# Locked out of System Restore, Task Manager, Windows Security update, etc.



## mahwah66 (Jun 10, 2008)

Hi,
I downloaded file from an unreliable source and gave my system some big problems. It immediately put "Error Cleaner" and "Privacy Protector" shortcuts on my desktop and gave it a url-linked gif background. All my system dates now display with "VIRUS ALERT!" appended, and alert dialog boxes appear at frequent intervals (although not now, running in safe mode). It has hidden many tools and files (Start menu has no Start, Programs, Control Panel; no hard drives visible when I explore "My Computer') and has disabled the Windows Security auto-update (which I can't change). I cannot use the System Restore, and when I look at the System Volume Information\_restore directory, each folder has its rp.log and RestorePointSize files modified.

I actually began to follow the advice of another thread and downloaded Kaspersky, but I could not install it. Thanks for any help. My HJT log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:06: VIRUS ALERT!, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\downloads\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: rtsplgob - {0939FF27-A717-4F67-96B5-555F9510F17F} - C:\WINDOWS\rtsplgob.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\QtZgAcer.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apiuv.exe] C:\WINDOWS\apiuv.exe
O4 - HKLM\..\Run: [e0Xf] C:\WINDOWS\iovkidek.exe
O4 - HKLM\..\Run: [Akknvwf] C:\Program Files\Fxkbmh\Lbeaysy.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\ACERUS~1\LOCALS~1\Temp\printsrv.exe/r
O4 - HKLM\..\Run: [2629165f] rundll32.exe "C:\WINDOWS\system32\qmoffujt.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213095264416
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://share.adoramapix.com/components/aurigma/ImageUploader4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/components/ImageUploader3.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: xkefqtgs - {AC858574-3F5C-4736-BA9D-0B2C4594843F} - C:\WINDOWS\xkefqtgs.dll
O21 - SSODL: rnopbfgt - {705D4667-8154-4B4E-B7A7-6867F63A0930} - C:\WINDOWS\rnopbfgt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 12767 bytes


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press *Enter*
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.*


----------



## mahwah66 (Jun 10, 2008)

Hi and thanks for replying to my post. I had run ComboFix before your reply (I hope that was not bad--was desperate to use the computer in the intervening days). After running ComboFix in safe mode, my date/clock settings were restored, the warning desktop image and shortcuts were deleted, and I was able to access the task manager. But when I restarted the computer normally, the original problems returned, complete with the frequent virus alert dialog boxes. I went back to running in safe mode, ran ComboFix again, and stayed in safe mode until I got your reply. Then I followed your instructions. Below is the SDFix report followed by the latest HJT log. (looking at the log-if you have time, how do I get rid of bogus trusted Internet zones? when I remove them via the Security tab of the Internet Options panel, it doesn't take.)

Thank you again!
-----------------

*SDFix: Version 1.192 *
Run by ACER USER on Sat 06/14/2008 at 14:31
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
*Checking Services *:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Rebooting

*Checking Files *: 
Trojan Files Found:
C:\WINDOWS\pebgkxwq.exe - Deleted
C:\WINDOWS\rnopbfgt.dll - Deleted
C:\WINDOWS\xkefqtgs.dll - Deleted

Removing Temp Files
*ADS Check *:

*Final Check *:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 14:42:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

*Remaining Services *:

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Program Files\\eMule\\EMULE.EXE"="C:\\Program Files\\eMule\\EMULE.EXE:*:Enabled:eMule"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
*Remaining Files *:

File Backups: - C:\SDFix\backups\backups.zip
*Files with Hidden Attributes *:
Mon 5 Jul 2004 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Mon 5 Jul 2004 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Mon 5 Jul 2004 1,024 ...HR --- "C:\WINDOWS\system32\ntiembed.dll"
Wed 17 Aug 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 6 Aug 2005 24,576 ...H. --- "C:\Documents and Settings\ACER USER\My Documents\~WRL0001.tmp"
Sun 11 Nov 2007 25,088 ...H. --- "C:\Documents and Settings\ACER USER\My Documents\~WRL3623.tmp"
Sun 16 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\ACER USER\My Documents\~WRL1945.tmp"
Sun 16 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\ACER USER\My Documents\~WRL0141.tmp"
Sun 16 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\ACER USER\My Documents\~WRL0983.tmp"
Sun 16 Mar 2008 24,576 ...H. --- "C:\Documents and Settings\ACER USER\My Documents\~WRL2670.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3A.tmp"
Thu 14 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Nov 2007 20,992 ...H. --- "C:\Documents and Settings\ACER USER\Application Data\Microsoft\Word\~WRL1772.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\ACER USER\Application Data\U3\temp\Launchpad Removal.exe"
Thu 5 Jun 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Thu 5 Jun 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Thu 5 Jun 2008 8 A..H. --- "C:\Documents and Settings\ACER USER\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 5 Jun 2008 8 A..H. --- "C:\Documents and Settings\ACER USER\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
*Finished!*

------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:14, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\QtZgAcer.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apiuv.exe] C:\WINDOWS\apiuv.exe
O4 - HKLM\..\Run: [e0Xf] C:\WINDOWS\iovkidek.exe
O4 - HKLM\..\Run: [Akknvwf] C:\Program Files\Fxkbmh\Lbeaysy.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213095264416
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://share.adoramapix.com/components/aurigma/ImageUploader4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/components/ImageUploader3.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 13571 bytes


----------



## Cookiegal (Aug 27, 2003)

You should never run ComboFix on your own as it's a very powerful tool and you could seriously damage your system.

Since you have run it, I would like to see the logs from each of the scans you did so please post them.


----------



## mahwah66 (Jun 10, 2008)

Sorry, I didn't know or think about what damage I could do with ComboFix (was following the first step in a similar thread before this one received a reply). I looked for the logs and realized I ran it four times (there's desperation for you). Below are the first and last log files:
------------------

