Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware, Anti Spyware Has Totally Destroyed My Xp - Help!


  • This topic is locked This topic is locked
16 replies to this topic

#1 stripes

stripes

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 17 April 2008 - 04:21 PM

Hello and thanks so much for you help. My problems started when I began to get alerts stating that my computer security has been compromised. I received red popup alerts from Trendmicro, yellow alert signs in my tray, BINARENI.EXE, TROJAN BUSKY, SECURITY SYSTEM WARNING ABEBOT, recipeglut.....I already have Trendmicro - which has proved absolutely worthless. I decided to buy Spyware Doctor/Anti virus 2 days ago due to the fact that when I used their freeware it showed literally scores of errors. I bought from them online, downloaded, scanned and all seemed to be well. I turned off my computer. Lo and behold the next morning when I logged back on all the problems remained and had worsened. I used Spybot also. I then started on your tutorial page "Click Here First, May Not Be Malware" I ran the "repair/reset Winsock Settings" program from your site. My whole system crashed - blue screen of death. When my computer came back on I had a scrambled error messages that I could not quite read through my desktop icons. It erased my screen saver, destroyed my settings and removed ALL points of recovery from MS System restore. I have no way to fix the problems or return from whence I came. I've contacted both Trendmicro and Spyware Doctor but they can't seem to find the time to reply. I tried downloading programs from your site to begin my first post but upon opening the programming the window that connects us closes with no further explanation. I have no idea why that is happening - it never has before. I will paste the scan from the first site, run a copy of my scan from Hijack this and paste also - I received no Hijack prompt after downloading/saving/running other program. I am also not able to locate the "Options" you described to receive direct email. I consider myself pretty computer literate but now feel rather demented. If you can do ANYTHING for me I will be forever grateful. I just don't know what to do at this point. Thanks so very much in advance.

DXX pasted file:


Deckard's System Scanner v20071014.68
Run by ROBIN on 2008-04-17 15:12:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
59: 2008-04-17 20:13:47 UTC - RP103 - Deckard's System Scanner Restore Point
58: 2008-04-17 19:44:23 UTC - RP102 - Removed Norton Security Scan
57: 2008-04-17 19:41:49 UTC - RP101 - Removed SUPERAntiSpyware Free Edition
56: 2008-04-17 19:40:21 UTC - RP100 - Removed Sibelius Scorch (ActiveX Only)
55: 2008-04-17 19:21:56 UTC - RP99 - 4/16/08


-- First Restore Point --
1: 2008-04-17 13:28:31 UTC - RP45 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).


-- HijackThis (run as ROBIN.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:42 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Application Data\bgjqtobq\zuzwdwna.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\otabcfwl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ROBIN\Local Settings\Temporary Internet Files\Content.IE5\DUAQ49DW\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ROBIN.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.com/ws/eBayISAPI.dll?Si...r=1&fromwl=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Explorer - {7348D74C-731B-DECE-9F8A-A37D8214708E} - C:\WINDOWS\system32\wlcstp32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [qazthvqf] C:\WINDOWS\system32\otabcfwl.exe
O4 - HKLM\..\Policies\Explorer\Run: [Fbqsa1IGaK] C:\Documents and Settings\All Users\Application Data\bgjqtobq\zuzwdwna.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126138013718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SrvKernel - {12a6c9e2-d2bf-42de-8dfc-60086cd91823} - C:\WINDOWS\Resources\SrvKernel.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 12128 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080402-162539-104 O1 - Hosts: 127.0.0.83 www.mvps.org
backup-20080402-162539-112 O1 - Hosts: 127.0.0.84 www.net-integration.net
backup-20080402-162539-135 O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
backup-20080402-162539-150 O1 - Hosts: 127.0.0.40 spybot.info
backup-20080402-162539-165 O1 - Hosts: 127.0.0.85 www.noadware.net
backup-20080402-162539-166 O1 - Hosts: 127.0.0.56 unwantedlinks.com
backup-20080402-162539-199 O1 - Hosts: 127.0.0.39 security.kolla.de
backup-20080402-162539-211 O1 - Hosts: 127.0.0.95 www.spychecker.com
backup-20080402-162539-221 O1 - Hosts: 127.0.0.59 www.auditmypc.com
backup-20080402-162539-238 O1 - Hosts: 127.0.0.38 secureie.com
backup-20080402-162539-265 O1 - Hosts: 127.0.0.42 spychecker.com
backup-20080402-162539-266 O1 - Hosts: 127.0.0.54 thiefware.com
backup-20080402-162539-276 O1 - Hosts: 127.0.0.65 www.eblocs.com
backup-20080402-162539-284 O1 - Hosts: 127.0.0.92 www.security.kolla.de
backup-20080402-162539-293 O1 - Hosts: 127.0.0.99 www.spyware.co.uk
backup-20080402-162539-299 O1 - Hosts: 127.0.0.96 www.spycop.com
backup-20080402-162539-311 O1 - Hosts: 127.0.0.44 spyguard.com
backup-20080402-162539-329 O1 - Hosts: 127.0.0.93 www.spybot.info
backup-20080402-162539-330 O1 - Hosts: 127.0.0.50 spywareremove.com
backup-20080402-162539-372 O1 - Hosts: 127.0.0.78 www.lurkhere.com
backup-20080402-162539-374 O1 - Hosts: 127.0.0.29 mvps.org
backup-20080402-162539-385 O1 - Hosts: 127.0.0.41 spychecker.com
backup-20080402-162539-421 O1 - Hosts: 127.0.0.28 moosoft.com
backup-20080402-162539-458 O1 - Hosts: 127.0.0.5 camtech2000.net
backup-20080402-162539-472 O1 - Hosts: 127.0.0.32 no-spybot.com
backup-20080402-162539-486 O1 - Hosts: 127.0.0.86 www.no-spybot.com
backup-20080402-162539-493 O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
backup-20080402-162539-497 O1 - Hosts: 127.0.0.27 mjc1.com
backup-20080402-162539-517 O1 - Hosts: 127.0.0.91 www.secureie.com
backup-20080402-162539-581 O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
backup-20080402-162539-616 O1 - Hosts: 127.0.0.30 net-integration.net
backup-20080402-162539-622 O1 - Hosts: 127.0.0.81 www.mjc1.com
backup-20080402-162539-634 O1 - Hosts: 127.0.0.2 auditmypc.com
backup-20080402-162539-662 O1 - Hosts: 127.0.0.94 www.spychecker.com
backup-20080402-162539-677 O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
backup-20080402-162539-678 O1 - Hosts: 127.0.0.4 bulletproofsoft.net
backup-20080402-162539-703 O1 - Hosts: 127.0.0.43 spycop.com
backup-20080402-162539-712 O1 - Hosts: 127.0.0.75 www.kephyr.com
backup-20080402-162539-723 O1 - Hosts: 127.0.0.34 pchell.com
backup-20080402-162539-732 O1 - Hosts: 127.0.0.58 wilders.org
backup-20080402-162539-739 O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
backup-20080402-162539-740 O1 - Hosts: 127.0.0.37 secure.spykiller.com
backup-20080402-162539-743 O1 - Hosts: 127.0.0.24 lurkhere.com
backup-20080402-162539-749 O1 - Hosts: 127.0.0.23 lavasoftusa.com
backup-20080402-162539-753 O1 - Hosts: 127.0.0.97 www.spyguard.com
backup-20080402-162539-760 O1 - Hosts: 127.0.0.47 spyware-cop.com
backup-20080402-162539-762 O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
backup-20080402-162539-783 O1 - Hosts: 127.0.0.45 spykiller.com
backup-20080402-162539-788 O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
backup-20080402-162539-794 O1 - Hosts: 127.0.0.82 www.moosoft.com
backup-20080402-162539-822 O1 - Hosts: 127.0.0.88 www.pchell.com
backup-20080402-162539-829 O1 - Hosts: 127.0.0.31 noadware.net
backup-20080402-162539-847 O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
backup-20080402-162539-852 O1 - Hosts: 127.0.0.72 www.hazeleger.net
backup-20080402-162539-854 O1 - Hosts: 127.0.0.8 ct7support.com
backup-20080402-162539-873 O1 - Hosts: 127.0.0.69 www.grc.com
backup-20080402-162539-884 O1 - Hosts: 127.0.0.71 www.hackfaq.org
backup-20080402-162539-890 O1 - Hosts: 127.0.0.98 www.spykiller.com
backup-20080402-162539-897 O1 - Hosts: 127.0.0.46 spyware.co.uk
backup-20080402-162539-929 O1 - Hosts: 127.0.0.51 spywareremove.com
backup-20080402-162539-944 O1 - Hosts: 127.0.0.21 kephyr.com
backup-20080402-162539-957 O1 - Hosts: 127.0.0.53 sunbelt-software.com
backup-20080402-162539-964 O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
backup-20080402-162539-965 O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
backup-20080402-162539-968 O1 - Hosts: 127.0.0.63 www.ct7support.com
backup-20080402-162539-984 O1 - Hosts: 127.0.0.49 spywarenuker.com
backup-20080402-162539-994 O1 - Hosts: 127.0.0.33 onlinepcfix.com

