Explore topic-wise InterviewSolutions in .

Processor-AMD Athlon 64 X2 DualCore 5600+
MB-Asus M2N-E
RAM-4gb
GCard-Nvidia GeForce 8800GTS 512mb
HD-250gb
Windows 7 64bit
About 2 weeks ago when I entered my password for my desktop the loading screen turned white and my desktop loaded with these generic gray toolbars and dialog boxes and instead of having colored BACKGROUNDS in dialog boxes they are white.  I checked around my system but couldnt find a problem.  Everything has been working so I havent messed with it.  I have had it with the white backgrounds so today I got into system restore to restore it to a pre/problem desktop but there was only one system restore point and it was only 4 days ago which really has me wondering what is going on.  Anyone have any Ideas?  I looked at another desktop on my COMPUTER and it was unaffected by whatever has been messing with my desktop and decided to make another desktop to use so I went to Manage Users and there was a desktop there that I had never seen before called "ASP.Net Machine Acct", they had even password protected it.  I assume it's someone hijacking space on my computer and causing these problems so I DELETED all their files.  I dont know how they did it but that desktop never showed up on the startup screen but was visible on the manage users window.My suspition is that someone DID NOT hack into your computer.

First of all, there are reasons why windows will revert back to the classic theme (it sounds like thats what your describing). Most often this happens because your GRAPHICS card is not good enough to handle the aero theme.

You also mentioned another USER account called "ASP.Net Machine Acct". That account is created by .NET. I don't know why, but I do know that it is not a threat.But what about system restore?  It should have had way more than 1 restore point.

Your comment has been removed. Please do not post malware ADVICE, or post here in the malware FORUM, UNLESS you NEED help.  If you want to help, please go here. Superdave.

I was thinking about writing a GUIDE to removing malware USING processxp and explain the sign of an infection, were most infected FILES are, how they START, and work so that people can get better at removing viruses themselves.

What do you think? Should I do this?

Hi, i have this malware, the problem is i can get into safe mode or anything to run MALWAREBYTES.  Any idea what i can do?A possible fix.
Quote

....booting an infected machine from a CD and running an operating system off the CD that treats the C disk as a data disk. You can then run anti-malware software
...
It turns out that this is a GOOD first step, but is not sufficient as the only step (see Part 3). There is great news ahead however. Both MalwareBytes and SUPERAntiSpyware are working on being able to mount the registry as a registry, EVEN when running outside the infected Operating System. This will be a big IMPROVEMENT and go further to making my scan-from-the-outside approach even better.booting an infected machine from a CD and running an operating system off the CD that treats the C disk as a data disk. You can then run anti-malware software.
http://www.michaelhorowitz.com/removespyware.html

method.torrent,patch ANYTHING,i know its not free,thanksWe won't HELP with such requests. THREAD closed.

From my most accessed anti malware thread posted by evilfantasy:

Quote

Step 3: SUPERAntiSpyware


* Under Scanner Options make sure only the FOLLOWING are checked:

    * Close BROWSERS before scanning
    * Scan for tracking cookies
    * Terminate memory threats before quarantining
    * Please leave the others unchecked

Myself don't know how to classify this question - stupid or not ? Anyway, just out of my curiosity.
Let's say there's an infected file on my computer. And being aware of this I just delete this one to Recycle Bin and then empty content of my recycle bin. Would this PROCEDURE do the same ACTION like using AV software to delete/clean such an infection ? Quote from: doer on February 18, 2011, 11:12:38 AM

Would this procedure do the same action like using AV software to delete/clean such an infection ?

Credit card company called and said there was suspicious activity on my card.  And yes there were charges that did not belong to me.  I know that with all of the electronic RECORDS and data bases that my card account was not necessarily stolen from my computer but could have been accessed from anywhere the card number flows through.  Having said that could someone please check the my logs and let me know if there is anything on my computer that should not be there?

My computer info:

Windows XP Home Edition
Version 2002
Service Pack 3

HP Pavilion
Pentium 4   3.00 GHz
3.11 GB RAM

Thanks in advance


SAS Log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/12/2011 at 10:01 PM

Application Version : 4.48.1000

Core Rules Database Version : 6387
Trace Rules Database Version: 4199

Scan type       : Quick Scan
Total Scan TIME : 00:22:05

Memory items scanned      : 462
Memory threats detected   : 0
Registry items scanned    : 1391
Registry threats detected : 0
File items scanned        : 35202
File threats detected     : 6

Adware.Tracking Cookie
   ad.yieldmanager.com [ C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\gvl4dpcz.default\cookies.sqlite ]
   ad.yieldmanager.com [ C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\gvl4dpcz.default\cookies.sqlite ]
   ad.yieldmanager.com [ C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\gvl4dpcz.default\cookies.sqlite ]
   ad.yieldmanager.com [ C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\gvl4dpcz.default\cookies.sqlite ]
   ad.yieldmanager.com [ C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\gvl4dpcz.default\cookies.sqlite ]
   .content.yieldmanager.com [ C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\gvl4dpcz.default\cookies.sqlite ]



MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5751

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/12/2011 9:33:53 PM
mbam-log-2011-02-12 (21-33-53).txt

Scan type: Quick scan
Objects scanned: 163962
Time elapsed: 4 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
FOLDERS Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



HJT Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:40:44 PM, on 2/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\JAVA\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://ezproxy.nwtc.edu
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (FACEBOOK Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - http://aolsvc.aol.com/onlinegames/free-trial-mystery-solitaire-secret-island/SpinTopGamesLauncher.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.93.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs:        C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 8986 bytes

You need to talk to you credit card company.
The only threats were tracking cookies.
Quote

Tracking cookies do NOT steal passwords or your fianicial data.

For the last few days when clicking in to my AOL email ACCOUNT I have been getting a PAGE - "Error Code 418 - please try later".  I try again immediately and get through no problem.  Apparently Error Code 418 is some sort of APRIL Fool practical joke.  How can I get rid of this IRRITATION?  Is it a virus?

Advice appreciated.

It's only a QA JOB and I have a rough idea of how I'm GOING to answer QA-y related questions.

However while I would consider myself moderately versed in malware lingo, I was wondering what people's thoughts were on what they would consider "basic" level malware knowledge and MAYBE a little bit of ADVANCED stuff.

I've considered looking at the malware "SCHOOLS" posted in the sticky, but I only have 2 days to prepare for this so that probably not going to work for me.

Hi,

I have a 6 year old Dell Inspiron 5150.  I've had many problems with it over the years, and CH has done a great job of extending it's life. 
I'm not sure if this latest problem is spyware/hardware, or old age.

Yesterday I was on MS Word, I was trying to cut and PASTE some of the text, so I highlighted it with my mouse, right clicked copy, then paste.  After that the rest is fuzzy, what I do know is since my computer has been opening, closing, things at it's own will.
I got a message even stating that the computer's ctrl button was being held down.  I tried restarting, but to no avail (it asked for some reason if since ctrl was being held down if I wanted to go in safe mode).

I have no clue why this is occurring.  I am not holding down ctrl, I checked, the button is not jammed, so far as I can tell.
Any ideas on the problem/solution or is it time to trash?  It's be nice to at least be able to retrieve my files..which at this point I can't.
Thanks.Not to state the obvious, but the first thing you want to do is try a different keyboard and/or try this keyboard on a different system. Quote from: Allan on January 31, 2011, 10:42:47 AM

Not to state the obvious, but the first thing you want to do is try a different keyboard and/or try this keyboard on a different system.

Hey guys,

I have a lot of experience with computer hardware and software, but on antivirus I'm a newbie. I am playing CALL of Duty Black Ops, and this guy released a mod for it, and it comes with a loader.exe to load the mod. But Norton says there's a virus in it called Suspicious.Cloud.2. The guy who released the mod claims it is unrightfully being labeled as a virus. Is it possible? I thought that if it was indeed unrightfully labeled as a virus, it would be SEEN as a trojan?

ANYWAY, I just need to know if there is a chance that this is indeed an actual virus and what the creator of it could potentially do with it?

Thanks in advance. Here's a screenshot:

http://www.blazed-esports.com/forum/uploads/images/1296918290-U2.pngIs it possible an av thinks a legitimate file is malicious? Yes. Is that the case with this particular file? I don't know. QUOTE from: Antivirusn00b on February 05, 2011, 09:45:27 AM

Norton says there's a virus in it called Suspicious.Cloud.2. The guy who released the mod claims it is unrightfully being labeled as a virus.

If you download this, say good bye to your steam account.

This is a f****** virus you MORONS. It steals your steam account

It is a VIRUS and does not work. I'm not saying that because I don't like cheaters because I was going to use it but it is a load of crap.

how do you remove the exe that keeps running every time it starts up windows?

i lol'd every stupid noobs who downloaded this ROFL

The red Windows Security shield icon keeps telling me my antivirus isn't turned on or it's out of date.  My green Microsoft Security Essentials castle icon tells me it is working and is up-to-date.  Am I supposed to have Windows antivirus turned off because I have MS Sec. Ess.?  If they're both turned on aren't they competing with each other and overtaxing my CPU?  If I have the Windows Security do I not need the MS Security Essentials?  Are they doing different things?  The Windows product MENTIONS a Firewall but the Security Essentials doesn't.  you should only have one AV in your pc as they might be in conflict or cause problems , i would keep MSE

disable the windows one , but i would delete it altogether

you will still have the firewall workingWhat is Windows Anti Virus? Quote from: Allan on January 28, 2011, 03:41:05 PM

What is Windows Anti Virus?

Windows Security Center is not an AV

Do you GET it by going to a bad site or by downloading something? Do you only get it if you use google to search, or does it APPLY to other search engines as well? And what does it affect exactly... the browser, search engines, entire computer systems, etc.

The more info the BETTER. Thanks


You can get infected by going to unsafe sites or you could be HIT by a drive-by infection. I had my laptop infected just by searching for a free AV program. Infections mainly affect the computer system. Please find more information below.
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.Maybe he wants the virus. 
Would you like someone to SEND it to you?

Is it okay to RUN multiple maleware, say Panda, Threatfile, and Ibit security 360 at the same TIME?You can run multiple security apps, but NEVER have more than one Anti Virus APP RUNNING at the same time.Or more than one firewall.

Ok, i gat dis dis dell desktop, 40gig hdd, 512mb ram, proc.spd 866, service pak 3, wiv os window 7 vienna, tho  i luv dis os n it makes it hard 4 me to format d system, cos i aint at ma grasp nemore!  D probs is dat wenever i insert a flash into it, havin collected sumtyn 4rm sum1, ma system sees d file, as a shortcut(1kb) evn if wot i collectd is 10gig! N wen dis same flash enters into anoda system(laptop) tho antivirus myt n maynt detect anythyn bt either way, d file still remains a short cut n later d EFFECT myt crash such a laptop(2 crashed laptops) bt ol it does on ma system is that it slows down evrythn, lyk game n corrupts sum of ma appls, lyk virtual dj n so on, bt ma antivirus(es) havnt n dont detect anythang( avast n avg)! Now i cnt collect stuffs 4rm pple n i cnt give out n i dnt wana 4mat d system, pls help! Its drivin me nutts! Can't read your post. Please use real English with punctuation. Thank you. Quote from: Allan on January 12, 2011, 05:36:26 AM

Can't read your post. Please use real English with punctuation. Thank you.

Is this a joke?

it sounds/reads a bit like they speak in Trinidad and Tobago and around the west indies

or maybe its spam

HELP ME GET THIS OFF PLEASE:) I have tried several tactics to get it off it hasn't helped. I tried to use the micosoft cleanup wizard, that did not work. That ended up crashing my pc. I had to go in under safe mode to try to do a microsoft system restore. That did not work. So i had to do a dell imaging restore. that worked to at atleast get my pc to boot properly. But i'm still stuck with this trend micro that i can't uninstall nor reinstall. I then got norton internet security 2010, HOPING that would override the trend micro. that did notwork either. my computer is a dell 580 with windows 7 home premium. When i try to reinstall it says it hasn't been uninstalled that i should click on uninstall. i do tha and the uninstall screen pops up and when it gets to servers and drivers it stops and says it has been interrupted and to try again later. I just don't know what to do.http://esupport.trendmicro.com/4/How-do-I-remove-Trend-Micro-Internet-Security-Pro-and-Trend-Micro-Inte.aspxThat did not work it was for trend micro 2008. THANKS for the reply though.
 Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
link #2

Close any open web browsers (Firefox, Internet EXPLORER, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to SEE a list of security programs that should be DISABLED and how to disable them.

Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts. (you will receive a UAC prompt, please allow it)

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixthe combofix.exe won't work it is not for my os. I have windows 7. That is for xp or vista. Thank you once again for the help.
Download and rename HijackThis.exe (HJT)

* Double-click on HJTInstall.
* Click on the Install button.
* It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
* Upon install, HijackThis should open for you.

* If using Windows Vista, Right-click and Run As Administrator.
* Click on the Do a system scan and save a log file button
* HijackThis will scan and then a log will open in notepad.
•Copy and Paste the entire contents of the log in your post.
.
Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
.
Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

•Start HijackThis
•Click on the Misc Tools button
•Click on the Open Uninstall Manager button.
•Click on the Save list... button and specify where you would like to save this file. When you press Save button a Notepad will open with the contents of that file. Save the file to your desktop.
Copy and paste this file in your next reply.