ComboFix 08-06-10.5 - ACER USER 2008-06-11 22:59:53.1 - *FAT32*x86 DSREPAIR
Running from: C:\downloads\ComboFix.exe
*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\ACER USER\Desktop\Error Cleaner.url
C:\Documents and Settings\ACER USER\Desktop\Privacy Protector.url
C:\Documents and Settings\ACER USER\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\ACER USER\Favorites\Error Cleaner.url
C:\Documents and Settings\ACER USER\Favorites\Privacy Protector.url
C:\Documents and Settings\ACER USER\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\cookies.ini
C:\WINDOWS\kvsdpfeaxpf.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rtsplgob.dll
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\ftoemhku.ini
C:\WINDOWS\system32\jowitluj.ini
C:\WINDOWS\system32\JRCJRqru.ini
C:\WINDOWS\system32\JRCJRqru.ini2
C:\WINDOWS\system32\ljJBsRHB.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qmoffujt.dll
C:\WINDOWS\system32\tjuffomq.ini
C:\WINDOWS\system32\ukhmeotf.dll
C:\WINDOWS\system32\urqRJCRJ.dll
.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.
2008-06-10 22:09 . 2008-06-10 22:09 d-------- C:\Program Files\RegCure
2008-06-10 22:00 . 2008-06-10 22:00 93,056 --a------ C:\WINDOWS\system32\jultiwoj.dll
2008-06-10 14:02 . 2008-06-10 14:02 d-------- C:\kav
2008-06-10 06:08 . 2008-06-09 21:28 253,952 --a------ C:\WINDOWS\rnopbfgt.dll
2008-06-10 06:08 . 2008-06-09 21:28 225,280 --a------ C:\WINDOWS\xkefqtgs.dll
2008-06-10 06:08 . 2008-06-09 21:28 163,840 --a------ C:\WINDOWS\pebgkxwq.exe
2008-06-10 06:08 . 2008-06-09 21:28 139,264 --a------ C:\WINDOWS\esrt.exe
2008-06-05 22:43 . 2008-06-05 22:43 47,180 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-06-05 22:41 . 2008-06-05 22:41 d--h----- C:\Documents and Settings\ACER USER\Application Data\GTek
2008-06-05 22:36 . 2008-06-05 22:36 d-------- C:\Program Files\Linksys EasyLink Advisor
2008-06-05 22:36 . 2008-06-05 22:37 d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2008-06-05 22:34 . 2008-06-05 22:34 d-------- C:\Linksys WRT54G (E)
2008-06-04 12:14 . 2008-06-04 12:14 d-------- C:\actionscriptstuff
2008-06-03 11:05 . 2008-06-03 11:05 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-03 09:41 . 2008-06-03 09:41 d-------- C:\Program Files\Bonjour
2008-06-03 09:32 . 2008-06-03 09:32 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 21:57 . 2008-06-01 21:57 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-01 21:56 . 2008-06-01 21:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-23 11:44 . 2008-05-23 11:44 1,192 --a------ C:\net_save.dna
2008-05-23 11:43 . 2008-05-23 11:43 d-------- C:\Program Files\support.com
2008-05-23 11:43 . 2008-05-23 11:43 d-------- C:\Program Files\Common Files\SupportSoft
2008-05-20 14:29 . 2008-05-20 14:29 d-------- C:\Program Files\Starship Creator
2008-05-17 01:12 . 2008-05-17 01:12 1,409 --a------ C:\WINDOWS\system32\tmp1DB9D.FOT
2008-05-14 12:21 . 2008-05-14 12:21 1,409 --a------ C:\WINDOWS\system32\tmp1A59E.FOT
2008-05-14 11:08 . 2008-05-14 11:08 d-------- C:\Program Files\IcoFX 1.6
2008-05-14 11:08 . 2008-05-14 11:08 d-------- C:\Documents and Settings\ACER USER\Application Data\IcoFX
2008-05-13 11:13 . 2008-05-13 11:13 1,409 --a------ C:\WINDOWS\system32\tmpF5BA0.FOT
2008-05-13 11:13 . 2008-05-13 11:13 1,409 --a------ C:\WINDOWS\system32\tmp33AA0.FOT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 00:45 89,600 ----a-w C:\WINDOWS\system32\atl71.dll
2008-05-31 01:35 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 01:35 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 01:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 01:35 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-13 04:47 --------- d-----w C:\Program Files\Speed Video Converter
2008-04-13 04:41 --------- d-----w C:\Program Files\Speed Video Splitter
2008-04-02 15:29 94,320 ----a-w C:\Documents and Settings\ACER USER\Application Data\GDIPFONTCACHEV1.DAT
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2003-01-21 07:00 13,942,408 ----a-r C:\WINDOWS\system32\config\systemprofile\MpSetup.exe
2003-01-21 07:00 13,942,408 ----a-r C:\Documents and Settings\Default User\MpSetup.exe
2003-01-21 07:00 13,942,408 ----a-r C:\Documents and Settings\ACER USER\MpSetup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0939FF27-A717-4F67-96B5-555F9510F17F}"= "C:\WINDOWS\rtsplgob.dll" [ ]
[HKEY_CLASSES_ROOT\clsid\{0939ff27-a717-4f67-96b5-555f9510f17f}]
[HKEY_CLASSES_ROOT\rtsplgob.1]
[HKEY_CLASSES_ROOT\TypeLib\{84AEEED9-D8B2-494D-99D3-6DE8BD940ADC}]
[HKEY_CLASSES_ROOT\rtsplgob]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56: VIRUS ALERT! 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34: VIRUS ALERT! 67160]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 12:19: VIRUS ALERT! 68856]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16: VIRUS ALERT! 454784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57: VIRUS ALERT! 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57: VIRUS ALERT! 532480]
"PCMService"="C:\Program Files\Aspire Arcade\PCMService.exe" [2004-03-25 18:41: VIRUS ALERT! 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 01:32: VIRUS ALERT! 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 12:00: VIRUS ALERT! 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 12:00: VIRUS ALERT! 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 12:00: VIRUS ALERT! 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:10: VIRUS ALERT! 339968]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-07-05 18:52: VIRUS ALERT! 315392]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24: VIRUS ALERT! 286720]
"apiuv.exe"="C:\WINDOWS\apiuv.exe" [ ]
"e0Xf"="C:\WINDOWS\iovkidek.exe" [ ]
"Akknvwf"="C:\Program Files\Fxkbmh\Lbeaysy.exe" [ ]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33: VIRUS ALERT! 1880064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59: VIRUS ALERT! 115816]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00: VIRUS ALERT! 267064]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 17:42: VIRUS ALERT! 185896]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38: VIRUS ALERT! 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25: VIRUS ALERT! 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56: VIRUS ALERT! 15360]
C:\Documents and Settings\ACER USER\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-08 11:27:06 110592]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-12 04:59:09 118784]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
"NoDispCPL"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)
"NoSetFolders"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xkefqtgs"= {AC858574-3F5C-4736-BA9D-0B2C4594843F} - C:\WINDOWS\xkefqtgs.dll [2008-06-09 21:28: VIRUS ALERT! 225280]
"rnopbfgt"= {705D4667-8154-4B4E-B7A7-6867F63A0930} - C:\WINDOWS\rnopbfgt.dll [2008-06-09 21:28: VIRUS ALERT! 253952]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\eMule\\EMULE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"4672:UDP"= 4672:UDP:eMule
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57: VIRUS ALERT!]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38: VIRUS ALERT!]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-04 02:07: VIRUS ALERT!]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 16:12: VIRUS ALERT!]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-08-11 16:56: VIRUS ALERT!]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 02:09:38 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-12 03:08:36 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 23:09:30
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSVCHST.EXE
C:\ACER\EMANAGER\ANBMSERV.EXE
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\SoftwareDistribution\Download\88dd3723266703a72c4d03c1c055e665\update\update.exe
.
**************************************************************************
.
Completion time: 2008-06-11 23:18:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-12 03:18:16
Pre-Run: 848,560,128 bytes free
Post-Run: 750,387,200 bytes free
222 --- E O F --- 2008-06-03 07:00:49
----------------