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>
R2 BCMNTIO - c:\program files\checkit\diagnostics\bcmntio.sys
R2 MAPMEM - c:\program files\checkit\diagnostics\mapmem.sys
R2 tmmbd (Trend Micro MBD Driver) - c:\windows\system32\drivers\tm_mbd_c.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 XIRLINK (Polaroid Digital 640) - c:\windows\system32\drivers\c-itnt.sys <Not Verified; Xirlink, Inc; C-it Digital Video PC Camera>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 InCDsrvR (InCD Helper (read only)) - c:\program files\ahead\incd\incdsrv.exe -r <Not Verified; Nero AG; Nero AG incdsrv>
R2 KodakSvc (Kodak AiO Device Service) - "c:\program files\kodak\printer\center\kodaksvc.exe" <Not Verified; SDSD; KodakSvc>
R3 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Inc.; Trend Micro Internet Security>
R3 PcScnSrv (Trend Micro Protection Against Spyware ) - "c:\progra~1\trendm~1\intern~1\pcscnsrv.exe" <Not Verified; Trend Micro Inc.; Trend Micro Internet Security>
R3 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Inc.; Trend Micro Internet Security>
R3 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S3 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 15:15:09 436 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job
2007-12-04 22:00:34 356 --a------ C:\WINDOWS\Tasks\Kodak AiO Scheduled Maintenance.job


-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-17 08:48:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-17 08:35:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-17 08:35:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-17 08:28:21 6556 --ahs---- C:\WINDOWS\system32\QqtDefii.ini2
2008-04-16 18:56:01 0 d-------- C:\Documents and Settings\ROBIN\Application Data\HouseCall 6.6
2008-04-16 18:36:34 94208 --a------ C:\WINDOWS\system32\otabcfwl.exe
2008-04-16 15:20:37 0 d-------- C:\VundoFix Backups
2008-04-16 12:52:32 0 d-------- C:\e6c6f4d2e36413b2f34b6497270707
2008-04-16 10:04:18 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-16 10:00:18 0 d-------- C:\Program Files\Common Files\PC Tools
2008-04-15 20:56:54 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-15 20:56:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-04-15 20:56:32 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-15 17:15:53 0 d-------- C:\Program Files\Spyware Doctor
2008-04-15 17:15:53 0 d-------- C:\Documents and Settings\ROBIN\Application Data\PC Tools
2008-04-15 11:35:18 0 dr-h----- C:\Documents and Settings\ROBIN\Recent
2008-04-15 11:06:03 10240 --a------ C:\WINDOWS\system32\wlcstp32.dll
2008-04-15 10:49:31 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-15 10:49:31 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-15 10:49:30 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-15 10:49:29 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-15 10:49:11 0 d-------- C:\Documents and Settings\All Users\Application Data\bgjqtobq
2008-04-06 11:51:44 0 dr-h----- C:\Documents and Settings\Steven\Recent
2008-04-02 17:29:29 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:29:23 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:29:23 0 d-------- C:\Documents and Settings\ROBIN\Application Data\SUPERAntiSpyware.com
2008-04-02 17:23:09 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-04-02 17:22:40 0 d-------- C:\Program Files\MSECACHE
2008-04-02 17:10:56 0 d-------- C:\Program Files\Viewpoint
2008-04-01 20:39:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-01 20:38:26 0 d-------- C:\Program Files\Common Files\iS3
2008-04-01 20:38:25 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-29 10:07:37 0 d-------- C:\Documents and Settings\Steven\Application Data\LimeWire
2008-03-29 00:46:22 0 d-------- C:\Documents and Settings\Steven\Application Data\Adobe
2008-03-28 10:57:18 0 d-------- C:\Documents and Settings\Steven\Application Data\Apple Computer


-- Find3M Report ---------------------------------------------------------------

2008-04-17 14:41:56 0 d-------- C:\Program Files\Common Files
2008-04-17 13:59:53 145838 --a------ C:\logfile
2008-04-09 19:59:15 0 d-------- C:\Documents and Settings\ROBIN\Application Data\Watchtower
2008-04-09 19:56:36 0 d-------- C:\Program Files\Watchtower
2008-04-02 18:32:18 0 d-------- C:\Program Files\Google
2008-04-02 18:32:06 0 --a------ C:\Documents and Settings\ROBIN\Application Data\.googlewebacchosts
2008-04-02 17:10:57 0 d-------- C:\Program Files\WebIQ
2008-02-29 18:16:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-24 18:35:12 0 d-------- C:\Documents and Settings\ROBIN\Application Data\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7348D74C-731B-DECE-9F8A-A37D8214708E}]
04/15/2008 11:06 AM 10240 --a------ C:\WINDOWS\system32\wlcstp32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/06/2003 03:16 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/16/2007 10:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [08/24/2006 10:25 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"SoundMan"="SOUNDMAN.EXE" [05/14/2003 12:20 AM C:\WINDOWS\SOUNDMAN.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [06/02/1999 11:31 AM]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [04/11/2002 01:47 PM]
"nwiz"="nwiz.exe" [10/06/2003 03:16 PM C:\WINDOWS\system32\nwiz.exe]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [03/21/2002 11:41 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 06:58 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 05:40 PM]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [04/03/2007 09:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 09:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/22/2007 10:00 AM]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [08/18/2006 02:06 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [02/25/2005 07:28 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"qazthvqf"="C:\WINDOWS\system32\otabcfwl.exe" [04/16/2008 06:36 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Google Updater"=C:\Program Files\Google\Google Updater\GoogleUpdater.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [8/31/2003 10:06:53 AM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [9/19/2007 5:33:46 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [9/4/1999 5:23:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Fbqsa1IGaK"=C:\Documents and Settings\All Users\Application Data\bgjqtobq\zuzwdwna.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=1 (0x1)
"Btn_Search"=2 (0x2)
"NoBandCustomize"=1 (0x1)
"NoToolbarCustomize"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvKernel"= {12a6c9e2-d2bf-42de-8dfc-60086cd91823} - C:\WINDOWS\Resources\SrvKernel.dll [04/15/2008 10:49 AM 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifeDtqQ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakSvc"=2 (0x2)
"gusvc"=2 (0x2)




-- Hosts -----------------------------------------------------------------------

127.0.0.10 eblocs.com
127.0.0.12 forum.aumha.org
127.0.0.13 free-spyware-scan.com
127.0.0.14 free-web-browsers.com
127.0.0.15 grc.com
127.0.0.17 hackfaq.org
127.0.0.18 hazeleger.net
127.0.0.19 javacoolsoftware.com
127.0.0.100 www.spyware-cop.com
127.0.0.103 www.spywareremove.com

8406 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-17 15:19:23 ------------


HIJACK THIS pasted file:Deckard's System Scanner v20071014.68
Run by ROBIN on 2008-04-17 15:12:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
59: 2008-04-17 20:13:47 UTC - RP103 - Deckard's System Scanner Restore Point
58: 2008-04-17 19:44:23 UTC - RP102 - Removed Norton Security Scan
57: 2008-04-17 19:41:49 UTC - RP101 - Removed SUPERAntiSpyware Free Edition
56: 2008-04-17 19:40:21 UTC - RP100 - Removed Sibelius Scorch (ActiveX Only)
55: 2008-04-17 19:21:56 UTC - RP99 - 4/16/08


-- First Restore Point --
1: 2008-04-17 13:28:31 UTC - RP45 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).