My problem has been fixed by trend micro. I still could not reinstall trend micro, but i was able to install norton. when trend micro was uninstalling itself it corrupted my network driver. I then called dell for a update. now my computer is now back to normal YAY

Hello all
First off. I know there are steps to do before I ask for help, but I have been unable to do them.
I am working on a familiy members computer. that cant connect to the internet to d/l the various software you all like to use
I d/l the software to a thumb drive, but the computer wont reconize the drive. I was told that the thumb drive could be ACCESSED when in safe mode, so I tried that
This computer used to be part of a network, and nobody can remember the password'
I'd reformate, but there are some FILES that would like to be saved.
Any Ideas?
Thanks in advance
MelI was able to acess the computer using admin
I BURNT avg,SAS and Mban to a cd
I tried several times to install AVG and the computer would restart itself when it would reach about 14%
The other software wouldn't even start to install
Since then I have been able to install AVG in safe mode, and am running a scan now
None of the usb ports work even though device manager SAYS all are working
I'm afraid to hook this computer to my network, because I dont want my other computers to get infected also
Any advice?
Thanks   MelGo to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for whichever method you choose.

I just got Kaspersky Antivirus 2010 trial for 30 days and after a scan it says:

(suspicious files)
- x:/programs/bblean/BLACKBOX.exe 'PDM.Invader (loader)'
- x:/programs/kerio/firewall/KPF4GUI.exe
- x:/programs/mirc/mirc6.16/mirc.exe

Should I get rid of these injection-prone apps (PDM.Invader (loader)) or are they false positives?
I mean, I downloaded bblean from their original website (google for bblean) and Kaspersky says it's riskware.. I don't get it.
Then also some others are marked as not-a-virus:xyz(loader)..

Any ideas?

Treval
I know the answers to all of that as I use Kaspersky Internet Security 2010 myself, but not allowed to tell you here on this 'lol' of a so-called help forum because it's in the viruses and spyware section (and I'm not a specialist) 

I bet they will just get you running ComboFix for all your life problems instead!

Here's a clue - 'PDM.Invader (loader)' is a behavioral detection from Proactive Defense.

Kaspersky reporting riskware isn't a virus, but a possible security risk/hole. It's a potentially dangerous application, even if it's a legitimate one.

Quote

I know the answers to all of that as I use Kaspersky Internet Security 2010 myself, but not allowed to tell you here on this 'lol' of a so-called help forum because it's in the viruses and spyware section (and I'm not a specialist) 

Mirc a riskware due to the way it runs P2P and because it can be scripted to perform malicious activities.

x:/programs/mirc/mirc6.16/mirc.exe

I bet they will just get you running ComboFix for all your life problems instead!

yes, your method of googling each of them and pasting the text from one of the hits is far more effective.

Unwanted apps

Probing access

I did the pre-requisite readings before posting this, but I can't seem to figure anything out.

I'm getting the "Application cannot be executed...file is infected" popup what seems like every 30 seconds randomly and every time I try to run Notepad or any program. I only seem to be able to open Firefox. At first it was the XP Internet Security 2010, then Antivirus Soft, and various other "security" popups.

I tried to run rkill to generate a log, but I'm not sure it works. I get a quick MS-DOS screen, but almost instantly it gets shut down by the "Application cannot be executed" popup. Where is the log supposed to be generated?

Thanks in advance for any help. I'm getting pretty frustrated here.   Sorry, forgot to add that I am running Windows XP (I think SP3, cannot open my system information in control panel so cannot be 100% sure).  Try not to restart the computer until one of the tools we use does it  for you or tells you to.

If one of the tools will not run just go on to the next one. Save the logs to post in your next reply.

1) Please download and run the below  tool named Rkill (courtesy of BleepingComputer.com) which  may help allow other programs to run.
 
There are 4 different  versions. If one of them won't run then download and try to run the next  one.
 
Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get WARNINGS from your  antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

*  Double-click on the Rkill desktop icon to run the tool.
*  If using Vista or Windows 7 right-click on it and  choose Run As Administrator.
* A  black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* When finished it will create a log.
* Please post the rkill.log in the next reply.

*  If Rkill does not run from the first link, delete the file, then  download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until  the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.


Once you've gotten one of them to run then try to immediately run the following.


2) Download and run exeHelper

*  Please download  exeHelper from Raktor to your desktop.
* Double-click on  exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
*  Add the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs  together (they will both be in the one file).


3) If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:

* Update Malwarebytes' Anti-Malware
* Launch Malwarebytes' Anti-Malware

* Then click Finish
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


Logs needed:

• Rkill
  
• exeHelper
  
• Malwarebytes

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as ZACK MORRIS on 02/25/2010 at 22:07:45.


Processes terminated by Rkill or while it was running:

exeHelper by Raktor

Memory items scanned      : 385
Memory threats detected   : 0
Registry items scanned    : 5279
Registry threats detected : 1
File items scanned        : 30144
File threats detected     : 23

Adware.Tracking Cookie
   C:\DOCUMENTS and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][3].txt

Rogue.AntivirusSoft
   HKU\S-1-5-21-2996800989-1999048823-2621022130-1006\Software\avsoft

Trojan.Agent/Gen-Faker
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1316\A0193300.EXE

Adware.Vundo/Variant-[Fixed]
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1316\A0193302.DLL

Malwarebytes' Anti-Malware 1.43
Database version: 3740
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/27/2010 3:42:41 PM
mbam-log-2010-02-27 (15-42-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 229289
Time elapsed: 1 hour(s), 7 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tabasifil (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hosalajono (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nlauipn.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.88,93.188.161.39 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{570ac077-8bd7-4f49-8f6c-b5871d60abaa}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.88,93.188.161.39 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\nlauipn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\11.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\14.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1B.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Bvij.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\F.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mcmbyn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00007fc3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Memory items scanned      : 370
Memory threats detected   : 0
Registry items scanned    : 5278
Registry threats detected : 0
File items scanned        : 88942
File threats detected     : 3

Adware.Tracking Cookie
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
   C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt

Malwarebytes' Anti-Malware 1.43
Database version: 3740
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/27/2010 5:32:44 PM
mbam-log-2010-02-27 (17-32-44).txt

Scan type: Quick Scan
Objects scanned: 136946
Time elapsed: 11 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Object         Detection   

rkill.pif                 HIDDENEXT/Crypted
D4EF690Ad01         TR/Dropper.Gen
jar_cache52099.tmp   TR/Dldr.Java.Agent.AH.1
rigslhn.exe         TR/Crypt.XPACK.Gen
rsxeamwonc.tmp        TR/Dldr.Mufanom.muo   
all.pdf            EXP/Pdfka.bpf
newplayer.pdf         EXP/Pdfka.bmg
rkill.pif                 HIDDENEXT.Crypted
jar_cache52099.tmp   TR/Dldr.Java.Agent.AH.1
rigslhn.exe          TR/Crypt.XPACK.Gen
rsxeamwonc.tmp         TR/Dldr.Mufanom.muo
all.pdf            EXP/Pdfka.bpf
newplayer.pdf         EXP/Pdfka.bmg
A0190740.exe        TR/Crypt.XPACK.Gen

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Does any one can tell me what are the necessary anti virus software to be USED to prevent Virus, Mal ware and Trojans? Currently am using AVIRA Premium security suit with updated virus definitions and spy BOT search and destroy.Any suggestions please??

regards
rajaThis question is asked and answered at least once a week. Please do a search on this forum and you'll find lots of responses. Quote from: Allan on March 15, 2010, 09:22:51 AM

This question is asked and answered at least once a week. Please do a search on this forum and you'll find lots of responses.

Are you looking for free programs?

I hope someone can HELP me, I feel like I'm crazy.

I logged into my YAHOO Mail yesterday and ever since, the letter 'l' or 'k' keep repeating over and over. I doubled checked the keyboard and ran both a virus and spyware scan which have turned up nothing unfortunately.

The key is DEFINITELY not stuck, but I am!

Has anyone experienced this and knows what to do? I say another post like this and wanted to ADD that there is no special background or error message that pops up. I can't type anything because the bars keep filling up with 'k'

Thanking you in advance!
Tracy try another keyboard.I SUPPORT the above suggestion, but for testing purposes, it might actually be easier to just unplug your keyboard.  When the screen starts filling up with letters, unplug the keyboard and see what happens.  If the letters stop, then you either need to clean or replace your keyboard.

I am almost certain that your keyboard is the problem, but this will let you test it before buying a new one.  Give it a try and let us know what happens.

I got rid of most of the viruses(I thought) but I'm TRYING to do a clean install of XP and it just takes be to a blue screen that says

a problem has been detected.......

driver_irql_not_less_or_equal

please help I'm going crazy and I don't have money to pay to fix this.are u booting to the disk and where do u get this screen
You said that you're trying to do a clean INSTALLATION of XP... Have you TRIED the steps int this link: How do I install Microsoft Windows XP.

Also, when did the error comes out?

Please see this link also: Windows STOP DRIVER_IRQL_NOT_LESS_OR_EQUAL error

Hi all, I installed WINTER funpack2004 for WINDOWS xp forgetting that i have WINDOWS 7 OS installed on my computer. It will not UNINSTALL and I have tried using sytem restore but I get an error message (OX8007005) saying to disable my ANTIVIRUS which is Avira Antivir Premium. I did this but still it will not uninstall and I get the same error message from system restore. Any IDEAS? thanks

Earlier today i tried to download a file of mediafire called Justin Vernon Self-Record
As soon as I downloaded it my computer freaked out, my default internet browser was changed from Flock to Internet Explorer. I just got a popup that SAYS "Vista Internet Security 2010 - Unregistered Version" it says I have 22 critical system objects and lists what could happen to my system then gives me the options to register my copy of vista internet security 2010 or remind me later. I also got a pop up from the same company that "scanned" my computer, I've attached a screenshot.

About three boxes popped up, that screenshot, another one with a red bar on top saying my system was infected and Windows Security Center or something like that which says my  firewall and malware protection are off, to be honest I'm not sure it was ever on but I'm 98% sure it was because I've never had a problem with it before. When i type in Security in the Start Search bar it says theres a Windows Firewall and Advanced Security and Security Center which is the one i have problems with. I've attached another screenshot of this. Every time i open a program, it always ends up the last program listed in my start bar and for some reason Security Center does not end up on that list but Windows Firewall and Advanced Security does. When I try and click anything in Security center, whether it be "System Restore and Backup" or "Turn on now" it just pops up with that scan again

My sister had a similar thing happen last week except it progressed and she wasn't able to open anything. It would say the application could not be executed (Please look at my previous thread), so we were told to do a system restore, we did except now none of the programs will open because it can't be associated with something.

The same virus program just gave another pop up saying sensitive data may be sent over my internet connection right now. It lists the IP it was attacked from, port number, the thread (Lemena.3544) But i had also gotten this earlier and it was called Worm something.

I have Norton Internet Security and have been running a full system scan, it hasn't caught anything.

I was just about to post this when suddenly this tab closed. All three of my other tabs stayed open except for the one I was about to post. Maybe I'm just paranoid, but it makes me think that it KNOWS what I'm saying and doing. I don't mean to sound frank or rude, I'd just like to get this done before this tab randomly closes.

Please, if you have any suggestions or answers, I'm open to anything however I am a newbie and am hesitant to inflict any further damage

[Saving space, attachment deleted by admin]Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.I really hope I did this right 





ComboFix 10-02-24.01 - Cynthia 02/24/2010  19:18:52.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3002.1805 [GMT -8:00]
Running from: c:\users\Cynthia\Downloads\ComboFix.exe
AV: ResolutionsMSP *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2819002435-850761837-2018973860-500
c:\$recycle.bin\S-1-5-21-506404324-59653650-1567083677-500
c:\users\Cynthia\AppData\Local\av.exe

.
(((((((((((((((((((((((((   Files Created from 2010-01-25 to 2010-02-25  )))))))))))))))))))))))))))))))
.

