
Mal_otorun1 Infection.

Discussion in 'Virus & Other Malware Removal' started by Jonesiegirl, Mar 25, 2009.

  1. Jonesiegirl

    Jonesiegirl Thread Starter

    Joined:
    Apr 4, 2003
    Messages:
    360
    Hello all of you hard working security experts. :)

    I've been trying to assist a friend with ridding her PC of what she's calling Mal_otorun1, which was found by TrendMicro. We've made a few attempts at getting Malwarebytes installed, which, at this point, has been a no-go. The program simply won't open so that she can install it. I had a brilliant computer technician suggest that she rename the file, in hopes that it would install. I'm awaiting word on that right now. If we get lucky and the program installs, I'll post the log here. In the meantime, here's her HJT log.

    Thanks for your time. :)



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:43:42 PM, on 3/25/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
    O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 12053 bytes
     
  2. Jonesiegirl

    Jonesiegirl Thread Starter

    Update. Renaming the file didn't work.
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,645
    Let's see if she can get this one installed and run the scan.

    Please visit Combofix Guide & Instructions for instructions on installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  4. Jonesiegirl

    Jonesiegirl Thread Starter

    Thanks, Karen. :)

    I'll post both of the logs as soon as she sends them to me.
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    I'm signing off for the night so I'll check back tomorrow.
     
  6. Jonesiegirl

    Jonesiegirl Thread Starter

    It'll probably be Thursday night before I get the logs, Karen. (She's working long hours.)

    I'll see you then. :)
     
  7. Jonesiegirl

    Jonesiegirl Thread Starter

    Oh! I spoke too soon! She just emailed them to me! (y)

    Combo Fix Log in this post. Next post will be her new HJT log. :)


    ComboFix 09-03-25.02 - Mary 2009-03-25 22:39:45.1 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.294 [GMT -4:00]
    Running from: c:\users\Mary\Desktop\combofix.exe
    AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\Microsoft\Windows\Start Menu\Programs\MalwareCrush
    c:\programdata\Microsoft\Windows\Start Menu\Programs\MalwareCrush\MalwareCrush 3.7 Website.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\MalwareCrush\Uninstall MalwareCrush 3.7.lnk
    c:\recycler\S-8-9-82-100021030-100025445-100029154-5732.com
    c:\windows\system32\drivers\gaopdxwoqdyqbuwtouqadmxffotvbocsvisxxj.sys
    c:\windows\system32\gaopdxcdtxodjxampdgerxtnnetffapbegcftu.dll
    D:\Autorun.inf
    d:\recycler\S-8-9-82-100021030-100025445-100029154-5732.com

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_gaopdxserv.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
    .

    2009-03-25 22:18 . 2009-03-25 22:18 <DIR> d-------- c:\users\Mary\AppData\Roaming\VundoFixTool
    2009-03-25 22:18 . 2009-03-25 22:18 <DIR> d-------- c:\program files\VundoFixTool
    2009-03-25 21:35 . 2009-03-25 21:35 <DIR> d-------- c:\users\All Users\Malwarebytes
    2009-03-25 21:35 . 2009-03-25 21:35 <DIR> d-------- c:\programdata\Malwarebytes
    2009-03-25 21:35 . 2009-03-25 21:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-25 21:35 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
    2009-03-25 21:35 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
    2009-03-24 19:51 . 2009-03-24 19:53 <DIR> d-------- c:\program files\Windows Live Safety Center
    2009-03-24 00:36 . 2009-03-24 00:36 <DIR> d--hs---- C:\found.000
    2009-03-21 23:17 . 2009-03-23 20:28 <DIR> d-------- c:\windows\System32\Service
    2009-03-21 22:44 . 2009-03-21 22:44 <DIR> d-------- c:\windows\LocalSSL
    2009-03-21 22:36 . 2009-03-21 23:34 <DIR> d-------- c:\users\All Users\Trend Micro
    2009-03-21 22:36 . 2009-03-21 23:34 <DIR> d-------- c:\programdata\Trend Micro
    2009-03-21 22:22 . 2009-03-21 22:22 1,195,448 --a------ c:\windows\System32\drivers\vsapint.sys
    2009-03-21 22:22 . 2009-03-21 22:22 256,528 --a------ c:\windows\System32\drivers\tmwfp.sys
    2009-03-21 22:22 . 2009-03-21 22:22 205,328 --a------ c:\windows\System32\drivers\tmxpflt.sys
    2009-03-21 22:22 . 2009-03-21 22:22 145,424 --a------ c:\windows\System32\drivers\tmlwf.sys
    2009-03-21 22:22 . 2009-03-21 22:22 144,912 --a------ c:\windows\System32\drivers\tmcomm.sys
    2009-03-21 22:22 . 2009-03-21 22:22 80,400 --a------ c:\windows\System32\drivers\tmtdi.sys
    2009-03-21 22:22 . 2009-03-21 22:22 50,192 --a------ c:\windows\System32\drivers\tmactmon.sys
    2009-03-21 22:22 . 2009-03-21 22:22 49,680 --a------ c:\windows\System32\drivers\tmevtmgr.sys
    2009-03-21 22:22 . 2009-03-21 22:22 36,368 --a------ c:\windows\System32\drivers\tmpreflt.sys
    2009-03-21 16:22 . 2009-03-21 16:23 113,159,154 --a------ c:\windows\MEMORY.DMP
    2009-03-20 20:16 . 2009-03-20 20:16 <DIR> d-------- c:\users\Mary\AppData\Roaming\Talkback
    2009-03-20 20:15 . 2009-03-20 20:16 <DIR> d-------- c:\users\Mary\AppData\Roaming\Thunderbird
    2009-03-19 20:23 . 2009-03-21 11:32 <DIR> d----c--- c:\windows\System32\DRVSTORE
    2009-03-19 20:22 . 2009-03-21 11:33 <DIR> d-------- c:\users\All Users\Lavasoft
    2009-03-19 20:22 . 2009-03-21 11:33 <DIR> d-------- c:\programdata\Lavasoft
    2009-03-19 18:32 . 2009-03-21 15:01 <DIR> d-------- c:\program files\SpywareGuard
    2009-03-18 20:40 . 2009-03-18 20:40 <DIR> d-------- c:\program files\Alwil Software
    2009-03-15 20:06 . 2009-03-15 20:06 <DIR> d-------- c:\program files\HDExtrem
    2009-03-14 20:10 . 2009-03-18 20:25 <DIR> d-------- c:\users\All Users\McAfee
    2009-03-14 20:10 . 2009-03-18 20:25 <DIR> d-------- c:\programdata\McAfee
    2009-03-11 08:14 . 2009-03-11 08:15 <DIR> d-------- c:\program files\James Patterson's Women's Murder Club - A Darker Shade of Grey
    2009-03-10 18:22 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
    2009-03-10 18:22 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
    2009-03-10 18:22 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
    2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
    2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
    2009-03-10 18:21 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
    2009-03-02 21:42 . 2009-03-02 21:42 <DIR> d-------- c:\users\Mary\AppData\Roaming\BrandX Games
    2009-02-28 22:31 . 2009-02-28 22:31 <DIR> d-------- c:\users\All Users\BigFish
    2009-02-28 22:31 . 2009-02-28 22:31 <DIR> d-------- c:\programdata\BigFish

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-25 00:55 --------- d-----w c:\users\Mary\AppData\Roaming\ComcastToolbar
    2009-03-23 21:20 --------- d---a-w c:\programdata\TEMP
    2009-03-23 21:18 --------- d-----w c:\program files\Mystery Case Files - Ravenhearst
    2009-03-23 20:30 --------- d-----w c:\users\Mary\AppData\Roaming\WeatherBug
    2009-03-23 01:29 --------- d-----w c:\program files\Trend Micro
    2009-03-20 00:27 --------- d-----w c:\program files\Google
    2009-03-12 00:58 --------- d-----w c:\program files\WildGames
    2009-03-12 00:50 --------- d-----w c:\program files\MSN Games
    2009-03-11 12:27 --------- d-----w c:\users\Mary\AppData\Roaming\Flood Light Games
    2009-03-11 12:27 --------- d-----w c:\programdata\Flood Light Games
    2009-03-11 07:05 --------- d-----w c:\programdata\Microsoft Help
    2009-02-25 02:27 --------- d-----w c:\users\Mary\AppData\Roaming\WildTangent
    2009-02-25 02:26 --------- d-----w c:\programdata\WildTangent
    2009-02-20 20:17 --------- d-----w c:\users\Mary\AppData\Roaming\HSA
    2009-02-20 12:32 --------- d-----w c:\programdata\GameHouse
    2009-02-14 03:56 --------- d-----w c:\programdata\HoverBee Studios
    2009-02-12 13:51 --------- d-----w c:\program files\AIM6
    2009-02-12 13:50 --------- d-----w c:\programdata\Viewpoint
    2009-02-12 13:50 --------- d-----w c:\programdata\acccore
    2009-02-12 13:50 --------- d-----w c:\program files\Common Files\Software Update Utility
    2009-02-12 13:48 --------- d-----w c:\programdata\AOL Downloads
    2009-02-11 23:10 936,288 ----a-w c:\windows\System32\Incinerator.dll
    2009-02-09 02:14 --------- d-----w c:\users\Mary\AppData\Roaming\Jetsetter
    2009-01-31 03:49 --------- d-----w c:\users\Mary\AppData\Roaming\Island
    2009-01-31 02:49 --------- d-----w c:\users\Mary\AppData\Roaming\RobinsonCrusoe
    2009-01-31 02:40 --------- d-----w c:\program files\Adventures of Robinson Crusoe
    2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
    2008-07-19 00:40 174 --sha-w c:\program files\desktop.ini
    2007-12-13 23:08 0 ----a-w c:\users\Mary\AppData\Roaming\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-21 497008]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "VundoFixTool"="c:\program files\VundoFixTool\VundoFixTool.exe" [2009-03-24 19451904]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
    "iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2009-02-11 314224]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-21 970808]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-21 497008]

    c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-07 50688]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AutoUpdateDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3586541812-533695731-4199019274-1000]
    "EnableNotificationsRef"=dword:00000002

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{7F4889EC-579F-4D71-BC1B-ACE9ABEB4DC1}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
    "{30D010D9-E843-48E6-83EB-2ED46FB6211B}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
    "{D175FBC6-119E-4BAC-B7B0-A4946739773A}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
    "{C7C5BC49-1135-49B3-AC17-01597EDD2642}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
    "{35326614-FB84-42E7-BF60-5F936509910C}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
    "{E25E7D60-921A-4539-8D75-1A1EA3F4CC93}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
    "{B6C57DB6-A5B2-48E0-9ECF-FBF2147C5FCF}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
    "{9E09E2AA-4AFA-4018-9F7E-A65A93C32D20}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
    "{9092D829-87CB-41EC-B0F8-3E2BE9DD81B8}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
    "{9B96259D-F91D-4360-8FD9-850741F16CC6}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
    "{B73EF684-E652-4107-BC47-99763993A09E}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
    "{898AAC2C-DBD2-40FB-B61B-D2BE8145D176}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
    "{CCB12DA5-6F1C-4A95-AE49-2D18700E5B38}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
    "{DECEAC32-1BBE-4553-A413-3F1DDCF1368C}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
    "{C7AA985A-5D2F-4576-848B-A93E2DCB2E2A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{85D01A0F-A054-4324-A234-C72BBA3CF210}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{FEF1D0DD-9EDC-4906-89CB-97AFB12E19F0}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
    "{CD535AD3-67B9-446D-A3E4-A2D6E49396BC}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
    "{866044E7-7FAC-4076-BD99-0F5084694057}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{9180FD48-7387-489A-924E-BEEB225636B9}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{289800C0-E530-474A-A1E0-F817BCA96F2E}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
    "{41F88FB0-2148-43C6-8658-BA36E8967025}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
    "{E52E6BD5-FE5A-4ECA-BDFF-C75FB87A2681}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{CB7355D1-1809-42C8-B009-94420BD70062}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
    "{9A057361-D3C4-40B8-B280-8243DA722E0E}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
    "{C2EC1CC5-F054-49FA-8B78-5BF4DD2738FE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{0F2210C7-5EFE-466F-80ED-05938DAE4221}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{6A8E1455-2A88-4EF3-B76D-D1501D9BB31E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{19B1BE35-B2F5-4887-B4F3-48B1407E4780}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{0C2CDAC7-139F-416B-8E1E-09561D5C0983}"= UDP:c:\program files\AIM6\aim6.exe:AIM
    "{FE5E8346-43E1-4945-B5CB-E7A59CFA2C45}"= TCP:c:\program files\AIM6\aim6.exe:AIM
    "{123BCAF2-EA42-447C-9930-2B67591190C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{D7D4F645-8AE3-480D-9981-D0C135D7DC3F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "{B35DADDE-B647-4CBA-BD43-09E926448E4D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{AC93B261-6543-47D3-9B7A-86BDDE3A73AB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{98291DEC-E2A0-401E-B9A1-CE59642DF7DB}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{EF8ED2C2-A5BD-420E-940B-6F90B9CB085B}"= Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
    "{94F7C70A-8D87-423F-93D5-9D659DAD7D43}"= UDP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
    "{6719C64E-E781-4E84-A13F-77B6960CBAD0}"= TCP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
    "{8155B286-8452-450C-9D3E-A11A2ADD3AAF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{9DB4DD33-5831-4A88-8842-5F2112CADFC5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{919EC946-E465-425A-A0D7-3932482D6D64}"= UDP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exe:DriveScrubber 3
    "{A44216C4-DF98-4A08-803F-5BADEE4914C6}"= TCP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exe:DriveScrubber 3
    "{791E7A25-C7ED-438C-8E00-03C39A2AA1EC}"= UDP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
    "{0A82E8FF-B4FA-4B81-A2B4-EE2B6EFC7591}"= TCP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
    "{4EB7C6D7-F5FA-4C04-A064-F9CFBE9B0F2B}"= UDP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
    "{77B5D989-46F3-4CEA-B105-9A408F5795C6}"= TCP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
    "{9CB1B822-24A0-47E6-BBFE-239B7A16632B}"= UDP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
    "{75DFE27C-43F4-40C3-A66C-C80FEFBC04A9}"= TCP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
    "{90556DEB-23C8-4183-908B-F3E784C94954}"= UDP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger
    "{A7D5F094-3EE4-4540-9A8B-6D752808752F}"= TCP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger
    "{B15FD292-C021-4385-92D6-82BA4C06E71F}"= Disabled:UDP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
    "{5E5DB1EB-B1C8-4DD8-A285-EB4EEAA8F0F9}"= Disabled:TCP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
    "{2E9E2649-60D6-4597-AD7A-AC31DBE5D83F}"= Disabled:c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
    "{70F4D63B-9EB7-44BE-8316-CAB0C1536CEF}"= Disabled:UDP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
    "{8F8B6735-C493-4DEB-BD0D-CA4652702BCE}"= Disabled:TCP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
    "{5CB05E5B-D12B-444E-A87D-EF922193D54A}"= Disabled:UDP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
    "{2D4B8DCC-A3BB-407C-AD4D-297EAEAB0513}"= Disabled:TCP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
    "{CC7DCEBD-DD82-40D6-92EB-38BF6645BC82}"= Disabled:UDP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
    "{5613C2FD-9840-4C1A-831E-73715877A339}"= Disabled:TCP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
    "{9812BCE1-D6F9-4C50-812E-620FB6000DA0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{A230A7F3-5617-4FE9-80DA-83871D49A375}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{46C8DB4B-F3C3-4F49-A1F0-02994D0706D6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{3710AAC5-F10D-4B6C-A276-F72423F6FD19}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{ED47475A-1765-4DC1-93FF-FC36DFE14C0B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{9D4A312A-3F91-4CD0-86C9-F516F9CCA80D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{AAF5B073-7BE8-4D32-8735-A62DE90F72EE}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{9D8D69B2-24A8-48F8-9B42-A71BF03811FF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{A9411C03-217C-4F44-9AEE-8C577116C8DC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{0E37C095-FC56-44AA-B246-E50CEAEAFE0E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{28DFEE7A-8E04-4BEE-A5E9-87B7346620B4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{03565B16-AB53-4E22-B571-9D3E9FD8AFCF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)
    "DoNotAllowExceptions"= 1 (0x1)

    R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [2008-05-11 12800]
    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2009-03-21 145424]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2007-12-07 73728]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
    R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-21 181584]
    R2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [2009-03-21 49680]
    R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-21 492888]
    R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2009-03-21 36368]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-21 677128]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2009-03-21 256528]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-15 24652]
    R2 VundoFixToolSrv;VundoFixTool Scanning Engine;c:\program files\VundoFixTool\VundoFixTool.srv.exe [2009-03-24 315392]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

    2008-01-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

    2009-03-21 c:\windows\Tasks\rpc.job
    - c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

    2009-03-25 c:\windows\Tasks\User_Feed_Synchronization-{04FDB26F-EAC6-4E4E-A4A1-98E788060B08}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-19 03:33]

    2009-03-26 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
    - c:\program files\VundoFixTool\VundoFixTool.exe [2009-03-24 09:34]

    2009-03-26 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
    - c:\program files\VundoFixTool [2009-03-25 22:18]
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)


    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = actsvr.comcast:8100
    Trusted Zone: internet
    Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-25 22:51:02
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    Completion time: 2009-03-25 22:54:37
    ComboFix-quarantined-files.txt 2009-03-26 02:54:32

    Pre-Run: 96,109,043,712 bytes free
    Post-Run: 96,074,567,680 bytes free

    328 --- E O F --- 2009-03-15 07:28:01
     
  8. Jonesiegirl

    Jonesiegirl Thread Starter

    Joined:
    Apr 4, 2003
    Messages:
    360
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:43:42 PM, on 3/25/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
    O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 12053 bytes
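The HijackThis log above has four O17 entries whose NameServer value is 85.255.112.61,85.255.112.172 and an R1 ProxyServer entry; checking these by eye across several logs is tedious and error-prone. The following Python helper is an added example and is not part of the thread, of HijackThis or of ComboFix. It parses O17 and R1 ProxyServer lines from constructed sample lines written in the same format and flags resolvers that are neither private addresses nor on an analyst-supplied allow-list; the 198.51.100.53 address is a placeholder standing in for the ISP's real resolver.

```python
"""Triage helper for HijackThis-style O17 / R1 lines.

Added example, not part of the thread or of any tool named in it.
Resolvers that are neither private nor on the analyst's allow-list are
flagged, because a rewritten NameServer redirects every DNS lookup.
"""
import ipaddress
import re

# Constructed sample lines in the format of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# O17 lines: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# R1 ProxyServer lines: "R1 - <registry key>,ProxyServer = host:port"
R1_PROXY_RE = re.compile(r"^R1 - (?P<key>.+?),ProxyServer = (?P<proxy>.+)$")


def parse_nameservers(log_text):
    """Return [(registry_key, [ip, ...]), ...] for every O17 NameServer line."""
    results = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            results.append((m.group("key"), servers))
    return results


def parse_proxies(log_text):
    """Return the ProxyServer values found on R1 lines (ProxyOverride is ignored)."""
    return [
        m.group("proxy").strip()
        for m in (R1_PROXY_RE.match(l.strip()) for l in log_text.splitlines())
        if m
    ]


def is_private(ip_str):
    """True for RFC 1918, loopback and link-local addresses; False for anything unparsable."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def flag_unexpected_resolvers(log_text, expected):
    """Return the set of resolver IPs on O17 lines that are neither private nor in `expected`.

    `expected` is the analyst's allow-list of resolvers known to be legitimate
    for this machine (typically the ISP's). Everything else deserves a look.
    """
    allowed = set(expected)
    suspicious = set()
    for _key, servers in parse_nameservers(log_text):
        for s in servers:
            if s not in allowed and not is_private(s):
                suspicious.add(s)
    return suspicious


if __name__ == "__main__":
    # 198.51.100.53 is a documentation-range placeholder for the ISP's resolver.
    bad = flag_unexpected_resolvers(SAMPLE_LOG, ["198.51.100.53"])
    for key, servers in parse_nameservers(SAMPLE_LOG):
        mark = "SUSPECT" if any(s in bad for s in servers) else "ok"
        print(f"{mark:8} {key}: {','.join(servers)}")
    for proxy in parse_proxies(SAMPLE_LOG):
        print(f"proxy    ProxyServer = {proxy} (confirm the user configured this)")
```

The allow-list is deliberately left to the analyst: a public resolver is not malicious in itself, so the helper reports what does not match the expected configuration rather than judging addresses on its own. ProxyServer values are always printed, since an unexpected system proxy is as capable of redirecting traffic as a rewritten NameServer.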
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,645
    If there's an entry in Add or Remove programs for Winferno\RegistryPowerCleaner then have her uninstall it from there before doing the following. If it doesn't exist then just carry on with the rest of the instructions.

    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    File::
    c:\windows\Tasks\rpc.job
    c:\windows\Tasks\VundoFixTool Scheduled Scan.job
    
    Folder::
    c:\program files\Winferno
    
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [IMG]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


    Please see if she can run MalwareBytes now that ComboFix has cleaned up some of the mess.

    Also, have her do this please:

    Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.
     
  10. Jonesiegirl

    Jonesiegirl Thread Starter

    Joined:
    Apr 4, 2003
    Messages:
    360
    You're getting her there, Karen!! (y)


    ComboFix 09-03-25.04 - Mary 2009-03-26 20:14:19.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.221 [GMT -4:00]
    Running from: c:\users\Mary\Desktop\combofix.exe
    Command switches used :: c:\users\Mary\Desktop\CFscript.txt.txt
    AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
    * Created a new restore point
    FILE ::
    c:\windows\Tasks\rpc.job
    c:\windows\Tasks\VundoFixTool Scheduled Scan.job
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\system32\drivers\gaopdxwoqdyqbuwtouqadmxffotvbocsvisxxj.sys
    c:\windows\system32\gaopdxcounter
    c:\windows\Tasks\rpc.job
    c:\windows\Tasks\VundoFixTool Scheduled Scan.job
    .
    ((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
    .
    2009-03-26 19:17 . 2009-03-26 19:17
    d-------- c:\users\Mary\AppData\Roaming\Malwarebytes
    2009-03-26 05:39 . 2009-03-05 22:17 1,195,512 --a------ c:\windows\System32\drivers\vsapint.sys
    2009-03-26 05:39 . 2009-03-05 22:17 205,328 --a------ c:\windows\System32\drivers\tmxpflt.sys
    2009-03-26 05:39 . 2009-03-05 22:17 36,368 --a------ c:\windows\System32\drivers\tmpreflt.sys
    2009-03-25 22:18 . 2009-03-25 22:18
    d-------- c:\users\Mary\AppData\Roaming\VundoFixTool
    2009-03-25 22:18 . 2009-03-25 22:18
    d-------- c:\program files\VundoFixTool
    2009-03-25 21:35 . 2009-03-25 21:35
    d-------- c:\users\All Users\Malwarebytes
    2009-03-25 21:35 . 2009-03-25 21:35
    d-------- c:\programdata\Malwarebytes
    2009-03-25 21:35 . 2009-03-26 19:19
    d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-25 21:35 . 2009-03-26 16:49 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
    2009-03-25 21:35 . 2009-03-26 16:49 15,504 --a------ c:\windows\System32\drivers\mbam.sys
    2009-03-24 19:51 . 2009-03-24 19:53
    d-------- c:\program files\Windows Live Safety Center
    2009-03-24 00:36 . 2009-03-24 00:36
    d--hs---- C:\found.000
    2009-03-21 23:17 . 2009-03-23 20:28
    d-------- c:\windows\System32\Service
    2009-03-21 22:44 . 2009-03-21 22:44
    d-------- c:\windows\LocalSSL
    2009-03-21 22:36 . 2009-03-21 23:34
    d-------- c:\users\All Users\Trend Micro
    2009-03-21 22:36 . 2009-03-21 23:34
    d-------- c:\programdata\Trend Micro
    2009-03-21 22:22 . 2009-03-03 19:12 256,528 --a------ c:\windows\System32\drivers\tmwfp.sys
    2009-03-21 22:22 . 2009-03-03 04:34 150,032 --a------ c:\windows\System32\drivers\tmcomm.sys
    2009-03-21 22:22 . 2009-03-03 19:12 145,424 --a------ c:\windows\System32\drivers\tmlwf.sys
    2009-03-21 22:22 . 2009-03-03 19:12 80,400 --a------ c:\windows\System32\drivers\tmtdi.sys
    2009-03-21 22:22 . 2009-03-03 04:34 50,192 --a------ c:\windows\System32\drivers\tmevtmgr.sys
    2009-03-21 22:22 . 2009-03-03 04:34 50,192 --a------ c:\windows\System32\drivers\tmactmon.sys
    2009-03-21 16:22 . 2009-03-21 16:23 113,159,154 --a------ c:\windows\MEMORY.DMP
    2009-03-20 20:16 . 2009-03-20 20:16
    d-------- c:\users\Mary\AppData\Roaming\Talkback
    2009-03-20 20:15 . 2009-03-20 20:16
    d-------- c:\users\Mary\AppData\Roaming\Thunderbird
    2009-03-19 20:23 . 2009-03-21 11:32
    d----c--- c:\windows\System32\DRVSTORE
    2009-03-19 20:22 . 2009-03-21 11:33
    d-------- c:\users\All Users\Lavasoft
    2009-03-19 20:22 . 2009-03-21 11:33
    d-------- c:\programdata\Lavasoft
    2009-03-19 18:32 . 2009-03-21 15:01
    d-------- c:\program files\SpywareGuard
    2009-03-18 20:40 . 2009-03-18 20:40
    d-------- c:\program files\Alwil Software
    2009-03-15 20:06 . 2009-03-26 19:48
    d-------- c:\program files\HDExtrem
    2009-03-14 20:10 . 2009-03-18 20:25
    d-------- c:\users\All Users\McAfee
    2009-03-14 20:10 . 2009-03-18 20:25
    d-------- c:\programdata\McAfee
    2009-03-11 08:14 . 2009-03-11 08:15
    d-------- c:\program files\James Patterson's Women's Murder Club - A Darker Shade of Grey
    2009-03-10 18:22 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
    2009-03-10 18:22 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
    2009-03-10 18:22 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
    2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
    2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
    2009-03-10 18:21 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
    2009-03-02 21:42 . 2009-03-02 21:42
    d-------- c:\users\Mary\AppData\Roaming\BrandX Games
    2009-02-28 22:31 . 2009-02-28 22:31
    d-------- c:\users\All Users\BigFish
    2009-02-28 22:31 . 2009-02-28 22:31
    d-------- c:\programdata\BigFish
    ,

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-25 00:55 --------- d-----w c:\users\Mary\AppData\Roaming\ComcastToolbar
    2009-03-23 21:20 --------- d---a-w c:\programdata\TEMP
    2009-03-23 21:18 --------- d-----w c:\program files\Mystery Case Files - Ravenhearst
    2009-03-23 20:30 --------- d-----w c:\users\Mary\AppData\Roaming\WeatherBug
    2009-03-23 01:29 --------- d-----w c:\program files\Trend Micro
    2009-03-20 00:27 --------- d-----w c:\program files\Google
    2009-03-12 00:58 --------- d-----w c:\program files\WildGames
    2009-03-12 00:50 --------- d-----w c:\program files\MSN Games
    2009-03-11 12:27 --------- d-----w c:\users\Mary\AppData\Roaming\Flood Light Games
    2009-03-11 12:27 --------- d-----w c:\programdata\Flood Light Games
    2009-03-11 07:05 --------- d-----w c:\programdata\Microsoft Help
    2009-02-25 02:27 --------- d-----w c:\users\Mary\AppData\Roaming\WildTangent
    2009-02-25 02:26 --------- d-----w c:\programdata\WildTangent
    2009-02-20 20:17 --------- d-----w c:\users\Mary\AppData\Roaming\HSA
    2009-02-20 12:32 --------- d-----w c:\programdata\GameHouse
    2009-02-14 03:56 --------- d-----w c:\programdata\HoverBee Studios
    2009-02-12 13:51 --------- d-----w c:\program files\AIM6
    2009-02-12 13:50 --------- d-----w c:\programdata\Viewpoint
    2009-02-12 13:50 --------- d-----w c:\programdata\acccore
    2009-02-12 13:50 --------- d-----w c:\program files\Common Files\Software Update Utility
    2009-02-12 13:48 --------- d-----w c:\programdata\AOL Downloads
    2009-02-11 23:10 936,288 ----a-w c:\windows\System32\Incinerator.dll
    2009-02-09 02:14 --------- d-----w c:\users\Mary\AppData\Roaming\Jetsetter
    2009-01-31 03:49 --------- d-----w c:\users\Mary\AppData\Roaming\Island
    2009-01-31 02:49 --------- d-----w c:\users\Mary\AppData\Roaming\RobinsonCrusoe
    2009-01-31 02:40 --------- d-----w c:\program files\Adventures of Robinson Crusoe
    2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
    2008-07-19 00:40 174 --sha-w c:\program files\desktop.ini
    2007-12-13 23:08 0 ----a-w c:\users\Mary\AppData\Roaming\wklnhst.dat
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-03-25_22.52.14.68 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-03-27 00:11:50 6,438,912 ----a-w c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
    - 2009-03-26 01:34:00 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
    + 2009-03-26 09:57:34 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
    - 2009-03-26 02:37:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-03-26 09:53:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-03-26 02:37:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2009-03-26 09:53:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2009-03-26 02:50:52 262,144 ----a-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2009-03-26 09:56:17 262,144 ----a-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    - 2009-03-26 02:51:08 262,144 ----a-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2009-03-26 09:56:10 262,144 ----a-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    - 2009-03-26 01:30:46 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-03-27 00:11:31 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-03-26 01:30:46 32,768 ------w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-03-27 00:11:31 32,768 ------w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-03-26 01:30:46 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-03-27 00:11:31 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-03-26 02:31:25 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
    + 2009-03-27 00:12:22 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
    - 2009-03-26 02:37:05 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    + 2009-03-26 09:57:56 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    - 2009-03-26 02:40:00 10,694 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3586541812-533695731-4199019274-1000_UserData.bin
    + 2009-03-26 09:56:26 10,710 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3586541812-533695731-4199019274-1000_UserData.bin
    - 2009-03-26 02:40:00 73,278 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-03-26 09:56:25 73,372 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2009-03-26 02:39:55 51,638 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-03-26 09:56:07 52,262 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-03-26 00:34:15 259,752 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
    + 2009-03-26 23:10:15 260,222 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-13 492808]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "VundoFixTool"="c:\program files\VundoFixTool\VundoFixTool.exe" [2009-03-24 19451904]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
    "iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2009-02-11 314224]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-13 995528]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-13 492808]
    c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-07 50688]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AutoUpdateDisableNotify"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3586541812-533695731-4199019274-1000]
    "EnableNotificationsRef"=dword:00000002
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{7F4889EC-579F-4D71-BC1B-ACE9ABEB4DC1}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
    "{30D010D9-E843-48E6-83EB-2ED46FB6211B}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
    "{D175FBC6-119E-4BAC-B7B0-A4946739773A}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
    "{C7C5BC49-1135-49B3-AC17-01597EDD2642}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
    "{35326614-FB84-42E7-BF60-5F936509910C}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
    "{E25E7D60-921A-4539-8D75-1A1EA3F4CC93}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
    "{B6C57DB6-A5B2-48E0-9ECF-FBF2147C5FCF}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
    "{9E09E2AA-4AFA-4018-9F7E-A65A93C32D20}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
    "{9092D829-87CB-41EC-B0F8-3E2BE9DD81B8}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
    "{9B96259D-F91D-4360-8FD9-850741F16CC6}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
    "{B73EF684-E652-4107-BC47-99763993A09E}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
    "{898AAC2C-DBD2-40FB-B61B-D2BE8145D176}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
    "{CCB12DA5-6F1C-4A95-AE49-2D18700E5B38}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
    "{DECEAC32-1BBE-4553-A413-3F1DDCF1368C}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
    "{C7AA985A-5D2F-4576-848B-A93E2DCB2E2A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{85D01A0F-A054-4324-A234-C72BBA3CF210}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{FEF1D0DD-9EDC-4906-89CB-97AFB12E19F0}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
    "{CD535AD3-67B9-446D-A3E4-A2D6E49396BC}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
    "{866044E7-7FAC-4076-BD99-0F5084694057}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{9180FD48-7387-489A-924E-BEEB225636B9}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{289800C0-E530-474A-A1E0-F817BCA96F2E}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
    "{41F88FB0-2148-43C6-8658-BA36E8967025}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
    "{E52E6BD5-FE5A-4ECA-BDFF-C75FB87A2681}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{CB7355D1-1809-42C8-B009-94420BD70062}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
    "{9A057361-D3C4-40B8-B280-8243DA722E0E}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
    "{C2EC1CC5-F054-49FA-8B78-5BF4DD2738FE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{0F2210C7-5EFE-466F-80ED-05938DAE4221}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{6A8E1455-2A88-4EF3-B76D-D1501D9BB31E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{19B1BE35-B2F5-4887-B4F3-48B1407E4780}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{0C2CDAC7-139F-416B-8E1E-09561D5C0983}"= UDP:c:\program files\AIM6\aim6.exe:AIM
    "{FE5E8346-43E1-4945-B5CB-E7A59CFA2C45}"= TCP:c:\program files\AIM6\aim6.exe:AIM
    "{123BCAF2-EA42-447C-9930-2B67591190C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{D7D4F645-8AE3-480D-9981-D0C135D7DC3F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "{B35DADDE-B647-4CBA-BD43-09E926448E4D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{AC93B261-6543-47D3-9B7A-86BDDE3A73AB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{98291DEC-E2A0-401E-B9A1-CE59642DF7DB}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{EF8ED2C2-A5BD-420E-940B-6F90B9CB085B}"= Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
    "{94F7C70A-8D87-423F-93D5-9D659DAD7D43}"= UDP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
    "{6719C64E-E781-4E84-A13F-77B6960CBAD0}"= TCP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
    "{8155B286-8452-450C-9D3E-A11A2ADD3AAF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{9DB4DD33-5831-4A88-8842-5F2112CADFC5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{919EC946-E465-425A-A0D7-3932482D6D64}"= UDP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exe:DriveScrubber 3
    "{A44216C4-DF98-4A08-803F-5BADEE4914C6}"= TCP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exe:DriveScrubber 3
    "{791E7A25-C7ED-438C-8E00-03C39A2AA1EC}"= UDP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
    "{0A82E8FF-B4FA-4B81-A2B4-EE2B6EFC7591}"= TCP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
    "{4EB7C6D7-F5FA-4C04-A064-F9CFBE9B0F2B}"= UDP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
    "{77B5D989-46F3-4CEA-B105-9A408F5795C6}"= TCP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
    "{9CB1B822-24A0-47E6-BBFE-239B7A16632B}"= UDP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
    "{75DFE27C-43F4-40C3-A66C-C80FEFBC04A9}"= TCP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
    "{90556DEB-23C8-4183-908B-F3E784C94954}"= UDP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger
    "{A7D5F094-3EE4-4540-9A8B-6D752808752F}"= TCP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger
    "{B15FD292-C021-4385-92D6-82BA4C06E71F}"= Disabled:UDP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
    "{5E5DB1EB-B1C8-4DD8-A285-EB4EEAA8F0F9}"= Disabled:TCP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
    "{2E9E2649-60D6-4597-AD7A-AC31DBE5D83F}"= Disabled:c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
    "{70F4D63B-9EB7-44BE-8316-CAB0C1536CEF}"= Disabled:UDP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
    "{8F8B6735-C493-4DEB-BD0D-CA4652702BCE}"= Disabled:TCP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
    "{5CB05E5B-D12B-444E-A87D-EF922193D54A}"= Disabled:UDP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
    "{2D4B8DCC-A3BB-407C-AD4D-297EAEAB0513}"= Disabled:TCP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
    "{CC7DCEBD-DD82-40D6-92EB-38BF6645BC82}"= Disabled:UDP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
    "{5613C2FD-9840-4C1A-831E-73715877A339}"= Disabled:TCP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
    "{9812BCE1-D6F9-4C50-812E-620FB6000DA0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{A230A7F3-5617-4FE9-80DA-83871D49A375}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{46C8DB4B-F3C3-4F49-A1F0-02994D0706D6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{3710AAC5-F10D-4B6C-A276-F72423F6FD19}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{ED47475A-1765-4DC1-93FF-FC36DFE14C0B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{9D4A312A-3F91-4CD0-86C9-F516F9CCA80D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{AAF5B073-7BE8-4D32-8735-A62DE90F72EE}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{9D8D69B2-24A8-48F8-9B42-A71BF03811FF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{A9411C03-217C-4F44-9AEE-8C577116C8DC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{0E37C095-FC56-44AA-B246-E50CEAEAFE0E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{28DFEE7A-8E04-4BEE-A5E9-87B7346620B4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{03565B16-AB53-4E22-B571-9D3E9FD8AFCF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{DB98AAF7-0058-4355-B069-A249FA8159B8}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{3C74B2C8-61D7-4797-A0BA-B6FF82106464}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{8168BCE6-D599-4EF9-A266-1F9F9E059BA7}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)
    "DoNotAllowExceptions"= 1 (0x1)
    R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [2008-05-11 12800]
    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2009-03-21 145424]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2007-12-07 73728]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
    R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-21 181584]
    R2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [2009-03-21 50192]
    R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-21 497008]
    R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2009-03-26 36368]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-21 677128]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2009-03-21 256528]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-15 24652]
    R2 VundoFixToolSrv;VundoFixTool Scanning Engine;c:\program files\VundoFixTool\VundoFixTool.srv.exe [2009-03-24 315392]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    Contents of the 'Scheduled Tasks' folder
    2009-03-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
    2008-01-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
    2009-03-26 c:\windows\Tasks\User_Feed_Synchronization-{04FDB26F-EAC6-4E4E-A4A1-98E788060B08}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-19 03:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = actsvr.comcast:8100
    Trusted Zone: internet
    Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-26 20:30:38
    Windows 6.0.6001 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    c:\users\Mary\AppData\Local\Temp\catchme.dll 53248 bytes executable
    scan completed successfully
    hidden files: 1
    **************************************************************************

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    Completion time: 2009-03-26 20:42:05
    ComboFix-quarantined-files.txt 2009-03-27 00:41:48
    ComboFix2.txt 2009-03-26 02:54:39
    Pre-Run: 95,515,959,296 bytes free
    Post-Run: 97,931,313,152 bytes free
    348 --- E O F --- 2009-03-15 07:28:01
     
  11. Jonesiegirl

    Jonesiegirl Thread Starter

    Joined:
    Apr 4, 2003
    Messages:
    360
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:43:42 PM, on 3/25/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:

    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
    O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
    --
    End of file - 12053 bytes
     
  12. Jonesiegirl

    Jonesiegirl Thread Starter

    Joined:
    Apr 4, 2003
    Messages:
    360
    She's running malwarebytes right now. (y)
     
  13. Jonesiegirl

    Jonesiegirl Thread Starter

    Joined:
    Apr 4, 2003
    Messages:
    360
    Karen, you want a full scan of malwarebytes, right?
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,645
    Yes, if it will complete. Otherwise, she can do the quick scan.
     
  15. Jonesiegirl

    Jonesiegirl Thread Starter

    Joined:
    Apr 4, 2003
    Messages:
    360
    She chose the full scan, which is still running.
     

Short URL to this thread: https://techguy.org/812793