Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Virus & Other Malware Removal Virus & Other Malware Removal
Go to first new post Firefox -> google -> url hijack
Go to first new post Help! Everything not responding!
Go to first new post BSOD ntoskrnl.exe error after FBI Cyberc ...
Go to first new post Trojan virus
Go to first new post CMD.exe problme after removing FBI Virus
Go to first new post cant connect to internet!!
Go to first new post win32.trojan.agent on Ad-Aware
Go to first new post YellowMoxie Redirect
Go to first new post Audio Ads Playing in the Background + Ot ...
Go to first new post Click live search redirect..........Help ...
Go to first new post Blekko Lavasoft search engine removal
Go to first new post windows XP OBJECT DELAY LOAD
Go to first new post Printer Communication Problem- HKLM Boot ...
Go to first new post Infected with "Police Cybercrime In ...
Go to first new post adminstrator account not working
Search Search
Search for:
Tech Support Guy Forums > > >

Solved: Mal_otorun1 Infection.


(!)

Reply
Page 1 of 5 1 234 Last »
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
25-Mar-2009, 09:09 PM #1
Mal_otorun1 Infection.
Hello all of you hard working security experts.

I've been trying to assist a friend with ridding her PC of what she's calling Mal_otorun1, which was found by TrendMicro. We've made a few attempts at getting malwarebytes installed, which, at this point has been a no-go. The program simply won't open so that she can install it. I had a brilliant computer technician suggest that she rename the file, in hopes that it would install. I'm awaiting word on that right now. If we get lucky, and the program installs, I'll post the log here. In the meantime, here's her HJT log.

Thanks for your time.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:42 PM, on 3/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12053 bytes
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
25-Mar-2009, 09:43 PM #2
Update. Renaming the file didn't work.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 89,517 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
25-Mar-2009, 09:57 PM #3
Let's see if she can get this one installed and run the scan.

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
__________________
Microsoft MVP - Consumer Security
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
25-Mar-2009, 10:04 PM #4
Thanks, Karen.

I'll post both of the logs as soon as she sends them to me.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 89,517 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
25-Mar-2009, 10:16 PM #5
Quote:
Originally Posted by Jonesiegirl View Post
Thanks, Karen.

I'll post both of the logs as soon as she sends them to me.
I'm signing off for the night so I'll check back tomorrow.
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
25-Mar-2009, 11:07 PM #6
Quote:
Originally Posted by Cookiegal View Post
I'm signing off for the night so I'll check back tomorrow.
It'll probably be Thursday night before I get the logs, Karen. (She's working long hours.)

I'll see you then.
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
25-Mar-2009, 11:15 PM #7
Oh! I spoke to soon! She just emailed them to me!

Combo Fix Log in this post. Next post will be her new HJT log.