2010-02-25 03:28 . 2010-02-25 03:28   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-02-25 03:28 . 2010-02-25 03:28   --------   d-----w-   c:\users\Guest\AppData\Local\temp
2010-02-25 01:56 . 2010-02-13 01:41   558448   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-25 01:34 . 2010-02-03 09:00   1324720   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\NAVEX15.SYS
2010-02-25 01:34 . 2009-08-25 08:00   177520   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\NAVENG32.DLL
2010-02-25 01:34 . 2009-08-25 08:00   1647984   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\NAVEX32A.DLL
2010-02-25 01:34 . 2010-02-03 09:00   84912   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\NAVENG.SYS
2010-02-25 01:34 . 2009-08-26 08:00   102448   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\ERASER.SYS
2010-02-25 01:34 . 2009-09-22 08:00   259440   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\ECMSVR32.DLL
2010-02-25 01:34 . 2009-08-26 08:00   371248   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\EECTRL.SYS
2010-02-25 01:34 . 2009-12-09 09:00   2747440   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\CCERASER.DLL
2010-02-25 01:30 . 2010-02-25 01:30   --------   d-----r-   c:\program files\Norton Support
2010-02-20 01:35 . 2009-10-28 22:37   811896   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-20 01:35 . 2009-10-28 22:37   329592   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-20 01:35 . 2009-10-28 22:37   343088   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-20 01:35 . 2009-10-28 22:37   488312   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-20 01:35 . 2009-10-28 22:37   466992   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-18 08:22 . 2010-02-18 08:22   --------   d-----w-   c:\program files\iPod
2010-02-18 08:10 . 2010-02-18 08:10   72488   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-10 15:09 . 2009-12-11 12:07   301568   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-02-10 15:09 . 2009-12-11 12:07   98304   ----a-w-   c:\windows\system32\drivers\srvnet.sys
2010-02-10 15:08 . 2009-12-08 20:52   3597912   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-10 15:08 . 2009-12-08 20:52   3546200   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-10 15:08 . 2009-12-08 20:52   897624   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2010-02-10 15:06 . 2009-12-28 12:35   1314816   ----a-w-   c:\windows\system32\quartz.dll
2010-02-10 15:06 . 2009-12-28 12:32   22528   ----a-w-   c:\windows\system32\msyuv.dll
2010-02-10 15:06 . 2009-12-28 12:32   31744   ----a-w-   c:\windows\system32\msvidc32.dll
2010-02-10 15:06 . 2009-12-28 12:32   13312   ----a-w-   c:\windows\system32\msrle32.dll
2010-02-10 15:06 . 2009-12-28 12:31   50176   ----a-w-   c:\windows\system32\iyuv_32.dll
2010-02-10 15:06 . 2009-12-28 12:35   11776   ----a-w-   c:\windows\system32\tsbyuv.dll
2010-02-10 15:06 . 2009-12-28 12:31   82944   ----a-w-   c:\windows\system32\mciavi32.dll
2010-02-10 15:06 . 2009-12-28 12:28   65024   ----a-w-   c:\windows\system32\avicap32.dll
2010-02-10 15:06 . 2009-12-28 12:32   123904   ----a-w-   c:\windows\system32\msvfw32.dll
2010-02-10 15:06 . 2009-12-28 12:28   91136   ----a-w-   c:\windows\system32\avifil32.dll
2010-02-10 15:05 . 2009-12-04 16:12   105472   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 15:05 . 2009-12-04 16:12   212992   ----a-w-   c:\windows\system32\drivers\mrxsmb10.sys
2010-02-03 03:01 . 2010-02-03 03:01   --------   d-----w-   c:\programdata\EA Core
2010-02-03 03:00 . 2010-02-03 03:00   --------   d-----w-   c:\programdata\Electronic Arts
2010-01-28 00:36 . 2009-10-28 22:37   329592   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSXpx86.sys
2010-01-28 00:36 . 2009-10-28 22:37   811896   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\Scxpx86.dll
2010-01-28 00:36 . 2009-10-28 22:37   488312   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSxpx86.dll
2010-01-28 00:36 . 2009-10-28 22:37   343088   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSvix86.sys
2010-01-28 00:36 . 2009-10-28 22:37   466992   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSviA64.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 07:56 . 2009-08-15 06:26   --------   d-----w-   c:\users\Cynthia\AppData\Roaming\LimeWire
2010-02-23 07:00 . 2009-10-12 02:54   --------   d-----w-   c:\users\Cynthia\AppData\Roaming\Corel
2010-02-23 06:58 . 2009-10-12 02:54   952   --sha-w-   c:\windows\system32\KGyGaAvL.sys
2010-02-23 02:35 . 2009-08-11 10:25   6080   ----a-w-   c:\users\Cynthia\AppData\Local\d3d9caps.dat
2010-02-18 08:23 . 2009-06-26 09:20   --------   d-----w-   c:\program files\iTunes
2010-02-18 08:22 . 2009-06-26 09:16   --------   d-----w-   c:\program files\Common Files\Apple
2010-02-14 08:21 . 2010-01-22 23:21   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2010-02-14 08:20 . 2010-01-22 23:22   38784   ----a-w-   c:\users\Cynthia\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-11 15:09 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2010-02-03 02:59 . 2009-06-09 22:48   --------   d-----w-   c:\program files\Electronic Arts
2010-02-02 06:33 . 2009-06-24 00:23   --------   d-----w-   c:\program files\Flock
2010-01-21 23:48 . 2008-10-23 10:52   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-01-17 06:06 . 2009-06-26 09:21   --------   d-----w-   c:\users\Cynthia\AppData\Roaming\Apple Computer
2010-01-17 06:04 . 2009-06-26 09:16   --------   d-----w-   c:\programdata\Apple
2010-01-02 06:38 . 2010-01-22 00:09   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 00:09   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 00:09   71680   ----a-w-   c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 00:09   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2008-10-23 10:05 . 2008-10-23 09:55   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-25 175128]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-25 153112]
"AMTDeviceService"="c:\program files\AMT Media Manager\AMTDeviceService.exe" [2009-01-21 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-20 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
="Service"

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 2:25 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1008000.029\BHDrvx86.sys [2/2/2010 2:25 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1008000.029\cchpx86.sys [2/2/2010 2:24 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys [2/19/2010 5:35 PM 343088]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 2:24 PM 117640]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [10/23/2008 2:56 AM 365952]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/31/2009 12:22 AM 24652]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [10/23/2008 1:55 AM 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/29/2009 11:09 PM 102448]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [12/5/2008 1:25 AM 112640]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1008000.029\symndisv.sys [2/2/2010 2:25 PM 48688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-02-24 c:\windows\Tasks\HPCeeScheduleForCynthia.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-23 18:34]

2010-02-25 c:\windows\Tasks\User_Feed_Synchronization-{6585B70F-EAFB-4C96-9643-B24DA9996293}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim6 - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-SR Splash - c:\program files\SR\SRSplash.exe
HKLM-Run-SRLogon - c:\program files\SR\srlogon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 19:29
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Denied: (A) (Users)
Denied: (A) (Everyone)
Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
Denied: (A) (Users)
Denied: (A) (Everyone)
Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
Denied: (A) (Users)
Denied: (A) (Everyone)
Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-24  19:33:40
ComboFix-quarantined-files.txt  2010-02-25 03:33

Pre-Run: 196,952,645,632 bytes free
Post-Run: 197,864,738,816 bytes free

- - End Of File - - 05ABAF7A4FBFE45B6A7DCB493E95630F
Hi again. Please do these steps in order.

1. Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your WORK before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your MACHINE. If it does not, please manually reboot the machine yourself to ensure a complete clean.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic

• MBAM log
• SAS log
• ESET log

• Go to Control Panel and select System and Maintenance
  
• Select System
  
• On the left select Advance System Settings and accept the warning if you get one
  
• Select System Protection Tab
  
• Select Create at the bottom
  
• Type in a name i.e. Clean
• Select Create

• Go back to the System and Maintenance page
  
• Select Performance Information and Tools
  
• On the left select Open Disk Cleanup
  
• Select Files from all users and accept the warning if you get one
  
• In the drop down box select your main drive i.e. C
• For a few moments the system will make some calculations
• Select the More Options tab
  
• In the System Restore and Shadow Backups select Clean up
  
• Select Delete on the pop up
  
• Select OK
• Select Delete

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

I actually had this on my computer for a few months.

Symantec Security Response - Back Door Found in Energizer DUO USB Battery Charger Software

http://www.kb.cert.org/vuls/id/154421
http://www.bleepingcomputer.com/forums/topic300933.html
I bet they're looking for that Liu guy. Pretty SCARY stuff, a trusted company unknowingly giving out a virus to its CUSTOMERS. Hard to believe. You are not safe with a battery charger.
So what next? TROJANS in my AUTOMATIC coffee pot?  Quote from: Geek-9pm on March 10, 2010, 12:40:31 AM

Hard to believe. You are not safe with a battery charger.
So what next? Trojans in my automatic coffee pot? 

I'm using Kaspersky Internet Security.  I downloaded a single mp3 from a legal SITE and scanned the file as i do with everything that i download. 

"2 objects scanned, no threats detected"

While i trust Kaspersky, i've NEVER seen an mp3 come up as 2 files.
Can anyone shed some light on this for me?The file has two data streams.

When you download a file, Internet Explorer and most browsers automatically add a data stream to the file, indicating that it is a downloaded file. For example, if you try to run an application with this stream present, Windows will display the "security warning" and tell you that files from the internet may not be secure, BLAH blah. Basically- it uses this stream to "know" if a file was downloaded.

An Alternate Data Stream is a feature of the NTFS file system that NT-based Windows Operating Systems have used. It basically makes a File have more then one set of data associated with it- the "NORMAL" data is in fact stored in a stream called "$DATA" that will be opened if no specific stream name is specified.

Most programs can open Alternate Streams- notepad, for example, can be told to save a file called "file.txt:hidden." if you open file.txt, you'll find that you cannot see  the text you just saved! In order to view your secret data, use "file.txt:hidden." to open the file again.

If your curious about Alternate Data Streams, I have released a program called "BCStreams" that lets you view the alternate data streams of a file: http://bc-programming.com/index.php?page=downloads.

However, since that is a command-line tool and I have not yet created an easier to use GUI tool for it, you MIGHT prefer to use something like the JSWare StreamViewer, which adds a new tab to the "properties" dialog of any file, listing the alternate data streams that exist in it.

I've received two such messages QUITE RECENTLY.  I don't recall ever receiving any before these.  But, I see this is not a new hoax; it's actually been going on for quite awhile.  See this: United Parcel Service - Fake email for package non-delivery .  Of course, if you RECEIVE ONE of these, do not open the attachment.

I just switched to a Mac. Can the experts tell me which firewall, antivirus, and antispyware programs are essential for MACS? Would INSTALLING any of these have a downside to my computer's performance, etc?

I want to stay as safe when using the INTERNET as possible. ThanksMac VIRUS are not as widespread as Windows virus. But it is out there.

http://mac.majorgeeks.com/downloads29.html

I have no idea what sort of performance impact it might have.Hi EVIL, thanks for the link. I'll have to look more into ClamXav.

I SEE SpywareGuard 2.2 touted as a good free real-time antimalware app that makes a great compliment to SpywareBlaster. But can anyone confirm that for me, and that it's definitely a different app than SPYWARE Guard 2008 & 2009? It had better be, because the latter is said to actually be a sophisticated rogue antispyware. Check these LINKS out:

How to remove Spyware Guard 2008?
http://www.2-viruses.com/remove-spyware-guard-2008

How to remove Spyware Guard 2008 and Spyware Guard 2009
http://www.bleepingcomputer.com/virus-removal/remove-spyware-guard-2008

Spyware Guard 2009 Removal Guide
http://www.spywareremove.com/removeSpywareGuard2009.html


And assuming SpywareGuard 2.2 is OK, will it run with Avast Free Antivirus 5.0.418?

This is the real Spywareguard. http://www.javacoolsoftware.com/spywareguard.html

But like I said in the other topic it is past it's time as an effective TOOL.

Quote

SpywareGuard works on Windows 98, ME, NT, 2000, XP. Not tested on Vista.

I have some questions about antispyware apps:

1. I know you're not SUPPOSED to run 2 antivirus apps at once, but that you CAN run 2 scanner-only antispyware apps at once. But should you not run 2 real-time-protection antispyware apps at once?

2. Other than the fact that spyware "spies", just what is the difference between a virus and a spyware app? In other words, why can you run one antivirus app at the same time as a real-time-protection antispyware app?

3. Do all antispyware that offer real-time protection constantly run in the background to prevent the installation of malware, WHENEVER an attempt is made to open a file or launch an application? Do they all also offer manual and/or scheduled system scans?

4. Does Comodo AntiVirus + Firewall include antispyware functionality?

5. Does Spyware Terminator include antivirus functionality? Quote from: BobLewiston on March 09, 2010, 06:14:12 AM

I have some questions about antispyware apps:

1. I know you're not supposed to run 2 antivirus apps at once, but that you CAN run 2 scanner-only antispyware apps at once. But should you not run 2 real-time-protection antispyware apps at once?

There is no reason to have more than one antispyare app resident at any given time. Use either MalwareBytes or Super AntiSpyware if you want the current best of breed. You may scan with as many different apps as you like (though not simultaneously).

2. Other than the fact that spyware "spies", just what is the difference between a virus and a spyware app? In other words, why can you run one antivirus app at the same time as a real-time-protection antispyware app?

http://www.squidoo.com/spyware-vs-virus

3. Do all antispyware that offer real-time protection constantly run in the background to prevent the installation of malware, whenever an attempt is made to open a file or launch an application? Do they all also offer manual and/or scheduled system scans?

Yes, real time protection requires the program to "run in the background" (or remain resident). You can schedule full scans with most good ones. Again, MalwareBytes & Super AntiSpyware would be my recommendation(s).

4. Does Comodo AntiVirus + Firewall include antispyware functionality?

Don't know - have you visited their WEBSITE?

5. Does Spyware Terminator include antivirus functionality?

No IDEA, but it would not be my first choice (see above).

Hi ,
 
 I have a security question , i used avast 5.0 and online armour firewall last version of it.

 When both programs are running after a while, 10 minutes LETS say, i could not connect to Internet , my Internet connection is stopped and WIN32 svc host error occurs. After i REBOOT uninstall Online Armour firewall the system is running ok.

 I believe that using last version of security software may be an issue for old Win Xp sp2 operating system.   

 I just want to ask, which are in your opinion best security recommended tools for Win xp sp2.

Thanks  Online Armour is actually one of the best but it might not be agreeing with your computer. You could try asking in their forums if they know of a solution. http://support.tallemu.com/vbforum/

Or try another firewall.

Remember only install ONE firewall

1) Online Armor
2) Agnitum Outpost
3) PC Tools Firewall Plus
4) Comodo Personal Firewall (Uncheck during installation "Install Comodo HopSurf..", Ask.com search provider" and "Make Comodo HopSurf.com Search my homepage"Hi,

 Thanks for the message.

  I will check on tall emu forums for more details .

Regards,Your welcome. Good LUCK!Are you sure that the windows firewall has been disabled? That may cause some confliction if both firewalls are enabled at the same time.

Hello, a few weeks ago I had alerts from ThreatFire saying that "c:\2F2FE1D9C8463A4E6C7466B1CF9E03AD\MPSIGSTUB.EXE"
was trying to modify another program, copy itself to multiple locations, I clicked ignore to these after looking it up, and finding out that mpsigstub.exe was related to windows malicious software remover. When I  TRIED to LOOK inside the folders, they renamed themselves. I started to panic when I found out that its normally in the system32 folder, so my friend came ROUND to help me delete it and remove the registry changes it had made. I know that was a virus, but I'm not sure about these:

Not so long ago a very similar directory had been created again, this time with stub.exe in it. I deleted them, and ran an anti virus scan.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report09186521\WER11A7.tmp.hdmp and C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report11188777 were infected and quarantined . stub.exe was also trying to modify other programs etc.
 