-- HijackThis (run as ROBIN.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:42 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Application Data\bgjqtobq\zuzwdwna.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\otabcfwl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ROBIN\Local Settings\Temporary Internet Files\Content.IE5\DUAQ49DW\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ROBIN.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.com/ws/eBayISAPI.dll?Si...r=1&fromwl=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Explorer - {7348D74C-731B-DECE-9F8A-A37D8214708E} - C:\WINDOWS\system32\wlcstp32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [qazthvqf] C:\WINDOWS\system32\otabcfwl.exe
O4 - HKLM\..\Policies\Explorer\Run: [Fbqsa1IGaK] C:\Documents and Settings\All Users\Application Data\bgjqtobq\zuzwdwna.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126138013718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SrvKernel - {12a6c9e2-d2bf-42de-8dfc-60086cd91823} - C:\WINDOWS\Resources\SrvKernel.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 12128 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080402-162539-104 O1 - Hosts: 127.0.0.83 www.mvps.org
backup-20080402-162539-112 O1 - Hosts: 127.0.0.84 www.net-integration.net
backup-20080402-162539-135 O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
backup-20080402-162539-150 O1 - Hosts: 127.0.0.40 spybot.info
backup-20080402-162539-165 O1 - Hosts: 127.0.0.85 www.noadware.net
backup-20080402-162539-166 O1 - Hosts: 127.0.0.56 unwantedlinks.com
backup-20080402-162539-199 O1 - Hosts: 127.0.0.39 security.kolla.de
backup-20080402-162539-211 O1 - Hosts: 127.0.0.95 www.spychecker.com
backup-20080402-162539-221 O1 - Hosts: 127.0.0.59 www.auditmypc.com
backup-20080402-162539-238 O1 - Hosts: 127.0.0.38 secureie.com
backup-20080402-162539-265 O1 - Hosts: 127.0.0.42 spychecker.com
backup-20080402-162539-266 O1 - Hosts: 127.0.0.54 thiefware.com
backup-20080402-162539-276 O1 - Hosts: 127.0.0.65 www.eblocs.com
backup-20080402-162539-284 O1 - Hosts: 127.0.0.92 www.security.kolla.de
backup-20080402-162539-293 O1 - Hosts: 127.0.0.99 www.spyware.co.uk
backup-20080402-162539-299 O1 - Hosts: 127.0.0.96 www.spycop.com
backup-20080402-162539-311 O1 - Hosts: 127.0.0.44 spyguard.com
backup-20080402-162539-329 O1 - Hosts: 127.0.0.93 www.spybot.info
backup-20080402-162539-330 O1 - Hosts: 127.0.0.50 spywareremove.com
backup-20080402-162539-372 O1 - Hosts: 127.0.0.78 www.lurkhere.com
backup-20080402-162539-374 O1 - Hosts: 127.0.0.29 mvps.org
backup-20080402-162539-385 O1 - Hosts: 127.0.0.41 spychecker.com
backup-20080402-162539-421 O1 - Hosts: 127.0.0.28 moosoft.com
backup-20080402-162539-458 O1 - Hosts: 127.0.0.5 camtech2000.net
backup-20080402-162539-472 O1 - Hosts: 127.0.0.32 no-spybot.com
backup-20080402-162539-486 O1 - Hosts: 127.0.0.86 www.no-spybot.com
backup-20080402-162539-493 O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
backup-20080402-162539-497 O1 - Hosts: 127.0.0.27 mjc1.com
backup-20080402-162539-517 O1 - Hosts: 127.0.0.91 www.secureie.com
backup-20080402-162539-581 O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
backup-20080402-162539-616 O1 - Hosts: 127.0.0.30 net-integration.net
backup-20080402-162539-622 O1 - Hosts: 127.0.0.81 www.mjc1.com
backup-20080402-162539-634 O1 - Hosts: 127.0.0.2 auditmypc.com
backup-20080402-162539-662 O1 - Hosts: 127.0.0.94 www.spychecker.com
backup-20080402-162539-677 O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
backup-20080402-162539-678 O1 - Hosts: 127.0.0.4 bulletproofsoft.net
backup-20080402-162539-703 O1 - Hosts: 127.0.0.43 spycop.com
backup-20080402-162539-712 O1 - Hosts: 127.0.0.75 www.kephyr.com
backup-20080402-162539-723 O1 - Hosts: 127.0.0.34 pchell.com
backup-20080402-162539-732 O1 - Hosts: 127.0.0.58 wilders.org
backup-20080402-162539-739 O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
backup-20080402-162539-740 O1 - Hosts: 127.0.0.37 secure.spykiller.com
backup-20080402-162539-743 O1 - Hosts: 127.0.0.24 lurkhere.com
backup-20080402-162539-749 O1 - Hosts: 127.0.0.23 lavasoftusa.com
backup-20080402-162539-753 O1 - Hosts: 127.0.0.97 www.spyguard.com
backup-20080402-162539-760 O1 - Hosts: 127.0.0.47 spyware-cop.com
backup-20080402-162539-762 O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
backup-20080402-162539-783 O1 - Hosts: 127.0.0.45 spykiller.com
backup-20080402-162539-788 O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
backup-20080402-162539-794 O1 - Hosts: 127.0.0.82 www.moosoft.com
backup-20080402-162539-822 O1 - Hosts: 127.0.0.88 www.pchell.com
backup-20080402-162539-829 O1 - Hosts: 127.0.0.31 noadware.net
backup-20080402-162539-847 O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
backup-20080402-162539-852 O1 - Hosts: 127.0.0.72 www.hazeleger.net
backup-20080402-162539-854 O1 - Hosts: 127.0.0.8 ct7support.com
backup-20080402-162539-873 O1 - Hosts: 127.0.0.69 www.grc.com
backup-20080402-162539-884 O1 - Hosts: 127.0.0.71 www.hackfaq.org
backup-20080402-162539-890 O1 - Hosts: 127.0.0.98 www.spykiller.com
backup-20080402-162539-897 O1 - Hosts: 127.0.0.46 spyware.co.uk
backup-20080402-162539-929 O1 - Hosts: 127.0.0.51 spywareremove.com
backup-20080402-162539-944 O1 - Hosts: 127.0.0.21 kephyr.com
backup-20080402-162539-957 O1 - Hosts: 127.0.0.53 sunbelt-software.com
backup-20080402-162539-964 O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
backup-20080402-162539-965 O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
backup-20080402-162539-968 O1 - Hosts: 127.0.0.63 www.ct7support.com
backup-20080402-162539-984 O1 - Hosts: 127.0.0.49 spywarenuker.com
backup-20080402-162539-994 O1 - Hosts: 127.0.0.33 onlinepcfix.com

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>
R2 BCMNTIO - c:\program files\checkit\diagnostics\bcmntio.sys
R2 MAPMEM - c:\program files\checkit\diagnostics\mapmem.sys
R2 tmmbd (Trend Micro MBD Driver) - c:\windows\system32\drivers\tm_mbd_c.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 XIRLINK (Polaroid Digital 640) - c:\windows\system32\drivers\c-itnt.sys <Not Verified; Xirlink, Inc; C-it Digital Video PC Camera>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 InCDsrvR (InCD Helper (read only)) - c:\program files\ahead\incd\incdsrv.exe -r <Not Verified; Nero AG; Nero AG incdsrv>
R2 KodakSvc (Kodak AiO Device Service) - "c:\program files\kodak\printer\center\kodaksvc.exe" <Not Verified; SDSD; KodakSvc>
R3 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Inc.; Trend Micro Internet Security>
R3 PcScnSrv (Trend Micro Protection Against Spyware ) - "c:\progra~1\trendm~1\intern~1\pcscnsrv.exe" <Not Verified; Trend Micro Inc.; Trend Micro Internet Security>
R3 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Inc.; Trend Micro Internet Security>
R3 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S3 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 15:15:09 436 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job
2007-12-04 22:00:34 356 --a------ C:\WINDOWS\Tasks\Kodak AiO Scheduled Maintenance.job


-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-17 08:48:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-17 08:35:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-17 08:35:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-17 08:28:21 6556 --ahs---- C:\WINDOWS\system32\QqtDefii.ini2
2008-04-16 18:56:01 0 d-------- C:\Documents and Settings\ROBIN\Application Data\HouseCall 6.6
2008-04-16 18:36:34 94208 --a------ C:\WINDOWS\system32\otabcfwl.exe
2008-04-16 15:20:37 0 d-------- C:\VundoFix Backups
2008-04-16 12:52:32 0 d-------- C:\e6c6f4d2e36413b2f34b6497270707
2008-04-16 10:04:18 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-16 10:00:18 0 d-------- C:\Program Files\Common Files\PC Tools
2008-04-15 20:56:54 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-15 20:56:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-04-15 20:56:32 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-15 17:15:53 0 d-------- C:\Program Files\Spyware Doctor
2008-04-15 17:15:53 0 d-------- C:\Documents and Settings\ROBIN\Application Data\PC Tools
2008-04-15 11:35:18 0 dr-h----- C:\Documents and Settings\ROBIN\Recent
2008-04-15 11:06:03 10240 --a------ C:\WINDOWS\system32\wlcstp32.dll
2008-04-15 10:49:31 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-15 10:49:31 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-15 10:49:30 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-15 10:49:29 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-15 10:49:11 0 d-------- C:\Documents and Settings\All Users\Application Data\bgjqtobq
2008-04-06 11:51:44 0 dr-h----- C:\Documents and Settings\Steven\Recent
2008-04-02 17:29:29 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:29:23 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:29:23 0 d-------- C:\Documents and Settings\ROBIN\Application Data\SUPERAntiSpyware.com
2008-04-02 17:23:09 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-04-02 17:22:40 0 d-------- C:\Program Files\MSECACHE
2008-04-02 17:10:56 0 d-------- C:\Program Files\Viewpoint
2008-04-01 20:39:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-01 20:38:26 0 d-------- C:\Program Files\Common Files\iS3
2008-04-01 20:38:25 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-29 10:07:37 0 d-------- C:\Documents and Settings\Steven\Application Data\LimeWire
2008-03-29 00:46:22 0 d-------- C:\Documents and Settings\Steven\Application Data\Adobe
2008-03-28 10:57:18 0 d-------- C:\Documents and Settings\Steven\Application Data\Apple Computer


-- Find3M Report ---------------------------------------------------------------

2008-04-17 14:41:56 0 d-------- C:\Program Files\Common Files
2008-04-17 13:59:53 145838 --a------ C:\logfile
2008-04-09 19:59:15 0 d-------- C:\Documents and Settings\ROBIN\Application Data\Watchtower
2008-04-09 19:56:36 0 d-------- C:\Program Files\Watchtower
2008-04-02 18:32:18 0 d-------- C:\Program Files\Google
2008-04-02 18:32:06 0 --a------ C:\Documents and Settings\ROBIN\Application Data\.googlewebacchosts
2008-04-02 17:10:57 0 d-------- C:\Program Files\WebIQ
2008-02-29 18:16:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-24 18:35:12 0 d-------- C:\Documents and Settings\ROBIN\Application Data\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7348D74C-731B-DECE-9F8A-A37D8214708E}]
04/15/2008 11:06 AM 10240 --a------ C:\WINDOWS\system32\wlcstp32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/06/2003 03:16 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/16/2007 10:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [08/24/2006 10:25 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"SoundMan"="SOUNDMAN.EXE" [05/14/2003 12:20 AM C:\WINDOWS\SOUNDMAN.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [06/02/1999 11:31 AM]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [04/11/2002 01:47 PM]
"nwiz"="nwiz.exe" [10/06/2003 03:16 PM C:\WINDOWS\system32\nwiz.exe]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [03/21/2002 11:41 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 06:58 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 05:40 PM]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [04/03/2007 09:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 09:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/22/2007 10:00 AM]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [08/18/2006 02:06 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [02/25/2005 07:28 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"qazthvqf"="C:\WINDOWS\system32\otabcfwl.exe" [04/16/2008 06:36 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Google Updater"=C:\Program Files\Google\Google Updater\GoogleUpdater.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [8/31/2003 10:06:53 AM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [9/19/2007 5:33:46 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [9/4/1999 5:23:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Fbqsa1IGaK"=C:\Documents and Settings\All Users\Application Data\bgjqtobq\zuzwdwna.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=1 (0x1)
"Btn_Search"=2 (0x2)
"NoBandCustomize"=1 (0x1)
"NoToolbarCustomize"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvKernel"= {12a6c9e2-d2bf-42de-8dfc-60086cd91823} - C:\WINDOWS\Resources\SrvKernel.dll [04/15/2008 10:49 AM 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifeDtqQ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakSvc"=2 (0x2)
"gusvc"=2 (0x2)