ComboFix 09-03-25.02 - Mary 2009-03-25 22:39:45.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.294 [GMT -4:00]
Running from: c:\users\Mary\Desktop\combofix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Windows\Start Menu\Programs\MalwareCrush
c:\programdata\Microsoft\Windows\Start Menu\Programs\MalwareCrush\MalwareCrush 3.7 Website.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\MalwareCrush\Uninstall MalwareCrush 3.7.lnk
c:\recycler\S-8-9-82-100021030-100025445-100029154-5732.com
c:\windows\system32\drivers\gaopdxwoqdyqbuwtouqadmxffotvbocsvisxxj.sys
c:\windows\system32\gaopdxcdtxodjxampdgerxtnnetffapbegcftu.dll
D:\Autorun.inf
d:\recycler\S-8-9-82-100021030-100025445-100029154-5732.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-25 22:18 . 2009-03-25 22:18 <DIR> d-------- c:\users\Mary\AppData\Roaming\VundoFixTool
2009-03-25 22:18 . 2009-03-25 22:18 <DIR> d-------- c:\program files\VundoFixTool
2009-03-25 21:35 . 2009-03-25 21:35 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-25 21:35 . 2009-03-25 21:35 <DIR> d-------- c:\programdata\Malwarebytes
2009-03-25 21:35 . 2009-03-25 21:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 21:35 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-25 21:35 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-24 19:51 . 2009-03-24 19:53 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-24 00:36 . 2009-03-24 00:36 <DIR> d--hs---- C:\found.000
2009-03-21 23:17 . 2009-03-23 20:28 <DIR> d-------- c:\windows\System32\Service
2009-03-21 22:44 . 2009-03-21 22:44 <DIR> d-------- c:\windows\LocalSSL
2009-03-21 22:36 . 2009-03-21 23:34 <DIR> d-------- c:\users\All Users\Trend Micro
2009-03-21 22:36 . 2009-03-21 23:34 <DIR> d-------- c:\programdata\Trend Micro
2009-03-21 22:22 . 2009-03-21 22:22 1,195,448 --a------ c:\windows\System32\drivers\vsapint.sys
2009-03-21 22:22 . 2009-03-21 22:22 256,528 --a------ c:\windows\System32\drivers\tmwfp.sys
2009-03-21 22:22 . 2009-03-21 22:22 205,328 --a------ c:\windows\System32\drivers\tmxpflt.sys
2009-03-21 22:22 . 2009-03-21 22:22 145,424 --a------ c:\windows\System32\drivers\tmlwf.sys
2009-03-21 22:22 . 2009-03-21 22:22 144,912 --a------ c:\windows\System32\drivers\tmcomm.sys
2009-03-21 22:22 . 2009-03-21 22:22 80,400 --a------ c:\windows\System32\drivers\tmtdi.sys
2009-03-21 22:22 . 2009-03-21 22:22 50,192 --a------ c:\windows\System32\drivers\tmactmon.sys
2009-03-21 22:22 . 2009-03-21 22:22 49,680 --a------ c:\windows\System32\drivers\tmevtmgr.sys
2009-03-21 22:22 . 2009-03-21 22:22 36,368 --a------ c:\windows\System32\drivers\tmpreflt.sys
2009-03-21 16:22 . 2009-03-21 16:23 113,159,154 --a------ c:\windows\MEMORY.DMP
2009-03-20 20:16 . 2009-03-20 20:16 <DIR> d-------- c:\users\Mary\AppData\Roaming\Talkback
2009-03-20 20:15 . 2009-03-20 20:16 <DIR> d-------- c:\users\Mary\AppData\Roaming\Thunderbird
2009-03-19 20:23 . 2009-03-21 11:32 <DIR> d----c--- c:\windows\System32\DRVSTORE
2009-03-19 20:22 . 2009-03-21 11:33 <DIR> d-------- c:\users\All Users\Lavasoft
2009-03-19 20:22 . 2009-03-21 11:33 <DIR> d-------- c:\programdata\Lavasoft
2009-03-19 18:32 . 2009-03-21 15:01 <DIR> d-------- c:\program files\SpywareGuard
2009-03-18 20:40 . 2009-03-18 20:40 <DIR> d-------- c:\program files\Alwil Software
2009-03-15 20:06 . 2009-03-15 20:06 <DIR> d-------- c:\program files\HDExtrem
2009-03-14 20:10 . 2009-03-18 20:25 <DIR> d-------- c:\users\All Users\McAfee
2009-03-14 20:10 . 2009-03-18 20:25 <DIR> d-------- c:\programdata\McAfee
2009-03-11 08:14 . 2009-03-11 08:15 <DIR> d-------- c:\program files\James Patterson's Women's Murder Club - A Darker Shade of Grey
2009-03-10 18:22 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 18:22 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 18:22 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-10 18:21 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-02 21:42 . 2009-03-02 21:42 <DIR> d-------- c:\users\Mary\AppData\Roaming\BrandX Games
2009-02-28 22:31 . 2009-02-28 22:31 <DIR> d-------- c:\users\All Users\BigFish
2009-02-28 22:31 . 2009-02-28 22:31 <DIR> d-------- c:\programdata\BigFish