Just today I found two more directories with similar names, such as 70d953ce1268e4d3b8, with eventlog.txt in them. I haven't got any warnings as far as I know, so I want to know if this is the same virus, or even if its actually a virus at all, and I'm just being paranoid.

Thanks in advance 

PS. I also had a process called conime.exe, I looked it up, and its to do with using an ASIAN language. Apparently, if this is running while you aren't using an Asian language, it could be a backdoor. Is this TRUE? Sorry, I'm a bit over anxious after having had Magistr.b not long ago. 

could you check below i have had trouble with this virus Virus:Win32/Induc.A
i cannot see anything in the log
2 days with a frozen pc would not do anything



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:33, on 26/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE
C:\Program Files\[email protected]\[email protected]\[email protected]
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\harold mullan\Application Data\[email protected]\FahCore_b4.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://uk.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX520 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE /P31 "EPSON Stylus Photo RX520 Series" /M "Stylus Photo RX520" /EF "HKCU"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: [email protected] = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1219531497140
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178998938015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179009861625
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c99aa9e4bae958) (gupdate1c99aa9e4bae958) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9199 bytes
Harry, I can't see anything amiss in the log. Where are the SAS and MBAM scans?do them now daveall clear dave


Malwarebytes' Anti-Malware 1.44
Database version: 3798
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

26/02/2010 23:40:48
mbam-log-2010-02-26 (23-40-48).txt

Scan type: Quick Scan
Objects scanned: 116004
Time elapsed: 23 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/27/2010 at 00:01 AM

Application Version : 4.27.1002

Core Rules Database Version : 4623
Trace Rules Database Version: 2435

Scan type       : Quick Scan
Total Scan Time : 00:28:12

Memory items scanned      : 480
Memory threats detected   : 0
Registry items scanned    : 552
Registry threats detected : 0
File items scanned        : 8164
File threats detected     : 4

Adware.Tracking Cookie
   C:\Documents and Settings\harold mullan\Cookies\[email protected][1].txt
   C:\Documents and Settings\harold mullan\Cookies\[email protected][2].txt
   C:\Documents and Settings\harold mullan\Cookies\[email protected][2].txt
   C:\Documents and Settings\harold mullan\Cookies\[email protected][1].txt
Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
link #2

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before PERFORMING a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts. (you will receive a UAC prompt, please allow it)

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixcombo says i have avg in the pc , i took it out 3 years ago and also ran the uninstall tool twice

there are a lot of very old files in combo that i could take out its the first i've seen them if you tell me where to go they must be hidden


ComboFix 10-02-26.03 - harold mullan 27/02/2010  16:02:53.3.1 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.1247.817 [GMT 0:00]
Running from: c:\documents and settings\harold mullan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\harold mullan\Application Data\Desktopicon
c:\documents and settings\harold mullan\Application Data\Desktopicon\config.ini
c:\program files\Fast Browser Search
c:\program files\RegGenie
c:\program files\RegGenie\Backups\40030.8808081944
c:\program files\RegGenie\RegGenie.ini
c:\windows\Downloaded Program Files\popcaploader.inf

.
(((((((((((((((((((((((((   Files Created from 2010-01-27 to 2010-02-27  )))))))))))))))))))))))))))))))
.

2010-02-26 11:09 . 2010-02-24 09:16   181632   ------w-   c:\windows\system32\MpSigStub.exe
2010-02-26 10:58 . 2010-02-26 10:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Birdstep Technology
2010-02-26 10:52 . 2010-02-26 10:52   --------   d-----w-   c:\documents and settings\harold mullan\Local Settings\Application Data\PCHealth
2010-02-26 10:52 . 2010-02-26 10:52   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-02-26 10:52 . 2010-02-26 10:52   --------   d-----w-   c:\program files\Microsoft Security Essentials
2010-02-23 23:50 . 2010-02-23 23:50   16312832   ----a-w-   c:\documents and settings\harold mullan\Application Data\[email protected]\FahCore_b4.exe
2010-02-20 14:29 . 2010-02-20 14:29   --------   d-----w-   c:\program files\Romancing the Seven Wonders - Taj Mahal
2010-02-19 19:00 . 2010-02-19 19:00   --------   d-----w-   c:\program files\The Tarot's Misfortune
2010-02-18 22:49 . 2010-02-18 22:49   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\BigFishGames
2010-02-18 16:15 . 2010-02-18 16:15   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\GameMill
2010-02-18 16:15 . 2010-02-18 16:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\GameMill
2010-02-17 23:57 . 2010-02-17 23:57   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\LaJangada
2010-02-04 16:09 . 2010-02-04 16:09   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-01 23:37 . 2010-02-01 23:37   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Gestalt Games
2010-02-01 23:30 . 2010-02-01 23:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Million
2010-01-28 21:17 . 2010-01-28 21:17   --------   d-----w-   c:\documents and settings\harold mullan\Local Settings\Application Data\Menge

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 23:23 . 2009-08-06 21:16   117760   ----a-w-   c:\documents and settings\harold mullan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-23 23:41 . 2007-05-14 19:08   61   ---ha-w-   c:\windows\popcinfo.dat
2010-01-25 23:55 . 2010-01-25 23:55   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\SevenSails
2010-01-24 23:25 . 2010-01-24 23:25   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Valusoft
2010-01-24 23:25 . 2010-01-24 23:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Valusoft
2010-01-24 23:22 . 2010-01-24 23:22   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Green Clover Games
2010-01-24 23:22 . 2010-01-24 23:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Green Clover Games
2010-01-24 19:59 . 2010-01-24 19:59   --------   d-----w-   c:\program files\World Poker Championship
2010-01-23 21:26 . 2010-01-23 21:26   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\WhatPulse
2010-01-18 20:07 . 2008-04-22 21:52   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-17 22:34 . 2010-01-17 22:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-17 22:33 . 2010-01-17 22:33   --------   d-----w-   c:\program files\Bonjour
2010-01-17 22:32 . 2010-01-17 22:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-17 22:31 . 2010-01-17 22:31   --------   d-----w-   c:\program files\Apple Software Update
2010-01-17 22:30 . 2010-01-17 22:30   --------   d-----w-   c:\program files\Common Files\Apple
2010-01-17 22:30 . 2010-01-17 22:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
2010-01-17 18:48 . 2009-12-31 19:29   52224   ----a-w-   c:\documents and settings\harold mullan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-15 23:22 . 2010-01-15 23:22   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Gold Casual Games
2010-01-14 19:36 . 2010-01-14 19:36   --------   d-----w-   c:\program files\SpongeBob SquarePants Diner Dash
2010-01-14 19:12 . 2010-01-14 19:12   1245321   ----a-w-   c:\documents and settings\All Users\Application Data\NeoEdge Networks\Yahoo_DinerDash\IAF.dll
2010-01-14 19:12 . 2010-01-14 19:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\NeoEdge Networks
2010-01-14 19:12 . 2010-01-14 19:12   --------   d-----w-   c:\program files\Yahoo! Games
2010-01-12 23:08 . 2010-01-12 23:08   --------   d-----w-   c:\program files\Microsoft DirectX SDK (August 2009)
2010-01-12 23:07 . 2010-01-12 23:07   93512   ----a-w-   c:\windows\dxsdkuninst.exe
2010-01-10 00:11 . 2010-01-10 00:11   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\BrokenHearts
2010-01-10 00:10 . 2010-01-10 00:10   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Dragon Altar Games
2010-01-07 16:07 . 2008-07-24 00:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2008-05-08 23:56   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2006-06-23 11:33   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-06-14 15:14   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2002-09-23 09:02   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-01-03 18:43 . 2010-01-03 18:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\IncrediMail
2010-01-02 23:07 . 2010-01-02 23:07   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Virtual City
2010-01-02 19:00 . 2010-01-02 19:00   --------   d-----w-   c:\program files\SeaMonkey
2010-01-01 23:21 . 2010-01-01 23:20   --------   d-----w-   c:\documents and settings\harold mullan\Application Data\Friday's games
2009-12-31 20:09 . 2009-12-31 20:09   --------   d-----w-   c:\program files\The Mirror Mysteries
2009-12-31 16:50 . 2002-09-23 09:04   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-17 17:14 . 2008-10-30 19:51   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2004-08-30 14:29   343040   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-23 09:02   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-23 09:03   2189184   ----a-w-   c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04   2066048   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2009-12-07 21:08 . 2009-05-12 23:28   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-12-04 18:22 . 2002-09-23 09:03   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"EPSON Stylus Photo RX520 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE" [2005-04-07 98304]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2009-11-24 2156816]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\harold mullan\Start Menu\Programs\Startup\
[email protected] - c:\documents and settings\harold mullan\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe [2009-5-7 98477]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2007-05-26 20:21   936960   ------w-   c:\program files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPASTATUS]
2003-02-26 16:18   620032   ------w-   c:\program files\Internet Explorer\Connection Wizard\status.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-08-07 18:49   1830128   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15   15872   ----a-w-   c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\dpnsvr.exe"=
"c:\\WINDOWS\\System32\\dxdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil_.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/07/2009 10:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/07/2009 10:53 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [17/02/2009 20:08 55152]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [12/03/2009 10:44 184968]
S2 gupdate1c99aa9e4bae958;Google Update Service (gupdate1c99aa9e4bae958);c:\program files\Google\Update\GoogleUpdate.exe [01/03/2009 20:11 133104]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/07/2009 10:53 7408]
S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-11-26 13:48]

2010-02-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 16:10
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2485982703-2457388570-1893012673-1006\Software\Microsoft\SystemCertificates\AddressBook*]
Allowed: (Read) (RestrictedCode)
Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-27  16:12:02
ComboFix-quarantined-files.txt  2010-02-27 16:12

Pre-Run: 53,495,988,224 bytes free
Post-Run: 53,540,421,632 bytes free

- - End Of File - - 2BD237A39B491DE99D0802F26476D4C7



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:18:15, on 27/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX520 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE /P31 "EPSON Stylus Photo RX520 Series" /M "Stylus Photo RX520" /EF "HKCU"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: [email protected] = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1219531497140
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178998938015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179009861625
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c99aa9e4bae958) (gupdate1c99aa9e4bae958) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8152 bytes
Quote

ComboFix 10-02-26.03 - harold mullan 27/02/2010  16:02:53.3.1 - FAT32x86

My nieces  CPU , she thinks she got a virus. She uses AVG. Here what her CPU is doing. When she turns it on it loads up to her desktop then shuts down. I had her try it in safe mode and it does the same thing. She TOOK it to a COMP place and they said they would have to get her save pics...etc..off then put a new OS back on it. What I was wondering is how can you get her pics and etc off if you can't get the comp to boot up and stay on. If I vcan get here stuff off of the comp I can put a OS back on it. She is running WinXP.. Thanks..this is my first message on this Cpu forum, hope I put this in the right place Welcome to CH.
Just leave the computer off for awhile. After ten minutes turn it back on and try to get into the safe mode. This is done by tapping the F8 key before Windows starts.

Is this a laptop and is the BATTERY well charged? A WEAK or defective battery can make the laptop restart.
If this is a Desktop, what SUB devices do you have? So devices dares to much poser and cause the desktop to restart.

Another POSSIBILITY is that the fan my be stuck or broken. A Desktop PC has two fans that must cool the processor and the power supply.If the computer gets to hot is restarts or shuts off.

Do you have an Anti-Virus program? Did it indicate a problem?It's a desktop , and yes  they are using AVG. and it did show several virus. I haven't look at the cpu myself but she going to bring it over so I can look at it. I'll do what you said in the reply and check it out. Thanks for the reply. I'll get back. I headed for work this evening. Thanks again.

Would there be any conflict if I ran scans with AVAST 4.8 and Malwarebytes at the sametime?. Basically it's just to save time as I find myself treading the floorboards WAITING for them to finish.

Plus is there any free software that will stop Adware from getting on my PC?

Cheers
Running two scanners at the same time can cause your computer to crash or have INACCURATE results. Only scan with ONE at a time.

What all real-time security tools do you have installed now?I have Avast, Malwarebytes and windows security centre. You have answred my question THO about running two at once.
cheers
ef

Is this file (in C:\WINDOWS) a virus?  I'm asking because my mom was reading emails and got a prompt that the computer had to be restarted to complete installation of a new program (it didn't say what new program).  It automatically restarted in 45 seconds (there was no close button).  When the computer came back up everything was fine (or looked like it).  I checked the list of running processes and found OA001Mon.exe.  I immediately searched the internet for this file.  I found reports of it shutting down the firewall and other bad things.  I ran a Norton full scan and found nothing.  avast! did a scan and found nothing.  Jotti's malware scan got 0/20 scanners reporting threats on OA001Mon.exe, OA001cfg.exe, and OA001.[I forgot the extension].  Whenever that computer booted up, OA001Mon.exe is running under my mom's USERNAME.  No virus scanner finds anything but all these internet reports and the fact that those THREE files are not on the other TWO computers at this house is kind of suspicious.  I removed these three files and rebooted and everything was fine, no OA001Mon.exe running and the files didn't come back.  Was this a good idea and are these files a virus?

-FleexyThere are files with those names that are legitimate. Do you have a webcam installed from Creative? Quote from: evilfantasy on MARCH 02, 2010, 05:00:01 PM

There are files with those names that are legitimate. Do you have a webcam installed from Creative?