-- Hosts -----------------------------------------------------------------------

127.0.0.10 eblocs.com
127.0.0.12 forum.aumha.org
127.0.0.13 free-spyware-scan.com
127.0.0.14 free-web-browsers.com
127.0.0.15 grc.com
127.0.0.17 hackfaq.org
127.0.0.18 hazeleger.net
127.0.0.19 javacoolsoftware.com
127.0.0.100 www.spyware-cop.com
127.0.0.103 www.spywareremove.com

8406 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-17 15:19:23 ------------

:thumbsup:

Removed e-mail address to protect from spambots. ~ OB

Edited by Orange Blossom, 17 April 2008 - 04:27 PM.


BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:03 PM

Posted 18 April 2008 - 07:34 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
Let's work on getting rid of the malware on your computer first and then we'll troubleshoot your other issues.


First you must disable Spybot's Teatimer function before proceeding with this fix. Otherwise it will intefere with hijackthis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.



Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: Explorer - {7348D74C-731B-DECE-9F8A-A37D8214708E} - C:\WINDOWS\system32\wlcstp32.dll
O4 - HKCU\..\Run: [qazthvqf] C:\WINDOWS\system32\otabcfwl.exe
O4 - HKLM\..\Policies\Explorer\Run: [Fbqsa1IGaK] C:\Documents and Settings\All Users\Application Data\bgjqtobq\zuzwdwna.exe



Reboot and post a new hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 stripes

stripes
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 18 April 2008 - 02:30 PM

Dear Sam - I can't tell you how grateful and appreciative I feel at this moment - I would give you my first born son - though I do believe he is the one who brought this trouble upon me in the first place. Below is my latest Hijack This scan. I hope I am replying in the proper way - please be sure to advise if not. Again - I bow before your magnificence. - Stripes


ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:47 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.com/ws/eBayISAPI.dll?Si...r=1&fromwl=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7348D74C-731B-DECE-9F8A-A37D8214708E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126138013718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SrvKernel - {12a6c9e2-d2bf-42de-8dfc-60086cd91823} - C:\WINDOWS\Resources\SrvKernel.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 11584 bytes

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:03 PM

Posted 19 April 2008 - 07:44 AM

You are doing everything perfectly. :thumbsup:
This is going to take a couple more steps, but we'll get you cleaned up.



Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 stripes

stripes
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 19 April 2008 - 10:51 AM

Good morning - and thanks so very very much again Sam.

I did just as you said - lst run failed due to the fact Spybot was lurking in the back ground. I uninstalled Spybot and re-ran ComboFix. Attached below is a copying of the ComboFix Log. I hope I did things correctly. Thanks so much again Sam -

ComboFix 08-04-18.3 - ROBIN 2008-04-19 10:42:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.819 [GMT -5:00]
Running from: C:\Documents and Settings\ROBIN\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\resources\SrvKernel.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cache\chart 1.bmp
C:\WINDOWS\system32\Cache\ding.bmp
C:\WINDOWS\system32\Cache\document.bmp
C:\WINDOWS\system32\Cache\msg.bin
C:\WINDOWS\system32\Cache\Thumbs.db
C:\WINDOWS\system32\Cache\web app.bmp
C:\WINDOWS\system32\QqtDefii.ini
C:\WINDOWS\system32\QqtDefii.ini2
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32VBIEWER.OCX

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 13:53 . 2008-04-18 13:53 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\MySpace
2008-04-17 15:12 . 2008-04-17 15:12 <DIR> d-------- C:\Deckard
2008-04-16 18:56 . 2008-04-16 19:12 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\HouseCall 6.6
2008-04-16 18:36 . 2008-04-16 18:36 94,208 --a------ C:\WINDOWS\system32\otabcfwl.exe
2008-04-16 15:20 . 2008-04-16 15:20 <DIR> d-------- C:\VundoFix Backups
2008-04-16 12:52 . 2008-04-16 12:52 <DIR> d-------- C:\e6c6f4d2e36413b2f34b6497270707
2008-04-16 10:04 . 2008-04-16 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-16 10:04 . 2008-04-16 10:00 159,112 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-04-16 10:00 . 2008-04-16 10:04 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-04-15 17:16 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-15 17:16 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-15 17:16 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-15 17:16 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-15 17:15 . 2008-04-17 13:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-15 17:15 . 2008-04-15 17:15 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\PC Tools
2008-04-15 11:06 . 2008-04-15 11:06 10,240 --a------ C:\WINDOWS\system32\wlcstp32.dll
2008-04-15 10:49 . 2008-04-15 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\bgjqtobq
2008-04-09 21:21 . 2008-04-09 21:21 0 --a------ C:\20080410022116187.loc
2008-04-09 21:20 . 2008-04-09 21:20 0 --a------ C:\20080410022054890.loc
2008-04-09 21:20 . 2008-04-09 21:20 0 --a------ C:\20080410022030578.loc
2008-04-09 21:02 . 2008-04-09 21:02 0 --a------ C:\20080410020218875.loc
2008-04-09 21:01 . 2008-04-09 21:01 0 --a------ C:\20080410020151562.loc
2008-04-09 20:44 . 2008-04-09 20:44 0 --a------ C:\20080410014407250.loc
2008-04-09 20:43 . 2008-04-09 20:43 0 --a------ C:\20080410014310921.loc
2008-04-02 17:29 . 2008-04-02 18:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:29 . 2008-04-02 17:29 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\SUPERAntiSpyware.com
2008-04-02 17:29 . 2008-04-02 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:23 . 2008-04-02 17:23 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-02 17:22 . 2008-04-02 17:22 <DIR> d-------- C:\Program Files\MSECACHE
2008-04-02 17:10 . 2008-04-02 17:10 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-01 20:39 . 2008-04-01 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-01 20:38 . 2008-04-01 20:38 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-01 20:38 . 2008-04-02 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-29 10:07 . 2008-03-29 12:23 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\LimeWire
2008-03-28 12:08 . 2008-03-28 12:08 0 --a------ C:\20080328170848875.loc
2008-03-28 10:57 . 2008-03-28 10:57 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 15:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-19 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 15:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-19 13:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-10 00:59 --------- d-----w C:\Documents and Settings\ROBIN\Application Data\Watchtower
2008-04-10 00:56 --------- d-----w C:\Program Files\Watchtower
2008-04-02 23:32 --------- d-----w C:\Program Files\Google
2008-04-02 22:10 --------- d-----w C:\Program Files\WebIQ
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-29 23:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-03-07 23:26 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 10:00 68856]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 14:06 315392]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 19:28 212992]
"qazthvqf"="C:\WINDOWS\system32\otabcfwl.exe" [2008-04-16 18:36 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-16 10:51 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-24 22:25 3112960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"SoundMan"="SOUNDMAN.EXE" [2003-05-14 00:20 55296 C:\WINDOWS\SOUNDMAN.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [1999-06-02 11:31 34816]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 13:47 176128]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 23:41 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 17:40 155648]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-04-03 09:54 753664]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Google Updater"="C:\Program Files\Google\Google Updater\GoogleUpdater.exe" [2007-08-22 10:00 124912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2003-08-31 10:06:53 209016]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 17:23:00 53317]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Search"= 2 (0x2)
"NoBandCustomize"= 1 (0x1)
"NoToolbarCustomize"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakSvc"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-16 10:00]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 18:09]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 19:04]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 18:09]
S3 XIRLINK;Polaroid Digital 640;C:\WINDOWS\system32\DRIVERS\C-itNT.sys [2000-11-29 11:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 20:15:09 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
"2007-12-05 03:00:34 C:\WINDOWS\Tasks\Kodak AiO Scheduled Maintenance.job"
- C:\Program Files\Kodak\Printer\Center\Kodak.Statistics.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 10:44:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 10:46:16
ComboFix-quarantined-files.txt 2008-04-19 15:45:45

Pre-Run: 11,600,117,760 bytes free
Post-Run: 11,588,034,560 bytes free

179 --- E O F --- 2008-04-19 01:05:26

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:03 PM

Posted 19 April 2008 - 03:51 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
C:\VundoFix Backups
C:\Documents and Settings\All Users\Application Data\bgjqtobq

File::
C:\WINDOWS\system32\otabcfwl.exe
C:\WINDOWS\system32\wlcstp32.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qazthvqf"=-
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 stripes

stripes
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 20 April 2008 - 06:50 PM

Dear Sam, So sorry for the delay in replying. I tried to follow the steps last evening but couldn't seem to come up with the same options under File/Save As Type......I couldn't figure out where I was going wrong. Finally upon returning this evenings I saw clearly.....I wasn't following the steps within Notepad.....I feel so dumb, this computer has made my head pop, snap and crackle like a piece of bacon cooking. I'd stick my head in the oven but as luck would have it - it's electric not gas. Alas! I'm no longer able to think clearly nor coherently.....to make a long sorry story even longer.....I noticed that when I turned my computer on this evening PC Cleaner instantly loaded and did a scan - I don't have PC cleaner, at least not by choice. I didn't know if it was part of any download links from the Bleeping Computer site or just another uninvited guest.