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 00:55 --------- d-----w c:\users\Mary\AppData\Roaming\ComcastToolbar
2009-03-23 21:20 --------- d---a-w c:\programdata\TEMP
2009-03-23 21:18 --------- d-----w c:\program files\Mystery Case Files - Ravenhearst
2009-03-23 20:30 --------- d-----w c:\users\Mary\AppData\Roaming\WeatherBug
2009-03-23 01:29 --------- d-----w c:\program files\Trend Micro
2009-03-20 00:27 --------- d-----w c:\program files\Google
2009-03-12 00:58 --------- d-----w c:\program files\WildGames
2009-03-12 00:50 --------- d-----w c:\program files\MSN Games
2009-03-11 12:27 --------- d-----w c:\users\Mary\AppData\Roaming\Flood Light Games
2009-03-11 12:27 --------- d-----w c:\programdata\Flood Light Games
2009-03-11 07:05 --------- d-----w c:\programdata\Microsoft Help
2009-02-25 02:27 --------- d-----w c:\users\Mary\AppData\Roaming\WildTangent
2009-02-25 02:26 --------- d-----w c:\programdata\WildTangent
2009-02-20 20:17 --------- d-----w c:\users\Mary\AppData\Roaming\HSA
2009-02-20 12:32 --------- d-----w c:\programdata\GameHouse
2009-02-14 03:56 --------- d-----w c:\programdata\HoverBee Studios
2009-02-12 13:51 --------- d-----w c:\program files\AIM6
2009-02-12 13:50 --------- d-----w c:\programdata\Viewpoint
2009-02-12 13:50 --------- d-----w c:\programdata\acccore
2009-02-12 13:50 --------- d-----w c:\program files\Common Files\Software Update Utility
2009-02-12 13:48 --------- d-----w c:\programdata\AOL Downloads
2009-02-11 23:10 936,288 ----a-w c:\windows\System32\Incinerator.dll
2009-02-09 02:14 --------- d-----w c:\users\Mary\AppData\Roaming\Jetsetter
2009-01-31 03:49 --------- d-----w c:\users\Mary\AppData\Roaming\Island
2009-01-31 02:49 --------- d-----w c:\users\Mary\AppData\Roaming\RobinsonCrusoe
2009-01-31 02:40 --------- d-----w c:\program files\Adventures of Robinson Crusoe
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-07-19 00:40 174 --sha-w c:\program files\desktop.ini
2007-12-13 23:08 0 ----a-w c:\users\Mary\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-21 497008]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"VundoFixTool"="c:\program files\VundoFixTool\VundoFixTool.exe" [2009-03-24 19451904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2009-02-11 314224]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-21 970808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-21 497008]