ComboFix 08-06-10.5 - ACER USER 2008-06-12 23:20:45.4 - *FAT32*x86 DSREPAIR
Running from: C:\downloads\ComboFix.exe
*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\ACER USER\Desktop\Error Cleaner.url
C:\Documents and Settings\ACER USER\Desktop\Privacy Protector.url
C:\Documents and Settings\ACER USER\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\ACER USER\Favorites\Error Cleaner.url
C:\Documents and Settings\ACER USER\Favorites\Privacy Protector.url
C:\Documents and Settings\ACER USER\Favorites\Spyware&Malware Protection.url
.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.
2008-06-12 00:46 . 2008-06-12 00:46 d--hs---- C:\FOUND.000
2008-06-11 23:14 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 23:12 . 2008-06-12 14:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-11 23:12 . 2008-06-11 23:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 22:09 . 2008-06-10 22:09 d-------- C:\Program Files\RegCure
2008-06-10 14:02 . 2008-06-10 14:02 d-------- C:\kav
2008-06-10 06:08 . 2008-06-09 21:28 253,952 --a------ C:\WINDOWS\rnopbfgt.dll
2008-06-10 06:08 . 2008-06-09 21:28 225,280 --a------ C:\WINDOWS\xkefqtgs.dll
2008-06-10 06:08 . 2008-06-09 21:28 163,840 --a------ C:\WINDOWS\pebgkxwq.exe
2008-06-10 06:08 . 2008-06-09 21:28 139,264 --a------ C:\WINDOWS\esrt.exe
2008-06-05 22:43 . 2008-06-05 22:43 47,180 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-06-05 22:41 . 2008-06-05 22:41 d--h----- C:\Documents and Settings\ACER USER\Application Data\GTek
2008-06-05 22:36 . 2008-06-05 22:36 d-------- C:\Program Files\Linksys EasyLink Advisor
2008-06-05 22:36 . 2008-06-05 22:37 d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2008-06-05 22:34 . 2008-06-05 22:34 d-------- C:\Linksys WRT54G (E)
2008-06-04 12:14 . 2008-06-04 12:14 d-------- C:\actionscriptstuff
2008-06-03 11:05 . 2008-06-03 11:05 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-03 09:41 . 2008-06-03 09:41 d-------- C:\Program Files\Bonjour
2008-06-03 09:32 . 2008-06-03 09:32 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 21:57 . 2008-06-01 21:57 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-01 21:56 . 2008-06-01 21:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-23 11:44 . 2008-05-23 11:44 1,192 --a------ C:\net_save.dna
2008-05-23 11:43 . 2008-05-23 11:43 d-------- C:\Program Files\support.com
2008-05-23 11:43 . 2008-05-23 11:43 d-------- C:\Program Files\Common Files\SupportSoft
2008-05-20 14:29 . 2008-05-20 14:29 d-------- C:\Program Files\Starship Creator
2008-05-17 01:12 . 2008-05-17 01:12 1,409 --a------ C:\WINDOWS\system32\tmp1DB9D.FOT
2008-05-14 12:21 . 2008-05-14 12:21 1,409 --a------ C:\WINDOWS\system32\tmp1A59E.FOT
2008-05-14 11:08 . 2008-05-14 11:08 d-------- C:\Program Files\IcoFX 1.6
2008-05-14 11:08 . 2008-05-14 11:08 d-------- C:\Documents and Settings\ACER USER\Application Data\IcoFX
2008-05-13 11:13 . 2008-05-13 11:13 1,409 --a------ C:\WINDOWS\system32\tmpF5BA0.FOT
2008-05-13 11:13 . 2008-05-13 11:13 1,409 --a------ C:\WINDOWS\system32\tmp33AA0.FOT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 00:45 89,600 ----a-w C:\WINDOWS\system32\atl71.dll
2008-05-31 01:35 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 01:35 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 01:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 01:35 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-14 11:01 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 04:47 --------- d-----w C:\Program Files\Speed Video Converter
2008-04-13 04:41 --------- d-----w C:\Program Files\Speed Video Splitter
2008-04-02 15:29 94,320 ----a-w C:\Documents and Settings\ACER USER\Application Data\GDIPFONTCACHEV1.DAT
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2003-01-21 07:00 13,942,408 ----a-r C:\WINDOWS\system32\config\systemprofile\MpSetup.exe
2003-01-21 07:00 13,942,408 ----a-r C:\Documents and Settings\Default User\MpSetup.exe
2003-01-21 07:00 13,942,408 ----a-r C:\Documents and Settings\ACER USER\MpSetup.exe
.
((((((((((((((((((((((((((((( snapshot_2008-06-12_11.35.59.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-12 15:28:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-12 19:14:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0939FF27-A717-4F67-96B5-555F9510F17F}"= "C:\WINDOWS\rtsplgob.dll" [ ]
[HKEY_CLASSES_ROOT\clsid\{0939ff27-a717-4f67-96b5-555f9510f17f}]
[HKEY_CLASSES_ROOT\rtsplgob.1]
[HKEY_CLASSES_ROOT\TypeLib\{84AEEED9-D8B2-494D-99D3-6DE8BD940ADC}]
[HKEY_CLASSES_ROOT\rtsplgob]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34 67160]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 12:19 68856]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57 532480]
"PCMService"="C:\Program Files\Aspire Arcade\PCMService.exe" [2004-03-25 18:41 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 01:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 12:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 12:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 12:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:10 339968]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-07-05 18:52 315392]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"apiuv.exe"="C:\WINDOWS\apiuv.exe" [ ]
"e0Xf"="C:\WINDOWS\iovkidek.exe" [ ]
"Akknvwf"="C:\Program Files\Fxkbmh\Lbeaysy.exe" [ ]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33 1880064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00 267064]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 17:42 185896]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]
C:\Documents and Settings\ACER USER\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-08 11:27:06 110592]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-12 04:59:09 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xkefqtgs"= {AC858574-3F5C-4736-BA9D-0B2C4594843F} - C:\WINDOWS\xkefqtgs.dll [2008-06-09 21:28 225280]
"rnopbfgt"= {705D4667-8154-4B4E-B7A7-6867F63A0930} - C:\WINDOWS\rnopbfgt.dll [2008-06-09 21:28 253952]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\eMule\\EMULE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"4672:UDP"= 4672:UDP:eMule
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-04 02:07]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 16:12]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-08-11 16:56]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 02:09:38 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-12 19:19:26 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 23:24:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-12 23:25:06
ComboFix-quarantined-files.txt 2008-06-13 03:25:04
ComboFix4.txt 2008-06-12 03:18:26
ComboFix3.txt 2008-06-12 15:36:12
ComboFix2.txt 2008-06-12 19:03:08
Pre-Run: 547,225,600 bytes free
Post-Run: 536,002,560 bytes free
183 --- E O F --- 2008-06-12 04:23:17


----------



## Cookiegal (Aug 27, 2003)

*Follow these steps to uninstall Combofix and then download the latest version please.*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.