Attached first is the Combofix log with the Hijack This log to follow.

Once again Sam, thank you very very much for all your help, patience, time.....thank you.

ComboFix Log:

ComboFix 08-04-18.3 - ROBIN 2008-04-20 18:31:20.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.812 [GMT -5:00]
Running from: C:\Documents and Settings\ROBIN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ROBIN\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\otabcfwl.exe
C:\WINDOWS\system32\wlcstp32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\bgjqtobq
C:\Documents and Settings\All Users\Application Data\bgjqtobq\zuzwdwna.exe
C:\Program Files\PC-Cleaner
C:\Program Files\PC-Cleaner\com\pcsd.dll
C:\Program Files\PC-Cleaner\PC-Cleaner.db
C:\Program Files\PC-Cleaner\PC-Cleaner.exe
C:\Program Files\PC-Cleaner\pccleaner.pkg
C:\Program Files\PC-Cleaner\program.info
C:\Program Files\PC-Cleaner\Uninstall.exe
C:\VundoFix Backups
C:\WINDOWS\system32\otabcfwl.exe
C:\WINDOWS\system32\wlcstp32.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-20 18:05 . 2008-04-20 18:13 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\PC-Cleaner
2008-04-18 13:53 . 2008-04-18 13:53 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\MySpace
2008-04-17 15:12 . 2008-04-17 15:12 <DIR> d-------- C:\Deckard
2008-04-16 18:56 . 2008-04-16 19:12 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\HouseCall 6.6
2008-04-16 12:52 . 2008-04-16 12:52 <DIR> d-------- C:\e6c6f4d2e36413b2f34b6497270707
2008-04-16 10:04 . 2008-04-16 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-16 10:04 . 2008-04-16 10:00 159,112 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-04-16 10:00 . 2008-04-16 10:04 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-04-15 17:16 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-15 17:16 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-15 17:16 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-15 17:16 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-15 17:15 . 2008-04-17 13:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-15 17:15 . 2008-04-15 17:15 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\PC Tools
2008-04-09 21:21 . 2008-04-09 21:21 0 --a------ C:\20080410022116187.loc
2008-04-09 21:20 . 2008-04-09 21:20 0 --a------ C:\20080410022054890.loc
2008-04-09 21:20 . 2008-04-09 21:20 0 --a------ C:\20080410022030578.loc
2008-04-09 21:02 . 2008-04-09 21:02 0 --a------ C:\20080410020218875.loc
2008-04-09 21:01 . 2008-04-09 21:01 0 --a------ C:\20080410020151562.loc
2008-04-09 20:44 . 2008-04-09 20:44 0 --a------ C:\20080410014407250.loc
2008-04-09 20:43 . 2008-04-09 20:43 0 --a------ C:\20080410014310921.loc
2008-04-02 17:29 . 2008-04-02 18:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:29 . 2008-04-02 17:29 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\SUPERAntiSpyware.com
2008-04-02 17:29 . 2008-04-02 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:23 . 2008-04-02 17:23 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-02 17:22 . 2008-04-02 17:22 <DIR> d-------- C:\Program Files\MSECACHE
2008-04-02 17:10 . 2008-04-02 17:10 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-01 20:39 . 2008-04-01 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-01 20:38 . 2008-04-01 20:38 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-01 20:38 . 2008-04-02 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-29 10:07 . 2008-03-29 12:23 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\LimeWire
2008-03-28 12:08 . 2008-03-28 12:08 0 --a------ C:\20080328170848875.loc
2008-03-28 10:57 . 2008-03-28 10:57 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-19 15:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-19 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 15:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 00:59 --------- d-----w C:\Documents and Settings\ROBIN\Application Data\Watchtower
2008-04-10 00:56 --------- d-----w C:\Program Files\Watchtower
2008-04-02 23:32 --------- d-----w C:\Program Files\Google
2008-04-02 22:10 --------- d-----w C:\Program Files\WebIQ
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-29 23:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-03-07 23:26 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-19_10.45.32.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 01:02:03 69,120 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-04-19 23:56:36 69,120 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2008-04-19 01:02:09 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-04-19 23:56:45 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2008-04-19 01:01:27 4,444,160 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-04-19 23:56:19 4,444,160 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2008-04-19 01:02:11 483,840 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-04-19 23:56:47 483,840 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2008-04-19 01:01:55 3,036,160 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-04-19 23:56:27 3,036,160 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2008-04-19 01:02:14 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-04-19 23:56:49 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2008-04-19 01:02:14 113,664 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-04-19 23:56:49 113,664 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2008-04-19 01:02:10 261,120 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-04-19 23:56:45 261,120 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2008-04-19 01:01:52 5,431,296 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-04-19 23:56:25 5,431,296 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-04-19 01:02:00 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-04-19 23:56:33 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2008-04-19 01:01:54 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-04-19 23:56:26 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2008-04-19 01:02:02 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-04-19 23:56:36 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2008-04-19 01:02:06 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-04-19 23:56:40 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2008-04-19 01:02:07 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-04-19 23:56:41 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2008-04-19 01:02:07 6,656 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-04-19 23:56:42 6,656 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2008-04-19 01:02:15 348,160 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-04-19 23:56:50 348,160 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2008-04-19 01:02:15 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-04-19 23:56:51 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2008-04-19 01:02:17 655,360 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-04-19 23:56:51 655,360 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2008-04-19 01:02:17 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-04-19 23:56:52 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2008-04-19 01:02:08 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-04-19 23:56:43 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2008-04-19 01:02:06 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-04-19 23:56:41 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2008-04-19 01:02:05 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-04-19 23:56:39 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2008-04-19 01:02:12 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-04-19 23:56:47 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2008-04-19 01:02:04 671,744 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-04-19 23:56:38 671,744 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2008-04-19 01:01:35 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-04-19 23:56:21 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2008-04-19 01:02:13 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-04-19 23:56:49 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2008-04-19 01:02:04 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-04-19 23:56:37 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2008-04-19 01:02:04 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-04-19 23:56:37 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2008-04-19 01:02:08 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-04-19 23:56:44 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2008-04-19 01:02:09 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-04-19 23:56:44 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2008-04-19 01:01:54 425,984 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-04-19 23:56:27 425,984 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2008-04-19 01:01:56 741,376 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-04-19 23:56:29 741,376 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2008-04-19 01:01:57 933,888 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-04-19 23:56:30 933,888 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2008-04-19 01:02:19 5,070,848 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-04-19 23:56:53 5,070,848 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2008-04-19 01:02:16 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-04-19 23:56:51 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2008-04-19 01:02:01 401,408 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-04-19 23:56:34 401,408 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2008-04-19 01:02:13 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-04-19 23:56:48 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2008-04-19 01:01:38 630,784 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-04-19 23:56:21 630,784 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2008-04-19 01:02:14 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-04-19 23:56:49 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2008-04-19 01:02:12 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-04-19 23:56:48 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2008-04-19 01:02:11 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-04-19 23:56:46 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2008-04-19 01:02:10 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-04-19 23:56:46 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2008-04-19 01:01:42 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-04-19 23:56:22 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2008-04-19 01:01:45 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-04-19 23:56:23 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2008-04-19 01:01:59 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-04-19 23:56:32 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2008-04-19 01:02:00 90,112 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-04-19 23:56:33 90,112 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2008-04-19 01:01:58 839,680 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-04-19 23:56:32 839,680 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2008-04-19 01:02:02 5,013,504 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-04-19 23:56:35 5,013,504 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2008-04-19 01:01:48 2,068,480 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-04-19 23:56:23 2,068,480 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2008-04-19 01:01:57 3,076,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-04-19 23:56:31 3,076,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-04-19 16:55:55 299,008 ------w C:\WINDOWS\assembly\temp\8EIMQUY269\System.Runtime.Remoting.dll
+ 2008-04-19 16:55:10 4,444,160 ------w C:\WINDOWS\assembly\temp\8FJNRVY26A\mscorlib.dll
+ 2008-04-19 16:55:31 2,068,480 ------w C:\WINDOWS\assembly\temp\AHLPTX159D\System.XML.dll
+ 2008-04-19 16:55:42 3,076,096 ------w C:\WINDOWS\assembly\temp\EMPUY259DH\System.dll
+ 2008-04-19 16:55:41 933,888 ------w C:\WINDOWS\assembly\temp\IPTX148CGL\System.Deployment.dll
+ 2008-04-19 16:55:46 5,013,504 ------w C:\WINDOWS\assembly\temp\KRVZ37AEIM\System.Windows.Forms.dll
+ 2008-04-19 16:55:39 425,984 ------w C:\WINDOWS\assembly\temp\NTX148CGKN\System.configuration.dll
+ 2008-04-19 16:55:27 114,688 ------w C:\WINDOWS\assembly\temp\V269EILPTX\System.ServiceProcess.dll
- 2008-04-19 15:34:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 23:04:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-19 01:02:44 76,628 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-19 23:57:01 76,628 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-19 01:02:44 437,678 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-19 23:57:01 437,678 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-04-19 01:02:06 8,192 ----a-w C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2008-04-19 23:56:40 8,192 ----a-w C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2008-04-19 01:02:14 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-04-19 23:56:49 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2008-04-19 01:02:14 113,664 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2008-04-19 23:56:49 113,664 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 10:00 68856]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 14:06 315392]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 19:28 212992]
"PC-Cleaner"="C:\Program Files\PC-Cleaner\PC-Cleaner.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-16 10:51 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-24 22:25 3112960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"SoundMan"="SOUNDMAN.EXE" [2003-05-14 00:20 55296 C:\WINDOWS\SOUNDMAN.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [1999-06-02 11:31 34816]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 13:47 176128]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 23:41 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 17:40 155648]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-04-03 09:54 753664]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Google Updater"="C:\Program Files\Google\Google Updater\GoogleUpdater.exe" [2007-08-22 10:00 124912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2003-08-31 10:06:53 209016]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 17:23:00 53317]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Search"= 2 (0x2)
"NoBandCustomize"= 1 (0x1)
"NoToolbarCustomize"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakSvc"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-16 10:00]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 18:09]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 19:04]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 18:09]
S3 XIRLINK;Polaroid Digital 640;C:\WINDOWS\system32\DRIVERS\C-itNT.sys [2000-11-29 11:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 20:15:09 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
"2007-12-05 03:00:34 C:\WINDOWS\Tasks\Kodak AiO Scheduled Maintenance.job"
- C:\Program Files\Kodak\Printer\Center\Kodak.Statistics.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 18:34:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-20 18:35:35
ComboFix-quarantined-files.txt 2008-04-20 23:35:26
ComboFix2.txt 2008-04-19 15:46:18

