    Database version: 5988

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    08/03/2011 13:40:58
    mbam-log-2011-03-08 (13-40-58).txt

    Scan type: Quick scan
    Objects scanned: 162689
    Time elapsed: 9 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 27

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Web Search Bar (Adware.MyWebSearch) -> Value: My Web Search Bar -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\program files\A360 (Rogue.A360AntiVirus) -> Quarantined and deleted successfully.
    c:\program files\registry helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\virusremover2009 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\clare smith.me-iz8t1wzen94l\my documents\downloads\pdfconvertersetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\clare smith.me-iz8t1wzen94l\start menu\Programs\Startup\AdbUpd.lnk (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    c:\program files\registry helper\advisorletters.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\background.jpg (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\delete_invalid_entries_grey.jpg (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\errorfound.wav (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\header.gif (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\help.chm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\iehandler.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\letter.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\letter1.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\letter2.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\letter3.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\letter4.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\letter5.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\logo.jpg (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\print_16.gif (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\registry helper screen saver setup.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\registryhelper.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\registryhelperbundle.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\registryhelpersetupcb.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\registryhelpersetuptr.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\registryhelperuninstaller.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\Starter.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
    c:\program files\registry helper\vbrun60sp5.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
This discussion has been closed.