Please visit *Combofix Guide & Instructions * for instructions for installing the recovery console and downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.


----------



## mahwah66 (Jun 10, 2008)

New combofix and HJT logs below.
--------
ComboFix 08-06-19.2 - ACER USER 2008-06-20 0:38:00.5 - *FAT32*x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.439 [GMT -4:00]
Running from: C:\Documents and Settings\ACER USER\Desktop\ComboFix.exe
Command switches used :: C:\downloads\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.
2008-06-17 13:00 . 2008-06-17 13:00 d-------- C:\WINDOWS\LastGood
2008-06-14 14:27 . 2008-06-14 14:27 d-------- C:\WINDOWS\ERUNT
2008-06-12 00:46 . 2008-06-12 00:46 d--hs---- C:\FOUND.000
2008-06-11 23:14 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 23:12 . 2008-06-14 14:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-11 23:12 . 2008-06-11 23:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 22:09 . 2008-06-10 22:09 d-------- C:\Program Files\RegCure
2008-06-10 14:02 . 2008-06-10 14:02 d-------- C:\kav
2008-06-10 06:08 . 2008-06-09 21:28 139,264 --a------ C:\WINDOWS\esrt.exe
2008-06-05 22:43 . 2008-06-05 22:43 47,180 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-06-05 22:41 . 2008-06-05 22:41 d--h----- C:\Documents and Settings\ACER USER\Application Data\GTek
2008-06-05 22:36 . 2008-06-05 22:36 d-------- C:\Program Files\Linksys EasyLink Advisor
2008-06-05 22:36 . 2008-06-05 22:37 d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2008-06-05 22:34 . 2008-06-05 22:34 d-------- C:\Linksys WRT54G (E)
2008-06-04 12:14 . 2008-06-04 12:14 d-------- C:\actionscriptstuff
2008-06-03 11:05 . 2008-06-03 11:05 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-03 09:41 . 2008-06-03 09:41 d-------- C:\Program Files\Bonjour
2008-06-03 09:32 . 2008-06-03 09:32 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 21:57 . 2008-06-01 21:57 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-01 21:56 . 2008-06-01 21:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-23 11:44 . 2008-05-23 11:44 1,192 --a------ C:\net_save.dna
2008-05-23 11:43 . 2008-05-23 11:43 d-------- C:\Program Files\support.com
2008-05-23 11:43 . 2008-05-23 11:43 d-------- C:\Program Files\Common Files\SupportSoft
2008-05-20 14:29 . 2008-05-20 14:29 d-------- C:\Program Files\Starship Creator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 00:45 89,600 ----a-w C:\WINDOWS\system32\atl71.dll
2008-05-31 01:35 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 01:35 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 01:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 01:35 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-14 15:08 --------- d-----w C:\Program Files\IcoFX 1.6
2008-05-14 15:08 --------- d-----w C:\Documents and Settings\ACER USER\Application Data\IcoFX
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-02 15:29 94,320 ----a-w C:\Documents and Settings\ACER USER\Application Data\GDIPFONTCACHEV1.DAT
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2003-01-21 07:00 13,942,408 ----a-r C:\WINDOWS\system32\config\systemprofile\MpSetup.exe
2003-01-21 07:00 13,942,408 ----a-r C:\Documents and Settings\Default User\MpSetup.exe
2003-01-21 07:00 13,942,408 ----a-r C:\Documents and Settings\ACER USER\MpSetup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34 67160]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 12:19 68856]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57 532480]
"PCMService"="C:\Program Files\Aspire Arcade\PCMService.exe" [2004-03-25 18:41 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 01:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 12:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 12:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 12:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:10 339968]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-07-05 18:52 315392]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"apiuv.exe"="C:\WINDOWS\apiuv.exe" [ ]
"e0Xf"="C:\WINDOWS\iovkidek.exe" [ ]
"Akknvwf"="C:\Program Files\Fxkbmh\Lbeaysy.exe" [ ]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33 1880064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00 267064]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 17:42 185896]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]
C:\Documents and Settings\ACER USER\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-08 11:27:06 110592]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-12 04:59:09 118784]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\eMule\\EMULE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"4672:UDP"= 4672:UDP:eMule
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-04 02:07]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 16:12]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-08-11 16:56]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 02:09:38 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-19 10:50:36 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 00:39:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-20 0:40:17
ComboFix2.txt 2008-06-13 03:25:08
ComboFix-quarantined-files.txt 2008-06-20 04:40:16
Pre-Run: 559,202,304 bytes free
Post-Run: 600,735,744 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
156 --- E O F --- 2008-06-12 04:23:17
------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:44, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\QtZgAcer.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apiuv.exe] C:\WINDOWS\apiuv.exe
O4 - HKLM\..\Run: [e0Xf] C:\WINDOWS\iovkidek.exe
O4 - HKLM\..\Run: [Akknvwf] C:\Program Files\Fxkbmh\Lbeaysy.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213095264416
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://share.adoramapix.com/components/aurigma/ImageUploader4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/components/ImageUploader3.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 13817 bytes


----------



## Cookiegal (Aug 27, 2003)

Right click *HERE* and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: Right click *DelDomains.inf* and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Dont forget to re-apply IESpyad and Spybot immunization if you have those programs.

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\esrt.exe

Folder::
C:\Program Files\Fxkbmh

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"apiuv.exe"=-
"e0Xf"=- 
"Akknvwf"=-
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also, do you recognize this file that was created on May 23, 2008?