I've heard that SpyWareGuard offers real-time ANTISPYWARE PROTECTION for free. Is this true, and will it CONFLICT with SpywareBlaster?SpyWareGuard is far outdated and LIKELY will not add any extra protection with the advancements in today's antivirus.

By Brian Krebs MS: Be Careful With Those Function Keys

Microsoft Corp. has a message for Windows 2000, XP and Server 2003 users: If you browse the Interwebs with Internet Explorer 6, 7, or 8, take care to ignore any prompts that ask you to hit the F1 key on your keyboard, as doing so may be UNHEALTHFUL to your PC.

It turns out that there is a security flaw in the way these operating systems + browser versions process “Windows Help files” in such a way that is entirely unhelpful. That is, clicking on the F1 key when presented with a specially crafted pop-up box prompting you to do so could allow criminals to download and install malicious software to your computer.

Thankfully, most Windows users are more likely to locate the “any” key on their systems before they REALIZE that the “Function 1″ key is but the first of 12 such keys situated just above the left-to-right number keys on the standard Windows keyboard. Indeed, most Windows users’ first experience with these function keys is when something goes wrong with Windows.

In a security advisory issued Monday, Microsoft said it may at some point issue a software update to address this SHORTCOMING. REDMOND’s advisory on this topic is available here. The organization responsible for this warning — Polish security firm iSec Security Research — has a bit more information here on the ins and outs of this bug.

I am scanning my computer using malwarebytes and it is currently showing a great 9,000 and counting of infected files... I had scanned my computer using avira earlier on and showed about 2,000 infections I thought that they had been false positives since AVG didn't detect any when I do scans using it and I changed avira to avast then had a thorough scan, and it showed one virus which is Win32 Rootkit-gen, that's the only thing it got and its severity is high basing on the avast report. This has got me alarmed though... what do I do with this? I'd be posting the EXACT amount of affected file once the scan it done. Just thought of posting this ahead while waiting. Please visit this webpage for a TUTORIAL on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.ComboFix 10-02-23.04 - asus 02/24/2010  15:52:32.2.2 - x86
Microsoft Windows 7 Starter   6.1.7600.0.1252.1.1033.18.2013.1096 [GMT 8:00]
Running from: c:\users\asus\Downloads\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\Mozilla FIREFOX\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\INSTALL.RDF
c:\program files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\1.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\users\asus\AppData\Roaming\02000000aeb10912741C.manifest
c:\users\asus\AppData\Roaming\02000000aeb10912741O.manifest
c:\users\asus\AppData\Roaming\02000000aeb10912741P.manifest
c:\users\asus\AppData\Roaming\02000000aeb10912741S.manifest
c:\users\asus\AppData\Roaming\Mozilla\Firefox\Profiles\zrgt56v5.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}
c:\users\asus\AppData\Roaming\Mozilla\Firefox\Profiles\zrgt56v5.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}\chrome.manifest
c:\users\asus\AppData\Roaming\Mozilla\Firefox\Profiles\zrgt56v5.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}\chrome\xulcache.jar
c:\users\asus\AppData\Roaming\Mozilla\Firefox\Profiles\zrgt56v5.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}\defaults\preferences\xulcache.js
c:\users\asus\AppData\Roaming\Mozilla\Firefox\Profiles\zrgt56v5.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}\install.rdf
c:\users\asus\AppData\Roaming\SystemProc
c:\users\StudyTimeJZoWN\AppData\Roaming\Mozilla\Firefox\Profiles\wuvad8e7.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}
c:\users\StudyTimeJZoWN\AppData\Roaming\Mozilla\Firefox\Profiles\wuvad8e7.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}\chrome.manifest
c:\users\StudyTimeJZoWN\AppData\Roaming\Mozilla\Firefox\Profiles\wuvad8e7.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}\chrome\xulcache.jar
c:\users\StudyTimeJZoWN\AppData\Roaming\Mozilla\Firefox\Profiles\wuvad8e7.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}\defaults\preferences\xulcache.js
c:\users\StudyTimeJZoWN\AppData\Roaming\Mozilla\Firefox\Profiles\wuvad8e7.default\extensions\{24ea2639-d3e4-45ac-83b2-d42eb7d13c07}\install.rdf
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\userdata.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MyWebSearchService


(((((((((((((((((((((((((   Files Created from 2010-01-24 to 2010-02-24  )))))))))))))))))))))))))))))))
.

2010-02-24 08:25 . 2010-02-24 08:25   --------   d-----w-   C:\Device
2010-02-24 08:18 . 2010-02-24 08:18   --------   d-----w-   c:\users\StudyTimeJZoWN\AppData\Local\temp
2010-02-24 08:18 . 2010-02-24 08:18   --------   d-----w-   c:\users\Guest\AppData\Local\temp
2010-02-20 00:50 . 2010-02-20 00:50   --------   d-----w-   c:\users\Guest\AppData\Local\Diagnostics
2010-02-20 00:42 . 2010-02-20 00:42   --------   d-----w-   c:\users\Guest\AppData\Local\Apple Computer
2010-02-18 14:41 . 2010-02-18 14:41   --------   d-----w-   c:\program files\VideoLAN
2010-02-18 14:35 . 2010-02-18 14:35   --------   d-----w-   c:\users\asus\AppData\Roaming\Malwarebytes
2010-02-18 14:35 . 2010-01-07 08:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 14:35 . 2010-02-18 14:35   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-18 14:35 . 2010-02-18 14:35   --------   d-----w-   c:\programdata\Malwarebytes
2010-02-18 14:35 . 2010-01-07 08:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-18 01:07 . 2010-02-11 18:42   162512   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-02-18 01:07 . 2010-02-11 18:38   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-02-18 01:07 . 2010-02-11 18:39   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-02-18 01:07 . 2010-02-11 18:42   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-02-18 01:07 . 2010-02-11 18:38   51792   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2010-02-18 01:06 . 2010-02-11 18:53   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-02-18 01:06 . 2010-02-11 18:53   153184   ----a-w-   c:\windows\system32\aswBoot.exe
2010-02-15 13:54 . 2010-02-15 13:54   --------   d-----w-   c:\users\Default\AppData\Local\Microsoft Help
2010-02-15 02:31 . 2009-07-28 07:33   55656   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-02-15 01:58 . 2010-01-14 03:12   181120   ------w-   c:\windows\system32\MpSigStub.exe
2010-02-15 01:22 . 2010-02-15 01:22   2560   ----a-w-   c:\windows\_MSRSTRT.EXE
2010-02-14 15:25 . 2010-02-14 15:25   --------   d-----w-   c:\program files\Common Files\Windows Live
2010-02-14 05:57 . 2010-02-14 05:57   72488   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-14 05:45 . 2010-02-14 05:45   --------   d-----w-   c:\program files\Safari
2010-02-14 05:35 . 2010-02-14 05:35   79144   ----a-w-   c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-02 06:55 . 2010-02-02 06:55   --------   d-----w-   c:\users\Guest\AppData\Local\Yahoo
2010-02-02 06:42 . 2010-02-02 06:42   110000   ----a-w-   c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-02 06:41 . 2010-02-02 06:41   --------   d-----w-   c:\users\Guest\AppData\Roaming\LimeWire
2010-02-02 06:36 . 2010-02-02 06:36   --------   d-----w-   c:\users\Guest\AppData\Local\Apple
2010-02-02 06:12 . 2010-02-02 06:12   --------   d-----w-   c:\users\Guest\AppData\Local\Mozilla
2010-01-30 04:20 . 2010-01-30 04:20   --------   d-----w-   c:\users\asus\AppData\Roaming\skypePM
2010-01-29 13:43 . 2010-02-24 04:15   --------   d-----w-   c:\users\asus\AppData\Roaming\Skype
2010-01-29 13:39 . 2010-01-29 13:39   --------   d-----w-   c:\program files\Common Files\Skype
2010-01-29 13:39 . 2010-01-29 13:41   --------   d-----r-   c:\program files\Skype
2010-01-29 13:39 . 2010-01-29 13:39   --------   d-----w-   c:\programdata\Skype
2010-01-27 11:57 . 2009-10-31 05:45   2614272   ----a-w-   c:\windows\explorer.exe
2010-01-27 11:57 . 2009-10-28 06:17   285696   ----a-w-   c:\windows\system32\winlogon.exe
2010-01-27 06:08 . 2010-01-27 06:08   --------   d-----w-   c:\programdata\Alwil Software
2010-01-27 06:08 . 2010-01-27 06:08   --------   d-----w-   c:\program files\Alwil Software