Pre-Run: 11,774,205,952 bytes free
Post-Run: 11,801,956,352 bytes free

299 --- E O F --- 2008-04-19 23:58:15


Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:07 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.com/ws/eBayISAPI.dll?Si...r=1&fromwl=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide
O4 - HKUS\S-1-5-18\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126138013718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SrvKernel - {12a6c9e2-d2bf-42de-8dfc-60086cd91823} - (no file)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 10777 bytes

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:03 PM

Posted 21 April 2008 - 06:59 AM

It does look like it crept in there somehow. We'll take care of it.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
C:\Documents and Settings\ROBIN\Application Data\PC-Cleaner
C:\Program Files\PC-Cleaner

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC-Cleaner"=-
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 stripes

stripes
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 21 April 2008 - 09:18 AM

Top Of The Morning To You Sam!

- and as always, thank you very much for ALL of your undeserved help.

Below will be the new ComboFix Scan followed by the new Hijack this scan.
Thank you for going through them and advising me.

Have A Great Day,

Robin

ComboFix 08-04-18.3 - ROBIN 2008-04-21 8:46:59.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.819 [GMT -5:00]
Running from: C:\Documents and Settings\ROBIN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ROBIN\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ROBIN\Application Data\PC-Cleaner
C:\Documents and Settings\ROBIN\Application Data\PC-Cleaner\log.dat
C:\Documents and Settings\ROBIN\Application Data\PC-Cleaner\settings.dat

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-18 13:53 . 2008-04-18 13:53 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\MySpace
2008-04-17 15:12 . 2008-04-17 15:12 <DIR> d-------- C:\Deckard
2008-04-16 18:56 . 2008-04-16 19:12 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\HouseCall 6.6
2008-04-16 12:52 . 2008-04-16 12:52 <DIR> d-------- C:\e6c6f4d2e36413b2f34b6497270707
2008-04-16 10:04 . 2008-04-16 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-16 10:04 . 2008-04-16 10:00 159,112 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-04-16 10:00 . 2008-04-16 10:04 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-04-15 17:16 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-15 17:16 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-15 17:16 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-15 17:16 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-15 17:15 . 2008-04-17 13:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-15 17:15 . 2008-04-15 17:15 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\PC Tools
2008-04-09 21:21 . 2008-04-09 21:21 0 --a------ C:\20080410022116187.loc
2008-04-09 21:20 . 2008-04-09 21:20 0 --a------ C:\20080410022054890.loc
2008-04-09 21:20 . 2008-04-09 21:20 0 --a------ C:\20080410022030578.loc
2008-04-09 21:02 . 2008-04-09 21:02 0 --a------ C:\20080410020218875.loc
2008-04-09 21:01 . 2008-04-09 21:01 0 --a------ C:\20080410020151562.loc
2008-04-09 20:44 . 2008-04-09 20:44 0 --a------ C:\20080410014407250.loc
2008-04-09 20:43 . 2008-04-09 20:43 0 --a------ C:\20080410014310921.loc
2008-04-02 17:29 . 2008-04-02 18:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:29 . 2008-04-02 17:29 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\SUPERAntiSpyware.com
2008-04-02 17:29 . 2008-04-02 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:23 . 2008-04-02 17:23 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-02 17:22 . 2008-04-02 17:22 <DIR> d-------- C:\Program Files\MSECACHE
2008-04-02 17:10 . 2008-04-02 17:10 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-01 20:39 . 2008-04-01 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-01 20:38 . 2008-04-01 20:38 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-01 20:38 . 2008-04-02 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-29 10:07 . 2008-03-29 12:23 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\LimeWire
2008-03-28 12:08 . 2008-03-28 12:08 0 --a------ C:\20080328170848875.loc
2008-03-28 10:57 . 2008-03-28 10:57 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-19 15:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-19 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 15:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 00:59 --------- d-----w C:\Documents and Settings\ROBIN\Application Data\Watchtower
2008-04-10 00:56 --------- d-----w C:\Program Files\Watchtower
2008-04-02 23:32 --------- d-----w C:\Program Files\Google
2008-04-02 22:10 --------- d-----w C:\Program Files\WebIQ
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-29 23:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-03-07 23:26 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-20_18.35.14.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 23:56:36 69,120 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-04-21 01:11:53 69,120 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2008-04-19 23:56:45 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-04-21 01:11:58 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2008-04-19 23:56:19 4,444,160 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-04-21 01:11:39 4,444,160 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2008-04-19 23:56:47 483,840 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-04-21 01:12:00 483,840 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2008-04-19 23:56:27 3,036,160 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-04-21 01:11:45 3,036,160 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2008-04-19 23:56:49 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-04-21 01:12:03 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2008-04-19 23:56:49 113,664 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-04-21 01:12:03 113,664 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2008-04-19 23:56:45 261,120 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-04-21 01:11:59 261,120 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2008-04-19 23:56:25 5,431,296 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-04-21 01:11:43 5,431,296 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-04-19 23:56:33 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-04-21 01:11:50 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2008-04-19 23:56:26 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-04-21 01:11:44 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2008-04-19 23:56:36 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-04-21 01:11:52 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2008-04-19 23:56:40 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-04-21 01:11:55 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2008-04-19 23:56:41 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-04-21 01:11:56 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2008-04-19 23:56:42 6,656 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-04-21 01:11:57 6,656 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2008-04-19 23:56:50 348,160 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-04-21 01:12:03 348,160 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2008-04-19 23:56:51 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-04-21 01:12:04 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2008-04-19 23:56:51 655,360 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-04-21 01:12:05 655,360 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2008-04-19 23:56:52 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-04-21 01:12:05 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2008-04-19 23:56:43 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-04-21 01:11:57 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2008-04-19 23:56:41 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-04-21 01:11:56 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2008-04-19 23:56:39 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-04-21 01:11:55 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2008-04-19 23:56:47 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-04-21 01:12:00 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2008-04-19 23:56:38 671,744 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-04-21 01:11:54 671,744 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2008-04-19 23:56:21 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-04-21 01:11:40 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2008-04-19 23:56:49 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-04-21 01:12:02 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2008-04-19 23:56:37 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-04-21 01:11:54 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2008-04-19 23:56:37 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-04-21 01:11:54 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2008-04-19 23:56:44 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-04-21 01:11:58 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2008-04-19 23:56:44 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-04-21 01:11:58 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2008-04-19 23:56:27 425,984 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-04-21 01:11:45 425,984 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2008-04-19 23:56:29 741,376 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-04-21 01:11:46 741,376 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2008-04-19 23:56:30 933,888 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-04-21 01:11:47 933,888 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2008-04-19 23:56:53 5,070,848 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-04-21 01:12:07 5,070,848 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2008-04-19 23:56:51 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-04-21 01:12:04 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2008-04-19 23:56:34 401,408 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-04-21 01:11:51 401,408 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2008-04-19 23:56:48 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-04-21 01:12:01 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2008-04-19 23:56:21 630,784 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-04-21 01:11:40 630,784 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2008-04-19 23:56:49 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-04-21 01:12:02 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2008-04-19 23:56:48 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-04-21 01:12:01 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2008-04-19 23:56:46 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-04-21 01:12:00 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2008-04-19 23:56:46 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-04-21 01:11:59 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2008-04-19 23:56:22 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-04-21 01:11:41 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2008-04-19 23:56:23 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-04-21 01:11:41 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2008-04-19 23:56:32 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-04-21 01:11:49 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2008-04-19 23:56:33 90,112 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-04-21 01:11:50 90,112 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2008-04-19 23:56:32 839,680 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-04-21 01:11:48 839,680 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2008-04-19 23:56:35 5,013,504 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-04-21 01:11:52 5,013,504 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2008-04-19 23:56:23 2,068,480 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-04-21 01:11:42 2,068,480 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2008-04-19 23:56:31 3,076,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-04-21 01:11:48 3,076,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-04-19 23:56:46 299,008 ------w C:\WINDOWS\assembly\temp\5CGKOSW048\System.Runtime.Remoting.dll
+ 2008-04-19 23:56:19 4,444,160 ------w C:\WINDOWS\assembly\temp\FMQVY26ADH\mscorlib.dll
+ 2008-04-19 23:56:35 5,013,504 ------w C:\WINDOWS\assembly\temp\GMQUX159DH\System.Windows.Forms.dll
+ 2008-04-19 23:56:30 933,888 ------w C:\WINDOWS\assembly\temp\IOSW048CGK\System.Deployment.dll
+ 2008-04-19 23:56:31 3,076,096 ------w C:\WINDOWS\assembly\temp\NTX159CGKO\System.dll
+ 2008-04-19 23:56:23 114,688 ------w C:\WINDOWS\assembly\temp\PX148CGKNR\System.ServiceProcess.dll
+ 2008-04-19 23:56:23 2,068,480 ------w C:\WINDOWS\assembly\temp\QX148CGLPT\System.XML.dll
+ 2008-04-19 23:56:27 425,984 ------w C:\WINDOWS\assembly\temp\RX259DHLPT\System.configuration.dll
- 2008-04-20 23:04:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 13:35:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-19 23:57:01 76,628 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-21 01:12:14 76,628 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-19 23:57:01 437,678 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-21 01:12:14 437,678 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-04-19 23:56:40 8,192 ----a-w C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2008-04-21 01:11:55 8,192 ----a-w C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2008-04-19 23:56:49 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-04-21 01:12:03 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2008-04-19 23:56:49 113,664 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2008-04-21 01:12:03 113,664 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 10:00 68856]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 14:06 315392]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 19:28 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-16 10:51 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-24 22:25 3112960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"SoundMan"="SOUNDMAN.EXE" [2003-05-14 00:20 55296 C:\WINDOWS\SOUNDMAN.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [1999-06-02 11:31 34816]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 13:47 176128]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 23:41 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 17:40 155648]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-04-03 09:54 753664]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Google Updater"="C:\Program Files\Google\Google Updater\GoogleUpdater.exe" [2007-08-22 10:00 124912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2003-08-31 10:06:53 209016]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 17:23:00 53317]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Search"= 2 (0x2)
"NoBandCustomize"= 1 (0x1)
"NoToolbarCustomize"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakSvc"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-16 10:00]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 18:09]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 19:04]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 18:09]
S3 XIRLINK;Polaroid Digital 640;C:\WINDOWS\system32\DRIVERS\C-itNT.sys [2000-11-29 11:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 20:15:09 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
"2007-12-05 03:00:34 C:\WINDOWS\Tasks\Kodak AiO Scheduled Maintenance.job"
- C:\Program Files\Kodak\Printer\Center\Kodak.Statistics.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 08:49:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-21 8:51:10
ComboFix-quarantined-files.txt 2008-04-21 13:50:51
ComboFix2.txt 2008-04-20 23:35:36
ComboFix3.txt 2008-04-19 15:46:18