c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-07 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3586541812-533695731-4199019274-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7F4889EC-579F-4D71-BC1B-ACE9ABEB4DC1}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{30D010D9-E843-48E6-83EB-2ED46FB6211B}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{D175FBC6-119E-4BAC-B7B0-A4946739773A}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{C7C5BC49-1135-49B3-AC17-01597EDD2642}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{35326614-FB84-42E7-BF60-5F936509910C}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{E25E7D60-921A-4539-8D75-1A1EA3F4CC93}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{B6C57DB6-A5B2-48E0-9ECF-FBF2147C5FCF}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{9E09E2AA-4AFA-4018-9F7E-A65A93C32D20}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{9092D829-87CB-41EC-B0F8-3E2BE9DD81B8}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{9B96259D-F91D-4360-8FD9-850741F16CC6}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{B73EF684-E652-4107-BC47-99763993A09E}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
"{898AAC2C-DBD2-40FB-B61B-D2BE8145D176}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
"{CCB12DA5-6F1C-4A95-AE49-2D18700E5B38}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{DECEAC32-1BBE-4553-A413-3F1DDCF1368C}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{C7AA985A-5D2F-4576-848B-A93E2DCB2E2A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{85D01A0F-A054-4324-A234-C72BBA3CF210}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{FEF1D0DD-9EDC-4906-89CB-97AFB12E19F0}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{CD535AD3-67B9-446D-A3E4-A2D6E49396BC}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{866044E7-7FAC-4076-BD99-0F5084694057}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{9180FD48-7387-489A-924E-BEEB225636B9}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{289800C0-E530-474A-A1E0-F817BCA96F2E}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{41F88FB0-2148-43C6-8658-BA36E8967025}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{E52E6BD5-FE5A-4ECA-BDFF-C75FB87A2681}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CB7355D1-1809-42C8-B009-94420BD70062}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{9A057361-D3C4-40B8-B280-8243DA722E0E}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{C2EC1CC5-F054-49FA-8B78-5BF4DD2738FE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0F2210C7-5EFE-466F-80ED-05938DAE4221}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6A8E1455-2A88-4EF3-B76D-D1501D9BB31E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{19B1BE35-B2F5-4887-B4F3-48B1407E4780}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0C2CDAC7-139F-416B-8E1E-09561D5C0983}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{FE5E8346-43E1-4945-B5CB-E7A59CFA2C45}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{123BCAF2-EA42-447C-9930-2B67591190C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D7D4F645-8AE3-480D-9981-D0C135D7DC3F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B35DADDE-B647-4CBA-BD43-09E926448E4D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AC93B261-6543-47D3-9B7A-86BDDE3A73AB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{98291DEC-E2A0-401E-B9A1-CE59642DF7DB}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{EF8ED2C2-A5BD-420E-940B-6F90B9CB085B}"= Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{94F7C70A-8D87-423F-93D5-9D659DAD7D43}"= UDP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{6719C64E-E781-4E84-A13F-77B6960CBAD0}"= TCP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{8155B286-8452-450C-9D3E-A11A2ADD3AAF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9DB4DD33-5831-4A88-8842-5F2112CADFC5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{919EC946-E465-425A-A0D7-3932482D6D64}"= UDP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exeriveScrubber 3
"{A44216C4-DF98-4A08-803F-5BADEE4914C6}"= TCP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exeriveScrubber 3
"{791E7A25-C7ED-438C-8E00-03C39A2AA1EC}"= UDP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"{0A82E8FF-B4FA-4B81-A2B4-EE2B6EFC7591}"= TCP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"{4EB7C6D7-F5FA-4C04-A064-F9CFBE9B0F2B}"= UDP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
"{77B5D989-46F3-4CEA-B105-9A408F5795C6}"= TCP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
"{9CB1B822-24A0-47E6-BBFE-239B7A16632B}"= UDP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
"{75DFE27C-43F4-40C3-A66C-C80FEFBC04A9}"= TCP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
"{90556DEB-23C8-4183-908B-F3E784C94954}"= UDP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger
"{A7D5F094-3EE4-4540-9A8B-6D752808752F}"= TCP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger
"{B15FD292-C021-4385-92D6-82BA4C06E71F}"= Disabled:UDP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{5E5DB1EB-B1C8-4DD8-A285-EB4EEAA8F0F9}"= Disabled:TCP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{2E9E2649-60D6-4597-AD7A-AC31DBE5D83F}"= Disabled:c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{70F4D63B-9EB7-44BE-8316-CAB0C1536CEF}"= Disabled:UDP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{8F8B6735-C493-4DEB-BD0D-CA4652702BCE}"= Disabled:TCP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{5CB05E5B-D12B-444E-A87D-EF922193D54A}"= Disabled:UDP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
"{2D4B8DCC-A3BB-407C-AD4D-297EAEAB0513}"= Disabled:TCP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
"{CC7DCEBD-DD82-40D6-92EB-38BF6645BC82}"= Disabled:UDP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
"{5613C2FD-9840-4C1A-831E-73715877A339}"= Disabled:TCP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
"{9812BCE1-D6F9-4C50-812E-620FB6000DA0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A230A7F3-5617-4FE9-80DA-83871D49A375}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{46C8DB4B-F3C3-4F49-A1F0-02994D0706D6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3710AAC5-F10D-4B6C-A276-F72423F6FD19}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{ED47475A-1765-4DC1-93FF-FC36DFE14C0B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9D4A312A-3F91-4CD0-86C9-F516F9CCA80D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AAF5B073-7BE8-4D32-8735-A62DE90F72EE}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9D8D69B2-24A8-48F8-9B42-A71BF03811FF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A9411C03-217C-4F44-9AEE-8C577116C8DC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0E37C095-FC56-44AA-B246-E50CEAEAFE0E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{28DFEE7A-8E04-4BEE-A5E9-87B7346620B4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{03565B16-AB53-4E22-B571-9D3E9FD8AFCF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [2008-05-11 12800]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2009-03-21 145424]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2007-12-07 73728]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-21 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [2009-03-21 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-21 492888]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2009-03-21 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-21 677128]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2009-03-21 256528]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-15 24652]
R2 VundoFixToolSrv;VundoFixTool Scanning Engine;c:\program files\VundoFixTool\VundoFixTool.srv.exe [2009-03-24 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2008-01-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2009-03-21 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

2009-03-25 c:\windows\Tasks\User_Feed_Synchronization-{04FDB26F-EAC6-4E4E-A4A1-98E788060B08}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 03:33]

2009-03-26 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool\VundoFixTool.exe [2009-03-24 09:34]

2009-03-26 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool [2009-03-25 22:18]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = actsvr.comcast:8100
Trusted Zone: internet
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 22:51:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
Completion time: 2009-03-25 22:54:37
ComboFix-quarantined-files.txt 2009-03-26 02:54:32

Pre-Run: 96,109,043,712 bytes free
Post-Run: 96,074,567,680 bytes free

328 --- E O F --- 2009-03-15 07:28:01
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
25-Mar-2009, 11:16 PM #8
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:42 PM, on 3/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12053 bytes
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 89,517 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
26-Mar-2009, 05:10 PM #9
If there's an entry in Add or Remove programs for Winferno\RegistryPowerCleaner then have her uninstall it from therefore doing the following. If it doesn't exist then just carry on with the rest of the instructions.

Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
c:\windows\Tasks\rpc.job
c:\windows\Tasks\VundoFixTool Scheduled Scan.job

Folder::
c:\program files\Winferno
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Please see if she can run MalwareBytes now that ComboFix has cleaned up some of the mess.

Also, have her do this please:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.
__________________
Microsoft MVP - Consumer Security
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
26-Mar-2009, 09:21 PM #10
You're getting her there, Karen!!


ComboFix 09-03-25.04 - Mary 2009-03-26 20:14:19.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.221 [GMT -4:00]
Running from: c:\users\Mary\Desktop\combofix.exe
Command switches used :: c:\users\Mary\Desktop\CFscript.txt.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\Tasks\rpc.job
c:\windows\Tasks\VundoFixTool Scheduled Scan.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\gaopdxwoqdyqbuwtouqadmxffotvbocsvisxxj.sys
c:\windows\system32\gaopdxcounter
c:\windows\Tasks\rpc.job
c:\windows\Tasks\VundoFixTool Scheduled Scan.job
.
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.
2009-03-26 19:17 . 2009-03-26 19:17
d-------- c:\users\Mary\AppData\Roaming\Malwarebytes
2009-03-26 05:39 . 2009-03-05 22:17 1,195,512 --a------ c:\windows\System32\drivers\vsapint.sys
2009-03-26 05:39 . 2009-03-05 22:17 205,328 --a------ c:\windows\System32\drivers\tmxpflt.sys
2009-03-26 05:39 . 2009-03-05 22:17 36,368 --a------ c:\windows\System32\drivers\tmpreflt.sys
2009-03-25 22:18 . 2009-03-25 22:18
d-------- c:\users\Mary\AppData\Roaming\VundoFixTool
2009-03-25 22:18 . 2009-03-25 22:18
d-------- c:\program files\VundoFixTool
2009-03-25 21:35 . 2009-03-25 21:35
d-------- c:\users\All Users\Malwarebytes
2009-03-25 21:35 . 2009-03-25 21:35
d-------- c:\programdata\Malwarebytes
2009-03-25 21:35 . 2009-03-26 19:19
d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 21:35 . 2009-03-26 16:49 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-25 21:35 . 2009-03-26 16:49 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-24 19:51 . 2009-03-24 19:53
d-------- c:\program files\Windows Live Safety Center
2009-03-24 00:36 . 2009-03-24 00:36
d--hs---- C:\found.000
2009-03-21 23:17 . 2009-03-23 20:28
d-------- c:\windows\System32\Service
2009-03-21 22:44 . 2009-03-21 22:44
d-------- c:\windows\LocalSSL
2009-03-21 22:36 . 2009-03-21 23:34
d-------- c:\users\All Users\Trend Micro
2009-03-21 22:36 . 2009-03-21 23:34
d-------- c:\programdata\Trend Micro
2009-03-21 22:22 . 2009-03-03 19:12 256,528 --a------ c:\windows\System32\drivers\tmwfp.sys
2009-03-21 22:22 . 2009-03-03 04:34 150,032 --a------ c:\windows\System32\drivers\tmcomm.sys
2009-03-21 22:22 . 2009-03-03 19:12 145,424 --a------ c:\windows\System32\drivers\tmlwf.sys
2009-03-21 22:22 . 2009-03-03 19:12 80,400 --a------ c:\windows\System32\drivers\tmtdi.sys
2009-03-21 22:22 . 2009-03-03 04:34 50,192 --a------ c:\windows\System32\drivers\tmevtmgr.sys
2009-03-21 22:22 . 2009-03-03 04:34 50,192 --a------ c:\windows\System32\drivers\tmactmon.sys
2009-03-21 16:22 . 2009-03-21 16:23 113,159,154 --a------ c:\windows\MEMORY.DMP
2009-03-20 20:16 . 2009-03-20 20:16
d-------- c:\users\Mary\AppData\Roaming\Talkback
2009-03-20 20:15 . 2009-03-20 20:16
d-------- c:\users\Mary\AppData\Roaming\Thunderbird
2009-03-19 20:23 . 2009-03-21 11:32
d----c--- c:\windows\System32\DRVSTORE
2009-03-19 20:22 . 2009-03-21 11:33
d-------- c:\users\All Users\Lavasoft
2009-03-19 20:22 . 2009-03-21 11:33
d-------- c:\programdata\Lavasoft
2009-03-19 18:32 . 2009-03-21 15:01
d-------- c:\program files\SpywareGuard
2009-03-18 20:40 . 2009-03-18 20:40
d-------- c:\program files\Alwil Software
2009-03-15 20:06 . 2009-03-26 19:48
d-------- c:\program files\HDExtrem
2009-03-14 20:10 . 2009-03-18 20:25
d-------- c:\users\All Users\McAfee
2009-03-14 20:10 . 2009-03-18 20:25
d-------- c:\programdata\McAfee
2009-03-11 08:14 . 2009-03-11 08:15
d-------- c:\program files\James Patterson's Women's Murder Club - A Darker Shade of Grey
2009-03-10 18:22 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 18:22 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 18:22 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-10 18:21 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-02 21:42 . 2009-03-02 21:42
d-------- c:\users\Mary\AppData\Roaming\BrandX Games
2009-02-28 22:31 . 2009-02-28 22:31
d-------- c:\users\All Users\BigFish
2009-02-28 22:31 . 2009-02-28 22:31
d-------- c:\programdata\BigFish
,