C:\*net_save.dna*

Finally, please do this:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## mahwah66 (Jun 10, 2008)

ComboFix log below, followed by HijackThis log 
(Uninstall list in next post)
-----
ComboFix 08-06-19.2 - ACER USER 2008-06-23 7:14:20.6 - *FAT32*x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.424 [GMT -4:00]
Running from: C:\Documents and Settings\ACER USER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ACER USER\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\esrt.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\esrt.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.
2008-06-17 13:00 . 2008-06-17 13:00 d-------- C:\WINDOWS\LastGood
2008-06-14 14:27 . 2008-06-14 14:27 d-------- C:\WINDOWS\ERUNT
2008-06-12 00:46 . 2008-06-12 00:46 d--hs---- C:\FOUND.000
2008-06-11 23:14 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 23:12 . 2008-06-14 14:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-11 23:12 . 2008-06-11 23:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 22:09 . 2008-06-10 22:09 d-------- C:\Program Files\RegCure
2008-06-10 14:02 . 2008-06-10 14:02 d-------- C:\kav
2008-06-05 22:43 . 2008-06-05 22:43 47,180 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-06-05 22:41 . 2008-06-05 22:41 d--h----- C:\Documents and Settings\ACER USER\Application Data\GTek
2008-06-05 22:36 . 2008-06-05 22:36 d-------- C:\Program Files\Linksys EasyLink Advisor
2008-06-05 22:36 . 2008-06-05 22:37 d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2008-06-05 22:34 . 2008-06-05 22:34 d-------- C:\Linksys WRT54G (E)
2008-06-04 12:14 . 2008-06-04 12:14 d-------- C:\actionscriptstuff
2008-06-03 11:05 . 2008-06-03 11:05 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-03 09:41 . 2008-06-03 09:41 d-------- C:\Program Files\Bonjour
2008-06-03 09:32 . 2008-06-03 09:32 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 21:57 . 2008-06-01 21:57 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-01 21:56 . 2008-06-01 21:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-23 11:44 . 2008-05-23 11:44 1,192 --a------ C:\net_save.dna
2008-05-23 11:43 . 2008-05-23 11:43 d-------- C:\Program Files\support.com
2008-05-23 11:43 . 2008-05-23 11:43 d-------- C:\Program Files\Common Files\SupportSoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 00:45 89,600 ----a-w C:\WINDOWS\system32\atl71.dll
2008-05-31 01:35 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 01:35 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 01:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 01:35 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-20 18:29 --------- d-----w C:\Program Files\Starship Creator
2008-05-14 15:08 --------- d-----w C:\Program Files\IcoFX 1.6
2008-05-14 15:08 --------- d-----w C:\Documents and Settings\ACER USER\Application Data\IcoFX
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-02 15:29 94,320 ----a-w C:\Documents and Settings\ACER USER\Application Data\GDIPFONTCACHEV1.DAT
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2003-01-21 07:00 13,942,408 ----a-r C:\WINDOWS\system32\config\systemprofile\MpSetup.exe
2003-01-21 07:00 13,942,408 ----a-r C:\Documents and Settings\Default User\MpSetup.exe
2003-01-21 07:00 13,942,408 ----a-r C:\Documents and Settings\ACER USER\MpSetup.exe
.
((((((((((((((((((((((((((((( [email protected]_ 0.40.07.38 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 01:34 67160]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 12:19 68856]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57 532480]
"PCMService"="C:\Program Files\Aspire Arcade\PCMService.exe" [2004-03-25 18:41 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 01:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 12:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 12:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 12:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:10 339968]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-07-05 18:52 315392]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33 1880064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00 267064]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 17:42 185896]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]
C:\Documents and Settings\ACER USER\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-08 11:27:06 110592]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-12 04:59:09 118784]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\eMule\\EMULE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"4672:UDP"= 4672:UDP:eMule
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-04 02:07]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 16:12]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-08-11 16:56]
*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 02:09:38 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-19 10:50:36 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 07:18:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-23 7:18:31
ComboFix3.txt 2008-06-13 03:25:08
ComboFix-quarantined-files.txt 2008-06-23 11:18:30
ComboFix2.txt 2008-06-20 04:40:20
Pre-Run: 522,010,624 bytes free
Post-Run: 528,302,080 bytes free
156 --- E O F --- 2008-06-12 04:23:17

-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58 AM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\QtZgAcer.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213095264416
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://share.adoramapix.com/components/aurigma/ImageUploader4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/components/ImageUploader3.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 12942 bytes


----------



## mahwah66 (Jun 10, 2008)

Uninstall list from HJT:

Acer eManager
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 Plugin
Adobe Flash Player ActiveX
Adobe Flash Video Encoder
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Illustrator CS
Adobe Linguistics CS3
Adobe MPEG Encoder
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Premiere 6.5
Adobe Reader 7.0
Adobe Setup
Adobe Setup
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Advanced RealMedia Export Plug-in for Premiere 6.0
AltoMP3 Gold 5.06
Amor SWF to Video Converter 2.5.4
Anvil Studio
AOL Instant Messenger
AOL Toolbar 2.0
AppCore
Apple Mobile Device Support
Apple Software Update
Aspire Arcade 3.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AV
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window MC 5 for ZoomBrowser EX
Canon i560
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon ZoomBrowser EX
ccCommon
CCleaner (remove only)
CD-DA X-Tractor v0.24
Comcast High-Speed Internet Install Wizard
Conexant AC-Link Audio
Core FTP Lite 1.3
DivX Codec
Drivers Install For Linksys Easylink Advisor
Easy CD Ripper 2.37
eMule
ExtractNow
GearDrvs
Google Earth
Google Toolbar for Internet Explorer
Herman Miller Ethospace Scout
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IcoFX 1.6
Indeo® Software
Installer VISE 3.5
iPod for Windows 2005-09-06
iTunes
Java(TM) 6 Update 5
Label Creator 4000 Special Edition 1.0.6
Language Reader 1.0
Launch Manager
Lernout & Hauspie TruVoice American English TTS Engine
Linksys EasyLink Advisor 1.6 (0032)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Director MX
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia Shockwave Player
MacromediaDreamweaver MX 2004
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.14)
Norton 360
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 Help
Norton Confidential Browser Component
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
NTI Backup NOW! 3
NTI CD & DVD-Maker Gold 
PDF Settings
PlayLinc
PowerProducer
PrimoPDF
QuickTime
RealPlayer
RegCure 1.5.0.1
Rhapsody Player Engine
ScreenTime for Director 2.0.9c
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Skype™ 3.2
SoftV92 Data Fax Modem with SmartCP
SPBBC 32bit
SuppSoft
Symantec pcAnywhere
Symantec Technical Support Controls
SymNet
Synaptics Pointing Device Driver
TC Native Essentials 2.02
Texas Instruments PCIxx21/x515 drivers.
TextAloud
TopStyle Lite (Version 3.0)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VideoLAN VLC media player 0.8.1
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtools 3D Life Player
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*RegCure 1.5.0.1
Viewpoint Manager (Remove Only)
Viewpoint Media Player*

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply.*

Click *Close* to exit the program.