Pre-Run: 11,674,550,272 bytes free
Post-Run: 11,676,450,816 bytes free

286 --- E O F --- 2008-04-21 01:13:07


New Hijack This Log:

ComboFix 08-04-18.3 - ROBIN 2008-04-21 8:46:59.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.819 [GMT -5:00]
Running from: C:\Documents and Settings\ROBIN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ROBIN\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ROBIN\Application Data\PC-Cleaner
C:\Documents and Settings\ROBIN\Application Data\PC-Cleaner\log.dat
C:\Documents and Settings\ROBIN\Application Data\PC-Cleaner\settings.dat

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-18 13:53 . 2008-04-18 13:53 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\MySpace
2008-04-17 15:12 . 2008-04-17 15:12 <DIR> d-------- C:\Deckard
2008-04-16 18:56 . 2008-04-16 19:12 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\HouseCall 6.6
2008-04-16 12:52 . 2008-04-16 12:52 <DIR> d-------- C:\e6c6f4d2e36413b2f34b6497270707
2008-04-16 10:04 . 2008-04-16 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-16 10:04 . 2008-04-16 10:00 159,112 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-04-16 10:00 . 2008-04-16 10:04 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-04-15 17:16 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-15 17:16 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-15 17:16 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-15 17:16 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-15 17:15 . 2008-04-17 13:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-15 17:15 . 2008-04-15 17:15 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\PC Tools
2008-04-09 21:21 . 2008-04-09 21:21 0 --a------ C:\20080410022116187.loc
2008-04-09 21:20 . 2008-04-09 21:20 0 --a------ C:\20080410022054890.loc
2008-04-09 21:20 . 2008-04-09 21:20 0 --a------ C:\20080410022030578.loc
2008-04-09 21:02 . 2008-04-09 21:02 0 --a------ C:\20080410020218875.loc
2008-04-09 21:01 . 2008-04-09 21:01 0 --a------ C:\20080410020151562.loc
2008-04-09 20:44 . 2008-04-09 20:44 0 --a------ C:\20080410014407250.loc
2008-04-09 20:43 . 2008-04-09 20:43 0 --a------ C:\20080410014310921.loc
2008-04-02 17:29 . 2008-04-02 18:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:29 . 2008-04-02 17:29 <DIR> d-------- C:\Documents and Settings\ROBIN\Application Data\SUPERAntiSpyware.com
2008-04-02 17:29 . 2008-04-02 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:23 . 2008-04-02 17:23 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-02 17:22 . 2008-04-02 17:22 <DIR> d-------- C:\Program Files\MSECACHE
2008-04-02 17:10 . 2008-04-02 17:10 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-01 20:39 . 2008-04-01 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-01 20:38 . 2008-04-01 20:38 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-01 20:38 . 2008-04-02 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-29 10:07 . 2008-03-29 12:23 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\LimeWire
2008-03-28 12:08 . 2008-03-28 12:08 0 --a------ C:\20080328170848875.loc
2008-03-28 10:57 . 2008-03-28 10:57 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-19 15:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-19 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 15:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 00:59 --------- d-----w C:\Documents and Settings\ROBIN\Application Data\Watchtower
2008-04-10 00:56 --------- d-----w C:\Program Files\Watchtower
2008-04-02 23:32 --------- d-----w C:\Program Files\Google
2008-04-02 22:10 --------- d-----w C:\Program Files\WebIQ
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-29 23:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-03-07 23:26 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-20_18.35.14.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 23:56:36 69,120 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-04-21 01:11:53 69,120 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2008-04-19 23:56:45 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-04-21 01:11:58 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2008-04-19 23:56:19 4,444,160 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-04-21 01:11:39 4,444,160 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2008-04-19 23:56:47 483,840 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-04-21 01:12:00 483,840 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2008-04-19 23:56:27 3,036,160 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-04-21 01:11:45 3,036,160 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2008-04-19 23:56:49 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-04-21 01:12:03 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2008-04-19 23:56:49 113,664 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-04-21 01:12:03 113,664 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2008-04-19 23:56:45 261,120 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-04-21 01:11:59 261,120 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2008-04-19 23:56:25 5,431,296 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-04-21 01:11:43 5,431,296 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-04-19 23:56:33 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-04-21 01:11:50 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2008-04-19 23:56:26 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-04-21 01:11:44 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2008-04-19 23:56:36 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-04-21 01:11:52 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2008-04-19 23:56:40 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-04-21 01:11:55 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2008-04-19 23:56:41 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-04-21 01:11:56 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2008-04-19 23:56:42 6,656 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-04-21 01:11:57 6,656 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2008-04-19 23:56:50 348,160 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-04-21 01:12:03 348,160 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2008-04-19 23:56:51 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-04-21 01:12:04 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2008-04-19 23:56:51 655,360 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-04-21 01:12:05 655,360 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2008-04-19 23:56:52 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-04-21 01:12:05 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2008-04-19 23:56:43 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-04-21 01:11:57 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2008-04-19 23:56:41 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-04-21 01:11:56 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2008-04-19 23:56:39 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-04-21 01:11:55 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2008-04-19 23:56:47 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-04-21 01:12:00 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2008-04-19 23:56:38 671,744 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-04-21 01:11:54 671,744 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2008-04-19 23:56:21 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-04-21 01:11:40 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2008-04-19 23:56:49 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-04-21 01:12:02 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2008-04-19 23:56:37 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-04-21 01:11:54 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2008-04-19 23:56:37 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-04-21 01:11:54 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2008-04-19 23:56:44 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-04-21 01:11:58 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2008-04-19 23:56:44 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-04-21 01:11:58 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2008-04-19 23:56:27 425,984 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-04-21 01:11:45 425,984 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2008-04-19 23:56:29 741,376 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-04-21 01:11:46 741,376 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2008-04-19 23:56:30 933,888 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-04-21 01:11:47 933,888 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2008-04-19 23:56:53 5,070,848 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-04-21 01:12:07 5,070,848 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2008-04-19 23:56:51 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-04-21 01:12:04 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2008-04-19 23:56:34 401,408 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-04-21 01:11:51 401,408 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2008-04-19 23:56:48 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-04-21 01:12:01 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2008-04-19 23:56:21 630,784 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-04-21 01:11:40 630,784 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2008-04-19 23:56:49 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-04-21 01:12:02 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2008-04-19 23:56:48 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-04-21 01:12:01 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2008-04-19 23:56:46 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-04-21 01:12:00 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2008-04-19 23:56:46 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-04-21 01:11:59 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2008-04-19 23:56:22 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-04-21 01:11:41 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2008-04-19 23:56:23 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-04-21 01:11:41 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2008-04-19 23:56:32 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-04-21 01:11:49 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2008-04-19 23:56:33 90,112 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-04-21 01:11:50 90,112 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2008-04-19 23:56:32 839,680 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-04-21 01:11:48 839,680 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2008-04-19 23:56:35 5,013,504 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-04-21 01:11:52 5,013,504 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2008-04-19 23:56:23 2,068,480 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-04-21 01:11:42 2,068,480 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2008-04-19 23:56:31 3,076,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-04-21 01:11:48 3,076,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-04-19 23:56:46 299,008 ------w C:\WINDOWS\assembly\temp\5CGKOSW048\System.Runtime.Remoting.dll
+ 2008-04-19 23:56:19 4,444,160 ------w C:\WINDOWS\assembly\temp\FMQVY26ADH\mscorlib.dll
+ 2008-04-19 23:56:35 5,013,504 ------w C:\WINDOWS\assembly\temp\GMQUX159DH\System.Windows.Forms.dll
+ 2008-04-19 23:56:30 933,888 ------w C:\WINDOWS\assembly\temp\IOSW048CGK\System.Deployment.dll
+ 2008-04-19 23:56:31 3,076,096 ------w C:\WINDOWS\assembly\temp\NTX159CGKO\System.dll
+ 2008-04-19 23:56:23 114,688 ------w C:\WINDOWS\assembly\temp\PX148CGKNR\System.ServiceProcess.dll
+ 2008-04-19 23:56:23 2,068,480 ------w C:\WINDOWS\assembly\temp\QX148CGLPT\System.XML.dll
+ 2008-04-19 23:56:27 425,984 ------w C:\WINDOWS\assembly\temp\RX259DHLPT\System.configuration.dll
- 2008-04-20 23:04:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 13:35:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-19 23:57:01 76,628 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-21 01:12:14 76,628 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-19 23:57:01 437,678 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-21 01:12:14 437,678 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-04-19 23:56:40 8,192 ----a-w C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2008-04-21 01:11:55 8,192 ----a-w C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2008-04-19 23:56:49 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-04-21 01:12:03 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2008-04-19 23:56:49 113,664 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2008-04-21 01:12:03 113,664 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 10:00 68856]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 14:06 315392]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 19:28 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-16 10:51 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-24 22:25 3112960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"SoundMan"="SOUNDMAN.EXE" [2003-05-14 00:20 55296 C:\WINDOWS\SOUNDMAN.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [1999-06-02 11:31 34816]
"POINTER"="C:\Program Files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 13:47 176128]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 23:41 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 17:40 155648]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-04-03 09:54 753664]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Google Updater"="C:\Program Files\Google\Google Updater\GoogleUpdater.exe" [2007-08-22 10:00 124912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2003-08-31 10:06:53 209016]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 17:23:00 53317]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Search"= 2 (0x2)
"NoBandCustomize"= 1 (0x1)
"NoToolbarCustomize"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakSvc"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-16 10:00]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 18:09]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 19:04]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 18:09]
S3 XIRLINK;Polaroid Digital 640;C:\WINDOWS\system32\DRIVERS\C-itNT.sys [2000-11-29 11:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 20:15:09 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
"2007-12-05 03:00:34 C:\WINDOWS\Tasks\Kodak AiO Scheduled Maintenance.job"
- C:\Program Files\Kodak\Printer\Center\Kodak.Statistics.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 08:49:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-21 8:51:10
ComboFix-quarantined-files.txt 2008-04-21 13:50:51
ComboFix2.txt 2008-04-20 23:35:36
ComboFix3.txt 2008-04-19 15:46:18