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 07:03 . 2009-12-01 00:51   45056   ----a-w-   c:\windows\system32\acovcnt.exe
2010-02-19 00:28 . 2009-11-27 12:38   110000   ----a-w-   c:\users\asus\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-18 19:04 . 2009-11-27 12:59   --------   d-----w-   c:\programdata\Microsoft Help
2010-02-18 19:03 . 2009-11-27 13:02   --------   d-----w-   c:\program files\Microsoft Works
2010-02-15 01:35 . 2009-11-27 12:49   --------   d-----w-   c:\programdata\avg9
2010-02-15 01:29 . 2009-12-04 15:48   --------   d-----w-   c:\users\asus\AppData\Roaming\Apple Computer
2010-02-15 01:23 . 2010-01-13 02:29   --------   d-----w-   c:\program files\Chikka
2010-02-14 06:13 . 2009-12-04 15:48   --------   d-----w-   c:\program files\iTunes
2010-02-14 06:13 . 2009-12-04 15:48   --------   d-----w-   c:\program files\iPod
2010-02-09 00:30 . 2010-01-13 07:21   --------   d-----w-   c:\users\asus\AppData\Roaming\Windows SideBar
2010-02-02 06:55 . 2010-01-14 14:47   --------   d-----w-   c:\users\Guest\AppData\Roaming\yahoo!
2010-01-30 04:20 . 2010-01-30 04:20   56   ---ha-w-   c:\programdata\ezsidmv.dat
2010-01-28 02:23 . 2009-11-27 12:46   --------   d-----w-   c:\program files\Common Files\Adobe
2010-01-27 15:01 . 2010-01-27 15:01   132608   ----a-w-   c:\windows\system32\trzFEA0.tmp
2010-01-27 15:00 . 2010-01-27 15:00   132608   ----a-w-   c:\windows\system32\trzF7A.tmp
2010-01-27 14:59 . 2010-01-27 14:59   132608   ----a-w-   c:\windows\system32\trzEC6.tmp
2010-01-27 14:58 . 2010-01-27 14:58   132608   ----a-w-   c:\windows\system32\trzAD1D.tmp
2010-01-27 14:57 . 2010-01-27 14:57   132608   ----a-w-   c:\windows\system32\trzC64F.tmp
2010-01-27 14:56 . 2010-01-27 14:56   132608   ----a-w-   c:\windows\system32\trzDA65.tmp
2010-01-27 14:55 . 2010-01-27 14:55   132608   ----a-w-   c:\windows\system32\trzEF64.tmp
2010-01-27 14:54 . 2010-01-27 14:54   132608   ----a-w-   c:\windows\system32\trzFFA5.tmp
2010-01-27 14:53 . 2010-01-27 14:53   132608   ----a-w-   c:\windows\system32\trzE79.tmp
2010-01-27 14:52 . 2010-01-27 14:52   132608   ----a-w-   c:\windows\system32\trzDC8.tmp
2010-01-27 14:51 . 2010-01-27 14:51   132608   ----a-w-   c:\windows\system32\trzEE1.tmp
2010-01-27 14:50 . 2010-01-27 14:50   132608   ----a-w-   c:\windows\system32\trzE12.tmp
2010-01-27 14:49 . 2010-01-27 14:49   132608   ----a-w-   c:\windows\system32\trzFFB.tmp
2010-01-27 14:48 . 2010-01-27 14:48   132608   ----a-w-   c:\windows\system32\trzED2.tmp
2010-01-27 14:47 . 2010-01-27 14:47   132608   ----a-w-   c:\windows\system32\trzDE2.tmp
2010-01-27 14:46 . 2010-01-27 14:46   132608   ----a-w-   c:\windows\system32\trzAE49.tmp
2010-01-27 14:45 . 2010-01-27 14:45   132608   ----a-w-   c:\windows\system32\trzC52F.tmp
2010-01-27 14:44 . 2010-01-27 14:44   132608   ----a-w-   c:\windows\system32\trzD9D8.tmp
2010-01-27 14:43 . 2010-01-27 14:43   132608   ----a-w-   c:\windows\system32\trzEE1B.tmp
2010-01-27 14:42 . 2010-01-27 14:42   132608   ----a-w-   c:\windows\system32\trzFE3D.tmp
2010-01-27 14:41 . 2010-01-27 14:41   132608   ----a-w-   c:\windows\system32\trzEF4.tmp
2010-01-27 14:40 . 2010-01-27 14:40   132608   ----a-w-   c:\windows\system32\trzF1C.tmp
2010-01-27 14:39 . 2010-01-27 14:39   132608   ----a-w-   c:\windows\system32\trzE5C.tmp
2010-01-27 14:38 . 2010-01-27 14:38   132608   ----a-w-   c:\windows\system32\trzE70.tmp
2010-01-27 14:37 . 2010-01-27 14:37   132608   ----a-w-   c:\windows\system32\trzFC0.tmp
2010-01-27 14:36 . 2010-01-27 14:36   132608   ----a-w-   c:\windows\system32\trzDDA.tmp
2010-01-27 14:35 . 2010-01-27 14:35   132608   ----a-w-   c:\windows\system32\trzDEE.tmp
2010-01-27 14:34 . 2010-01-27 14:34   132608   ----a-w-   c:\windows\system32\trzAF72.tmp
2010-01-27 14:33 . 2010-01-27 14:33   132608   ----a-w-   c:\windows\system32\trzC329.tmp
2010-01-27 14:32 . 2010-01-27 14:32   132608   ----a-w-   c:\windows\system32\trzD967.tmp
2010-01-27 14:31 . 2010-01-27 14:31   132608   ----a-w-   c:\windows\system32\trzEE93.tmp
2010-01-27 14:30 . 2010-01-27 14:30   132608   ----a-w-   c:\windows\system32\trzFF44.tmp
2010-01-27 14:29 . 2010-01-27 14:29   132608   ----a-w-   c:\windows\system32\trzDDC.tmp
2010-01-27 14:28 . 2010-01-27 14:28   132608   ----a-w-   c:\windows\system32\trzF75.tmp
2010-01-27 14:27 . 2010-01-27 14:27   132608   ----a-w-   c:\windows\system32\trzE8B.tmp
2010-01-27 14:26 . 2010-01-27 14:26   132608   ----a-w-   c:\windows\system32\trzE4A.tmp
2010-01-27 14:25 . 2010-01-27 14:25   132608   ----a-w-   c:\windows\system32\trzFEF.tmp
2010-01-27 14:24 . 2010-01-27 14:24   132608   ----a-w-   c:\windows\system32\trzFFA.tmp
2010-01-27 14:23 . 2010-01-27 14:23   132608   ----a-w-   c:\windows\system32\trzF43.tmp
2010-01-27 14:22 . 2010-01-27 14:22   132608   ----a-w-   c:\windows\system32\trzACD1.tmp
2010-01-27 14:21 . 2010-01-27 14:21   132608   ----a-w-   c:\windows\system32\trzC27F.tmp
2010-01-27 14:20 . 2010-01-27 14:20   132608   ----a-w-   c:\windows\system32\trzD8DB.tmp
2010-01-27 14:19 . 2010-01-27 14:19   132608   ----a-w-   c:\windows\system32\trzEDB0.tmp
2010-01-27 14:18 . 2010-01-27 14:18   132608   ----a-w-   c:\windows\system32\trzFF87.tmp
2010-01-27 14:17 . 2010-01-27 14:17   132608   ----a-w-   c:\windows\system32\trzE7E.tmp
2010-01-27 14:16 . 2010-01-27 14:16   132608   ----a-w-   c:\windows\system32\trzE3D.tmp
2010-01-27 14:15 . 2010-01-27 14:15   132608   ----a-w-   c:\windows\system32\trzF0C.tmp
2010-01-27 14:14 . 2010-01-27 14:14   132608   ----a-w-   c:\windows\system32\trzEC8.tmp
2010-01-27 14:13 . 2010-01-27 14:13   132608   ----a-w-   c:\windows\system32\trzF7B.tmp
2010-01-27 14:12 . 2010-01-27 14:12   132608   ----a-w-   c:\windows\system32\trzE53.tmp
2010-01-27 14:11 . 2010-01-27 14:11   132608   ----a-w-   c:\windows\system32\trzF8D.tmp
2010-01-27 14:10 . 2010-01-27 14:10   132608   ----a-w-   c:\windows\system32\trzAD69.tmp
2010-01-27 14:09 . 2010-01-27 14:09   132608   ----a-w-   c:\windows\system32\trzC254.tmp
2010-01-27 14:08 . 2010-01-27 14:08   132608   ----a-w-   c:\windows\system32\trzD761.tmp
2010-01-27 14:07 . 2010-01-27 14:07   132608   ----a-w-   c:\windows\system32\trzEB67.tmp
2010-01-27 14:06 . 2010-01-27 14:06   132608   ----a-w-   c:\windows\system32\trzFE61.tmp
2010-01-27 14:05 . 2010-01-27 14:05   132608   ----a-w-   c:\windows\system32\trzEFE.tmp
2010-01-27 14:04 . 2010-01-27 14:04   132608   ----a-w-   c:\windows\system32\trzF1B.tmp
2010-01-27 14:03 . 2010-01-27 14:03   132608   ----a-w-   c:\windows\system32\trzDC7.tmp
2010-01-27 14:02 . 2010-01-27 14:02   132608   ----a-w-   c:\windows\system32\trzEBE.tmp
2010-01-27 14:01 . 2010-01-27 14:01   132608   ----a-w-   c:\windows\system32\trzEBD.tmp
2010-01-27 14:00 . 2010-01-27 14:00   132608   ----a-w-   c:\windows\system32\trzFE0.tmp
2010-01-27 13:59 . 2010-01-27 13:59   132608   ----a-w-   c:\windows\system32\trzFC7.tmp
2010-01-27 13:58 . 2010-01-27 13:58   132608   ----a-w-   c:\windows\system32\trzA8FF.tmp
2010-01-27 13:57 . 2010-01-27 13:57   132608   ----a-w-   c:\windows\system32\trzC07E.tmp
2010-01-27 13:56 . 2010-01-27 13:56   132608   ----a-w-   c:\windows\system32\trzD5F2.tmp
2010-01-27 13:55 . 2010-01-27 13:55   132608   ----a-w-   c:\windows\system32\trzEB0E.tmp
2010-01-27 13:54 . 2010-01-27 13:54   132608   ----a-w-   c:\windows\system32\trzFE8A.tmp
2010-01-27 13:53 . 2010-01-27 13:53   132608   ----a-w-   c:\windows\system32\trzF05.tmp
2010-01-27 13:52 . 2010-01-27 13:52   132608   ----a-w-   c:\windows\system32\trzDFC.tmp
2010-01-27 13:51 . 2010-01-27 13:51   132608   ----a-w-   c:\windows\system32\trzF18.tmp
2010-01-27 13:50 . 2010-01-27 13:50   132608   ----a-w-   c:\windows\system32\trzFC3.tmp
2010-01-27 13:49 . 2010-01-27 13:49   132608   ----a-w-   c:\windows\system32\trzF91.tmp
2010-01-27 13:48 . 2010-01-27 13:48   132608   ----a-w-   c:\windows\system32\trzE90.tmp
2010-01-27 13:47 . 2010-01-27 13:47   132608   ----a-w-   c:\windows\system32\trzE3F.tmp
2010-01-27 13:46 . 2010-01-27 13:46   132608   ----a-w-   c:\windows\system32\trzAB05.tmp
2010-01-27 13:45 . 2010-01-27 13:45   132608   ----a-w-   c:\windows\system32\trzC01D.tmp
2010-01-27 13:44 . 2010-01-27 13:44   132608   ----a-w-   c:\windows\system32\trzD443.tmp
2010-01-27 13:43 . 2010-01-27 13:43   132608   ----a-w-   c:\windows\system32\trzE963.tmp
2010-01-27 13:42 . 2010-01-27 13:42   132608   ----a-w-   c:\windows\system32\trzFB19.tmp
2010-01-27 13:41 . 2010-01-27 13:41   132608   ----a-w-   c:\windows\system32\trzF79.tmp
2010-01-27 13:40 . 2010-01-27 13:40   132608   ----a-w-   c:\windows\system32\trzFBC.tmp
2010-01-27 13:39 . 2010-01-27 13:39   132608   ----a-w-   c:\windows\system32\trzA3C.tmp
2010-01-27 13:38 . 2010-01-27 13:38   132608   ----a-w-   c:\windows\system32\trzE30.tmp
2010-01-27 13:37 . 2010-01-27 13:37   132608   ----a-w-   c:\windows\system32\trzEFB.tmp
2010-01-27 13:36 . 2010-01-27 13:36   132608   ----a-w-   c:\windows\system32\trzE1E.tmp
2010-01-27 13:35 . 2010-01-27 13:35   132608   ----a-w-   c:\windows\system32\trzF1A.tmp
2009-06-10 21:26 . 2009-07-14 02:04   9633792   --sha-r-   c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42   396800   --sha-w-   c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-01 39408]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 51712]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-12 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-12 150552]
"AmIcoSinglun"="c:\program files\AmIcoSingLun\AmIcoSinglun.exe" [2009-04-09 237568]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-06-12 497536]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2009-07-13 1474560]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"ATKOSD2"="c:\program files\ASUS\ATKOSD2\ATKOSD2.exe" [2009-07-07 8493624]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2009-04-20 159744]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-02-21 222504]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-09-24 210216]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-22 210216]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-01 122368]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-11 149280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-02-11 2756488]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FancyStart daemon.lnk - c:\windows\Installer\{60D6618B-153F-4353-8185-908E676E5888}\_DCE9A4DB2A5F2786140FA3.exe [2009-11-27 12862]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 17:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Camera ScreenSaver]
2009-11-27 12:43   72248   ----a-w-   c:\windows\AsScrProlog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
2009-11-27 12:43   3054136   ----a-w-   c:\windows\AsScrPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2008-07-18 10:52   104936   ------w-   c:\program files\CyberLink\Power2Go\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2008-02-22 02:19   62760   ----a-w-   c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-04-02 10:09   87336   ------w-   c:\program files\CyberLink\PowerDVD\PDVDServ.exe

R0 lullaby;lullaby;c:\windows\System32\drivers\lullaby.sys [11/27/2009 8:43 PM 15416]
R1 aswSP;aswSP;c:\windows\System32\drivers\aswSP.sys [2/18/2010 9:07 AM 162512]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [7/14/2009 7:52 AM 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2/18/2010 9:07 AM 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2/18/2010 9:07 AM 51792]
R2 FastBootAgent;FastBootAgent;c:\windows\System32\Fast Boot\FastBootAgent.exe [11/27/2009 8:45 PM 306232]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\System32\drivers\ETD.sys [11/27/2009 8:35 PM 91136]
R3 VIAHdAudAddService;VIA High DEFINITION Audio Driver Service;c:\windows\System32\drivers\viahduaa.sys [11/27/2009 8:41 PM 1066496]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2010 2:09 PM 133104]
S3 AmUStor;AM USB Stroage Driver;c:\windows\System32\drivers\AmUStor.sys [5/26/2009 9:32 PM 25600]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\System32\drivers\ewusbfake.sys [12/14/2009 8:11 PM 103040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 06:09]

2010-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 06:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=GRfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Save video on Savevid.com - c:\\Program Files\\savevid\\redirect.htm
FF - ProfilePath - c:\users\asus\AppData\Roaming\Mozilla\Firefox\Profiles\zrgt56v5.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.livingtohim.com/
FF - prefs.js: keyword.URL -
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\users\asus\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut. enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugi n", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{07B18EA1-A523-4961-B6BB-170DE4475CCA} - c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-RTHDBPL - c:\users\asus\AppData\Roaming\SystemProc\lsass.exe
HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Denied: (A) (Users)
Denied: (A) (Everyone)
Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
Denied: (A) (Users)
Denied: (A) (Everyone)
Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
Denied: (A) (Users)
Denied: (A) (Everyone)
Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
Denied: (A) (Users)
Denied: (A) (Everyone)
Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2484)
c:\program files\Elantech\ETDApix.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\program files\ASUS\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\taskhost.exe
c:\program files\ASUS\SmartLogon\sensorsrv.exe
c:\program files\P4G\BatteryLife.exe
c:\program files\ASUS\ASUS CopyProtect\aspg.exe
c:\program files\ASUS\Splendid\ACMON.exe
c:\program files\ASUS\ControlDeck\ControlDeckStartUp.exe
c:\windows\System32\ACEngSvr.exe
c:\program files\ASUS\ATK Hotkey\HControl.exe
c:\windows\system32\conhost.exe
c:\program files\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files\ASUS\ATK Hotkey\WDC.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ASUS\NB Probe\SPM\spmgr.exe
c:\program files\Yahoo!\Messenger\YahooMessenger.exe
c:\windows\system32\sppsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ASUS\ASUS Live Update\ALU.exe
c:\program files\ASUS\Net4Switch\Net4Switch.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-02-24  16:33:58 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-24 08:33

Pre-Run: 81,487,085,568 bytes free
Post-Run: 81,947,578,368 bytes free

- - End Of File - - 061C6D56A3A2D1D5DBE9199162493882

Please download <a href="http://www.helpmyos.com/Cheetah-php-h15.htm?cheetah.zip" target="_blank">Cheetah-Anti-Rogue[/url], and save to your Desktop.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
• Double-click on Cheetah-Anti-Rogue.cmd to start.
• It will finish QUICKLY and launch a log.
• Post the contents of it in your next reply.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time
    

From the Sunbelt BLOG by Tom Kelchner

Quote

Microsoft Vice President of Trustworthy Computing Scott Charney, in a keynote address at the RSA security conference in SAN Francisco yesterday, called for quarantines on malware-infected PCs. His remarks were widely covered by a variety of web news outlets.

He compared the threat from infected PCs with the threat from smokers in public places and resulting bans on smoking because of second-hand smoke: "You have a RIGHT to infect and GIVE yourself illness. You don't have the right to infect your neighbor. Computers are the same way." Charney didn’t DISCUSS specific techniques.

The idea has been discussed before but usually stumbles on the issue of forcing ISPs to shoulder the expense and legal problems from enforcing quarantines.

Story here.