Please run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database" *for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.*


----------



## mahwah66 (Jun 10, 2008)

SUPERAntiSpyware log first, then Kaspersky scan. HiJackThis log will be in next post.
--------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/26/2008 at 09:32 PM
Application Version : 4.15.1000
Core Rules Database Version : 3491
Trace Rules Database Version: 1482
Scan type : Complete Scan
Total Scan Time : 01:58:27
Memory items scanned : 576
Memory threats detected : 0
Registry items scanned : 5680
Registry threats detected : 2
File items scanned : 142416
File threats detected : 221
Adware.Tracking Cookie
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][3].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][3].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected].advertserve[1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected]activemedia[1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][3].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][3].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\acer [email protected]
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\acer [email protected]
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][3].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\acer [email protected]
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\acer [email protected]
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\acer [email protected]
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][3].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][3].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\acer [email protected]
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][10].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][1].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][2].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][3].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][11].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][4].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][5].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][6].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][8].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][9].txt
C:\Documents and Settings\ACER USER\Cookies\[email protected][7].txt
.statcounter.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
ad1.emediate.dk [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
ad1.emediate.dk [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.earthlink.122.2o7.net [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
sales.liveperson.net [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
sales.liveperson.net [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.www.googleadservices.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
.www.googleadservices.com [ C:\Documents and Settings\ACER USER\Application Data\Mozilla\Firefox\Profiles\h3qildvm.default\cookies.txt ]
Adware.IST/ISTBar (Slotch Bar)
HKU\S-1-5-21-2703944788-3410288154-1532958531-1005\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 27, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 27, 2008 02:54:31
Records in database: 886684
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 147407
Threat name: 12
Infected objects: 11
Suspicious objects: 2
Duration of the scan: 02:23:12

File name / Threat name / Threats count
C:\Documents and Settings\ACER USER\Application Data\Qualcomm\Eudora\Outlook Express.fol\Deleted Items.fol\Deleted Items.mbx Infected: Trojan-Spy.HTML.Paylap.m 1
C:\Program Files\eMule\Incoming\audioretoucher key Share Accelerator.zip Infected: not-a-virus:AdWare.Win32.Shopper.k 1
C:\Program Files\eMule\Incoming\Macromedia Flash version 8.0 MX ( ADOBE) serial0 keygen0.exe Infected: Trojan-Downloader.Win32.Small.wyi 1
C:\QooBox\Quarantine\C\WINDOWS\esrt.exe.vir Infected: Trojan.Win32.Vapsup.goe 1
D:\marymail\core03.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
D:\marymail\core03.dbx Infected: Email-Worm.Win32.Klez.h 1
D:\marymail\Inbox.dbx Infected: Trojan-Spy.HTML.Citifraud.bm 1
D:\marymail\Inbox.dbx Infected: Trojan-Spy.HTML.Citifraud.ai 1
D:\marymail\Inbox.dbx Infected: Trojan-Spy.HTML.Paylap.sx 1
D:\marymail\moneybills.dbx Infected: Email-Worm.Win32.Bofra.b 2
D:\marymail\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.uq 1
D:\marymail\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
The selected area was scanned.


----------



## mahwah66 (Jun 10, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14 AM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\ACER USER\Local Settings\Temp\jkos-ACER USER\binaries\ScanningProcess.exe
C:\downloads\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\QtZgAcer.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213095264416
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://share.adoramapix.com/components/aurigma/ImageUploader4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/components/ImageUploader3.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 12719 bytes


----------



## Cookiegal (Aug 27, 2003)

Well we can see now where you got the infection from and I hope a lesson was learned here.

Delete these files:

C:\Program Files\eMule\Incoming\*audioretoucher key Share Accelerator.zip*

C:\Program Files\eMule\Incoming\Macromedia Flash version 8.0 MX ( ADOBE) serial0 keygen0.exe

Empty your deleted items in Eudora.

Are these backups of e-mails on your D driver?
D:\marymail\core03.dbx
D:\marymail\Inbox.dbx
D:\marymail\moneybills.dbx
D:\marymail\Deleted Items.dbx

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab*

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of *Java* components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 6*.
Scroll down to where it says * Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications* (the fifth one in the list).
Click the "*Download*" button to the right. A new page will open.
Select your platform and check the box that says: *I agree to the Java SE Runtime Environment 6 License Agreement*.
Click *Continue*.
Click on the link under *Windows Offline Installation* (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Go to *Start* - *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.

Please post a new HijackThis log after doing all of the above.


----------



## mahwah66 (Jun 10, 2008)

Lesson learned. Is it possible those keygen-type programs can corrupt the applications they target or files produced by those applications as well?
Latest HJT log below. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\downloads\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\QtZgAcer.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213095264416
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://share.adoramapix.com/components/aurigma/ImageUploader4.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/components/ImageUploader3.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 11563 bytes


----------



## Cookiegal (Aug 27, 2003)

Yes indeed. You never know what you're getting when you go the illegal route.

Download GMER from: http://gmer.net/index.php

Save it somewhere on your hard drive and unzip it to desktop.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## mahwah66 (Jun 10, 2008)

Thank you for helping me, especially considering the source of my problems. I've also just noticed some problems with a Flash .swf file I published after my computer was infected. The file uses xml to communicate with a database to load content dynamically, and some of this content is now showing up with this string appended:
*<script src=http://www.adwste.mobi/b.js>*
When we looked at the database, that value was literally in there. My flash file only reads values from the database, but given the timing, I'm concerned it could have something to do with my local machine issues, something unseen in the Flash publishing process? The only input the Flash movie takes is search strings, but the database manager has taken steps to discard suspect characters and words.

I did a Google search on that script reference, and it seems to come up all over the place, attached to all different kinds of web sites. Is this a known problem?

Thanks again. gmer scan below:
------------

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-30 22:36:03
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----
SSDT 872431B0 ZwConnectPort
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAAE76F20]
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
Device Fastfat.sys (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\SMBHC \Device\SmbHc SMBCLASS.SYS (SMBus Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.14 ----


----------



## mahwah66 (Jun 10, 2008)

Another issue - my laptop speakers have not been working lately, not sure if this has to do with infection, scans & cleanup. My device manager seems to think everything is OK and driver is updated, and I've gone through the standard help sound troubleshooter. I know I shouldn't continue downloading things at this time, but I tried to use Driver Detective to help me out. This program gave me this error:
*1603: Error installing Microsoft(R) .NET Framework.*
So this lead me to scanning my machine with Regcure, which turned up 1269 errors (35 COM/ActiveX entries, 5 shared DLLs, 2 application paths, 1 help file info, 34 Windows Startup items, 611 file/path references, 56 program shortcuts, 522 empty registry keys, and 3 file associations.) At this point I stopped - I did not tell the program to fix the errors. My desktop is full of tools downloaded in the past few weeks and I do fear misusing things. Should I delete/uninstall any of these? (I have SUPERAntiSpyware and Norton 360 running). Thanks.