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 00:55 --------- d-----w c:\users\Mary\AppData\Roaming\ComcastToolbar
2009-03-23 21:20 --------- d---a-w c:\programdata\TEMP
2009-03-23 21:18 --------- d-----w c:\program files\Mystery Case Files - Ravenhearst
2009-03-23 20:30 --------- d-----w c:\users\Mary\AppData\Roaming\WeatherBug
2009-03-23 01:29 --------- d-----w c:\program files\Trend Micro
2009-03-20 00:27 --------- d-----w c:\program files\Google
2009-03-12 00:58 --------- d-----w c:\program files\WildGames
2009-03-12 00:50 --------- d-----w c:\program files\MSN Games
2009-03-11 12:27 --------- d-----w c:\users\Mary\AppData\Roaming\Flood Light Games
2009-03-11 12:27 --------- d-----w c:\programdata\Flood Light Games
2009-03-11 07:05 --------- d-----w c:\programdata\Microsoft Help
2009-02-25 02:27 --------- d-----w c:\users\Mary\AppData\Roaming\WildTangent
2009-02-25 02:26 --------- d-----w c:\programdata\WildTangent
2009-02-20 20:17 --------- d-----w c:\users\Mary\AppData\Roaming\HSA
2009-02-20 12:32 --------- d-----w c:\programdata\GameHouse
2009-02-14 03:56 --------- d-----w c:\programdata\HoverBee Studios
2009-02-12 13:51 --------- d-----w c:\program files\AIM6
2009-02-12 13:50 --------- d-----w c:\programdata\Viewpoint
2009-02-12 13:50 --------- d-----w c:\programdata\acccore
2009-02-12 13:50 --------- d-----w c:\program files\Common Files\Software Update Utility
2009-02-12 13:48 --------- d-----w c:\programdata\AOL Downloads
2009-02-11 23:10 936,288 ----a-w c:\windows\System32\Incinerator.dll
2009-02-09 02:14 --------- d-----w c:\users\Mary\AppData\Roaming\Jetsetter
2009-01-31 03:49 --------- d-----w c:\users\Mary\AppData\Roaming\Island
2009-01-31 02:49 --------- d-----w c:\users\Mary\AppData\Roaming\RobinsonCrusoe
2009-01-31 02:40 --------- d-----w c:\program files\Adventures of Robinson Crusoe
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-07-19 00:40 174 --sha-w c:\program files\desktop.ini
2007-12-13 23:08 0 ----a-w c:\users\Mary\AppData\Roaming\wklnhst.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-03-25_22.52.14.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 00:11:50 6,438,912 ----a-w c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
- 2009-03-26 01:34:00 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-03-26 09:57:34 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
- 2009-03-26 02:37:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-26 09:53:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-26 02:37:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-26 09:53:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-26 02:50:52 262,144 ----a-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-03-26 09:56:17 262,144 ----a-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-03-26 02:51:08 262,144 ----a-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-03-26 09:56:10 262,144 ----a-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-03-26 01:30:46 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-03-27 00:11:31 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
- 2009-03-26 01:30:46 32,768 ------w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
+ 2009-03-27 00:11:31 32,768 ------w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2009-03-26 01:30:46 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2009-03-27 00:11:31 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2009-03-26 02:31:25 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-03-27 00:12:22 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2009-03-26 02:37:05 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-03-26 09:57:56 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-03-26 02:40:00 10,694 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3586541812-533695731-4199019274-1000_UserData.bin
+ 2009-03-26 09:56:26 10,710 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3586541812-533695731-4199019274-1000_UserData.bin
- 2009-03-26 02:40:00 73,278 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-26 09:56:25 73,372 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-26 02:39:55 51,638 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-26 09:56:07 52,262 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-03-26 00:34:15 259,752 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-03-26 23:10:15 260,222 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-13 492808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"VundoFixTool"="c:\program files\VundoFixTool\VundoFixTool.exe" [2009-03-24 19451904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2009-02-11 314224]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-13 995528]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-13 492808]
c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-07 50688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3586541812-533695731-4199019274-1000]
"EnableNotificationsRef"=dword:00000002
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7F4889EC-579F-4D71-BC1B-ACE9ABEB4DC1}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{30D010D9-E843-48E6-83EB-2ED46FB6211B}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{D175FBC6-119E-4BAC-B7B0-A4946739773A}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{C7C5BC49-1135-49B3-AC17-01597EDD2642}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{35326614-FB84-42E7-BF60-5F936509910C}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{E25E7D60-921A-4539-8D75-1A1EA3F4CC93}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{B6C57DB6-A5B2-48E0-9ECF-FBF2147C5FCF}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{9E09E2AA-4AFA-4018-9F7E-A65A93C32D20}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{9092D829-87CB-41EC-B0F8-3E2BE9DD81B8}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{9B96259D-F91D-4360-8FD9-850741F16CC6}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{B73EF684-E652-4107-BC47-99763993A09E}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
"{898AAC2C-DBD2-40FB-B61B-D2BE8145D176}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