Pre-Run: 11,674,550,272 bytes free
Post-Run: 11,676,450,816 bytes free

286 --- E O F --- 2008-04-21 01:13:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:56 AM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.com/ws/eBayISAPI.dll?Si...r=1&fromwl=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126138013718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SrvKernel - {12a6c9e2-d2bf-42de-8dfc-60086cd91823} - (no file)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 10646 bytes

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:03 PM

Posted 22 April 2008 - 05:58 AM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O21 - SSODL: SrvKernel - {12a6c9e2-d2bf-42de-8dfc-60086cd91823} - (no file)



===============


Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


Overall I like the way your logs are looking now. How is your computer behaving? Any problems or issues?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 stripes

stripes
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 05 May 2008 - 04:51 PM

Dear Sam,

It has been a few days. I had the real influenza and thus I have been down and then behind with the obligations of living. I did everything just as you said and for a day or two things seemed to be OK. Then my computer started running extra slow again. So slow in fact that I am unable to really make any use of the computer at all. I have giving way to despair and have felt very heavy hearted and anxious over the computer mess. I wanted to do my best to try to figure things out before hounding one again. I thought that I would spend today trying to get things in order with the computer. I started out at 8:30 am and have only now been able to get online and make any headway at all.

My Trend Micro seems to be causing more problems than it is worth. The file size has bloated to over 400 MBs - is this the normal size? I've emailed TM but I only seem to receive remedial information but no real solutions or answers. The past few days when I try to get on the net TM causes such a drag. Today it used the Virus alert Pop-ups stating that ComboFix and Smith were viruses and thus shut down access to them. Immediately my computer came to a stand still, shut down....when I did turn it back on I had the "Recover Desktop" mess going on with no real way to fix it. After about 3 hours I was able to restore to an earlier date. It is only a matter of time (minutes) before TM acts up again.

I do have Spyware Docter installed but not running at the same time TM is. Do you think it would be advisable to just uninstall TM? I almost did once before and I received a warning message stating that if I were to go ahead and uninstall I would not be able to reinstall. At the moment I feel that would be just fine. What if any program should I replace it with?

I have repeatedly been getting MS updates that are not successfully downloading I was also getting a message stating new hardware had been found - when I clicked on the add button I would receive an error message stating that Windows could not find the hardware or install it. This past November I added 1 GB of memory but I am unsure now if the computer even recognizes it. I ran a snails pace defrag yesterday only to find out my computer only has 27% free space - how did that happen?

I will attach my newest Hijack This log for your viewing pleasure.

I'm so sorry Sam. I've honestly done my best so as not to waste your time. Any advise or direction would be sorely appreciated. I did my best so as not to darken your door again. Mayhap the time has come to just get a new computer.

Standing On The Ledge (or staring down on a full sheet pan of fudge brownies)

Stripes


ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:40 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.com/ws/eBayISAPI.dll?Si...r=1&fromwl=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126138013718
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 10356 bytes

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:03 PM

Posted 06 May 2008 - 09:56 AM

First off, don't worry about bothering me. I'm here to help. :thumbsup:

I don't see any signs of malware in your log, but we can clean up some stuff that might help.

These are programs that you have running at startup and in the background that are not necessary. You can control this by fixing these lines with hijackthis.

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?




Next, I still see signs of Symantec (Norton ) in your log. Since you're not running that program any longer, let's clean that up too.
Fix these lines with hijackthis.

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab



Click Start > Run and type these commands hitting enter after each one:

sc stop CLTNetCnService

sc delete CLTNetCnService

sc stop Symantec Core LC

sc delete Symantec Core LC



Reboot your computer.


Now check to see if this folder is present and delete it if so.

C:\Program Files\Common Files\Symantec Shared


Now show me a new hijackthis log and let me know things are working any better.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 stripes

stripes
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 06 May 2008 - 11:03 AM

Hi Sam,

Thanks so much for your kindly help.

I ran the Hijack This as instructed and made the listed deletions. When I restart my computer 3 of the items still remain: 04 HKLM [NvCpl Daemon...., 04 HKCU Photoshow Deluxe Manager...., & 04 HKCU....Google Toolbar....

Somehow they reload regardless of being deleted. Is there a better way to force these three to beat it?

I also keep receiving a notification to download MS latest updates for KB110806. For some reason the latest updates keep failing. I've done some research on this site and at MS. Some advise to delete all Framework files then reinstall. Others say to download Dial-A-Fix then proceed with caution. Yet others think the problem lies with the Windows Media Player with rather foggy advice on uninstalling/reinstalling. Have you heard or seen anything about this problem and if so what would you advise me to try?

Thanks so much once again Sam.

The Computer Loser

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:00 AM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.com/ws/eBayISAPI.dll?Si...r=1&fromwl=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126138013718
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8663 bytes

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:03 PM

Posted 07 May 2008 - 12:54 AM

Fix these lines with Hijackthis.

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing)



Reboot your computer. This step is important.

Please post a new hijackthis log.


Are you getting any error code with the failed installation of the update?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 stripes

stripes
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 14 May 2008 - 10:20 AM

Hi Sam,

I have done just as you have instructed - over and over again, but upon restarting my computer, numerous items rear their ugly head once again. I've tried turning off Trend Micro, deleting in
Safe Mode. I've checked about the web for clues as to why the files keep returning but can't seem to find any answers that work. I didn't want to waste your time until I exhausted all avenues. What do you think could be the cause? Attached below is the latest scan that I completed this morning after many new attempts at deleting and restarting. I thought it best to just show you what appears after rebooting. Thanks so much Sam.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:59 AM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.com/ws/eBayISAPI.dll?Si...r=1&fromwl=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126138013718
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Fly - C:\WINDOWS\SYSTEM32\smart.dll
O20 - Winlogon Notify: Love - C:\WINDOWS\SYSTEM32\LoveFly.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8381 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users