----------



## Cookiegal (Aug 27, 2003)

You were supposed to uninstall RegCure. Disregard its findings please.

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## mahwah66 (Jun 10, 2008)

I did uninstall RegCure, and then downloaded it again (not remembering the name) after searching on that error code. It is now uninstalled again.

My device manager says Microsoft Kernel Wave Audio Mixer is missing or corrupted.

Below are the clippings from Application and System categories of my Event Viewer. (I did try to clear some space on my C drive)

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/2/2008
Time: 1:41 PM
User: N/A
Computer: PITATA
Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 37 re.exe 7
0020: 2e 30 2e 36 30 30 30 2e .0.6000.
0028: 31 36 36 37 34 20 69 6e 16674 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000 
*****
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/2/2008
Time: 11:42 AM
User: N/A
Computer: PITATA
Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 37 re.exe 7
0020: 2e 30 2e 36 30 30 30 2e .0.6000.
0028: 31 36 36 37 34 20 69 6e 16674 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000 
*****
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/1/2008
Time: 1:19 PM
User: N/A
Computer: PITATA
Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 37 re.exe 7
0020: 2e 30 2e 36 30 30 30 2e .0.6000.
0028: 31 36 36 37 34 20 69 6e 16674 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000 
*****
Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11601
Date: 7/1/2008
Time: 10:59 AM
User: PITATA\ACER USER
Computer: PITATA
Description:
Product: Microsoft .NET Framework 2.0 -- Disk full: Out of disk space -- Volume: 'C:'; required space: 244,668 KB; available space: 103,120 KB. Free some disk space and retry.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 37 31 33 31 36 34 36 {7131646
0008: 44 2d 43 44 33 43 2d 34 D-CD3C-4
0010: 30 46 34 2d 39 37 42 39 0F4-97B9
0018: 2d 43 44 39 45 34 45 36 -CD9E4E6
0020: 32 36 32 45 46 7d 262EF} 
*****
Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11601
Date: 7/1/2008
Time: 10:57 AM
User: PITATA\ACER USER
Computer: PITATA
Description:
Product: Microsoft .NET Framework 2.0 -- Disk full: Out of disk space -- Volume: 'C:'; required space: 244,668 KB; available space: 131,824 KB. Free some disk space and retry.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 37 31 33 31 36 34 36 {7131646
0008: 44 2d 43 44 33 43 2d 34 D-CD3C-4
0010: 30 46 34 2d 39 37 42 39 0F4-97B9
0018: 2d 43 44 39 45 34 45 36 -CD9E4E6
0020: 32 36 32 45 46 7d 262EF} 
*****
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 6/30/2008
Time: 11:27 PM
User: N/A
Computer: PITATA
Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module unknown, version 0.0.0.0, fault address 0x07d73f68.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 69 65 78 ure iex
0018: 70 6c 6f 72 65 2e 65 78 plore.ex
0020: 65 20 37 2e 30 2e 36 30 e 7.0.60
0028: 30 30 2e 31 36 36 37 34 00.16674
0030: 20 69 6e 20 75 6e 6b 6e in unkn
0038: 6f 77 6e 20 30 2e 30 2e own 0.0.
0040: 30 2e 30 20 61 74 20 6f 0.0 at o
0048: 66 66 73 65 74 20 30 37 ffset 07
0050: 64 37 33 66 36 38 0d 0a d73f68..
******************************************
Event Type: Error
Event Source: SideBySide
Event Category: None
Event ID: 59
Date: 7/2/2008
Time: 1:39 PM
User: N/A
Computer: PITATA
Description:
Generate Activation Context failed for C:\Program Files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.DirectX.dll. Reference error message: The operation completed successfully.
.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*****
Event Type: Error
Event Source: SideBySide
Event Category: None
Event ID: 32
Date: 7/2/2008
Time: 1:39 PM
User: N/A
Computer: PITATA
Description:
Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*****
Event Type: Error
Event Source: Cdrom
Event Category: None
Event ID: 7
Date: 7/2/2008
Time: 7:13 AM
User: N/A
Computer: PITATA
Description:
The device, \Device\CdRom0, has a bad block.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b8 00 ..h...¸.
0008: 00 00 00 00 07 00 04 c0 .......À
0010: 00 01 00 00 9c 00 00 c0 ......À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 20 66 12 00 00 00 00 . f.....
0028: 54 ff 71 00 00 00 00 00 Tÿq.....
0030: ff ff ff ff 01 00 00 00 ÿÿÿÿ....
0038: 40 00 00 c4 02 00 00 00 @..Ä....
0040: 00 20 0a 12 48 02 00 40 . [email protected]
0048: 00 00 00 00 0a 00 00 00 ........
0050: 00 00 00 00 a0 b1 20 87 .... ± 
0058: 00 00 00 00 60 39 1d 87 ....`9.
0060: 00 00 00 00 c4 4c 02 00 ....ÄL..
0068: 28 00 00 02 4c c4 00 00 (...LÄ..
0070: 02 00 00 00 00 00 00 00 ........
0078: 70 00 03 00 00 00 00 12 p.......
0080: 00 00 00 00 11 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........
*****
Event Type: Error
Event Source: SideBySide
Event Category: None
Event ID: 59
Date: 7/1/2008
Time: 9:53 PM
User: N/A
Computer: PITATA
Description:
Generate Activation Context failed for C:\WINDOWS\system32\TAPI32.dll. Reference error message: Error Message is unavailable
.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*****
Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Date: 7/1/2008
Time: 9:26 AM
User: N/A
Computer: PITATA
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*****
Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 17
Date: 7/1/2008
Time: 9:26 AM
User: N/A
Computer: PITATA
Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*****
Event Type: Error
Event Source: Cdrom
Event Category: None
Event ID: 7
Date: 6/30/2008
Time: 1:55 PM
User: N/A
Computer: PITATA
Description:
The device, \Device\CdRom0, has a bad block.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b8 00 ..h...¸.
0008: 00 00 00 00 07 00 04 c0 .......À
0010: 00 01 00 00 9c 00 00 c0 ......À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 20 66 12 00 00 00 00 . f.....
0028: 99 3a 59 00 00 00 00 00 :Y.....
0030: ff ff ff ff 01 00 00 00 ÿÿÿÿ....
0038: 40 00 00 c4 02 00 00 00 @..Ä....
0040: 00 20 0a 12 48 02 00 40 . [email protected]
0048: 00 00 00 00 0a 00 00 00 ........
0050: 00 00 00 00 08 92 2c 87 .....,
0058: 00 00 00 00 60 b9 1f 87 ....`¹.
0060: 00 00 00 00 c4 4c 02 00 ....ÄL..
0068: 28 00 00 02 4c c4 00 00 (...LÄ..
0070: 02 00 00 00 00 00 00 00 ........
0078: 70 00 03 00 00 00 00 12 p.......
0080: 00 00 00 00 11 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........