"{CCB12DA5-6F1C-4A95-AE49-2D18700E5B38}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{DECEAC32-1BBE-4553-A413-3F1DDCF1368C}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{C7AA985A-5D2F-4576-848B-A93E2DCB2E2A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{85D01A0F-A054-4324-A234-C72BBA3CF210}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{FEF1D0DD-9EDC-4906-89CB-97AFB12E19F0}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{CD535AD3-67B9-446D-A3E4-A2D6E49396BC}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{866044E7-7FAC-4076-BD99-0F5084694057}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{9180FD48-7387-489A-924E-BEEB225636B9}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{289800C0-E530-474A-A1E0-F817BCA96F2E}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{41F88FB0-2148-43C6-8658-BA36E8967025}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{E52E6BD5-FE5A-4ECA-BDFF-C75FB87A2681}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CB7355D1-1809-42C8-B009-94420BD70062}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{9A057361-D3C4-40B8-B280-8243DA722E0E}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{C2EC1CC5-F054-49FA-8B78-5BF4DD2738FE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0F2210C7-5EFE-466F-80ED-05938DAE4221}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6A8E1455-2A88-4EF3-B76D-D1501D9BB31E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{19B1BE35-B2F5-4887-B4F3-48B1407E4780}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0C2CDAC7-139F-416B-8E1E-09561D5C0983}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{FE5E8346-43E1-4945-B5CB-E7A59CFA2C45}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{123BCAF2-EA42-447C-9930-2B67591190C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D7D4F645-8AE3-480D-9981-D0C135D7DC3F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B35DADDE-B647-4CBA-BD43-09E926448E4D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AC93B261-6543-47D3-9B7A-86BDDE3A73AB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{98291DEC-E2A0-401E-B9A1-CE59642DF7DB}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{EF8ED2C2-A5BD-420E-940B-6F90B9CB085B}"= Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{94F7C70A-8D87-423F-93D5-9D659DAD7D43}"= UDP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{6719C64E-E781-4E84-A13F-77B6960CBAD0}"= TCP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{8155B286-8452-450C-9D3E-A11A2ADD3AAF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9DB4DD33-5831-4A88-8842-5F2112CADFC5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{919EC946-E465-425A-A0D7-3932482D6D64}"= UDP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exeriveScrubber 3
"{A44216C4-DF98-4A08-803F-5BADEE4914C6}"= TCP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exeriveScrubber 3
"{791E7A25-C7ED-438C-8E00-03C39A2AA1EC}"= UDP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"{0A82E8FF-B4FA-4B81-A2B4-EE2B6EFC7591}"= TCP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"{4EB7C6D7-F5FA-4C04-A064-F9CFBE9B0F2B}"= UDP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
"{77B5D989-46F3-4CEA-B105-9A408F5795C6}"= TCP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
"{9CB1B822-24A0-47E6-BBFE-239B7A16632B}"= UDP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
"{75DFE27C-43F4-40C3-A66C-C80FEFBC04A9}"= TCP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
"{90556DEB-23C8-4183-908B-F3E784C94954}"= UDP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger
"{A7D5F094-3EE4-4540-9A8B-6D752808752F}"= TCP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger
"{B15FD292-C021-4385-92D6-82BA4C06E71F}"= Disabled:UDP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{5E5DB1EB-B1C8-4DD8-A285-EB4EEAA8F0F9}"= Disabled:TCP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{2E9E2649-60D6-4597-AD7A-AC31DBE5D83F}"= Disabled:c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{70F4D63B-9EB7-44BE-8316-CAB0C1536CEF}"= Disabled:UDP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{8F8B6735-C493-4DEB-BD0D-CA4652702BCE}"= Disabled:TCP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{5CB05E5B-D12B-444E-A87D-EF922193D54A}"= Disabled:UDP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
"{2D4B8DCC-A3BB-407C-AD4D-297EAEAB0513}"= Disabled:TCP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
"{CC7DCEBD-DD82-40D6-92EB-38BF6645BC82}"= Disabled:UDP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
"{5613C2FD-9840-4C1A-831E-73715877A339}"= Disabled:TCP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
"{9812BCE1-D6F9-4C50-812E-620FB6000DA0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A230A7F3-5617-4FE9-80DA-83871D49A375}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{46C8DB4B-F3C3-4F49-A1F0-02994D0706D6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3710AAC5-F10D-4B6C-A276-F72423F6FD19}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{ED47475A-1765-4DC1-93FF-FC36DFE14C0B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9D4A312A-3F91-4CD0-86C9-F516F9CCA80D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AAF5B073-7BE8-4D32-8735-A62DE90F72EE}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9D8D69B2-24A8-48F8-9B42-A71BF03811FF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A9411C03-217C-4F44-9AEE-8C577116C8DC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0E37C095-FC56-44AA-B246-E50CEAEAFE0E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{28DFEE7A-8E04-4BEE-A5E9-87B7346620B4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{03565B16-AB53-4E22-B571-9D3E9FD8AFCF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{DB98AAF7-0058-4355-B069-A249FA8159B8}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3C74B2C8-61D7-4797-A0BA-B6FF82106464}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8168BCE6-D599-4EF9-A266-1F9F9E059BA7}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)
R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [2008-05-11 12800]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2009-03-21 145424]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2007-12-07 73728]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-21 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [2009-03-21 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-21 497008]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2009-03-26 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-21 677128]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2009-03-21 256528]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-15 24652]
R2 VundoFixToolSrv;VundoFixTool Scanning Engine;c:\program files\VundoFixTool\VundoFixTool.srv.exe [2009-03-24 315392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
2009-03-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
2008-01-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
2009-03-26 c:\windows\Tasks\User_Feed_Synchronization-{04FDB26F-EAC6-4E4E-A4A1-98E788060B08}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 03:33]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = actsvr.comcast:8100
Trusted Zone: internet
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 20:30:38
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