Tom Kelchner

OTL logfile created on: 3/1/2010 5:04:01 PM - Run 1
OTL by OldTimer - Version 3.1.32.0     Folder = C:\Documents and Settings\Don\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 412 768 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 66.95 Gb Total Space | 49.90 Gb Free Space | 74.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: DON-7ZNRUN3UQBQ
Current User Name: Don
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2010/03/01 16:57:40 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
PRC - [2010/01/19 05:57:44 | 002,743,104 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/01/19 05:57:41 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/23 01:08:13 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/27 22:51:18 | 000,116,032 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\SMART Web Printing\hpswp_clipbook.exe
PRC - [2007/01/29 23:38:07 | 000,348,160 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/03/01 16:57:40 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2010/01/19 05:57:41 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | RUNNING] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/01/19 05:57:41 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/01/19 05:57:41 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2007/01/29 23:38:07 | 000,348,160 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginen ame: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
 
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/05/17 09:52:32 | 000,000,000 | ---D | M]
 
[2008/05/22 11:49:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\Mozilla\Firefox\Profiles\ixvmyvam.default\extensions
 
O1 HOSTS File: ([2007/03/23 19:27:11 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains:   ([]msn in My Computer)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Reg Error: Key error.)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab (SysData Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182175791390 (MUWebControl Class)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab (GMNRev Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadblocker.com/activex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab (AxPulse Class)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://vpn.financialfreedom.com/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupSP1 Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.217.0.5 24.217.201.67 68.113.206.10
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Don\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Don\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/02/15 14:23:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
 
NetSvcs: 6to4 -  File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/02/15 14:23:04 | 000,000,000 | ---D | M]
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found
 
MsConfig - StartUpReg: Free Registry Fix - hkey= - key= - Reg Error: Value error. File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0
 
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
 
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr -  File not found
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
 
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - VECTOR Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30C38EDD-7522-00A4-7262-9557AA7F6346} - Dynamic HTML Data Binding for Java
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4d64f3ba-f112-4efe-a02e-96680859937c} - KB918899
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5b7bf89d-d196-4c32-a303-a57b8ab7f18d} - KB918439
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CAAFB8F9-F8D1-3D27-9AAA-6301A4429440} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {dd772a76-bef3-44d7-8b39-502c8504c1f1} - KB925486
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {f15ee071-deb7-4cbb-951f-431c98338d8e} - KB911567
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
 
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
 
========== Files/Folders - Created Within 14 Days ==========
 
[2010/03/01 16:57:40 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
[2010/02/22 12:20:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\My Documents\answ mach
[2010/02/18 16:31:57 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/02/18 11:10:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Don\Recent
[2010/02/15 17:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\My Documents\cam pics
[2008/12/26 22:52:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/04/29 13:07:58 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/03/25 09:24:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
[2007/03/24 16:27:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
[2007/02/15 17:17:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/02/15 14:27:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/02/15 14:27:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files - Modified Within 14 Days ==========
 
[2010/03/01 16:57:40 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
[2010/03/01 12:24:22 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/01 12:16:40 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/01 12:16:23 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/03/01 12:14:35 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/01 12:14:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/28 00:51:53 | 009,961,472 | ---- | M] () -- C:\Documents and Settings\Don\NTUSER.DAT
[2010/02/28 00:51:53 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Don\ntuser.ini
[2010/02/28 00:51:36 | 005,370,756 | -H-- | M] () -- C:\Documents and Settings\Don\Local Settings\Application Data\IconCache.db
[2010/02/26 17:15:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2010/02/18 13:31:01 | 000,001,746 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\HijackThis (2).lnk
[2010/02/18 09:10:33 | 000,000,744 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010/02/18 13:41:27 | 000,001,746 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\HijackThis (2).lnk
[2010/02/18 09:09:53 | 000,000,744 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2009/07/05 11:55:21 | 000,005,070 | ---- | C] () -- C:\Program Files\justn.txt
[2009/04/02 11:13:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2008/05/16 13:45:41 | 000,002,550 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/01/12 11:55:27 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Don\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/03/09 15:06:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\viewlink.ini
[2007/03/08 11:24:53 | 000,000,990 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/03/08 11:24:53 | 000,000,091 | ---- | C] () -- C:\WINDOWS\calera.ini
[2007/03/08 11:24:43 | 000,269,312 | ---- | C] () -- C:\WINDOWS\System32\FPXIG.DLL
[2007/03/08 11:24:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\System32\IGFPX32P.DLL
[2007/03/08 11:24:43 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\JPEGACC.DLL
[2007/03/08 11:24:28 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\WELSOF32.DLL
[2007/02/15 20:06:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/02/15 18:11:52 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/02/15 14:58:19 | 000,000,025 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2007/02/15 14:56:35 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2007/02/15 14:50:07 | 000,000,199 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2007/02/15 14:50:07 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2005/12/10 02:06:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/12/10 02:06:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/12/10 02:06:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/12/10 02:06:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/12/10 02:06:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/12/10 02:06:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/12/10 02:06:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
 
========== LOP Check ==========
 
[2010/01/26 11:00:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/01/16 13:11:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2009/03/10 12:44:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Laconic Software
[2009/01/16 13:13:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/05/28 11:54:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2010/01/09 11:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/02/18 10:59:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/07/28 15:54:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/12/10 12:38:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/08/12 14:07:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\Error Fix
[2009/06/27 10:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\GetRightToGo
[2009/07/01 08:17:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\IObit
[2007/03/23 12:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\Juniper Networks
[2009/03/10 12:21:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\Leadertech
[2007/02/15 21:40:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\OfficeUpdate12
[2009/01/16 13:13:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\ParetoLogic
[2007/09/27 09:14:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\TuneUp Software
[2009/07/03 15:15:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\uniblue
[2007/04/16 12:20:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\Wal-Mart Digital Photo Viewer
[2010/02/26 17:15:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\1-Click Maintenance.job
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.exe >
 
< %systemroot%\*. /mp /s >
 
< c:\$recycle.bin\*.* /s >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-02-17 06:50:21
 
 
< MD5 for: AGP440.SYS  >
[2007/02/15 16:21:17 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/23 21:20:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2007/02/15 16:21:17 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/09/23 21:20:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 00:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
 
< MD5 for: ATAPI.SYS  >
[2003/03/31 06:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2007/02/15 16:21:17 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/23 21:20:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2007/02/15 16:21:17 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/09/23 21:20:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
 
< MD5 for: AUTOCHK.EXE  >
[2008/04/13 18:12:12 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\ServicePackFiles\i386\autochk.exe
[2008/04/13 18:12:12 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\system32\autochk.exe
[2004/08/04 01:56:47 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=B3415B9D6026F65E43089ABED096C38C -- C:\WINDOWS\$NtServicePackUninstall$\autochk.exe
 
< MD5 for: BEEP.SYS  >
[2003/03/31 06:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\dllcache\beep.sys
[2003/03/31 06:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys
 
< MD5 for: EVENTLOG.DLL  >
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 01:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
 
< MD5 for: EXPLORER.EXE  >
[2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 05:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 01:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
 
< MD5 for: IMM32.DLL  >
[2008/04/13 18:11:54 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=0DA85218E92526972A821587E6A8BF8F -- C:\WINDOWS\ServicePackFiles\i386\imm32.dll
[2008/04/13 18:11:54 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=0DA85218E92526972A821587E6A8BF8F -- C:\WINDOWS\system32\imm32.dll
[2004/08/04 01:56:42 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=87CA7CE6469577F059297B9D6556D66D -- C:\WINDOWS\$NtServicePackUninstall$\imm32.dll
 
< MD5 for: KERNEL32.DLL  >
[2007/04/16 10:07:27 | 000,986,112 | ---- | M] (Microsoft Corporation) MD5=09F7CB3687F86EDAA4CA081F7AB66C03 -- C:\WINDOWS\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[2006/07/05 04:57:10 | 000,985,088 | ---- | M] (Microsoft Corporation) MD5=0FDD84928A5DDE2510761B7EC76CCEC9 -- C:\WINDOWS\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[2004/08/04 01:56:42 | 000,983,552 | ---- | M] (Microsoft Corporation) MD5=888190E31455FAD793312F8D087146EB -- C:\WINDOWS\$NtUninstallKB917422$\kernel32.dll
[2003/03/31 06:00:00 | 000,930,304 | ---- | M] (Microsoft Corporation) MD5=8F162DC91D67D87C1A481BF602A9DAC8 -- C:\WINDOWS\$NtUninstallKB917422_0$\kernel32.dll
[2007/04/16 09:52:53 | 000,984,576 | ---- | M] (Microsoft Corporation) MD5=A01F9CA902A88F7CED06884174D6419D -- C:\WINDOWS\$NtServicePackUninstall$\kernel32.dll
[2009/03/21 08:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\system32\dllcache\kernel32.dll
[2009/03/21 08:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\system32\kernel32.dll
[2008/04/13 18:11:56 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=C24B983D211C34DA8FCC1AC38477971D -- C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll
[2008/04/13 18:11:56 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=C24B983D211C34DA8FCC1AC38477971D -- C:\WINDOWS\ServicePackFiles\i386\kernel32.dll
[2006/07/05 04:55:01 | 000,984,064 | ---- | M] (Microsoft Corporation) MD5=D8DB5397DE07577C1CB50BA6D23B3AD4 -- C:\WINDOWS\$hf_mig$\KB917422\SP2GDR\kernel32.dll
[2006/07/05 04:55:01 | 000,984,064 | ---- | M] (Microsoft Corporation) MD5=D8DB5397DE07577C1CB50BA6D23B3AD4 -- C:\WINDOWS\$NtUninstallKB935839$\kernel32.dll
[2009/03/21 07:59:23 | 000,991,744 | ---- | M] (Microsoft Corporation) MD5=DA11D9D6ECBDF0F93436A4B7C13F7BEC -- C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll
 
< MD5 for: MSWSOCK.DLL  >
[2008/06/20 11:41:10 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=097722F235A1FB698BF9234E01B52637 -- C:\WINDOWS\$NtServicePackUninstall$\mswsock.dll
[2008/06/20 11:36:11 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=1DFCA7713EA5A70D5D93B436AEA0317A -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[2004/08/04 01:56:44 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
[2008/06/20 11:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[2008/06/20 11:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\system32\dllcache\mswsock.dll
[2008/06/20 11:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\system32\mswsock.dll
[2008/04/13 18:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\ServicePackFiles\i386\mswsock.dll
[2008/06/20 11:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
 
< MD5 for: NDIS.SYS  >
[2008/04/13 13:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ServicePackFiles\i386\ndis.sys
[2008/04/13 13:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\system32\drivers\ndis.sys
[2004/08/04 00:14:28 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
 
< MD5 for: NETLOGON.DLL  >
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 01:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
 
< MD5 for: NTFS.SYS  >
[2007/02/09 05:23:36 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=05AB81909514BFD69CBB1F2C147CF6B9 -- C:\WINDOWS\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[2007/02/09 05:10:35 | 000,574,464 | ---- | M] (Microsoft Corporation) MD5=19A811EF5F1ED5C926A028CE107FF1AF -- C:\WINDOWS\$NtServicePackUninstall$\ntfs.sys
[2008/04/13 13:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\ServicePackFiles\i386\ntfs.sys
[2008/04/13 13:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\system32\drivers\ntfs.sys
[2004/08/04 00:15:09 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\WINDOWS\$NtUninstallKB930916$\ntfs.sys
 
< MD5 for: NTMSSVC.DLL  >
[2008/04/13 18:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\ServicePackFiles\i386\ntmssvc.dll
[2008/04/13 18:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\system32\ntmssvc.dll
[2004/08/04 01:56:44 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=B62F29C00AC55A761B2E45877D85EA0F -- C:\WINDOWS\$NtServicePackUninstall$\ntmssvc.dll
 
< MD5 for: PROQUOTA.EXE  >
[2004/08/04 01:56:55 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\$NtServicePackUninstall$\proquota.exe
[2008/04/13 18:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\ServicePackFiles\i386\proquota.exe
[2008/04/13 18:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\proquota.exe
 
< MD5 for: QMGR.DLL  >
[2004/08/04 01:56:44 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll
[2008/04/13 18:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ServicePackFiles\i386\qmgr.dll
[2008/04/13 18:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\bits\qmgr.dll
[2008/04/13 18:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\qmgr.dll
[2003/03/31 06:00:00 | 000,221,696 | ---- | M] (Microsoft Corporation) MD5=6A1CF14D0E7D0B2241F552223769C8A7 -- C:\WINDOWS\$NtUninstallKB842773$\qmgr.dll
 
< MD5 for: SCECLI.DLL  >
[2004/08/04 01:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
 
< MD5 for: SFCFILES.DLL  >
[2004/08/04 01:56:45 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\$NtServicePackUninstall$\sfcfiles.dll
[2008/04/13 18:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\ServicePackFiles\i386\sfcfiles.dll
[2008/04/13 18:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\system32\sfcfiles.dll
 
< MD5 for: SPOOLSV.EXE  >
[2004/08/04 01:56:57 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=7435B108B935E42EA92CA94F59C8E717 -- C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
[2003/03/31 06:00:00 | 000,051,200 | ---- | M] (Microsoft Corporation) MD5=9B4155BA58192D4073082B8FC5D42612 -- C:\WINDOWS\$NtUninstallKB896423_0$\spoolsv.exe
[2005/06/10 18:17:13 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=AD3D9D191AEA7B5445FE1D82FFBB4788 -- C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[2008/04/13 18:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
[2008/04/13 18:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\system32\spoolsv.exe
[2005/06/10 17:53:32 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=DA81EC57ACD4CDC3D4C51CF3D409AF9F -- C:\WINDOWS\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
[2005/06/10 17:53:32 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=DA81EC57ACD4CDC3D4C51CF3D409AF9F -- C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
 
< MD5 for: SRSVC.DLL  >
[2008/04/13 18:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\ServicePackFiles\i386\srsvc.dll
[2008/04/13 18:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\system32\srsvc.dll
[2004/08/04 01:56:45 | 000,170,496 | ---- | M] (Microsoft Corporation) MD5=92BDF74F12D6CBEC43C94D4B7F804838 -- C:\WINDOWS\$NtServicePackUninstall$\srsvc.dll
 
< MD5 for: SVCHOST.EXE  >
[2008/04/13 18:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 18:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 01:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
 
< MD5 for: TERMSRV.DLL  >
[2004/08/04 01:56:46 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=B60C877D16D9C880B952FDA04ADF16E6 -- C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
[2008/04/13 18:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
[2008/04/13 18:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\system32\termsrv.dll
 
< MD5 for: USERINIT.EXE  >
[2004/08/04 01:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 18:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 18:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
 
< MD5 for: WS2_32.DLL  >
[2008/04/13 18:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
[2008/04/13 18:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll
[2004/08/04 01:56:46 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
[2006/05/19 06:15:33 | 000,070,656 | ---- | M] (Microsoft Corporation) MD5=3748E0FC8C1B6ADA49F98C8E69A4228C -- C:\WINDOWS\$NtUninstallKB922819_0$\ws2_32.dll
[2003/03/31 06:00:00 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=8529C295DF59B564D37A73B5629162B1 -- C:\WINDOWS\$NtUninstallKB914388_0$\ws2_32.dll
 
< MD5 for: XMLPROV.DLL  >
[2008/04/13 18:12:11 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\ServicePackFiles\i386\xmlprov.dll
[2008/04/13 18:12:11 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\system32\xmlprov.dll
[2004/08/04 01:56:46 | 000,129,536 | ---- | M] (Microsoft Corporation) MD5=EEF46DAB68229A14DA3D8E73C99E2959 -- C:\WINDOWS\$NtServicePackUninstall$\xmlprov.dll
 
< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 18:11:52 | 000,357,888 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2008/04/13 18:11:52 | 000,205,312 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[6 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
 
< %systemroot%\Tasks\*.job /lockedfiles >
 
========== Alternate Data Streams ==========
 
Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D287FACF
Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B63300D1
Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

There has been a virus which is spreading through MSN / Live messenger which shows you a link in the IM window with a text which says “Hi, this is your photo?" --

Do not click on the link on this message, this takes you to a URL which infects your computer with a nasty virus.

