Redirected Links 2

Hewlett-packard / PAVILION
January 30, 2009 at 19:42:16
Specs: Windows XP, AMD 3100 2.2GHZ 704RAM
I have had this problem before and a kind person, Jabuck, helped me out. Maybe we can try again. Running IE7, after doing searches on Google, any/all links are being redirected: 404 page not found or page could not be found. Tried Ad-Aware, Spybot, System Mechanic, Trend Micro Internet Security, TuneUp Utilities, and Malwarebytes' Anti-Malware. No luck.



#1
January 31, 2009 at 09:53:33
Launch Notepad, and copy/paste all the instructions between the X’s below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
January 31, 2009 at 13:07:09
Here are the logs you requested

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:04:26, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Documents and Settings\HP_Owner\Desktop\tools.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {7EA1262C-7865-4D3F-9955-12D359CA1C91} - C:\WINDOWS\system32\catsr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - (no file)
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - (no file)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...
O4 - HKUS\S-1-5-21-3119658614-1899647474-260270903-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3119658614-1899647474-260270903-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-3119658614-1899647474-260270903-1009\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se... (User '?')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framewor...
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp...
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_ins...
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adob...
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 10424 bytes

Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 2

1/31/2009 3:53:29 PM
mbam-log-2009-01-31 (15-53-29).txt

Scan type: Quick Scan
Objects scanned: 64797
Time elapsed: 12 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wmi94999.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fef3a02d-17ee-32f4-91bd-73eb5195555f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fef3a02d-17ee-32f4-91bd-73eb5195555f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{fd0bffa9-e4b2-331f-9427-02a8f1ce7697} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ac8325fe-9897-3173-bd88-f17fa7aa1af9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fef3a02d-17ee-32f4-91bd-73eb5195555f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{311fd521-fa4e-30ef-a7bc-152af479b190} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{57d7cb9c-186c-3b9e-9eaf-e8422b22bedc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0ebcf9c6-1cd6-3889-9230-3b32c4914415} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ebcf9c6-1cd6-3889-9230-3b32c4914415} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HP_Owner\Application Data\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\ErrorKiller\Log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\ErrorKiller\Registry Backups (Rogue.ErrorKiller) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wmi94999.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mi94999.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tx65336.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtx65336.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\ErrorKiller\Log\2008 Nov 24 - 03_51_26 PM_203.log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\ErrorKiller\Registry Backups\2008-11-23_16-55-03.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\CriticalProcesses.dll (Rogue.EAntiSpy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ESignature.dll (Rogue.EAntiSpy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RSignature.dll (Rogue.EAntiSpy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FSignature.dll (Rogue.EAntiSpy) -> Quarantined and deleted successfully.
C:\reset.cmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\KB29211.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\KB33482.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\KB36166.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\KB48056.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\KB55236.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.



#3
January 31, 2009 at 13:29:52
Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {7EA1262C-7865-4D3F-9955-12D359CA1C91} - C:\WINDOWS\system32\catsr.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - (no file)
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - (no file)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab

Exit Hijack This.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG antivirus, and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.
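To show how the selection in the reply above can be checked mechanically, here is a small triage script added by the editor; it is not part of the thread or of HijackThis itself. It flags the classes the reply singles out from the log in #2: O2/O3 registrations whose DLL is gone, O4 autostart entries with an empty name or a URL on the command line, and an O6 IE policy restriction; the embedded log lines are constructed in the shape of the posted log, not the full log.

```python
import re

# Constructed sample in the shape of the HijackThis v2.0.2 log posted above
# (a few representative lines, not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {7EA1262C-7865-4D3F-9955-12D359CA1C91} - C:\WINDOWS\system32\catsr.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# "O2 - BHO: ..." / "R1 - HKLM\..." -> (section, rest of line)
ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")
# O4 body looks like: HKCU\..\Run: [name] command (User '?')
O4_RE = re.compile(r"\[(.*?)\]\s*(.*)$")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) for every HijackThis entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Return (section, reason, line) for entries that merit a second look.

    Rules (the classes the reply above singles out):
      * O2/O3 ending in '(no file)' or '(file missing)': a BHO or toolbar
        registration left behind after its DLL was deleted.
      * O4 autostart with an empty [name], or with a URL on the command line:
        something opens a browser at a chosen address at logon.
      * O6: an Internet Explorer policy restriction is present.
    """
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if section in ("O2", "O3") and body.endswith(("(no file)", "(file missing)")):
            findings.append((section, "orphaned BHO/toolbar registration", line))
        elif section == "O4":
            m = O4_RE.search(body)
            if m is None:
                continue
            name, command = m.group(1), m.group(2)
            if not name.strip():
                findings.append((section, "autostart entry with empty name", line))
            elif URL_RE.search(command):
                findings.append((section, "autostart passes a URL to a program", line))
        elif section == "O6":
            findings.append((section, "IE policy restriction present", line))
    return findings


def report(log_text):
    """Human-readable summary, one line per finding."""
    return "\n".join(f"[{s}] {reason}: {line}" for s, reason, line in triage(log_text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Entries that are merely unusual (the AlcxMonitor, PartyPoker and ActiveX download lines in the reply) still need a human decision; the script only narrows the list.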



#4
January 31, 2009 at 16:27:55
combofix log
ComboFix 09-01-31.01 - HP_Owner 2009-01-31 19:00:21.9 - NTFSx86
Running from: c:\documents and settings\HP_Owner\Desktop\toolbb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_003621_.tmp.dll
c:\windows\system32\_003655_.tmp.dll
c:\windows\system32\_003663_.tmp.dll
c:\windows\system32\_003777_.tmp.dll
c:\windows\system32\_003778_.tmp.dll
c:\windows\system32\_003779_.tmp.dll
c:\windows\system32\_003780_.tmp.dll
c:\windows\system32\_003787_.tmp.dll
c:\windows\system32\_003788_.tmp.dll
c:\windows\system32\_003789_.tmp.dll
c:\windows\system32\_003790_.tmp.dll
c:\windows\system32\_003792_.tmp.dll
c:\windows\system32\_003793_.tmp.dll
c:\windows\system32\_003796_.tmp.dll
c:\windows\system32\_003797_.tmp.dll
c:\windows\system32\_003799_.tmp.dll
c:\windows\system32\_003800_.tmp.dll
c:\windows\system32\_003801_.tmp.dll
c:\windows\system32\_003802_.tmp.dll
c:\windows\system32\_003803_.tmp.dll
c:\windows\system32\_003804_.tmp.dll
c:\windows\system32\_003806_.tmp.dll
c:\windows\system32\_003810_.tmp.dll
c:\windows\system32\_003811_.tmp.dll
c:\windows\system32\_003812_.tmp.dll
c:\windows\system32\_003813_.tmp.dll
c:\windows\system32\_003814_.tmp.dll
c:\windows\system32\_003819_.tmp.dll
c:\windows\system32\_003820_.tmp.dll
c:\windows\system32\_003821_.tmp.dll
c:\windows\system32\_003822_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-31 15:28 . 2009-01-31 15:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 15:28 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 15:28 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 11:41 . 2009-01-31 11:41 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-31 10:49 . 2004-08-04 00:56 380,416 --------- c:\windows\system32\irprops.cpl
2009-01-31 10:47 . 2009-01-31 10:47 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-31 10:44 . 2004-07-17 11:40 19,528 --a------ c:\windows\002512_.tmp
2009-01-31 09:02 . 2009-01-31 09:02 300 --a------ c:\windows\system32\Shortcut to subinacl.lnk
2009-01-31 08:11 . 2004-08-04 00:56 4,274,816 --a------ c:\windows\system32\nv4_disp.dll
2009-01-30 20:36 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-01-30 20:36 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2009-01-30 20:36 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2009-01-30 20:36 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedon.reg
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedoff.reg
2009-01-30 20:29 . 2004-08-04 00:56 382,464 --a------ c:\windows\system32\SETED2.tmp
2009-01-30 20:29 . 2004-08-04 00:56 351,232 --a------ c:\windows\system32\SETECA.tmp
2009-01-30 20:29 . 2004-08-04 00:56 177,152 --a------ c:\windows\system32\SETED8.tmp
2009-01-30 20:29 . 2004-08-04 00:56 6,656 --a------ c:\windows\system32\SETEC9.tmp
2009-01-30 20:23 . 2004-08-04 00:56 3,003,392 --a------ c:\windows\system32\SET319.tmp
2009-01-30 20:22 . 2004-08-04 00:56 8,384,000 --a------ c:\windows\system32\SET1F3.tmp
2009-01-30 20:20 . 2004-07-17 11:40 19,528 --a------ c:\windows\002463_.tmp
2009-01-30 20:19 . 2005-10-20 20:08 986,112 --a--c--- c:\windows\system32\dllcache\DANIM.DLL
2009-01-30 20:19 . 2005-11-29 16:27 364,544 --a--c--- c:\windows\system32\dllcache\npdsplay.dll
2009-01-30 20:18 . 2006-09-13 00:01 1,084,416 --a--c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-30 20:18 . 2006-05-18 00:24 450,560 --a--c--- c:\windows\system32\dllcache\jscript.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a------ c:\windows\system32\t2embed.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a--c--- c:\windows\system32\dllcache\t2embed.dll
2009-01-30 20:06 . 2009-01-30 20:06 <DIR> d-------- C:\toolb
2009-01-30 19:51 . 2004-09-01 17:27 209,280 --a--c--- c:\windows\system32\dllcache\update.sys
2009-01-30 19:31 . 2004-08-04 14:00 99,840 --a------ c:\windows\system32\SET6FD.tmp
2009-01-30 19:31 . 2004-08-04 14:00 99,840 --a------ c:\windows\system32\SET5FF.tmp
2009-01-30 19:31 . 2004-08-04 14:00 56,832 --a------ c:\windows\system32\SET6EE.tmp
2009-01-30 19:31 . 2004-08-04 14:00 56,832 --a------ c:\windows\system32\SET5F0.tmp
2009-01-29 20:26 . 2005-05-04 14:45 2,890,240 --a------ c:\windows\system32\msi.dll
2009-01-29 20:26 . 2005-05-04 14:45 2,890,240 --a--c--- c:\windows\system32\dllcache\msi.dll
2009-01-29 20:26 . 2005-05-04 14:45 884,736 --a------ c:\windows\system32\msimsg.dll
2009-01-29 20:26 . 2005-05-04 14:45 884,736 --a--c--- c:\windows\system32\dllcache\msimsg.dll
2009-01-29 20:26 . 2005-05-04 14:45 271,360 --a------ c:\windows\system32\msihnd.dll
2009-01-29 20:26 . 2005-05-04 14:45 271,360 --a--c--- c:\windows\system32\dllcache\msihnd.dll
2009-01-29 20:26 . 2005-05-04 14:45 78,848 --a------ c:\windows\system32\msiexec.exe
2009-01-29 20:26 . 2005-05-04 14:45 78,848 --a--c--- c:\windows\system32\dllcache\msiexec.exe
2009-01-29 20:26 . 2005-05-04 14:45 15,360 --a------ c:\windows\system32\msisip.dll
2009-01-29 20:26 . 2005-05-04 14:45 15,360 --a--c--- c:\windows\system32\dllcache\msisip.dll
2009-01-29 19:46 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2009-01-29 19:35 . 2009-01-29 19:35 12,704 --a------ c:\windows\system32\wpa.bak
2009-01-29 19:06 . 2002-09-03 11:24 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-29 19:05 . 2002-09-03 11:24 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-01-29 19:04 . 2009-01-29 19:04 299,552 --a------ c:\windows\WMSysPrx.prx
2009-01-29 19:04 . 2009-01-29 19:04 25,065 --a------ c:\windows\system32\wmpscheme.xml
2009-01-29 19:03 . 2009-01-29 19:03 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-29 19:00 . 2008-10-16 14:13 1,809,944 --a------ c:\windows\system32\wuaueng.dll
2009-01-29 18:49 . 2002-09-03 11:50 1,086,182 -ra------ c:\windows\SET94.tmp
2009-01-29 18:47 . 2009-01-31 08:37 1,187,656 --a------ c:\windows\setupapi.log.0.old
2009-01-28 18:41 . 2008-04-13 12:39 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2009-01-28 18:41 . 2008-06-13 06:05 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2009-01-28 18:41 . 2008-04-13 13:53 264,832 --a------ c:\windows\system32\drivers\http.sys
2009-01-28 18:41 . 2008-04-13 11:36 144,384 --a------ c:\windows\system32\drivers\hdaudbus.sys
2009-01-28 18:41 . 2008-04-13 13:32 129,792 --a------ c:\windows\system32\drivers\fltmgr.sys
2009-01-28 18:41 . 2008-04-13 13:36 79,232 --a------ c:\windows\system32\drivers\sdbus.sys
2009-01-28 18:41 . 2008-04-13 13:53 36,608 --a------ c:\windows\system32\drivers\ip6fw.sys
2009-01-28 18:41 . 2008-04-13 13:31 36,352 --a------ c:\windows\system32\drivers\intelppm.sys
2009-01-28 18:41 . 2004-08-03 23:07 15,488 --a------ c:\windows\system32\drivers\mssmbios.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,904 --a------ c:\windows\system32\drivers\sffdisk.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,008 --a------ c:\windows\system32\drivers\sffp_sd.sys
2009-01-28 13:47 . 2009-01-28 13:47 <DIR> d-------- c:\windows\kdefense
2009-01-28 13:47 . 2009-01-28 13:47 846,336 --a------ c:\windows\system32\kdfinj.dll
2009-01-28 13:47 . 2009-01-31 18:53 722,472 --a------ c:\windows\system32\kdfmgr.exe
2009-01-28 13:47 . 2009-01-31 18:53 192,512 --a------ c:\windows\system32\kdfvmgr.exe
2009-01-28 13:47 . 2009-01-31 18:53 77,824 --a------ c:\windows\system32\kdfapi.dll
2009-01-28 13:47 . 2009-01-31 18:43 53,248 --a------ c:\windows\system32\Kdfhok.dll
2009-01-28 09:22 . 2009-01-28 09:22 <DIR> d-------- c:\windows\LocalSSL
2009-01-28 09:21 . 2009-01-28 08:23 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-28 09:21 . 2009-01-28 08:23 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-01-28 09:21 . 2009-01-28 08:23 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-01-28 08:40 . 2009-01-28 13:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-28 08:23 . 2008-11-26 20:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-01-28 08:23 . 2009-01-28 08:23 334,352 --a------ c:\windows\system32\drivers\TM_CFW.sys
2009-01-28 08:23 . 2008-11-26 20:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-01-28 08:23 . 2009-01-28 08:23 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2009-01-28 08:23 . 2008-11-26 20:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-01-26 18:49 . 2009-01-26 18:49 <DIR> d-------- c:\windows\Speeditup Free
2009-01-26 18:49 . 2009-01-26 20:09 <DIR> d-------- c:\program files\Speeditup Free
2009-01-24 21:03 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-24 20:55 . 2009-01-24 21:02 <DIR> d--h----- c:\windows\msdownld.tmp
2009-01-24 20:54 . 2009-01-24 20:54 <DIR> d-------- c:\windows\Logs
2009-01-24 11:12 . 2009-01-24 11:12 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-24 10:21 . 2009-01-24 10:21 <DIR> d-------- c:\program files\NOS
2009-01-24 10:21 . 2009-01-24 10:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-23 08:37 . 2009-01-23 08:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-23 08:36 . 2009-01-23 08:36 0 --a------ c:\windows\system32\REN18.tmp
2009-01-23 08:36 . 2009-01-23 08:36 0 --a------ c:\windows\system32\REN17.tmp
2009-01-23 08:36 . 2009-01-23 08:36 0 --a------ c:\windows\system32\REN16.tmp
2009-01-23 07:43 . 2009-01-23 08:14 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-22 19:56 . 2009-01-22 19:59 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\HouseCall 6.6
2009-01-22 19:21 . 2009-01-22 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-01-21 17:24 . 2009-01-23 08:37 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 19:55 . 2009-01-20 19:56 <DIR> d-------- c:\documents and settings\HP_Owner\.SunDownloadManager
2009-01-20 16:09 . 2009-01-20 16:09 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-20 16:09 . 2009-01-20 16:12 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\U3
2009-01-18 20:33 . 2006-08-22 04:05 498,742 --a------ c:\windows\system32\OLD22.tmp
2009-01-18 15:00 . 2009-01-18 15:00 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\MiniDm
2009-01-18 12:34 . 2009-01-18 12:35 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\IEPro
2009-01-18 11:09 . 2009-01-18 11:09 <DIR> d-------- c:\windows\system32\Service
2009-01-16 21:04 . 2009-01-23 15:27 16,384 --a------ c:\windows\DCEBoot.exe
2009-01-15 21:06 . 2008-04-13 19:11 2,843,136 --a------ c:\windows\system32\SET3F8.tmp
2009-01-15 21:05 . 2008-04-13 19:11 1,267,200 --a------ c:\windows\system32\SET507.tmp
2009-01-15 21:04 . 2008-04-13 19:11 193,536 --a------ c:\windows\system32\SET550.tmp
2009-01-15 21:04 . 2008-04-13 19:11 143,360 --a------ c:\windows\system32\SET54C.tmp
2009-01-15 21:04 . 2008-04-13 19:11 136,192 --a------ c:\windows\system32\aaclient.dll
2009-01-15 21:04 . 2008-04-13 19:11 125,952 --a------ c:\windows\system32\SET545.tmp
2009-01-15 21:04 . 2008-04-13 19:11 98,304 --a------ c:\windows\system32\SET54E.tmp
2009-01-15 21:04 . 2008-04-13 19:12 44,544 --a------ c:\windows\system32\SET548.tmp
2009-01-15 21:04 . 2008-04-13 19:11 17,408 --a------ c:\windows\system32\SET547.tmp
2009-01-14 20:02 . 2009-01-14 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse
2009-01-14 17:40 . 2009-01-22 19:49 <DIR> d-------- c:\documents and settings\HP_Owner\.housecall6.6
2009-01-10 11:28 . 2009-01-10 11:28 661,808 --a------ c:\windows\system32\UfWSC.cpl
2009-01-07 22:08 . 2009-01-07 22:08 <DIR> d-------- C:\f3c56b0d68fa940fd1fa1239
2009-01-06 22:02 . 2009-01-06 22:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2009-01-06 18:54 . 2009-01-06 18:54 <DIR> d-------- C:\90a20f68ebc99c4012
2009-01-06 17:44 . 2009-01-25 09:22 <DIR> d-------- c:\program files\Application Compatibility Toolkit
2009-01-06 17:42 . 2009-01-06 18:54 <DIR> d-------- c:\program files\Support Tools
2009-01-06 17:27 . 2009-01-28 20:31 355,603 --a------ c:\windows\setupapi.old

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 00:39 --------- d-----w c:\program files\Google
2009-01-30 00:04 558,142 ----a-w c:\windows\java\Packages\vjhvbv31.zip
2009-01-30 00:04 155,995 ----a-w c:\windows\java\Packages\7fjnpbtb.zip
2009-01-28 14:21 --------- d-----w c:\program files\Trend Micro
2009-01-24 18:10 --------- d-----w c:\program files\Common Files\Adobe
2009-01-23 13:37 --------- d-----w c:\program files\Java
2009-01-23 11:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 02:34 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Lavasoft
2009-01-19 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-18 19:12 --------- d-----w c:\program files\Viewpoint
2009-01-18 17:57 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-01-15 00:59 --------- d-----w c:\program files\WildGames
2009-01-10 17:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-10 17:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 03:02 --------- d-----w c:\program files\AIM6
2009-01-05 01:15 --------- d-----w c:\program files\Elf Bowling 3
2009-01-05 01:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-01-03 19:35 --------- d-----w c:\program files\My Free Mahjong
2009-01-03 19:35 --------- d-----w c:\program files\ElastoMania111
2008-12-29 23:53 --------- d-----w c:\program files\COSMI
2008-12-29 23:53 --------- d-----w c:\program files\Common Files\Cosmi
2008-12-21 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-14 03:35 --------- d-----w c:\program files\Kyodai
2007-03-09 20:49 122,880 ----a-w c:\documents and settings\HP_Owner\Application Data\prg.exe
2007-04-28 01:03 1,371,359 -csha-w c:\windows\Registration\rabssy.ini2
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-29 39408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-28 497008]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0stera\0smrgdf c:\program files\iolo\System Mechanic 5\\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TurboNote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TurboNote.lnk
backup=c:\windows\pss\TurboNote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
backup=c:\windows\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a--c--- 2004-08-07 16:35 159744 c:\progra~1\HELPAN~1\Pavilion\XPHWWBF4Duet\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 12:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2004-03-04 09:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 20:42 659456 c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a--c--- 2004-06-07 20:53 49152 c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a--c--- 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a--c--- 2003-05-15 18:41 163840 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Utility Bar]
--a--c--- 2005-02-17 09:10 734208 c:\program files\iolo\System Mechanic 5\SMUtilityBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-04-21 20:28 286720 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 15:41 8192 c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a--c--- 2004-10-13 11:21 1694208 c:\windows\$hf_mig$\KB887472\SP2QFE\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
--a------ 2009-01-28 08:23 497008 c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLNRNote]
--a------ 2004-11-23 08:24 30720 c:\program files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRnote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 18:57 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-23 08:37 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2009-01-29 19:39 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-05 05:50 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2009-01-28 08:23 970808 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2005-03-04 11:01 88209 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 04:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"UxTuneUp"=2 (0x2)
"SharedAccess"=2 (0x2)
"ProtectedStorage"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"firewalldisableoverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TurboNote\\tbnote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-08-10 26488]
R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2005-01-21 17857]
S0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\DRIVERS\IABFilt.sys [2005-07-01 25344]
S0 pyytaxfq;pyytaxfq;c:\windows\system32\drivers\pyytaxfq.sys [2004-08-04 23424]
S1 HMFAxCore9e7601803354626e599e36ff93023a2b;HMFAxCore9e7601803354626e599e36ff93023a2b;c:\windows\system32\drivers\HMFAxCore9e7601803354626e599e36ff93023a2b.sys [2007-04-15 15872]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-28 49680]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-28 492888]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-11-26 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-28 677128]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-01-28 334352]


--- Other Services/Drivers In Memory ---

*Deregistered* - _IOMEGA_ACTIVE_DISK_SERVICE_
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - Aspi32
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - BCMNTIO
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - BridgeMP
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - fasttx2k
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HMFAxCore9e7601803354626e599e36ff93023a2b
*Deregistered* - IABFilt
*Deregistered* - Iomega App Services
*Deregistered* - IomegaAccess
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MAPMEM
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$MICROSOFTBCM
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - pyytaxfq
*Deregistered* - RasAcd
*Deregistered* - RasAuto
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RemoteAccess
*Deregistered* - RpcSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - Security Activity Dashboard Service
*Deregistered* - SENS
*Deregistered* - SfCtlCom
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SISAGP
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - symlcbrd
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tmactmon
*Deregistered* - TMBMServer
*Deregistered* - tmcfw
*Deregistered* - tmcomm
*Deregistered* - tmevtmgr
*Deregistered* - TmPfw
*Deregistered* - tmpreflt
*Deregistered* - TmProxy
*Deregistered* - tmtdi
*Deregistered* - tmxpflt
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vsapint
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - ZipToA

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]

2009-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-01 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOfferSilence@16 []

2009-01-25 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []
.
- - - - ORPHANS REMOVED - - - -

BHO-{7EA1262C-7865-4D3F-9955-12D359CA1C91} - c:\windows\system32\catsr.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\77091a4s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.adamscable.com/index2.php
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: network.http.max-persistent-connections-per-server - 3
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 19:15:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3119658614-1899647474-260270903-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-31 19:24:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 00:24:30
ComboFix2.txt 2009-01-31 00:31:25

Pre-Run: 114,536,603,648 bytes free
Post-Run: 114,464,788,480 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=11 Sets=,1,2,3,4,5,6,7,8,9,10,11
563 --- E O F --- 2009-01-31 13:46:53



#5
January 31, 2009 at 17:12:31
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\002512_.tmp
c:\windows\system32\SETED2.tmp
c:\windows\system32\SETECA.tmp
c:\windows\system32\SETED8.tmp
c:\windows\system32\SETEC9.tmp
c:\windows\system32\SET319.tmp
c:\windows\system32\SET1F3.tmp
c:\windows\002463_.tmp
c:\windows\SET94.tmp
c:\windows\system32\SET6FD.tmp
c:\windows\system32\SET5FF.tmp
c:\windows\system32\SET6EE.tmp
c:\windows\system32\SET5F0.tmp
c:\windows\msdownld.tmp
c:\windows\system32\REN18.tmp
c:\windows\system32\REN17.tmp
c:\windows\system32\REN16.tmp
c:\windows\system32\OLD22.tmp
c:\windows\system32\SET3F8.tmp
c:\windows\system32\SET507.tmp
c:\windows\system32\SET550.tmp
c:\windows\system32\SET54C.tmp
c:\windows\system32\SET545.tmp
c:\windows\system32\SET54E.tmp
c:\windows\system32\SET548.tmp
c:\windows\system32\SET547.tmp

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


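The CFScript in post #5 was assembled by hand from the "Files Created" section of the log above, and the same log carries the other items an analyst reads first: the service/driver list and the Security Center and firewall-policy values. The following Python script is an added example for this thread, not code from ComboFix or from any post in it. It parses a handful of constructed lines in the exact format of the logs above, builds the File:: list in the layout post #5 uses (KILLALL:: followed by File::, the only part of the CFScript format assumed here), flags S0/S1 drivers whose service names look machine-generated (a heuristic of this example only, meant to be looked up, not a verdict on any file in the log), and lists Security Center and firewall values that are set to a weakened state.

```python
"""Triage helper for ComboFix-style logs (added example for this thread; not
part of ComboFix or of any post above). It pulls out the leftover installer
temp files that post #5 lists under File::, boot-start drivers with
machine-looking names (a heuristic for the analyst, not a verdict), and
Security Center / firewall-policy values set to a weakened state."""
import re

# Constructed sample: a few lines in the exact format of the logs posted above.
SAMPLE_LOG = r"""
2009-01-31 10:44 . 2004-07-17 11:40 19,528 --a------ c:\windows\002512_.tmp
2009-01-23 08:36 . 2009-01-23 08:36 0 --a------ c:\windows\system32\REN18.tmp
2009-01-18 20:33 . 2006-08-22 04:05 498,742 --a------ c:\windows\system32\OLD22.tmp
2009-01-15 21:04 . 2008-04-13 19:11 143,360 --a------ c:\windows\system32\SET54C.tmp
2009-01-15 21:04 . 2008-04-13 19:11 136,192 --a------ c:\windows\system32\aaclient.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"firewalldisableoverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\DRIVERS\IABFilt.sys [2005-07-01 25344]
S0 pyytaxfq;pyytaxfq;c:\windows\system32\drivers\pyytaxfq.sys [2004-08-04 23424]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-28 49680]
"""

# Installer/rename leftovers under c:\windows as listed in "Files Created".
TEMP_FILE_RE = re.compile(
    r"(c:\\windows(?:\\system32)?\\(?:SET|REN|OLD)[0-9A-F]+\.tmp|c:\\windows\\\d+_\.tmp)$",
    re.IGNORECASE,
)
# "S0 name;display;path [stamp]" service/driver lines.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*\[(?P<stamp>[^\]]*)\]"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<dword>dword:)?(?P<val>[0-9A-Fa-f]+)')
# Lower-cased value name -> the setting that leaves the host less protected.
# Review items, not findings: a suite such as the Trend Micro one in this log
# sets DisableMonitoring for its own entries when it takes over Security Center.
WEAK_VALUES = {"enablefirewall": 0, "disablemonitoring": 1, "firewalldisableoverride": 1}


def looks_generated(name):
    """Heuristic: 6+ lowercase letters with at most one vowel, e.g. 'pyytaxfq'."""
    return bool(re.fullmatch(r"[a-z]{6,}", name)) and sum(c in "aeiou" for c in name) <= 1

def leftover_temp_files(lines):
    """Paths for the CFScript File:: list, in log order."""
    matches = (TEMP_FILE_RE.search(line) for line in lines)
    return [m.group(1) for m in matches if m]

def suspicious_boot_drivers(lines):
    """(name, path, stamp) for boot/system-start drivers with machine-looking names."""
    found = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m and m["start"] in ("S0", "S1", "R0", "R1") and looks_generated(m["name"]):
            found.append((m["name"], m["path"].strip(), m["stamp"]))
    return found

def weakened_settings(lines):
    """(key, value name, value) for Security Center / firewall values in a weak state."""
    found, key = [], None
    for line in lines:
        k = REG_KEY_RE.match(line)
        if k:
            key = k["key"]
            continue
        v = REG_VAL_RE.match(line)
        want = WEAK_VALUES.get(v["name"].lower()) if v else None
        if want is None:
            continue
        value = int(v["val"], 16 if v["dword"] else 10)  # dword:0000000x is hex
        if value == want:
            found.append((key, v["name"], value))
    return found

def build_cfscript(files):
    """CFScript text in the layout used in post #5: KILLALL:: then a File:: list."""
    return "KILLALL::\nFile::\n" + "".join(path + "\n" for path in files)

def triage(log_text):
    """Run all three checks over one log and return them in a dict."""
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    return {
        "temp_files": leftover_temp_files(lines),
        "boot_drivers": suspicious_boot_drivers(lines),
        "weak_settings": weakened_settings(lines),
    }

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for item in report["boot_drivers"] + report["weak_settings"]:
        print("review:", item)
    print(build_cfscript(report["temp_files"]))
```

Run it as a script to print the report for the constructed sample, or import `triage` and pass it the text of a whole log. The weakened-settings output is a review list rather than a finding: `EnableFirewall = 0` under the standard profile does mean the Windows XP firewall is off, but the `DisableMonitoring` entries under `Security Center\Monitoring\<vendor>` are commonly written by the installed security suite for its own products, so the analyst decides which of them matter.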

#6
February 1, 2009 at 05:33:10
combofix log
ComboFix 09-01-31.02 - HP_Owner 2009-02-01 8:02:11.10 - NTFSx86
Running from: c:\documents and settings\HP_Owner\Desktop\toolb.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt

FILE ::
c:\windows\002463_.tmp
c:\windows\002512_.tmp
c:\windows\msdownld.tmp
c:\windows\SET94.tmp
c:\windows\system32\OLD22.tmp
c:\windows\system32\REN16.tmp
c:\windows\system32\REN17.tmp
c:\windows\system32\REN18.tmp
c:\windows\system32\SET1F3.tmp
c:\windows\system32\SET319.tmp
c:\windows\system32\SET3F8.tmp
c:\windows\system32\SET507.tmp
c:\windows\system32\SET545.tmp
c:\windows\system32\SET547.tmp
c:\windows\system32\SET548.tmp
c:\windows\system32\SET54C.tmp
c:\windows\system32\SET54E.tmp
c:\windows\system32\SET550.tmp
c:\windows\system32\SET5F0.tmp
c:\windows\system32\SET5FF.tmp
c:\windows\system32\SET6EE.tmp
c:\windows\system32\SET6FD.tmp
c:\windows\system32\SETEC9.tmp
c:\windows\system32\SETECA.tmp
c:\windows\system32\SETED2.tmp
c:\windows\system32\SETED8.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SET94.tmp
c:\windows\system32\OLD22.tmp
c:\windows\system32\REN16.tmp
c:\windows\system32\REN17.tmp
c:\windows\system32\REN18.tmp
c:\windows\system32\SET1F3.tmp
c:\windows\system32\SET319.tmp
c:\windows\system32\SET3F8.tmp
c:\windows\system32\SET507.tmp
c:\windows\system32\SET545.tmp
c:\windows\system32\SET547.tmp
c:\windows\system32\SET548.tmp
c:\windows\system32\SET54C.tmp
c:\windows\system32\SET54E.tmp
c:\windows\system32\SET550.tmp
c:\windows\system32\SET5F0.tmp
c:\windows\system32\SET5FF.tmp
c:\windows\system32\SET6EE.tmp
c:\windows\system32\SET6FD.tmp
c:\windows\system32\SETEC9.tmp
c:\windows\system32\SETECA.tmp
c:\windows\system32\SETED2.tmp
c:\windows\system32\SETED8.tmp

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-31 15:28 . 2009-01-31 15:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 15:28 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 15:28 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 11:41 . 2009-01-31 11:41 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-31 10:49 . 2004-08-04 00:56 380,416 --------- c:\windows\system32\irprops.cpl
2009-01-31 10:47 . 2009-01-31 10:47 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-31 10:44 . 2004-07-17 11:40 19,528 --a------ c:\windows\002512_.tmp
2009-01-31 09:02 . 2009-01-31 09:02 300 --a------ c:\windows\system32\Shortcut to subinacl.lnk
2009-01-31 08:11 . 2004-08-04 00:56 4,274,816 --a------ c:\windows\system32\nv4_disp.dll
2009-01-30 20:36 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-01-30 20:36 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2009-01-30 20:36 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2009-01-30 20:36 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedon.reg
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedoff.reg
2009-01-30 20:23 . 2004-08-04 00:56 1,708,032 --a------ c:\windows\system32\SET293.tmp
2009-01-30 20:22 . 2004-08-04 00:56 1,483,264 --a------ c:\windows\system32\SET1F4.tmp
2009-01-30 20:20 . 2004-07-17 11:40 19,528 --a------ c:\windows\002463_.tmp
2009-01-30 20:19 . 2005-10-20 20:08 986,112 --a--c--- c:\windows\system32\dllcache\DANIM.DLL
2009-01-30 20:19 . 2005-11-29 16:27 364,544 --a--c--- c:\windows\system32\dllcache\npdsplay.dll
2009-01-30 20:18 . 2006-09-13 00:01 1,084,416 --a--c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-30 20:18 . 2006-05-18 00:24 450,560 --a--c--- c:\windows\system32\dllcache\jscript.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a------ c:\windows\system32\t2embed.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a--c--- c:\windows\system32\dllcache\t2embed.dll
2009-01-30 19:51 . 2004-09-01 17:27 209,280 --a--c--- c:\windows\system32\dllcache\update.sys
2009-01-30 19:32 . 2004-08-04 14:00 1,251,840 --a------ c:\windows\system32\SET6C0.tmp
2009-01-29 20:26 . 2005-05-04 14:45 2,890,240 --a------ c:\windows\system32\msi.dll
2009-01-29 20:26 . 2005-05-04 14:45 2,890,240 --a--c--- c:\windows\system32\dllcache\msi.dll
2009-01-29 20:26 . 2005-05-04 14:45 884,736 --a------ c:\windows\system32\msimsg.dll
2009-01-29 20:26 . 2005-05-04 14:45 884,736 --a--c--- c:\windows\system32\dllcache\msimsg.dll
2009-01-29 20:26 . 2005-05-04 14:45 271,360 --a------ c:\windows\system32\msihnd.dll
2009-01-29 20:26 . 2005-05-04 14:45 271,360 --a--c--- c:\windows\system32\dllcache\msihnd.dll
2009-01-29 20:26 . 2005-05-04 14:45 78,848 --a------ c:\windows\system32\msiexec.exe
2009-01-29 20:26 . 2005-05-04 14:45 78,848 --a--c--- c:\windows\system32\dllcache\msiexec.exe
2009-01-29 20:26 . 2005-05-04 14:45 15,360 --a------ c:\windows\system32\msisip.dll
2009-01-29 20:26 . 2005-05-04 14:45 15,360 --a--c--- c:\windows\system32\dllcache\msisip.dll
2009-01-29 19:46 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2009-01-29 19:35 . 2009-01-29 19:35 12,704 --a------ c:\windows\system32\wpa.bak
2009-01-29 19:06 . 2002-09-03 11:24 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-29 19:05 . 2002-09-03 11:24 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-01-29 19:04 . 2009-01-29 19:04 299,552 --a------ c:\windows\WMSysPrx.prx
2009-01-29 19:04 . 2009-01-29 19:04 25,065 --a------ c:\windows\system32\wmpscheme.xml
2009-01-29 19:03 . 2009-01-29 19:03 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-29 19:00 . 2008-10-16 14:13 1,809,944 --a------ c:\windows\system32\wuaueng.dll
2009-01-29 18:49 . 2002-09-03 11:49 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT
2009-01-29 18:47 . 2009-01-31 08:37 1,187,656 --a------ c:\windows\setupapi.log.0.old
2009-01-28 18:41 . 2008-04-13 12:39 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2009-01-28 18:41 . 2008-06-13 06:05 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2009-01-28 18:41 . 2008-04-13 13:53 264,832 --a------ c:\windows\system32\drivers\http.sys
2009-01-28 18:41 . 2008-04-13 11:36 144,384 --a------ c:\windows\system32\drivers\hdaudbus.sys
2009-01-28 18:41 . 2008-04-13 13:32 129,792 --a------ c:\windows\system32\drivers\fltmgr.sys
2009-01-28 18:41 . 2008-04-13 13:36 79,232 --a------ c:\windows\system32\drivers\sdbus.sys
2009-01-28 18:41 . 2008-04-13 13:53 36,608 --a------ c:\windows\system32\drivers\ip6fw.sys
2009-01-28 18:41 . 2008-04-13 13:31 36,352 --a------ c:\windows\system32\drivers\intelppm.sys
2009-01-28 18:41 . 2004-08-03 23:07 15,488 --a------ c:\windows\system32\drivers\mssmbios.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,904 --a------ c:\windows\system32\drivers\sffdisk.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,008 --a------ c:\windows\system32\drivers\sffp_sd.sys
2009-01-28 13:47 . 2009-01-28 13:47 <DIR> d-------- c:\windows\kdefense
2009-01-28 13:47 . 2009-01-28 13:47 846,336 --a------ c:\windows\system32\kdfinj.dll
2009-01-28 13:47 . 2009-02-01 07:38 722,472 --a------ c:\windows\system32\kdfmgr.exe
2009-01-28 13:47 . 2009-02-01 07:38 192,512 --a------ c:\windows\system32\kdfvmgr.exe
2009-01-28 13:47 . 2009-02-01 07:38 77,824 --a------ c:\windows\system32\kdfapi.dll
2009-01-28 13:47 . 2009-02-01 07:38 53,248 --a------ c:\windows\system32\Kdfhok.dll
2009-01-28 09:22 . 2009-01-28 09:22 <DIR> d-------- c:\windows\LocalSSL
2009-01-28 09:21 . 2009-01-28 08:23 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-28 09:21 . 2009-01-28 08:23 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-01-28 09:21 . 2009-01-28 08:23 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-01-28 08:40 . 2009-01-28 13:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-28 08:23 . 2008-11-26 20:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-01-28 08:23 . 2009-01-28 08:23 334,352 --a------ c:\windows\system32\drivers\TM_CFW.sys
2009-01-28 08:23 . 2008-11-26 20:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-01-28 08:23 . 2009-01-28 08:23 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2009-01-28 08:23 . 2008-11-26 20:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-01-26 18:49 . 2009-01-26 18:49 <DIR> d-------- c:\windows\Speeditup Free
2009-01-26 18:49 . 2009-01-26 20:09 <DIR> d-------- c:\program files\Speeditup Free
2009-01-24 21:03 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-24 20:55 . 2009-01-24 21:02 <DIR> d--h----- c:\windows\msdownld.tmp
2009-01-24 20:54 . 2009-01-24 20:54 <DIR> d-------- c:\windows\Logs
2009-01-24 11:12 . 2009-01-24 11:12 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-24 10:21 . 2009-01-24 10:21 <DIR> d-------- c:\program files\NOS
2009-01-24 10:21 . 2009-01-24 10:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-23 08:37 . 2009-01-23 08:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-23 07:43 . 2009-01-23 08:14 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-22 19:56 . 2009-01-22 19:59 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\HouseCall 6.6
2009-01-22 19:21 . 2009-01-22 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-01-21 17:24 . 2009-01-23 08:37 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 19:55 . 2009-01-20 19:56 <DIR> d-------- c:\documents and settings\HP_Owner\.SunDownloadManager
2009-01-20 16:09 . 2009-01-20 16:09 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-20 16:09 . 2009-01-20 16:12 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\U3
2009-01-18 15:00 . 2009-01-18 15:00 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\MiniDm
2009-01-18 12:34 . 2009-01-18 12:35 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\IEPro
2009-01-18 11:09 . 2009-01-18 11:09 <DIR> d-------- c:\windows\system32\Service
2009-01-16 21:04 . 2009-01-23 15:27 16,384 --a------ c:\windows\DCEBoot.exe
2009-01-15 21:06 . 2008-04-13 19:12 1,703,936 --a------ c:\windows\system32\SET3B9.tmp
2009-01-15 21:05 . 2008-04-13 19:11 1,082,368 --a------ c:\windows\system32\SET49A.tmp
2009-01-15 21:04 . 2008-04-13 19:11 136,192 --a------ c:\windows\system32\aaclient.dll
2009-01-14 20:02 . 2009-01-14 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse
2009-01-14 17:40 . 2009-01-22 19:49 <DIR> d-------- c:\documents and settings\HP_Owner\.housecall6.6
2009-01-10 11:28 . 2009-01-10 11:28 661,808 --a------ c:\windows\system32\UfWSC.cpl
2009-01-07 22:08 . 2009-01-07 22:08 <DIR> d-------- C:\f3c56b0d68fa940fd1fa1239
2009-01-06 22:02 . 2009-01-06 22:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2009-01-06 18:54 . 2009-01-06 18:54 <DIR> d-------- C:\90a20f68ebc99c4012
2009-01-06 17:44 . 2009-01-25 09:22 <DIR> d-------- c:\program files\Application Compatibility Toolkit
2009-01-06 17:42 . 2009-01-06 18:54 <DIR> d-------- c:\program files\Support Tools
2009-01-06 17:27 . 2009-01-28 20:31 355,603 --a------ c:\windows\setupapi.old
2009-01-06 17:24 . 2009-01-06 18:54 <DIR> d-------- c:\windows\setupupd(2)
2009-01-04 20:06 . 2009-01-04 20:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-01-04 08:56 . 2009-01-06 18:54 <DIR> d-------- c:\program files\RegCure
2009-01-04 08:35 . 2009-01-06 18:54 <DIR> d-------- C:\cmdcons(2)
2009-01-03 11:37 . 2009-01-03 11:37 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-03 11:36 . 2009-01-03 11:36 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-03 11:36 . 2009-01-03 11:36 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-03 11:36 . 2009-01-03 11:36 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-01 08:52 . 2009-01-01 08:52 <DIR> d-------- c:\program files\Flip Words 2
2009-01-01 08:32 . 2009-01-24 14:36 <DIR> d-------- c:\program files\Jigsaw365
2009-01-01 08:32 . 2009-01-24 14:50 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 08:31 . 2009-01-01 08:31 <DIR> d-------- c:\program files\bfgclient
2009-01-01 08:30 . 2009-01-18 16:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-01-01 08:27 . 2009-01-01 09:10 <DIR> d-------- c:\program files\Sudoku
2009-01-01 08:27 . 2009-01-01 08:27 <DIR> d-------- c:\program files\BFG
2009-01-01 08:27 . 2009-01-01 08:27 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\demo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 00:39 --------- d-----w c:\program files\Google
2009-01-28 14:21 --------- d-----w c:\program files\Trend Micro
2009-01-24 18:10 --------- d-----w c:\program files\Common Files\Adobe
2009-01-23 13:37 --------- d-----w c:\program files\Java
2009-01-23 11:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 02:34 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Lavasoft
2009-01-19 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-18 19:12 --------- d-----w c:\program files\Viewpoint
2009-01-18 17:57 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-01-15 00:59 --------- d-----w c:\program files\WildGames
2009-01-10 17:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-10 17:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 03:02 --------- d-----w c:\program files\AIM6
2009-01-05 01:15 --------- d-----w c:\program files\Elf Bowling 3
2009-01-05 01:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-01-03 19:35 --------- d-----w c:\program files\My Free Mahjong
2009-01-03 19:35 --------- d-----w c:\program files\ElastoMania111
2008-12-29 23:53 --------- d-----w c:\program files\COSMI
2008-12-29 23:53 --------- d-----w c:\program files\Common Files\Cosmi
2008-12-21 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-14 03:35 --------- d-----w c:\program files\Kyodai
2007-03-09 20:49 122,880 ----a-w c:\documents and settings\HP_Owner\Application Data\prg.exe
2007-04-28 01:03 1,371,359 -csha-w c:\windows\Registration\rabssy.ini2
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-29 39408]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-28 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-28 970808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-28 497008]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0stera\0smrgdf c:\program files\iolo\System Mechanic 5\\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TurboNote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TurboNote.lnk
backup=c:\windows\pss\TurboNote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
backup=c:\windows\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a--c--- 2004-08-07 16:35 159744 c:\progra~1\HELPAN~1\Pavilion\XPHWWBF4Duet\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 12:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2004-03-04 09:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 20:42 659456 c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a--c--- 2004-06-07 20:53 49152 c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a--c--- 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a--c--- 2003-05-15 18:41 163840 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Utility Bar]
--a--c--- 2005-02-17 09:10 734208 c:\program files\iolo\System Mechanic 5\SMUtilityBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-04-21 20:28 286720 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 15:41 8192 c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a--c--- 2004-10-13 11:21 1694208 c:\windows\$hf_mig$\KB887472\SP2QFE\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLNRNote]
--a------ 2004-11-23 08:24 30720 c:\program files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRnote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 18:57 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-23 08:37 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2009-01-29 19:39 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-05 05:50 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2005-03-04 11:01 88209 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 04:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"UxTuneUp"=2 (0x2)
"SharedAccess"=2 (0x2)
"ProtectedStorage"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"firewalldisableoverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TurboNote\\tbnote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-08-10 26488]
R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2005-01-21 17857]
S0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\DRIVERS\IABFilt.sys [2005-07-01 25344]
S0 pyytaxfq;pyytaxfq;c:\windows\system32\drivers\pyytaxfq.sys [2004-08-04 23424]
S1 HMFAxCore9e7601803354626e599e36ff93023a2b;HMFAxCore9e7601803354626e599e36ff93023a2b;c:\windows\system32\drivers\HMFAxCore9e7601803354626e599e36ff93023a2b.sys [2007-04-15 15872]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-28 49680]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-28 492888]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-11-26 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-28 677128]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-01-28 334352]


--- Other Services/Drivers In Memory ---

*Deregistered* - _IOMEGA_ACTIVE_DISK_SERVICE_
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - Aspi32
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - BCMNTIO
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - BridgeMP
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - fasttx2k
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HMFAxCore9e7601803354626e599e36ff93023a2b
*Deregistered* - IABFilt
*Deregistered* - Iomega App Services
*Deregistered* - IomegaAccess
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MAPMEM
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$MICROSOFTBCM
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - pyytaxfq
*Deregistered* - RasAcd
*Deregistered* - RasAuto
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RemoteAccess
*Deregistered* - RpcSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - Security Activity Dashboard Service
*Deregistered* - SENS
*Deregistered* - SfCtlCom
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SISAGP
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - symlcbrd
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tmactmon
*Deregistered* - TMBMServer
*Deregistered* - tmcfw
*Deregistered* - tmcomm
*Deregistered* - tmevtmgr
*Deregistered* - TmPfw
*Deregistered* - tmpreflt
*Deregistered* - TmProxy
*Deregistered* - tmtdi
*Deregistered* - tmxpflt
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vsapint
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - ZipToA

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]

2009-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-01 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOfferSilence@16 []

2009-01-25 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []
.
- - - - ORPHANS REMOVED - - - -

BHO-{7EA1262C-7865-4D3F-9955-12D359CA1C91} - c:\windows\system32\catsr.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\77091a4s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.adamscable.com/index2.php
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: network.http.max-persistent-connections-per-server - 3
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 08:15:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3119658614-1899647474-260270903-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-01 8:24:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 13:23:53
ComboFix2.txt 2009-02-01 00:24:48

Pre-Run: 114,645,311,488 bytes free
Post-Run: 114,639,130,624 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=11 Sets=,1,2,3,4,5,6,7,8,9,10,11
573 --- E O F --- 2009-01-31 13:46:53


#7
February 1, 2009 at 05:39:54
I must uninstall and reinstall Trend Micro Internet Security 2009. When going to add/delete programs, the error message says the Windows Installer Service cannot be accessed. How do I reload that service?
Went to msiexe and enabled, but still same message.


#8
February 1, 2009 at 05:51:56
Ran ATF Cleaner, but Kaspersky Online Scanner will not run!


#9
February 1, 2009 at 08:05:52
Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Please go to Virus Total and upload the following file for analysis:

c:\windows\Registration\rabssy.ini2

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.

Try this online scanner.

Please run ESET's online scanner from this link:

ESET

1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
5. When asked, allow the ActiveX control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked ( I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.



#10
February 1, 2009 at 09:53:59
Virus Total log and Eset log to follow shortly

File rabssy.ini2 received on 02.01.2009 18:43:05 (CET)
Result: 1/39 (2.57%)

Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.01 -
AhnLab-V3 5.0.0.2 2009.01.31 -
AntiVir 7.9.0.60 2009.01.30 -
Authentium 5.1.0.4 2009.02.01 -
Avast 4.8.1281.0 2009.02.01 -
AVG 8.0.0.229 2009.01.31 -
BitDefender 7.2 2009.02.01 -
CAT-QuickHeal 10.00 2009.01.31 -
ClamAV 0.94.1 2009.02.01 -
Comodo 957 2009.02.01 -
DrWeb 4.44.0.09170 2009.02.01 -
eSafe 7.0.17.0 2009.02.01 -
eTrust-Vet 31.6.6335 2009.01.29 -
F-Prot 4.4.4.56 2009.02.01 -
F-Secure 8.0.14470.0 2009.02.01 INI/Vundo.A
Fortinet 3.117.0.0 2009.02.01 -
GData 19 2009.02.01 -
Ikarus T3.1.1.45.0 2009.02.01 -
K7AntiVirus 7.10.612 2009.01.31 -
Kaspersky 7.0.0.125 2009.02.01 -
McAfee 5512 2009.01.31 -
McAfee+Artemis 5512 2009.01.31 -
Microsoft 1.4306 2009.02.01 -
NOD32 3816 2009.02.01 -
Norman 6.00.02 2009.01.31 -
nProtect 2009.1.8.0 2009.01.30 -
Panda 9.5.1.2 2009.02.01 -
PCTools 4.4.2.0 2009.02.01 -
Prevx1 V2 2009.02.01 -
Rising 21.14.61.00 2009.02.01 -
SecureWeb-Gateway 6.7.6 2009.01.30 -
Sophos 4.38.0 2009.02.01 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.02.01 -
TheHacker 6.3.1.5.243 2009.02.01 -
TrendMicro 8.700.0.1004 2009.01.30 -
VBA32 3.12.8.12 2009.02.01 -
ViRobot 2009.1.31.1583 2009.01.31 -
VirusBuster 4.5.11.0 2009.02.01 -
Additional information
File size: 1371359 bytes
MD5...: c7201ad65c6b2156b66058409963190e
SHA1..: cd37a71f0c1bb806e1bf9b293adf8ebf56a79412
SHA256: ef91f8ff77648f222764e1f04c54dae3dd899d9c276df0fbdb0e418ca36b8ffa
SHA512: c91f197608dc6b7ca29fdc5827857a14a76420a9d852b0072a7a5a532be131e0
3f7a903d31df9350be2e1691af0789bf116fd95a76fe7fc007d211f583ba2824

ssdeep: 24576:A//CUj54ULIjLq9RAuQAotyKLoV5WVAgkt:AnCUj54ULIjL2NQAotxL2

PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware


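The two things worth doing with a report like the one above are checking that it really describes the file on the disk (the MD5/SHA1/SHA256 it lists) and reducing the engine table to the detection ratio. The following is an added example, not the original poster's or VirusTotal's code; the function names are my own, and SAMPLE_TABLE is a constructed excerpt of five of the 39 rows from the report above.

```python
"""Added example (not the original poster's or VirusTotal's code): compute the
digests VirusTotal prints for an uploaded file and reduce a pasted engine table
to a detection ratio, so a report like the one above can be checked offline."""
import hashlib
import os
import re
import tempfile

# Constructed sample input: five of the 39 rows from the report above,
# including the single F-Secure hit.
SAMPLE_TABLE = """\
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.01 -
F-Secure 8.0.14470.0 2009.02.01 INI/Vundo.A
McAfee+Artemis 5512 2009.01.31 -
Prevx1 V2 2009.02.01 -
TrendMicro 8.700.0.1004 2009.01.30 -
"""

# A table row: engine, engine version, signature date (YYYY.MM.DD), verdict.
# VirusTotal prints "-" for no detection; anything else is the engine's name
# for the threat. The header line has no date in column three, so it never matches.
ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)


def file_digests(path, chunk_size=1 << 20):
    """Return the MD5, SHA1 and SHA256 hex digests of a file, read in chunks."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digests_of_bytes(data):
    """Write constructed bytes to a temporary file and hash it with file_digests.
    Exists so the hashing path can be exercised without a real sample on disk."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, data)
        os.close(fd)
        return file_digests(path)
    finally:
        os.remove(path)


def parse_vt_table(text):
    """Parse the engine table into (engine, version, updated, verdict) tuples;
    verdict is None where the engine reported nothing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line or stray page text
        verdict = m.group("result")
        rows.append((m.group("engine"), m.group("version"), m.group("updated"),
                     None if verdict == "-" else verdict))
    return rows


def detection_summary(rows):
    """Return (hits, engines, percent, {engine: verdict}), the numbers behind
    a line such as 'Result: 1/39'."""
    hits = {engine: verdict for engine, _, _, verdict in rows if verdict is not None}
    total = len(rows)
    percent = round(100.0 * len(hits) / total, 2) if total else 0.0
    return len(hits), total, percent, hits


def matches_report(path, reported):
    """True when the file's digests agree with the MD5/SHA1/SHA256 a report
    lists, i.e. the report really describes this copy of the file."""
    actual = file_digests(path)
    return all(actual[k] == v.lower() for k, v in reported.items() if k in actual)


if __name__ == "__main__":
    hits, total, pct, by_engine = detection_summary(parse_vt_table(SAMPLE_TABLE))
    print(f"Result: {hits}/{total} ({pct}%) {by_engine}")
    print(digests_of_bytes(b"hello"))
```

A one-engine hit on a file with an odd extension in c:\windows\Registration is exactly the case where the hash check matters: if the digests of the local file differ from the ones in the report, the report is about some other copy and the verdict does not transfer.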

#11
February 1, 2009 at 14:16:55
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3816 (20090201)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=3ab1353e7a8c5c43932a04fbf86e8aa9
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-02-01 09:56:27
# local_time=2009-02-01 04:56:27 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=455904
# found=3
# scan_time=13737
C:\Downloads\Install_AIM.exe Win32/Adware.WBug.A application 2816C9D1C6FB95C534540222AFF48F20
C:\Downloads\Install_AIM.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\Downloads\Install_AIM.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000

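The three findings in the ESET log above are one file on disk seen at three levels of packing (the » separators mark container members), which is why the follow-up script lists Install_AIM.exe once. The following is an added example, not the original poster's or ESET's code; the function names are mine, and SAMPLE_LOG is constructed from the header lines and findings pasted above.

```python
"""Added example (not the original poster's or ESET's code): parse an ESET
Online Scanner log of the kind pasted above into its header fields and its
findings, and collapse hits inside containers down to the files on disk."""
import re

# Constructed sample: header lines and the three findings from the log above.
SAMPLE_LOG = r"""
# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-02-01 09:56:27
# country="United States"
# scanned=455904
# found=3
C:\Downloads\Install_AIM.exe Win32/Adware.WBug.A application 2816C9D1C6FB95C534540222AFF48F20
C:\Downloads\Install_AIM.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\Downloads\Install_AIM.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000
"""

# A finding: "<path[ »CONTAINER »member]...> <threat> <type> <32 hex digits>".
# The chain is matched lazily and the hash is anchored to the end of the line,
# so paths containing spaces still parse: the hash fixes the last three fields.
FINDING = re.compile(
    r"^(?P<chain>.+?)\s+(?P<threat>\S+)\s+(?P<kind>\S+)\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_eset_log(text):
    """Return (header, findings). header maps the '# key=value' lines to strings;
    each finding records the on-disk file, the container nesting below it,
    the threat name, the object type and the MD5 (all zeros for inner members)."""
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            header[key.strip()] = value.strip().strip('"')
            continue
        m = FINDING.match(line)
        if not m:
            continue  # not a finding line (e.g. stray forum text)
        chain = [part.strip() for part in m.group("chain").split("»")]
        findings.append({
            "file": chain[0],
            "nesting": chain[1:],
            "threat": m.group("threat"),
            "kind": m.group("kind"),
            "md5": m.group("md5").lower(),
        })
    return header, findings


def files_on_disk(findings):
    """Group findings by the file that actually exists on disk. Hits inside
    containers are the same file seen at deeper levels, so a removal script
    needs one path per key here, not one per finding."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["file"], set()).add(f["threat"])
    return grouped


def header_consistent(header, findings):
    """True when the scan finished and the scanner's own '# found=' count
    matches the findings parsed, a cheap check that nothing was lost when
    the log was pasted into a post."""
    return header.get("end") == "finished" and int(header.get("found", -1)) == len(findings)


if __name__ == "__main__":
    hdr, hits = parse_eset_log(SAMPLE_LOG)
    for path, threats in files_on_disk(hits).items():
        print(path, sorted(threats))
    print("consistent:", header_consistent(hdr, hits))
```

The header fields matter too: remove_checked=false confirms the scan was read-only as requested, so the file is still present for the follow-up step.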

#12
February 1, 2009 at 15:36:50
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\Registration\rabssy.ini2
C:\Downloads\Install_AIM.exe
c:\windows\[u]0[/u]02512_.tmp
c:\windows\[u]0[/u]02463_.tmp
c:\windows\system32\SET293.tmp
c:\windows\system32\SET1F4.tmp
c:\windows\system32\SET6C0.tmp

DIRLOOK::
C:\f3c56b0d68fa940fd1fa1239
C:\90a20f68ebc99c4012

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run". Please post the log produced by ComboFix.



#13
February 1, 2009 at 16:17:51
ComboFix 09-01-31.02 - HP_Owner 2009-02-01 18:47:48.11 - NTFSx86
Running from: c:\documents and settings\HP_Owner\Desktop\toolb.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt

FILE ::
c:\downloads\Install_AIM.exe
c:\windows\[u]0[/u]02463_.tmp
c:\windows\[u]0[/u]02512_.tmp
c:\windows\Registration\rabssy.ini2
c:\windows\system32\SET1F4.tmp
c:\windows\system32\SET293.tmp
c:\windows\system32\SET6C0.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\downloads\Install_AIM.exe
c:\windows\Registration\rabssy.ini2
c:\windows\system32\SET1F4.tmp
c:\windows\system32\SET293.tmp
c:\windows\system32\SET6C0.tmp

.
((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))
.

2009-02-01 18:30 . <DIR> c:\windows\LastGood.Tmp
2009-02-01 12:50 . 2009-02-01 17:16 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-31 15:28 . 2009-01-31 15:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 15:28 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 15:28 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 11:41 . 2009-01-31 11:41 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-31 10:49 . 2004-08-04 00:56 380,416 --------- c:\windows\system32\irprops.cpl
2009-01-31 10:47 . 2009-01-31 10:47 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-31 10:44 . 2004-07-17 11:40 19,528 --a------ c:\windows\[u]0[/u]02512_.tmp
2009-01-31 09:02 . 2009-01-31 09:02 300 --a------ c:\windows\system32\Shortcut to subinacl.lnk
2009-01-31 08:11 . 2004-08-04 00:56 4,274,816 --a------ c:\windows\system32\nv4_disp.dll
2009-01-30 20:36 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-01-30 20:36 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2009-01-30 20:36 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2009-01-30 20:36 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedon.reg
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedoff.reg
2009-01-30 20:23 . 2004-08-03 22:19 1,351,168 --a------ c:\windows\system32\SET317.tmp
2009-01-30 20:22 . 2004-08-04 00:56 1,281,536 --a------ c:\windows\system32\SET25C.tmp
2009-01-30 20:20 . 2004-07-17 11:40 19,528 --a------ c:\windows\[u]0[/u]02463_.tmp
2009-01-30 20:19 . 2005-10-20 20:08 986,112 --a--c--- c:\windows\system32\dllcache\DANIM.DLL
2009-01-30 20:19 . 2005-11-29 16:27 364,544 --a--c--- c:\windows\system32\dllcache\npdsplay.dll
2009-01-30 20:18 . 2006-09-13 00:01 1,084,416 --a--c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-30 20:18 . 2006-05-18 00:24 450,560 --a--c--- c:\windows\system32\dllcache\jscript.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a------ c:\windows\system32\t2embed.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a--c--- c:\windows\system32\dllcache\t2embed.dll
2009-01-30 19:51 . 2004-09-01 17:27 209,280 --a--c--- c:\windows\system32\dllcache\update.sys
2009-01-30 19:32 . 2004-08-04 14:00 1,251,840 --a------ c:\windows\system32\SET5C2.tmp
2009-01-29 20:26 . 2005-05-04 14:45 2,890,240 --a------ c:\windows\system32\msi.dll
2009-01-29 20:26 . 2005-05-04 14:45 2,890,240 --a--c--- c:\windows\system32\dllcache\msi.dll
2009-01-29 20:26 . 2005-05-04 14:45 884,736 --a------ c:\windows\system32\msimsg.dll
2009-01-29 20:26 . 2005-05-04 14:45 884,736 --a--c--- c:\windows\system32\dllcache\msimsg.dll
2009-01-29 20:26 . 2005-05-04 14:45 271,360 --a------ c:\windows\system32\msihnd.dll
2009-01-29 20:26 . 2005-05-04 14:45 271,360 --a--c--- c:\windows\system32\dllcache\msihnd.dll
2009-01-29 20:26 . 2005-05-04 14:45 78,848 --a------ c:\windows\system32\msiexec.exe
2009-01-29 20:26 . 2005-05-04 14:45 78,848 --a--c--- c:\windows\system32\dllcache\msiexec.exe
2009-01-29 20:26 . 2005-05-04 14:45 15,360 --a------ c:\windows\system32\msisip.dll
2009-01-29 20:26 . 2005-05-04 14:45 15,360 --a--c--- c:\windows\system32\dllcache\msisip.dll
2009-01-29 19:46 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2009-01-29 19:35 . 2009-01-29 19:35 12,704 --a------ c:\windows\system32\wpa.bak
2009-01-29 19:06 . 2002-09-03 11:24 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-29 19:05 . 2002-09-03 11:24 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-01-29 19:04 . 2009-01-29 19:04 299,552 --a------ c:\windows\WMSysPrx.prx
2009-01-29 19:04 . 2009-01-29 19:04 25,065 --a------ c:\windows\system32\wmpscheme.xml
2009-01-29 19:03 . 2009-01-29 19:03 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-29 19:00 . 2008-10-16 14:13 1,809,944 --a------ c:\windows\system32\wuaueng.dll
2009-01-29 18:49 . 2002-09-03 11:49 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT
2009-01-29 18:47 . 2009-01-31 08:37 1,187,656 --a------ c:\windows\setupapi.log.0.old
2009-01-28 18:41 . 2008-04-13 12:39 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2009-01-28 18:41 . 2008-06-13 06:05 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2009-01-28 18:41 . 2008-04-13 13:53 264,832 --a------ c:\windows\system32\drivers\http.sys
2009-01-28 18:41 . 2008-04-13 11:36 144,384 --a------ c:\windows\system32\drivers\hdaudbus.sys
2009-01-28 18:41 . 2008-04-13 13:32 129,792 --a------ c:\windows\system32\drivers\fltmgr.sys
2009-01-28 18:41 . 2008-04-13 13:36 79,232 --a------ c:\windows\system32\drivers\sdbus.sys
2009-01-28 18:41 . 2008-04-13 13:53 36,608 --a------ c:\windows\system32\drivers\ip6fw.sys
2009-01-28 18:41 . 2008-04-13 13:31 36,352 --a------ c:\windows\system32\drivers\intelppm.sys
2009-01-28 18:41 . 2004-08-03 23:07 15,488 --a------ c:\windows\system32\drivers\mssmbios.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,904 --a------ c:\windows\system32\drivers\sffdisk.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,008 --a------ c:\windows\system32\drivers\sffp_sd.sys
2009-01-28 13:47 . 2009-01-28 13:47 <DIR> d-------- c:\windows\kdefense
2009-01-28 13:47 . 2009-01-28 13:47 846,336 --a------ c:\windows\system32\kdfinj.dll
2009-01-28 13:47 . 2009-02-01 18:43 722,472 --a------ c:\windows\system32\kdfmgr.exe
2009-01-28 13:47 . 2009-02-01 18:43 192,512 --a------ c:\windows\system32\kdfvmgr.exe
2009-01-28 13:47 . 2009-02-01 18:43 77,824 --a------ c:\windows\system32\kdfapi.dll
2009-01-28 13:47 . 2009-02-01 18:43 53,248 --a------ c:\windows\system32\Kdfhok.dll
2009-01-28 09:22 . 2009-01-28 09:22 <DIR> d-------- c:\windows\LocalSSL
2009-01-28 09:21 . 2009-01-28 08:23 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-28 09:21 . 2009-01-28 08:23 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-01-28 09:21 . 2009-01-28 08:23 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-01-28 08:40 . 2009-01-28 13:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-28 08:23 . 2008-11-26 20:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-01-28 08:23 . 2009-01-28 08:23 334,352 --a------ c:\windows\system32\drivers\TM_CFW.sys
2009-01-28 08:23 . 2008-11-26 20:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-01-28 08:23 . 2009-01-28 08:23 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2009-01-28 08:23 . 2008-11-26 20:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-01-26 18:49 . 2009-01-26 18:49 <DIR> d-------- c:\windows\Speeditup Free
2009-01-26 18:49 . 2009-01-26 20:09 <DIR> d-------- c:\program files\Speeditup Free
2009-01-24 21:03 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-24 20:55 . 2009-01-24 21:02 <DIR> d--h----- c:\windows\msdownld.tmp
2009-01-24 20:54 . 2009-01-24 20:54 <DIR> d-------- c:\windows\Logs
2009-01-24 11:12 . 2009-01-24 11:12 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-24 10:21 . 2009-01-24 10:21 <DIR> d-------- c:\program files\NOS
2009-01-24 10:21 . 2009-01-24 10:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-23 08:37 . 2009-01-23 08:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-23 07:43 . 2009-01-23 08:14 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-22 19:56 . 2009-01-22 19:59 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\HouseCall 6.6
2009-01-22 19:21 . 2009-01-22 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-01-21 17:24 . 2009-01-23 08:37 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 19:55 . 2009-01-20 19:56 <DIR> d-------- c:\documents and settings\HP_Owner\.SunDownloadManager
2009-01-20 16:09 . 2009-01-20 16:09 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-20 16:09 . 2009-01-20 16:12 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\U3
2009-01-18 15:00 . 2009-01-18 15:00 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\MiniDm
2009-01-18 12:34 . 2009-01-18 12:35 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\IEPro
2009-01-18 11:09 . 2009-01-18 11:09 <DIR> d-------- c:\windows\system32\Service
2009-01-16 21:04 . 2009-01-23 15:27 16,384 --a------ c:\windows\DCEBoot.exe
2009-01-15 21:06 . 2008-04-13 19:12 1,703,936 --a------ c:\windows\system32\SET3B9.tmp
2009-01-15 21:05 . 2008-04-13 19:11 1,082,368 --a------ c:\windows\system32\SET49A.tmp
2009-01-15 21:04 . 2008-04-13 19:11 136,192 --a------ c:\windows\system32\aaclient.dll
2009-01-14 20:02 . 2009-01-14 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse
2009-01-14 17:40 . 2009-01-22 19:49 <DIR> d-------- c:\documents and settings\HP_Owner\.housecall6.6
2009-01-10 11:28 . 2009-01-10 11:28 661,808 --a------ c:\windows\system32\UfWSC.cpl
2009-01-07 22:08 . 2009-01-07 22:08 <DIR> d-------- C:\f3c56b0d68fa940fd1fa1239
2009-01-06 22:02 . 2009-01-06 22:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2009-01-06 18:54 . 2009-01-06 18:54 <DIR> d-------- C:\90a20f68ebc99c4012
2009-01-06 17:44 . 2009-01-25 09:22 <DIR> d-------- c:\program files\Application Compatibility Toolkit
2009-01-06 17:42 . 2009-01-06 18:54 <DIR> d-------- c:\program files\Support Tools
2009-01-06 17:27 . 2009-01-28 20:31 355,603 --a------ c:\windows\setupapi.old
2009-01-06 17:24 . 2009-01-06 18:54 <DIR> d-------- c:\windows\setupupd(2)
2009-01-04 20:06 . 2009-01-04 20:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-01-04 08:56 . 2009-01-06 18:54 <DIR> d-------- c:\program files\RegCure
2009-01-04 08:35 . 2009-01-06 18:54 <DIR> d-------- C:\cmdcons(2)
2009-01-03 11:37 . 2009-01-03 11:37 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-03 11:36 . 2009-01-03 11:36 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-03 11:36 . 2009-01-03 11:36 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-03 11:36 . 2009-01-03 11:36 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 00:39 --------- d-----w c:\program files\Google
2009-01-28 14:21 --------- d-----w c:\program files\Trend Micro
2009-01-24 19:50 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-24 19:36 --------- d-----w c:\program files\Jigsaw365
2009-01-24 18:10 --------- d-----w c:\program files\Common Files\Adobe
2009-01-23 13:37 --------- d-----w c:\program files\Java
2009-01-23 11:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 02:34 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Lavasoft
2009-01-19 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-18 21:38 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-01-18 19:12 --------- d-----w c:\program files\Viewpoint
2009-01-18 17:57 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-01-15 00:59 --------- d-----w c:\program files\WildGames
2009-01-10 17:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-10 17:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 03:02 --------- d-----w c:\program files\AIM6
2009-01-05 01:15 --------- d-----w c:\program files\Elf Bowling 3
2009-01-05 01:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-01-03 19:35 --------- d-----w c:\program files\My Free Mahjong
2009-01-03 19:35 --------- d-----w c:\program files\ElastoMania111
2009-01-01 14:10 --------- d-----w c:\program files\Sudoku
2009-01-01 13:52 --------- d-----w c:\program files\Flip Words 2
2009-01-01 13:31 --------- d-----w c:\program files\bfgclient
2009-01-01 13:27 --------- d-----w c:\program files\BFG
2009-01-01 13:27 --------- d-----w c:\documents and settings\HP_Owner\Application Data\demo
2008-12-29 23:53 --------- d-----w c:\program files\COSMI
2008-12-29 23:53 --------- d-----w c:\program files\Common Files\Cosmi
2008-12-21 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-14 03:35 --------- d-----w c:\program files\Kyodai
2007-03-09 20:49 122,880 ----a-w c:\documents and settings\HP_Owner\Application Data\prg.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\90a20f68ebc99c4012 ----


---- Directory of C:\f3c56b0d68fa940fd1fa1239 ----

2009-01-07 22:08 788 --ah----- c:\f3c56b0d68fa940fd1fa1239\$shtdwn$.req
2008-08-30 00:00 1640448 --a------ c:\f3c56b0d68fa940fd1fa1239\msxml6.msi


------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2009-02-01_ 8.22.22.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-27 20:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll
+ 2007-08-02 23:11:28 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w c:\windows\system32\OnlineScannerDLLW.dll
+ 2007-08-06 18:17:40 19,456 ----a-w c:\windows\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
+ 2009-02-02 00:02:14 16,384 ----atw c:\windows\temp\Perflib_Perfdata_65c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EA1262C-7865-4D3F-9955-12D359CA1C91}]
c:\windows\system32\catsr.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-29 39408]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-28 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-28 970808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-28 497008]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\[u]0[/u]stera\[u]0[/u]smrgdf c:\program files\iolo\System Mechanic 5\\[u]0[/u]autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TurboNote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TurboNote.lnk
backup=c:\windows\pss\TurboNote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
backup=c:\windows\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a--c--- 2004-08-07 16:35 159744 c:\progra~1\HELPAN~1\Pavilion\XPHWWBF4Duet\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 12:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2004-03-04 09:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 20:42 659456 c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a--c--- 2004-06-07 20:53 49152 c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a--c--- 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a--c--- 2003-05-15 18:41 163840 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Utility Bar]
--a--c--- 2005-02-17 09:10 734208 c:\program files\iolo\System Mechanic 5\SMUtilityBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-04-21 20:28 286720 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 15:41 8192 c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a--c--- 2004-10-13 11:21 1694208 c:\windows\$hf_mig$\KB887472\SP2QFE\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLNRNote]
--a------ 2004-11-23 08:24 30720 c:\program files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRnote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 18:57 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-23 08:37 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2009-01-29 19:39 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-05 05:50 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2005-03-04 11:01 88209 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 04:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"UxTuneUp"=2 (0x2)
"SharedAccess"=2 (0x2)
"ProtectedStorage"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"firewalldisableoverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TurboNote\\tbnote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-08-10 26488]
R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2005-01-21 17857]
S0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\DRIVERS\IABFilt.sys [2005-07-01 25344]
S0 pyytaxfq;pyytaxfq;c:\windows\system32\drivers\pyytaxfq.sys [2004-08-04 23424]
S1 HMFAxCore9e7601803354626e599e36ff93023a2b;HMFAxCore9e7601803354626e599e36ff93023a2b;c:\windows\system32\drivers\HMFAxCore9e7601803354626e599e36ff93023a2b.sys [2007-04-15 15872]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-28 49680]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-28 492888]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-11-26 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-28 677128]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-01-28 334352]


--- Other Services/Drivers In Memory ---


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]

2009-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-02 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOfferSilence@16 []

2009-01-25 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\77091a4s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.adamscable.com/index2.php
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: network.http.max-persistent-connections-per-server - 3
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 19:02:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3119658614-1899647474-260270903-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-01 19:11:26 - machine was rebooted [HP_Owner]
ComboFix-quarantined-files.txt 2009-02-02 00:11:16
ComboFix2.txt 2009-02-01 13:24:06
ComboFix3.txt 2009-02-01 00:24:48

Pre-Run: 129,240,940,544 bytes free
Post-Run: 129,239,678,976 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=11 Sets=,1,2,3,4,5,6,7,8,9,10,11
556 --- E O F --- 2009-01-31 13:46:53
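Added example, not from the thread and not part of ComboFix: a Python triage pass over the kinds of lines in the log above, flagging the Security Center values set to 1, boot/system-start drivers with no descriptive name or with a hex blob in the name, services registered without a file, and AutoRun commands on removable drives. The excerpt it runs on is constructed from entries in the log (one Security Center value is set to 0 here, unlike the real log, to show the non-flagged case); the heuristics are this script's own.

```python
import re

# Constructed excerpt modelled on the ComboFix log above. The TrendFirewall
# value is 0 here (it is 1 in the real log) to show a value that is not flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"firewalldisableoverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000

S0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\DRIVERS\IABFilt.sys [2005-07-01 25344]
S0 pyytaxfq;pyytaxfq;c:\windows\system32\drivers\pyytaxfq.sys [2004-08-04 23424]
S1 HMFAxCore9e7601803354626e599e36ff93023a2b;HMFAxCore9e7601803354626e599e36ff93023a2b;c:\windows\system32\drivers\HMFAxCore9e7601803354626e599e36ff93023a2b.sys [2007-04-15 15872]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-11-26 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe
"""

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
# ComboFix service lines: "<start> <name>;<display name>;<path> [date size]" or "... [x]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
HEX_BLOB_RE = re.compile(r"[0-9a-f]{16,}", re.IGNORECASE)


def dword(value):
    """Turn ComboFix's 'dword:00000001' into an int; any other value form gives None."""
    if value.lower().startswith("dword:"):
        return int(value.split(":", 1)[1], 16)
    return None


def triage(log_text):
    """Return (category, detail) findings for the registry and service lines in a log."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]                     # registry key header
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, rest = m.group("start", "name", "display", "rest")
            path = rest.split(" [", 1)[0].strip()        # text before '[date size]' or '[x]'
            if not path:
                findings.append(("service-nofile", f"{name}: registered but no file on disk"))
            # Boot (S0) and system (S1) start drivers load earliest; a legitimate one
            # normally carries a descriptive display name, as IABFilt does.
            if start in ("S0", "S1") and display == name:
                findings.append(("driver", f"{name}: {start} driver whose display name is just its service name"))
            if HEX_BLOB_RE.search(name):
                findings.append(("driver", f"{name}: name carries a long hex blob"))
            continue
        if current_key is None:
            continue
        if line.startswith('"') and '"=' in line:
            name, value = line[1:].split('"=', 1)
            in_sc = current_key.lower().startswith(SECURITY_CENTER)
            # Either value at 1 silences the Security Center's warning for that product.
            if in_sc and name.lower() in ("disablemonitoring", "firewalldisableoverride") and dword(value) == 1:
                findings.append(("security-center", f"{name}=1 under {current_key}"))
        elif "mountpoints2" in current_key.lower() and "autorun" in line.lower():
            drive = current_key.rsplit("\\", 1)[-1]
            command = line.split(" - ", 1)[-1]
            findings.append(("autorun", f"{drive}: AutoRun command -> {command}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```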



#14
February 3, 2009 at 09:33:21
Jabuck, I'm getting nervous that my computer is unprotected, because I could not uninstall or reinstall Trend Micro. I will try to install AVG. When going to add/delete programs, the error message says the Windows Installer Service cannot be accessed. How do I reload that service?


#15
February 3, 2009 at 14:55:44
Try re-registering Windows Installer:

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Go to Start > Run > type in msiexec /regserver (note: the space after msiexec is needed), then click OK.

Restart the computer, see if you get the error message again.



#16
February 3, 2009 at 18:17:53
Did the following:
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Go to Start > Run > type in msiexec /regserver (note: the space after msiexec is needed), then click OK.
Same error. Also getting Microsoft Visual C++ Runtime Error:
Program C:\ Prog~ runtime to terminate in an unusual way.

Please help!!!
Ran an AVG scan, got 7 trojan viruses found. What should I do?



#17
February 3, 2009 at 18:57:01
Navigate to C:\Windows\System32 and see if you see the file msiexec.exe in the folder. It will not show the .exe extension, only msiexec.

Then go to Start > Search > All files and folders > do a search for msiexec and let me know what you find.



#18
February 4, 2009 at 04:17:29
Working from another computer. I cannot access the internet due to:
Iexplore access violation at address 6cb616b7
in module 'AVGToo1.dll'. Read of address 00000004. The computer then locks for two minutes and displays "The page cannot be displayed".


#19
February 4, 2009 at 13:47:01
Downloaded (burned a CD and installed) the AVG removal tool and used it; it seemed to do the trick for the Iexplore error. Manually removed the Trend Micro program using the program TISS support in C/Programs/Trend Micro. Msiexec seems to be allowing me to remove programs now. What can I do to clean up the hard drive and speed this slug up? Also, I do not get the Visual C++ error any more, but I'm still worried about the Trojans. Finally, what processes need to be running, or not? Thanks in advance.


#20
February 4, 2009 at 15:19:19
"The Windows Installer Service could not be accessed" will not let me load Trend Micro Internet Security. Any way to fix Windows Installer?


#21
February 4, 2009 at 19:01:06
Look at response #17 and let me know what you find.


#22
February 5, 2009 at 15:46:21
Went to C:\Windows\System32 to look for the file msiexec.exe. This is what I found:
msi.dll
msi.old
msi.old1
msident.dll
msiexec (Windows Installer)
msiexec.old
msiexec.old1
msihnd.dll (Application Extension)
msihnd.old
msihnd.old1
msimg32.dll


#23
February 5, 2009 at 16:00:52
PS: search won't work!!!!


#24
February 5, 2009 at 17:04:05
Two things I see: someone/something has tried to reinstall the Windows Installer two times, and you are running XP SP2. Once you get your computer clean you need to update to SP3, which may be the biggest part of the problem.

Go to the following link and download the Windows Installer, but don't install it yet:

Windows Installer 3.0

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Delete the following files, but do not empty the Recycle Bin in case we need them later:


msi.dll
msi.old
msi.old1
msiexec (Windows Installer)
msiexec.old
msiexec.old1
msihnd.dll (Application Extension)
msihnd.old
msihnd.old1

Do not delete these files:

msimg32.dll
msident.dll

Next, while still in Safe Mode, double-click the Windows Installer file on your desktop and install it. Once it installs, reboot to normal mode.

Let us know if that helped.



#25
February 5, 2009 at 17:22:17
Could not delete msi.dll: access is denied,
make sure disk is not full or write protected
or file is currently in use. The Windows Installer 3.0 is not on the desktop in Safe Mode.


#26
February 5, 2009 at 17:30:38
While in Safe Mode go to Start > My Computer > Local Disk (C:) > Documents and Settings > your folder > Desktop > double-click it from there to start the install.

If it is not there, you downloaded it somewhere besides the desktop; redownload it to the desktop and try it again.

If that does not work, try it in normal mode.



#27
February 5, 2009 at 17:48:17
Loaded Installer 3.1 (KB893803) in Safe Mode.
Loading Trend Micro as we speak. Hope it loads completely. Any cleanup procedures for me?


#28
February 5, 2009 at 18:52:52
Good job, let us know if the download was successful.


#29
February 6, 2009 at 17:05:44
Download was successful, but loading errors. Will work on that.


#30
February 6, 2009 at 18:42:58
Trend Micro downloaded, but having a difficult time installing it. Will you help me clean my machine?


#31
February 8, 2009 at 16:05:51
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#32
February 9, 2009 at 15:15:51
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:12, on 2/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Owner\Desktop\tools.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7EA1262C-7865-4D3F-9955-12D359CA1C91} - C:\WINDOWS\system32\catsr.dll (file missing)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-3119658614-1899647474-260270903-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3119658614-1899647474-260270903-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-3119658614-1899647474-260270903-1009\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-3119658614-1899647474-260270903-1009 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framewor...
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp...
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downl...
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_ins...
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adob...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Security Activity Dashboard Service - Unknown owner - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 9497 bytes

Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 2

2/9/2009 6:00:40 PM
mbam-log-2009-02-09 (18-00-28).txt

Scan type: Quick Scan
Objects scanned: 67616
Time elapsed: 22 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 2

2/9/2009 6:00:50 PM
mbam-log-2009-02-09 (18-00-50).txt

Scan type: Quick Scan
Objects scanned: 67616
Time elapsed: 22 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


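Added example, not from the thread and not part of HijackThis: a Python pass over HijackThis 2.0.2 lines of the kind posted above. It picks out registrations whose file is gone ("(no file)" / "(file missing)"), components that share one CLSID across sections (the unnamed O2 BHO and O3 toolbar above are one such pair), and O23 services with a missing binary; the MSIServer entry pointing at a missing msiexec.exe is the same condition behind the "Windows Installer Service could not be accessed" error earlier in the thread. The input lines are constructed from the log.

```python
import re

# Constructed excerpt of HijackThis 2.0.2 lines modelled on the log posted above.
SAMPLE_HJT = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {7EA1262C-7865-4D3F-9955-12D359CA1C91} - C:\WINDOWS\system32\catsr.dll (file missing)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O23 body: "Service: <display> (<name>) - <owner> - <path>"; the path may itself
# contain " - ", so the first two fields are matched non-greedily from the left.
SERVICE_RE = re.compile(r"^Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def parse_entries(text):
    """Split HijackThis 'Onn - ...' lines into dicts with section, CLSID and orphan flags."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            # HijackThis marks a registration whose file is gone in one of two ways.
            "orphan": "(file missing)" in body or body.endswith("(no file)"),
            "unnamed": "(no name)" in body,
        })
    return entries


def orphaned_entries(entries):
    """Registrations whose file is no longer on disk: leftovers of a removal, or of malware."""
    return [e for e in entries if e["orphan"]]


def clsid_sections(entries):
    """Map each CLSID to the sections it appears in; one CLSID in O2 and O3 is one component."""
    groups = {}
    for e in entries:
        if e["clsid"]:
            groups.setdefault(e["clsid"], []).append(e["section"])
    return groups


def missing_services(entries):
    """O23 services whose binary is missing; such a service cannot be started."""
    result = {}
    for e in entries:
        if e["section"] != "O23" or not e["orphan"]:
            continue
        m = SERVICE_RE.match(e["body"])
        if not m:
            continue
        desc = m.group("desc")
        short = re.search(r"\(([^()]+)\)$", desc)   # 'Windows Installer (MSIServer)' -> MSIServer
        name = short.group(1) if short else desc
        result[name] = m.group("path").replace(" (file missing)", "")
    return result


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_HJT)
    for e in orphaned_entries(entries):
        print("orphan :", e["section"], e["body"])
    for clsid, sections in clsid_sections(entries).items():
        if len(sections) > 1:
            print("shared :", clsid, sections)
    for name, path in missing_services(entries).items():
        print("service:", name, "->", path)
```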

#33
February 9, 2009 at 15:31:49
One of your real-time scanners is probably reinstalling the items Malwarebytes is removing.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

but do not run it yet.

Make sure you update Malwarebytes, then go offline, turn off your PC Tools AntiVirus, Spyware Guard, Spybot and any other antispyware that you may have.

Run malwarebytes again.

Next run Combofix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your PC Tools AntiVirus, Spyware Guard, Spybot and any other antispyware that you may have.
2. Run Combofix by double-clicking the combofix.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.


#34
February 9, 2009 at 16:22:37
ComboFix 09-02-08.02 - HP_Owner 2009-02-09 19:11:46.12 - NTFSx86
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-08 16:55 . 2009-02-08 16:55 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-08 16:55 . 2009-02-08 16:55 1,409 --a------ c:\windows\QTFont.for
2009-02-08 16:44 . 2004-08-04 07:00 343,040 --a------ c:\windows\system32\mspaint.exe
2009-02-08 16:44 . 2004-08-04 07:00 343,040 --a--c--- c:\windows\system32\dllcache\mspaint.exe
2009-02-07 21:39 . 2009-02-09 19:08 <DIR> d-------- c:\program files\PC Tools AntiVirus
2009-02-07 21:39 . 2009-02-07 21:39 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-02-07 21:39 . 2009-02-07 21:39 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\PC Tools
2009-02-07 21:39 . 2009-02-07 21:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-07 21:39 . 2007-12-06 16:51 28,568 --a------ c:\windows\system32\drivers\AVHook.sys
2009-02-07 21:39 . 2007-12-06 16:51 21,912 --a------ c:\windows\system32\drivers\AVRec.sys
2009-02-07 21:39 . 2008-02-12 11:44 21,904 --a------ c:\windows\system32\drivers\AVFilter.sys
2009-02-07 15:58 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2009-02-07 15:58 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2009-02-07 14:22 . 2009-02-07 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-07 09:56 . 2009-02-07 09:56 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 09:42 . 2009-02-07 10:38 <DIR> d-------- c:\program files\SpywareGuard
2009-02-06 19:37 . 2009-02-06 19:37 <DIR> d-------- c:\documents and settings\HP_Owner\.housecall6.6
2009-02-06 18:45 . 2009-02-06 18:45 <DIR> d-------- C:\75bbe60ff6aa817162ef0297517b
2009-02-06 18:43 . 2009-02-06 18:43 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\HouseCall 6.6
2009-02-06 18:43 . 2009-02-06 18:43 <DIR> d-------- C:\90a20f68ebc99c4012
2009-02-06 18:43 . 2009-02-06 18:43 <DIR> d-------- C:\5015a705363358e220
2009-02-06 18:43 . 2009-02-06 18:43 <DIR> d-------- C:\321d08e234eb05c9c310be
2009-02-06 18:28 . 2009-02-06 18:41 <DIR> d---s---- c:\documents and settings\HP_Owner.HOME1
2009-02-04 20:44 . 2009-02-07 09:43 <DIR> d-------- c:\program files\SpywareBlaster
2009-02-04 18:30 . 2009-02-04 18:30 <DIR> d-------- C:\toolb
2009-02-04 15:55 . 2009-02-04 15:55 <DIR> d-------- c:\windows\system32\drivers\avg7rsnt.sys
2009-02-03 16:45 . 2009-02-03 16:48 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-03 16:10 . 2009-02-04 16:30 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\AVGTOOLBAR
2009-02-03 16:10 . 2009-02-04 16:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-01 12:50 . 2009-02-01 17:16 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-31 15:28 . 2009-02-09 17:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 15:28 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 15:28 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 11:41 . 2009-01-31 11:41 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-31 10:49 . 2004-08-04 00:56 380,416 --------- c:\windows\system32\irprops.cpl
2009-01-31 10:47 . 2009-01-31 10:47 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-31 10:44 . 2004-07-17 11:40 19,528 --a------ c:\windows\[u]0[/u]02512_.tmp
2009-01-31 09:02 . 2009-01-31 09:02 300 --a------ c:\windows\system32\Shortcut to subinacl.lnk
2009-01-31 08:11 . 2004-08-04 00:56 4,274,816 --a------ c:\windows\system32\nv4_disp.dll
2009-01-30 20:36 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-01-30 20:36 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2009-01-30 20:36 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2009-01-30 20:36 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedon.reg
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedoff.reg
2009-01-30 20:23 . 2004-08-03 22:19 1,351,168 --a------ c:\windows\system32\SET317.tmp
2009-01-30 20:22 . 2004-08-04 00:56 1,281,536 --a------ c:\windows\system32\SET25C.tmp
2009-01-30 20:20 . 2004-07-17 11:40 19,528 --a------ c:\windows\[u]0[/u]02463_.tmp
2009-01-30 20:19 . 2005-10-20 20:08 986,112 --a--c--- c:\windows\system32\dllcache\DANIM.DLL
2009-01-30 20:19 . 2005-11-29 16:27 364,544 --a--c--- c:\windows\system32\dllcache\npdsplay.dll
2009-01-30 20:18 . 2006-09-13 00:01 1,084,416 --a--c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-30 20:18 . 2003-01-13 14:57 589,881 --a--c--- c:\windows\system32\dllcache\jscript.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a------ c:\windows\system32\t2embed.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a--c--- c:\windows\system32\dllcache\t2embed.dll
2009-01-30 19:51 . 2004-09-01 17:27 209,280 --a--c--- c:\windows\system32\dllcache\update.sys
2009-01-30 19:32 . 2004-08-04 14:00 1,251,840 --a------ c:\windows\system32\SET5C2.tmp
2009-01-29 20:26 . 2008-05-19 06:33 4,445,184 --a------ c:\windows\system32\msi.dll
2009-01-29 20:26 . 2008-05-19 06:33 4,445,184 --a--c--- c:\windows\system32\dllcache\msi.dll
2009-01-29 20:26 . 2008-05-19 06:33 332,800 --a--c--- c:\windows\system32\dllcache\msihnd.dll
2009-01-29 20:26 . 2008-05-19 01:57 95,744 --a--c--- c:\windows\system32\dllcache\msiexec.exe
2009-01-29 20:26 . 2005-05-04 14:45 78,848 --a------ c:\windows\system32\mnsiexec.old
2009-01-29 20:26 . 2008-05-19 06:33 18,944 --a------ c:\windows\system32\msisip.dll
2009-01-29 20:26 . 2008-05-19 06:33 18,944 --a--c--- c:\windows\system32\dllcache\msisip.dll
2009-01-29 20:26 . 2008-04-17 01:43 2,560 --a------ c:\windows\system32\msimsg.dll
2009-01-29 20:26 . 2008-04-17 01:43 2,560 --a--c--- c:\windows\system32\dllcache\msimsg.dll
2009-01-29 19:46 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2009-01-29 19:35 . 2009-01-29 19:35 12,704 --a------ c:\windows\system32\wpa.bak
2009-01-29 19:06 . 2002-09-03 11:24 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-29 19:05 . 2002-09-03 11:24 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-01-29 19:04 . 2009-01-29 19:04 299,552 --a------ c:\windows\WMSysPrx.prx
2009-01-29 19:04 . 2009-01-29 19:04 25,065 --a------ c:\windows\system32\wmpscheme.xml
2009-01-29 19:03 . 2009-01-29 19:03 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-29 19:00 . 2008-10-16 14:13 1,809,944 --a------ c:\windows\system32\wuaueng.dll
2009-01-29 18:49 . 2002-09-03 11:49 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT
2009-01-29 18:47 . 2009-01-31 08:37 1,187,656 --a------ c:\windows\setupapi.log.0.old
2009-01-28 18:41 . 2008-04-13 12:39 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2009-01-28 18:41 . 2008-06-13 06:05 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2009-01-28 18:41 . 2008-04-13 13:53 264,832 --a------ c:\windows\system32\drivers\http.sys
2009-01-28 18:41 . 2008-04-13 11:36 144,384 --a------ c:\windows\system32\drivers\hdaudbus.sys
2009-01-28 18:41 . 2008-04-13 13:32 129,792 --a------ c:\windows\system32\drivers\fltmgr.sys
2009-01-28 18:41 . 2008-04-13 13:36 79,232 --a------ c:\windows\system32\drivers\sdbus.sys
2009-01-28 18:41 . 2008-04-13 13:53 36,608 --a------ c:\windows\system32\drivers\ip6fw.sys
2009-01-28 18:41 . 2008-04-13 13:31 36,352 --a------ c:\windows\system32\drivers\intelppm.sys
2009-01-28 18:41 . 2004-08-03 23:07 15,488 --a------ c:\windows\system32\drivers\mssmbios.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,904 --a------ c:\windows\system32\drivers\sffdisk.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,008 --a------ c:\windows\system32\drivers\sffp_sd.sys
2009-01-28 13:47 . 2009-01-28 13:47 <DIR> d-------- c:\windows\kdefense
2009-01-28 13:47 . 2009-01-28 13:47 846,336 --a------ c:\windows\system32\kdfinj.dll
2009-01-28 13:47 . 2009-02-04 16:08 722,472 --a------ c:\windows\system32\kdfmgr.exe
2009-01-28 13:47 . 2009-02-04 16:08 192,512 --a------ c:\windows\system32\kdfvmgr.exe
2009-01-28 13:47 . 2009-02-04 16:08 77,824 --a------ c:\windows\system32\kdfapi.dll
2009-01-28 13:47 . 2009-02-04 16:08 53,248 --a------ c:\windows\system32\Kdfhok.dll
2009-01-28 09:22 . 2009-01-28 09:22 <DIR> d-------- c:\windows\LocalSSL
2009-01-28 08:40 . 2009-02-06 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-26 18:49 . 2009-01-26 18:49 <DIR> d-------- c:\windows\Speeditup Free
2009-01-26 18:49 . 2009-01-26 20:09 <DIR> d-------- c:\program files\Speeditup Free
2009-01-24 21:03 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-24 20:55 . 2009-01-24 21:02 <DIR> d--h----- c:\windows\msdownld.tmp
2009-01-24 20:54 . 2009-01-24 20:54 <DIR> d-------- c:\windows\Logs
2009-01-24 11:12 . 2009-01-24 11:12 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-24 10:21 . 2009-01-24 10:21 <DIR> d-------- c:\program files\NOS
2009-01-24 10:21 . 2009-01-24 10:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-23 08:37 . 2009-01-23 08:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-22 19:21 . 2009-01-22 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-01-21 17:24 . 2009-01-23 08:37 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 19:55 . 2009-01-20 19:56 <DIR> d-------- c:\documents and settings\HP_Owner\.SunDownloadManager
2009-01-20 16:09 . 2009-01-20 16:09 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-20 16:09 . 2009-01-20 16:12 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\U3
2009-01-18 15:00 . 2009-01-18 15:00 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\MiniDm
2009-01-18 12:34 . 2009-01-18 12:35 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\IEPro
2009-01-18 11:09 . 2009-01-18 11:09 <DIR> d-------- c:\windows\system32\Service
2009-01-16 21:04 . 2009-01-23 15:27 16,384 --a------ c:\windows\DCEBoot.exe
2009-01-15 21:06 . 2008-04-13 19:12 1,703,936 --a------ c:\windows\system32\SET3B9.tmp
2009-01-15 21:05 . 2008-04-13 19:11 1,082,368 --a------ c:\windows\system32\SET49A.tmp
2009-01-15 21:04 . 2008-04-13 19:11 136,192 --a------ c:\windows\system32\aaclient.dll
2009-01-14 20:02 . 2009-01-14 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 00:09 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-07 15:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-07 15:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-07 14:39 --------- d-----w c:\program files\MSECache
2009-01-30 00:39 --------- d-----w c:\program files\Google
2009-01-30 00:04 558,142 ----a-w c:\windows\java\Packages\vjhvbv31.zip
2009-01-30 00:04 155,995 ----a-w c:\windows\java\Packages\7fjnpbtb.zip
2009-01-25 14:22 --------- d-----w c:\program files\Application Compatibility Toolkit
2009-01-24 19:36 --------- d-----w c:\program files\Jigsaw365
2009-01-24 18:10 --------- d-----w c:\program files\Common Files\Adobe
2009-01-23 13:37 --------- d-----w c:\program files\Java
2009-01-23 11:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 02:34 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Lavasoft
2009-01-19 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-18 19:12 --------- d-----w c:\program files\Viewpoint
2009-01-18 17:57 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-01-15 00:59 --------- d-----w c:\program files\WildGames
2009-01-07 03:02 --------- d-----w c:\program files\Common Files\Software Update Utility
2009-01-07 03:02 --------- d-----w c:\program files\AIM6
2009-01-06 23:54 --------- d-----w c:\program files\Support Tools
2009-01-06 23:54 --------- d-----w c:\program files\RegCure
2009-01-05 01:15 --------- d-----w c:\program files\Elf Bowling 3
2009-01-05 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-01-05 01:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-01-03 19:35 --------- d-----w c:\program files\My Free Mahjong
2009-01-03 19:35 --------- d-----w c:\program files\ElastoMania111
2009-01-03 16:37 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-03 16:36 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-03 16:36 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-03 16:36 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-01 14:10 --------- d-----w c:\program files\Sudoku
2009-01-01 13:52 --------- d-----w c:\program files\Flip Words 2
2009-01-01 13:27 --------- d-----w c:\program files\BFG
2009-01-01 13:27 --------- d-----w c:\documents and settings\HP_Owner\Application Data\demo
2008-12-29 23:53 --------- d-----w c:\program files\COSMI
2008-12-29 23:53 --------- d-----w c:\program files\Common Files\Cosmi
2008-12-21 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-14 03:35 --------- d-----w c:\program files\Kyodai
2007-03-09 20:49 122,880 ----a-w c:\documents and settings\HP_Owner\Application Data\prg.exe
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-12-04 1370000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\[u]0[/u]stera\[u]0[/u]smrgdf c:\program files\iolo\System Mechanic 5\\[u]0[/u]autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TurboNote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TurboNote.lnk
backup=c:\windows\pss\TurboNote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
backup=c:\windows\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a--c--- 2004-08-07 16:35 159744 c:\progra~1\HELPAN~1\Pavilion\XPHWWBF4Duet\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 12:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2004-03-04 09:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 20:42 659456 c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a--c--- 2004-06-07 20:53 49152 c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a--c--- 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a--c--- 2003-05-15 18:41 163840 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Utility Bar]
--a--c--- 2005-02-17 09:10 734208 c:\program files\iolo\System Mechanic 5\SMUtilityBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-04-21 20:28 286720 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 15:41 8192 c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a--c--- 2004-10-13 11:21 1694208 c:\windows\$hf_mig$\KB887472\SP2QFE\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLNRNote]
--a------ 2004-11-23 08:24 30720 c:\program files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRnote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 18:57 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-23 08:37 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2009-01-29 19:39 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-05 05:50 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2005-03-04 11:01 88209 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 04:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"UxTuneUp"=2 (0x2)
"SharedAccess"=2 (0x2)
"ProtectedStorage"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TurboNote\\tbnote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 Security Activity Dashboard Service;Security Activity Dashboard Service; [x]
R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-08-10 26488]
R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2005-01-21 17857]
S0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\DRIVERS\IABFilt.sys [2005-07-01 25344]
S0 pyytaxfq;pyytaxfq;c:\windows\system32\drivers\pyytaxfq.sys [2004-08-04 23424]
S1 HMFAxCore9e7601803354626e599e36ff93023a2b;HMFAxCore9e7601803354626e599e36ff93023a2b;c:\windows\system32\drivers\HMFAxCore9e7601803354626e599e36ff93023a2b.sys [2007-04-15 15872]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]


--- Other Services/Drivers In Memory ---

*Deregistered* - _IOMEGA_ACTIVE_DISK_SERVICE_
*Deregistered* - AFD
*Deregistered* - Arp1394
*Deregistered* - Aspi32
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - AVFilter
*Deregistered* - AVHook
*Deregistered* - AVRec
*Deregistered* - BCMNTIO
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - BridgeMP
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - fasttx2k
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HMFAxCore9e7601803354626e599e36ff93023a2b
*Deregistered* - IABFilt
*Deregistered* - Iomega App Services
*Deregistered* - IomegaAccess
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MAPMEM
*Deregistered* - mchInjDrv
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$MICROSOFTBCM
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - PCTAVSvc
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - pyytaxfq
*Deregistered* - RasAcd
*Deregistered* - RasAuto
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RemoteAccess
*Deregistered* - RpcSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - ShellHWDetection
*Deregistered* - SISAGP
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - symlcbrd
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - ZipToA
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-10 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOfferSilence@16 []

2009-01-25 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []
.
- - - - ORPHANS REMOVED - - - -

BHO-{7EA1262C-7865-4D3F-9955-12D359CA1C91} - c:\windows\system32\catsr.dll
HKU-Default-Run-OE - c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
Notify-avgrsstarter - avgrsstx.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 19:16:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3119658614-1899647474-260270903-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'lsass.exe'(872)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'csrss.exe'(788)
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
.
Completion time: 2009-02-09 19:18:59
ComboFix-quarantined-files.txt 2009-02-10 00:18:31
ComboFix2.txt 2009-02-02 00:11:34

Pre-Run: 126,200,496,128 bytes free
Post-Run: 126,393,479,168 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=11 Sets=,1,2,3,4,5,6,7,8,9,10,11
499 --- E O F --- 2009-01-31 13:46:53

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 19:12:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden files ...

scan completed successfully
hidden files: 0


Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 2

2/9/2009 7:04:31 PM
mbam-log-2009-02-09 (19-04-16).txt

Scan type: Quick Scan
Objects scanned: 68243
Time elapsed: 22 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




#35
February 9, 2009 at 19:41:23
Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\002512_.tmp
c:\windows\system32\SET317.tmp
c:\windows\system32\SET25C.tmp
c:\windows\002463_.tmp
c:\windows\system32\SET5C2.tmp
c:\windows\system32\SET3B9.tmp
c:\windows\system32\SET49A.tmp
c:\windows\system32\drivers\ip6fw.sys

Driver::
ip6fw

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#36
February 10, 2009 at 13:11:21
ComboFix 09-02-08.02 - HP_Owner 2009-02-10 15:51:23.13 - NTFSx86
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt

FILE ::
c:\windows\002463_.tmp
c:\windows\002512_.tmp
c:\windows\system32\drivers\ip6fw.sys
c:\windows\system32\SET25C.tmp
c:\windows\system32\SET317.tmp
c:\windows\system32\SET3B9.tmp
c:\windows\system32\SET49A.tmp
c:\windows\system32\SET5C2.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ip6fw.sys
c:\windows\system32\SET25C.tmp
c:\windows\system32\SET317.tmp
c:\windows\system32\SET3B9.tmp
c:\windows\system32\SET49A.tmp
c:\windows\system32\SET5C2.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ip6Fw


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-09 20:21 . 2009-02-09 20:21 <DIR> d-------- c:\program files\Alwil Software
2009-02-08 16:55 . 2009-02-08 16:55 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-08 16:55 . 2009-02-08 16:55 1,409 --a------ c:\windows\QTFont.for
2009-02-08 16:44 . 2004-08-04 07:00 343,040 --a------ c:\windows\system32\mspaint.exe
2009-02-08 16:44 . 2004-08-04 07:00 343,040 --a--c--- c:\windows\system32\dllcache\mspaint.exe
2009-02-07 21:39 . 2009-02-07 21:39 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-02-07 15:58 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2009-02-07 15:58 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2009-02-07 14:22 . 2009-02-07 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-07 09:56 . 2009-02-07 09:56 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 09:42 . 2009-02-07 10:38 <DIR> d-------- c:\program files\SpywareGuard
2009-02-06 19:37 . 2009-02-06 19:37 <DIR> d-------- c:\documents and settings\HP_Owner\.housecall6.6
2009-02-06 18:45 . 2009-02-06 18:45 <DIR> d-------- C:\75bbe60ff6aa817162ef0297517b
2009-02-06 18:43 . 2009-02-06 18:43 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\HouseCall 6.6
2009-02-06 18:43 . 2009-02-06 18:43 <DIR> d-------- C:\90a20f68ebc99c4012
2009-02-06 18:43 . 2009-02-06 18:43 <DIR> d-------- C:\5015a705363358e220
2009-02-06 18:43 . 2009-02-06 18:43 <DIR> d-------- C:\321d08e234eb05c9c310be
2009-02-06 18:28 . 2009-02-06 18:41 <DIR> d---s---- c:\documents and settings\HP_Owner.HOME1
2009-02-04 20:44 . 2009-02-07 09:43 <DIR> d-------- c:\program files\SpywareBlaster
2009-02-04 18:30 . 2009-02-04 18:30 <DIR> d-------- C:\toolb
2009-02-03 16:45 . 2009-02-03 16:48 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-03 16:10 . 2009-02-04 16:30 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\AVGTOOLBAR
2009-02-03 16:10 . 2009-02-09 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-01 12:50 . 2009-02-01 17:16 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-31 15:28 . 2009-02-09 17:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 15:28 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 15:28 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 11:41 . 2009-01-31 11:41 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-31 10:49 . 2004-08-04 00:56 380,416 --------- c:\windows\system32\irprops.cpl
2009-01-31 10:47 . 2009-01-31 10:47 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-31 10:44 . 2004-07-17 11:40 19,528 --a------ c:\windows\002512_.tmp
2009-01-31 09:02 . 2009-01-31 09:02 300 --a------ c:\windows\system32\Shortcut to subinacl.lnk
2009-01-31 08:11 . 2004-08-04 00:56 4,274,816 --a------ c:\windows\system32\nv4_disp.dll
2009-01-30 20:36 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-01-30 20:36 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2009-01-30 20:36 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2009-01-30 20:36 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedon.reg
2009-01-30 20:36 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedoff.reg
2009-01-30 20:23 . 2004-08-04 00:56 1,236,480 --a------ c:\windows\system32\SET2BD.tmp
2009-01-30 20:22 . 2004-08-04 00:56 723,456 --a------ c:\windows\system32\SET197.tmp
2009-01-30 20:20 . 2004-07-17 11:40 19,528 --a------ c:\windows\002463_.tmp
2009-01-30 20:19 . 2005-10-20 20:08 986,112 --a--c--- c:\windows\system32\dllcache\DANIM.DLL
2009-01-30 20:19 . 2005-11-29 16:27 364,544 --a--c--- c:\windows\system32\dllcache\npdsplay.dll
2009-01-30 20:18 . 2006-09-13 00:01 1,084,416 --a--c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-30 20:18 . 2003-01-13 14:57 589,881 --a--c--- c:\windows\system32\dllcache\jscript.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a------ c:\windows\system32\t2embed.dll
2009-01-30 20:18 . 2005-10-17 16:14 118,272 --a--c--- c:\windows\system32\dllcache\t2embed.dll
2009-01-30 19:51 . 2004-09-01 17:27 209,280 --a--c--- c:\windows\system32\dllcache\update.sys
2009-01-30 19:32 . 2004-08-04 14:00 1,016,832 --a------ c:\windows\system32\SET6E4.tmp
2009-01-29 20:26 . 2008-05-19 06:33 4,445,184 --a------ c:\windows\system32\msi.dll
2009-01-29 20:26 . 2008-05-19 06:33 4,445,184 --a--c--- c:\windows\system32\dllcache\msi.dll
2009-01-29 20:26 . 2008-05-19 06:33 332,800 --a--c--- c:\windows\system32\dllcache\msihnd.dll
2009-01-29 20:26 . 2008-05-19 01:57 95,744 --a--c--- c:\windows\system32\dllcache\msiexec.exe
2009-01-29 20:26 . 2005-05-04 14:45 78,848 --a------ c:\windows\system32\mnsiexec.old
2009-01-29 20:26 . 2008-05-19 06:33 18,944 --a------ c:\windows\system32\msisip.dll
2009-01-29 20:26 . 2008-05-19 06:33 18,944 --a--c--- c:\windows\system32\dllcache\msisip.dll
2009-01-29 20:26 . 2008-04-17 01:43 2,560 --a------ c:\windows\system32\msimsg.dll
2009-01-29 20:26 . 2008-04-17 01:43 2,560 --a--c--- c:\windows\system32\dllcache\msimsg.dll
2009-01-29 19:46 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2009-01-29 19:35 . 2009-01-29 19:35 12,704 --a------ c:\windows\system32\wpa.bak
2009-01-29 19:06 . 2002-09-03 11:24 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-29 19:05 . 2002-09-03 11:24 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-01-29 19:04 . 2009-01-29 19:04 299,552 --a------ c:\windows\WMSysPrx.prx
2009-01-29 19:04 . 2009-01-29 19:04 25,065 --a------ c:\windows\system32\wmpscheme.xml
2009-01-29 19:03 . 2009-01-29 19:03 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-29 19:00 . 2008-10-16 14:13 1,809,944 --a------ c:\windows\system32\wuaueng.dll
2009-01-29 18:49 . 2002-09-03 11:49 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT
2009-01-29 18:47 . 2009-01-31 08:37 1,187,656 --a------ c:\windows\setupapi.log.0.old
2009-01-28 18:41 . 2008-04-13 12:39 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2009-01-28 18:41 . 2008-06-13 06:05 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2009-01-28 18:41 . 2008-04-13 13:53 264,832 --a------ c:\windows\system32\drivers\http.sys
2009-01-28 18:41 . 2008-04-13 11:36 144,384 --a------ c:\windows\system32\drivers\hdaudbus.sys
2009-01-28 18:41 . 2008-04-13 13:32 129,792 --a------ c:\windows\system32\drivers\fltmgr.sys
2009-01-28 18:41 . 2008-04-13 13:36 79,232 --a------ c:\windows\system32\drivers\sdbus.sys
2009-01-28 18:41 . 2008-04-13 13:31 36,352 --a------ c:\windows\system32\drivers\intelppm.sys
2009-01-28 18:41 . 2004-08-03 23:00 29,056 --a--c--- c:\windows\system32\dllcache\ip6fw.sys
2009-01-28 18:41 . 2004-08-03 23:07 15,488 --a------ c:\windows\system32\drivers\mssmbios.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,904 --a------ c:\windows\system32\drivers\sffdisk.sys
2009-01-28 18:41 . 2008-04-13 13:40 11,008 --a------ c:\windows\system32\drivers\sffp_sd.sys
2009-01-28 13:47 . 2009-01-28 13:47 <DIR> d-------- c:\windows\kdefense
2009-01-28 13:47 . 2009-01-28 13:47 846,336 --a------ c:\windows\system32\kdfinj.dll
2009-01-28 13:47 . 2009-02-04 16:08 722,472 --a------ c:\windows\system32\kdfmgr.exe
2009-01-28 13:47 . 2009-02-04 16:08 192,512 --a------ c:\windows\system32\kdfvmgr.exe
2009-01-28 13:47 . 2009-02-04 16:08 77,824 --a------ c:\windows\system32\kdfapi.dll
2009-01-28 13:47 . 2009-02-04 16:08 53,248 --a------ c:\windows\system32\Kdfhok.dll
2009-01-28 09:22 . 2009-01-28 09:22 <DIR> d-------- c:\windows\LocalSSL
2009-01-28 08:40 . 2009-02-06 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-26 18:49 . 2009-01-26 18:49 <DIR> d-------- c:\windows\Speeditup Free
2009-01-26 18:49 . 2009-01-26 20:09 <DIR> d-------- c:\program files\Speeditup Free
2009-01-24 21:03 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-24 20:55 . 2009-01-24 21:02 <DIR> d--h----- c:\windows\msdownld.tmp
2009-01-24 20:54 . 2009-01-24 20:54 <DIR> d-------- c:\windows\Logs
2009-01-24 11:12 . 2009-01-24 11:12 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-24 10:21 . 2009-01-24 10:21 <DIR> d-------- c:\program files\NOS
2009-01-24 10:21 . 2009-01-24 10:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-23 08:37 . 2009-01-23 08:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-22 19:21 . 2009-01-22 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-01-21 17:24 . 2009-01-23 08:37 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-01-20 21:09 . 2009-01-20 21:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 19:55 . 2009-01-20 19:56 <DIR> d-------- c:\documents and settings\HP_Owner\.SunDownloadManager
2009-01-20 16:09 . 2009-01-20 16:09 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-20 16:09 . 2009-01-20 16:12 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\U3
2009-01-18 15:00 . 2009-01-18 15:00 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\MiniDm
2009-01-18 12:34 . 2009-01-18 12:35 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\IEPro
2009-01-18 11:09 . 2009-01-18 11:09 <DIR> d-------- c:\windows\system32\Service
2009-01-16 21:04 . 2009-01-23 15:27 16,384 --a------ c:\windows\DCEBoot.exe
2009-01-15 21:06 . 2004-08-04 07:00 1,309,184 --a------ c:\windows\system32\drivers\mtlstrm.sys
2009-01-15 21:05 . 2004-08-04 07:00 1,041,536 --a------ c:\windows\system32\drivers\hsfdpsp2.sys
2009-01-15 21:04 . 2008-04-13 19:11 136,192 --a------ c:\windows\system32\aaclient.dll
2009-01-14 20:02 . 2009-01-14 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 01:58 --------- d-----w c:\program files\Google
2009-02-10 00:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-07 15:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-07 15:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-07 14:39 --------- d-----w c:\program files\MSECache
2009-01-25 14:22 --------- d-----w c:\program files\Application Compatibility Toolkit
2009-01-24 19:36 --------- d-----w c:\program files\Jigsaw365
2009-01-24 18:10 --------- d-----w c:\program files\Common Files\Adobe
2009-01-23 13:37 --------- d-----w c:\program files\Java
2009-01-23 11:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 02:34 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Lavasoft
2009-01-19 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-18 19:12 --------- d-----w c:\program files\Viewpoint
2009-01-18 17:57 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-01-15 00:59 --------- d-----w c:\program files\WildGames
2009-01-07 03:02 --------- d-----w c:\program files\Common Files\Software Update Utility
2009-01-07 03:02 --------- d-----w c:\program files\AIM6
2009-01-06 23:54 --------- d-----w c:\program files\Support Tools
2009-01-06 23:54 --------- d-----w c:\program files\RegCure
2009-01-05 01:15 --------- d-----w c:\program files\Elf Bowling 3
2009-01-05 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-01-05 01:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-01-03 19:35 --------- d-----w c:\program files\My Free Mahjong
2009-01-03 19:35 --------- d-----w c:\program files\ElastoMania111
2009-01-03 16:37 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-03 16:36 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-03 16:36 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-03 16:36 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-01 14:10 --------- d-----w c:\program files\Sudoku
2009-01-01 13:52 --------- d-----w c:\program files\Flip Words 2
2009-01-01 13:27 --------- d-----w c:\program files\BFG
2009-01-01 13:27 --------- d-----w c:\documents and settings\HP_Owner\Application Data\demo
2008-12-29 23:53 --------- d-----w c:\program files\COSMI
2008-12-29 23:53 --------- d-----w c:\program files\Common Files\Cosmi
2008-12-21 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-14 03:35 --------- d-----w c:\program files\Kyodai
2007-03-09 20:49 122,880 ----a-w c:\documents and settings\HP_Owner\Application Data\prg.exe
2009-02-10 01:58 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-09_19.16.57.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2009-02-10 20:59:01 16,384 ----atw c:\windows\temp\Perflib_Perfdata_428.dat
+ 2009-02-10 20:58:37 16,384 ----atw c:\windows\temp\Perflib_Perfdata_64c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EA1262C-7865-4D3F-9955-12D359CA1C91}]
c:\windows\system32\catsr.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-09 30192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0stera\0smrgdf c:\program files\iolo\System Mechanic 5\\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TurboNote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TurboNote.lnk
backup=c:\windows\pss\TurboNote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
backup=c:\windows\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a--c--- 2004-08-07 16:35 159744 c:\progra~1\HELPAN~1\Pavilion\XPHWWBF4Duet\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 12:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2004-03-04 09:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 20:42 659456 c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a--c--- 2004-06-07 20:53 49152 c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a--c--- 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a--c--- 2003-05-15 18:41 163840 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Utility Bar]
--a--c--- 2005-02-17 09:10 734208 c:\program files\iolo\System Mechanic 5\SMUtilityBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-04-21 20:28 286720 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 15:41 8192 c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a--c--- 2004-10-13 11:21 1694208 c:\windows\$hf_mig$\KB887472\SP2QFE\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLNRNote]
--a------ 2004-11-23 08:24 30720 c:\program files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRnote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 18:57 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-23 08:37 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2009-01-29 19:39 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-05 05:50 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2005-03-04 11:01 88209 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 04:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"UxTuneUp"=2 (0x2)
"SharedAccess"=2 (0x2)
"ProtectedStorage"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TurboNote\\tbnote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 Security Activity Dashboard Service;Security Activity Dashboard Service; [x]
R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-08-10 26488]
R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-09 30192]
R3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2005-01-21 17857]
S0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\DRIVERS\IABFilt.sys [2005-07-01 25344]
S0 pyytaxfq;pyytaxfq;c:\windows\system32\drivers\pyytaxfq.sys [2004-08-04 23424]
S1 aswSP;avast! Self Protection; [x]
S1 HMFAxCore9e7601803354626e599e36ff93023a2b;HMFAxCore9e7601803354626e599e36ff93023a2b;c:\windows\system32\drivers\HMFAxCore9e7601803354626e599e36ff93023a2b.sys [2007-04-15 15872]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]


--- Other Services/Drivers In Memory ---

*Deregistered* - _IOMEGA_ACTIVE_DISK_SERVICE_
*Deregistered* - Aavmker4
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - Aspi32
*Deregistered* - aswFsBlk
*Deregistered* - aswMon2
*Deregistered* - aswRdr
*Deregistered* - aswSP
*Deregistered* - aswTdi
*Deregistered* - aswUpdSv
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - BCMNTIO
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - BridgeMP
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - fasttx2k
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HMFAxCore9e7601803354626e599e36ff93023a2b
*Deregistered* - IABFilt
*Deregistered* - Iomega App Services
*Deregistered* - IomegaAccess
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MAPMEM
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$MICROSOFTBCM
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - pyytaxfq
*Deregistered* - RasAcd
*Deregistered* - RasAuto
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RemoteAccess
*Deregistered* - RpcSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SISAGP
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - symlcbrd
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - ZipToA
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-10 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOfferSilence@16 []

2009-01-25 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 15:59:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3119658614-1899647474-260270903-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Iomega\AutoDisk\ADService.exe
.
**************************************************************************
.
Completion time: 2009-02-10 16:07:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-10 21:07:15
ComboFix2.txt 2009-02-10 00:19:01
ComboFix3.txt 2009-02-02 00:11:34

Pre-Run: 126,009,425,920 bytes free
Post-Run: 125,930,455,040 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=11 Sets=,1,2,3,4,5,6,7,8,9,10,11
538 --- E O F --- 2009-01-31 13:46:53


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 15:52:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden files ...

IPC error: 2 The system cannot find the file specified.
scan completed successfully
hidden files: 0



#37
February 10, 2009 at 15:07:17
I still see part of the rootkit; run the following scan and post its log.

Once you get SDFix downloaded go offline, turn off your antivirus, and turn off any antispyware that you have, run SDFix from safe mode and restart the Antivirus before you get back on line to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt



#38
February 10, 2009 at 18:19:33

[b]SDFix: Version 1.240 [/b]
Run by Administrator on Tue 02/10/2009 at 08:51 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\WINDOWS\system32\service\18012009_TIS17_SfFniAU.log - Deleted

Folder C:\WINDOWS\system32\service - Removed


Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 21:10:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\TurboNote\\tbnote.exe"="C:\\Program Files\\TurboNote\\tbnote.exe:*:Enabled:TurboNote v3.4"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Mon 19 Jan 2009 281 A.SH. --- "C:\Boot.bak"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Mon 6 Oct 2008 24,450,376 A..H. --- "C:\Program Files\Flip Words 2\Flip Words 2.exe"
Thu 10 Jan 2008 5,334,344 A..H. --- "C:\Program Files\Jigsaw365\Jigsaw365.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sat 4 Mar 2006 4,789,792 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 22 Sep 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Thu 28 Dec 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 18 Aug 2008 1,832,272 A.SH. --- "C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP138\A0031612.exe"
Wed 30 Jul 2008 4,891,984 A.SH. --- "C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP138\A0031614.exe"
Thu 14 Aug 2008 1,429,840 A.SH. --- "C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP138\A0031616.exe"
Sun 18 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1544c59f923911a05608919ffd3e9c55\BIT17.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\15b0690e56762a748aad6ecc29243272\BITA.tmp"
Sat 31 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\170c3c62053f68ffefd8d8b49117f666\BITD.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1b8ce0f2f9497bd70baa1d4bdf6d2c99\BIT16.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4350856b371516e52918c9b84bf5ee97\BIT12.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\54c5a3d727bf789d1cfb4f62c9b49f79\BITC.tmp"
Sat 31 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\67df0a4eac3e90fd79db5b671e8945da\BITC.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7eaaf080fed508964bad4efaa8e8c209\BIT13.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8ba13a24b93c18ea903e9c7ceea34380\BIT10.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9407ff8f78ca16e2ac85358356496f17\BIT14.tmp"
Sat 31 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\94461090b88b06f3dc2ad3ee12acc337\BIT10.tmp"
Sat 31 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a0f05c1b8510387a77cfd6804eafdf09\BITF.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bd4a7277fb914e63f9f85bff4b389482\BIT11.tmp"
Thu 29 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cb32213b6388d5fe4824724c98fba263\BIT9.tmp"
Sat 31 Jan 2009 1,421,592 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eabea1caf3cf45a94cef1c5579ed7613\BITB.tmp"
Sat 31 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f2063794b3142a820db278f2946cf76f\BITE.tmp"
Sun 27 Apr 2008 0 A..H. --- "C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL1734.tmp"

[b]Finished![/b]



#39
February 10, 2009 at 18:57:13
Are you still being redirected?


#40
February 10, 2009 at 19:16:57
jabuck, No I am not, I don't know how to thank you. I am still working on getting TrendMicro Internet Security to install. I'm bothering their techs on installation issues. You are proof that there are nice people still in this crazy world!!! I will be coming back to this forum to try and tweak and speed up my machine. P.S. Do you know a site where I can check on necessary running processes and those that are probably not needed? Thanks again, and my thoughts and prayers will be with you. JOEGO


#41
February 11, 2009 at 17:42:26
jabuck, found a problem: error 1719, Windows Installer service could not be accessed. Tried MS solution but got this error: Could not start Windows Installer service on local computer. Error 2: the system cannot find the specified folder. Any fix in mind?


#42
February 11, 2009 at 18:57:25
Since your computer appears to be clean, try installing XP SP3.


#43
February 11, 2009 at 19:16:58
SP3 installed, still having a problem: error 1719, Windows Installer service could not be accessed. Tried MS solution but got this error: Could not start Windows Installer service on local computer. Error 2: the system cannot find the specified folder. Installed 32 updates also for SP3.