c:\users\Mary\AppData\Local\Temp\catchme.dll 53248 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
Completion time: 2009-03-26 20:42:05
ComboFix-quarantined-files.txt 2009-03-27 00:41:48
ComboFix2.txt 2009-03-26 02:54:39
Pre-Run: 95,515,959,296 bytes free
Post-Run: 97,931,313,152 bytes free
348 --- E O F --- 2009-03-15 07:28:01
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
26-Mar-2009, 09:26 PM #11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:42 PM, on 3/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12053 bytes
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
26-Mar-2009, 09:26 PM #12
She's running malwarebytes right now.
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
26-Mar-2009, 09:30 PM #13
Karen, you want a full scan of malwarebytes, right?
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 89,517 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
26-Mar-2009, 10:02 PM #14
Yes, if it will complete. Otherwise, she can do the quick scan.
Jonesiegirl's Avatar
Member with 359 posts.
THREAD STARTER
  
Join Date: Apr 2003
26-Mar-2009, 10:04 PM #15
She chose the full scan, which is still running.
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 1 of 5 1 234 Last »
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join Today!

(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


TECH SUPPORT GUY
WELCOME
FOLLOW US
 
You Are Using: Server ID
All times are GMT -4. The time now is 12:41 PM.
Advertisements do not imply our endorsement of that product or service.
Copyright © 1996 - 2013 TechGuy, Inc. All rights reserved. Privacy & Terms.

Trusted Website Back to the Top ↑