Complete details here. Beware of the New “hi. this is your photo?” MSN Virus

If you do find yourself infected with this or any other virus you can get help here. Read this before requesting malware removal help
My friend has an issue like this and it's shown up him chatting to me RANDOMLY (while offline) with a phishing link.

It changes each time, "Check out my new photo collection", "I made a huge amount of cash using google adsense, check out this", etc.

The link LOOKS fishy but also changes, has a generated code on the end of it. If you click it asks you to login to view with your msn details. If you ever return to the site or go there without that code it will just say 'Hello!'.

Friend says he removed it and it comes back, MAYBE this will help him out. Might be a bit DIFFERENT but cheers.Thanks for the EXTRA information.

Avira found JAVA.dldr.agen.na.1 and another variant. IE is locked up and pop-up Security Warnings are making it impossible to get anything to run. The HJT exe won't run and the SuperAntiSpyware exe won't run, both start but terminate almost immediately. My AT&T Parental Controls app is locked up and I've pulled the network cable so this thing doesn't do even more damage.

What now?Try not to restart the computer until one of the tools we use does it  for you or tells you to.

1) Please download and run the below  tool named Rkill (courtesy of BleepingComputer.com) which  may help allow other programs to run.
 
There are 4 different  versions. If one of them won't run then download and try to run the next  one.
 
Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your  antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

*  Double-click on the Rkill desktop icon to run the tool.
*  If using Vista or Windows 7 right-click on it and  choose Run As Administrator.
* A  black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* When finished it will create a log.
* Please post the rkill.log in the next reply.

*  If Rkill does not run from the first link, delete the file, then  download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until  the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.


Once you've gotten one of them to run then try to immediately run the following.


2) Download and run exeHelper

*  Please download  exeHelper from Raktor to your desktop.
* Double-click on  exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
*  Add the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs  together (they will both be in the one file).


3) If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:

* Update Malwarebytes' Anti-Malware
* Launch Malwarebytes' Anti-Malware

* Then click Finish
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.Unfortunately, none of the Rkill apps produced a log file. The DOS box would open, some text would briefly appear than the box would close and the bogus Security Warning would pop and say that some file (cmd.exe or pev.rkexe, for instance) was infected and asking me if I wanted to start the (bogus) AV application.

The machine still has not been restarted since the problem first surfaced.Restart the computer into Safe Mode and try running them.rkill.com ran after computer was restarted in safe mode.

rkill log as requested:

This log file is LOCATED at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Dad on 02/26/2010 at 23:55:45.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Dad\Desktop\rkill.com


Rkill completed on 02/26/2010  at 23:55:46.

exeHelper log as requested:

exeHelper by Raktor
Build 20091220
Run at 23:56:22 on 02/26/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Malwarebytes log as requested:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service PACK 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/27/2010 12:10:02 AM
mbam-log-2010-02-27 (00-10-02).txt

Scan type: Quick Scan
Objects scanned: 151375
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes could not update and gave an error message (screenshot in the attached jpeg file).

Thank you.

[Saving space, attachment deleted by admin]Try this please. Run Rkill and exeHelper again if needed but try it from Normal Mode first.

If you already have COMBOFIX be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixRebooted to Normal mode, ComboFix ran.

ComboFix log as requested:

ComboFix 10-02-27.04 - Dad 02/27/2010  11:32:58.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.978.584 [GMT -8:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mom\Local Settings\Application Data\ftbdbb
c:\documents and settings\Mom\Local Settings\Application Data\ftbdbb\krarsftav.exe
c:\recycler\S-1-5-21-4033299657-1658935796-1921181509-500

.
(((((((((((((((((((((((((   Files Created from 2010-01-27 to 2010-02-27  )))))))))))))))))))))))))))))))
.

2010-02-27 08:12 . 2010-01-08 00:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 08:12 . 2010-02-27 08:12   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-27 08:12 . 2010-01-08 00:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-27 07:59 . 2010-02-27 07:59   --------   d-----w-   c:\documents and settings\Dad\Application Data\Malwarebytes
2010-02-27 07:59 . 2010-02-27 07:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-22 08:20 . 2010-02-22 08:20   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-02-21 02:45 . 2010-02-21 03:29   --------   d-----w-   c:\documents and settings\Mom\Local Settings\Application Data\CutePDF Writer
2010-02-17 03:32 . 2010-02-17 03:32   --------   d-----w-   c:\documents and settings\James\Local Settings\Application Data\Identities
2010-02-14 11:14 . 2010-02-14 11:14   --------   d-----w-   c:\documents and settings\Sam\Local Settings\Application Data\Freecorder
2010-02-14 11:14 . 2010-02-14 11:14   --------   d-----w-   c:\documents and settings\Sam\Local Settings\Application Data\Conduit
2010-02-14 10:49 . 2010-02-14 10:49   --------   d-sh--w-   c:\documents and settings\Sam\PrivacIE

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 08:51 . 2009-10-25 21:50   1   ----a-w-   c:\documents and settings\Mom\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-19 06:32 . 2009-10-28 05:32   1   ----a-w-   c:\documents and settings\James\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-14 10:21 . 2009-11-01 05:39   1   ----a-w-   c:\documents and settings\Sam\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-18 19:15 . 2009-10-25 03:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-01-18 19:10 . 2010-01-18 19:09   1924200   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-01-17 05:19 . 2010-01-17 05:19   23472   ----a-w-   c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-17 05:19 . 2010-01-17 05:19   --------   d-----w-   c:\documents and settings\Mom\Application Data\Intuit
2010-01-17 05:11 . 2010-01-17 05:07   --------   d-----w-   c:\program files\Quicken
2010-01-17 05:10 . 2010-01-17 05:10   4997120   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\161127-161225.dll
2010-01-17 05:08 . 2010-01-17 05:08   991232   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\16141-16157.dll
2010-01-17 05:08 . 2010-01-17 05:08   241664   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-01-17 05:08 . 2010-01-17 05:08   843776   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\161225-161321.dll
2010-01-17 05:08 . 2010-01-17 05:08   462848   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\161321-16141.dll
2010-01-17 05:08 . 2010-01-17 05:08   1008   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2010-01-17 05:08 . 2010-01-17 05:08   23472   ----a-w-   c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-17 05:07 . 2010-01-17 05:07   --------   d-----w-   c:\documents and settings\Dad\Application Data\Intuit
2010-01-17 05:07 . 2010-01-17 05:07   --------   d-----w-   c:\program files\Common Files\Palo Alto Software
2010-01-17 05:07 . 2010-01-17 05:07   --------   d-----w-   c:\program files\Common Files\Intuit
2010-01-17 05:06 . 2010-01-17 05:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\Intuit
2010-01-13 06:55 . 2009-10-25 05:42   1   ----a-w-   c:\documents and settings\Dad\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-05 06:57 . 2009-12-19 04:43   --------   d-----w-   c:\documents and settings\Mom\Application Data\Smilebox
2010-01-02 04:54 . 2009-12-31 19:06   --------   d-----w-   c:\program files\ATT Internet Tools
2009-12-31 23:10 . 2009-12-31 23:10   --------   d-----w-   c:\documents and settings\Dad\Application Data\OpenDNS Updater
2009-12-31 23:10 . 2009-12-31 23:10   --------   d-----w-   c:\program files\OpenDNS Updater
2009-12-31 19:06 . 2009-12-31 19:06   24576   ----a-w-   c:\windows\system32\msxml3a.dll
2009-12-31 16:50 . 2004-08-04 06:14   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-24 01:42 . 2010-01-06 06:11   52224   ----a-w-   c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
2009-12-24 01:42 . 2010-01-06 06:11   101376   ----a-w-   c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
2009-12-21 19:14 . 2004-08-04 07:56   916480   ----a-w-   c:\windows\system32\wininet.dll
2009-12-19 04:43 . 2009-12-19 04:43   57943   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\uninstall.exe
2009-12-16 18:43 . 2004-08-04 07:56   343040   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15   2146304   ----a-w-   c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2004-08-04 07:56   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-04 06:20   2145280   ----a-w-   c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2006-02-28 09:00   2023936   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2009-12-08 00:37 . 2009-10-25 03:34   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-12-07 12:22 . 2009-12-07 12:22   266888   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxTray.exe
2009-12-07 12:22 . 2009-12-07 12:22   205448   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxDvd.exe
2009-12-07 12:22 . 2009-12-07 12:14   373384   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxStarter.exe
2009-12-07 12:22 . 2009-12-07 11:39   168584   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxBrowserEngine.dll
2009-12-07 12:14 . 2009-12-07 12:14   1593992   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxClient.exe
2009-12-07 11:39 . 2009-12-07 11:39   344712   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxDvdEngine.dll
2009-12-07 11:39 . 2009-12-07 11:39   123528   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxUpdater.exe
2009-12-05 13:33 . 2009-12-05 13:33   23472   ----a-w-   c:\documents and settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-04 18:22 . 2004-08-04 06:15   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2009-12-03 16:54 . 2009-12-03 16:54   70984   ----a-w-   c:\documents and settings\Mom\g2mdlhlpx.exe
2010-01-02 04:50 . 2010-01-02 04:50   94208   ----a-w-   c:\program files\mozilla firefox\components\blsfflock.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-11-10 02:38   2331672   ----a-w-   c:\program files\Freecorder\tbFree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-01-24 2289664]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2009-11-16 839168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-07 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-26 1015808]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-07 408344]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-05-23 677408]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-10-08 127036]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
"blspcloader"="c:\program files\ATT Internet Tools\blsloader.exe" [2010-01-02 107856]

c:\documents and settings\James\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\Mom\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\Sam\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30   74240   ----a-r-   c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      SbHpNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [6/13/2007 4:53 PM 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 12:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [6/14/2007 3:22 PM 13184]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/18/2007 6:32 PM 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [6/13/2007 4:53 PM 5808]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/24/2009 7:34 PM 108289]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/3/2004 11:56 PM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/3/2004 11:56 PM 14336]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [7/9/2007 4:03 PM 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [10/24/2009 5:11 PM 576024]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [10/24/2009 4:57 PM 2521880]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/24/2009 4:09 PM 44800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance   REG_MULTI_SZ      ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 19:30   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gbcph.org/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - component: c:\program files\Mozilla Firefox\components\blsfflock.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-emxamgqa - c:\documents and settings\Mom\Local Settings\Application Data\ftbdbb\krarsftav.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 11:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
c:\windows\SbHpNp.DLL
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(744)
c:\windows\SbHpNp.dll

- - - - - - - > 'explorer.exe'(3376)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\documents and settings\Dad\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\ATT Internet Tools\blshook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\windows\system32\ifxtcs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-02-27  11:56:53 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-27 19:56

Pre-Run: 63,368,904,704 bytes free
Post-Run: 63,747,186,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7BFFD4F9093CB94CAA6AF6725A62F153


[Saving space, attachment deleted by admin]Looks okay. How is the computer running now?

I am suspicious of this file so let's scan it and see what it says.

Please go to Jotti's malware scan
(If more than one file needs scanned they must be done separately and logs posted for each one)

* Copy the file path in the below Code box:
Code: [Select]c:\windows\system32\drivers\SafeBoot.sys* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.After clicking "Submit file" it returns a "Status: File is empty (0 bytes).

When I navigate to this file (SafeBoot.sys) directly it shows 98.7 KB, created on 6/13/2007.

Operation of the PC seems to have stabilized. I'm having problems getting to the internet; the AT&T Parental Controls application does not seem to recognize my (parent) password. I found a workaround and will uninstall this app and keep checking.Okay lets do this then.


* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
No threats found by eSet online scanner; consequently, no option was available to list the found threats or export to text file.

Running again just to make sure I didn't overlook something...If there was no log then that means nothing was found.


If there are no more malware issues we can finish up now.

Use the Secunia Software Inspector to check for out of date software.

* Click Start Scanner
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.