----------



## Cookiegal (Aug 27, 2003)

How much RAM do you have? To find out right-click My Computer and select Properties.

What is the size of the hard drive and how much is free? To check, click on My Computer and right-click your C drive and select "Properties".

What is the size of the paging file? To find that information, do this:

Click Start, and then click Control Panel. 
If in Category view, click on Click Performance and Maintenance and then click System (if in Classic view just click System). 
On the Advanced tab, under Performance, click Settings. 
On the Advanced tab, under Virtual memory, click Change. 
Don't change anything but let me know what it says the size of the initial file is.


----------



## mahwah66 (Jun 10, 2008)

1.00 GB of RAM
C local disk 26.8 GB with 307 MB free 
D local disk 27.0 GB with 477 MB free
Paging file 0 right now (I had set this to minimum size recommended on D drive, but every time I restart it appears on the C drive. I have to turn it off completely, then restart, then set it to D drive. I guess I had not changed the setting in a while)

My program files are @ 8 GB. I will be backing up and clearing more space today.


----------



## Cookiegal (Aug 27, 2003)

You are very low on resources.

Do you defrag and empty your temporary files and temporary Internet files regularly?

Go back to the paging file and select "System Managed Size" and click "Set" and OK.

See if there are old programs you're no longer using that you can uninstall to fee up some space.

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program. (Vista users right-click and slect "Run As Administrator").
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*
[*]NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Then let me know what those same numbers look like now.


----------



## mahwah66 (Jun 10, 2008)

I have Norton 360 set to cleanup files and optimize disks regularly, and I often right-click the drives and do "Disk Cleanup". ATF Cleaner cleared up about 35 MB, but I was able to move some big files to storage. The numbers now-
C drive: 5.18 GB free, with 1034 paging file
D drive: 1.62 GB free

Should I keep the paging file on the same drive with programs?
Thanks.


----------



## Cookiegal (Aug 27, 2003)

Please check the Event Viewer log again and post any errors from "application" and "system" that have occured over the last 24-36 hours (since you cleared out stuff to free up resources).


----------



## mahwah66 (Jun 10, 2008)

There are no application errors since my last post time, but I have not been using the computer much in the past two days. The tow system errors that show are below. In the meantime, I updated my Windows (XP Home) to service pack 3.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 7/6/2008
Time: 2:58 AM
User: NT AUTHORITY\SYSTEM
Computer: PITATA
Description:
The server {03E0E6C2-363B-11D3-B536-00902771A435} did not register with DCOM within the required timeout.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7011
Date: 7/6/2008
Time: 2:58 AM
User: N/A
Computer: PITATA
Description:
Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

Those are not serious but the second one may indicate that you didn't disconnect your camera correctly. Did you stop the device and then wait for the message that it was safe to remove it?


----------



## mahwah66 (Jun 10, 2008)

I probably disconnected an external hard drive at that time (I did "eject" it first, but I may have tried to access it after disconnecting?)My main concern now is that my laptop speakers are not working--I don't know if this has anything to do with my initial problem or steps taken to clear it up. I have now lost any reference to a *Microsoft Kernel Wave Audio Mixer* or any other error in the Device Manager. I think I used to have a choice of default device for sound playback and recording in the Sounds & Audio Devices control panel which I no longer have. There is only one now- Conexant AMC Audio (Windows says device is working properly, and driver updated...but programs like Driver Detective report a host of out of out-of-date drivers. )


----------



## Cookiegal (Aug 27, 2003)

Please do a search and let me know if you can locate this file:

*kmixer.sys*

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## mahwah66 (Jun 10, 2008)

A search yielded 8 kmixer.sys references on my computer at these locations:

C:\WINDOWS\$NtServicePackUninstall$ (3 copies, kmixer.sys, kmixer.sys.000 and kmixer.sys.001)
C:\WINDOWS\$NtUninstallKB920872$
C:\WINDOWS\system32\drivers
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$hf_mig$\KB920872\SP2QFE
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

The startuplist.txt file generated by HijackThis is in two parts, below and the next post. Thank you.

StartupList report, 7/7/2008, 12:32:07 PM
StartupList version: 1.52.2
Started from : C:\downloads\HiJackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16674)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\HiJackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\ACER USER\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LaunchApp = Alaunch
SynTPLpr = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
SynTPEnh = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
PCMService = "C:\Program Files\Aspire Arcade\PCMService.exe"
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
PHIME2002ASync = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
PHIME2002A = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
LManager = "C:\Program Files\Launch Manager\QtZgAcer.EXE"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
VerizonServicepoint.exe = "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NoteBurner = C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
WD Button Manager = WDBtnMgr.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
EasyLinkAdvisor = "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[AdobeUpdater]
= 
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll - {1E8A6170-7264-4D0F-BEAE-D42A53123C75}
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}
(no name) - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll - {3049C3E9-B461-4BC5-8870-4C09146192CA}
(no name) - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
AOL Toolbar Launcher - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[{0000000A-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
[Symantec Download Manager]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\symdlmgr.dll
CODEBASE = https://webdl.symantec.com/activex/symdlmgr.cab
[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213095264416
[Image Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader4.ocx
CODEBASE = http://share.adoramapix.com/components/aurigma/ImageUploader4.cab
[Java Plug-in 1.6.0_06]
InProcServer32 = C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
[Aurigma Image Uploader 3.5 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
CODEBASE = http://www.adoramapix.com/components/ImageUploader3.cab
[Java Plug-in 1.6.0_06]
InProcServer32 = C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[Virtools WebPlayer Class]
InProcServer32 = C:\Program Files\Virtools\3D Life Player\WebPlayer.ocx
CODEBASE = http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
--------------------------------------------------


----------



## mahwah66 (Jun 10, 2008)

Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\rsvpsp.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
61883 Unit Device: System32\DRIVERS\61883.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Notebook Manager Service: C:\Acer\eManager\anbmServ.exe (autostart)
Apple Mobile Device: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
AVC Device: System32\DRIVERS\avc.sys (manual start)
pcAnywhere Host Service: C:\Program Files\Symantec\pcAnywhere\awhost32.exe (manual start)
awlegacy: \SystemRoot\System32\Drivers\awlegacy.sys (system)
AW_HOST: system32\drivers\aw_host5.sys (system)
Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##: "C:\Program Files\Bonjour\mDNSResponder.exe" (autostart)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Conexant AMC Audio: system32\drivers\camcaud.sys (manual start)
CAMCHALA: system32\drivers\camchal.sys (manual start)
catchme: \??\C:\ComboFix\catchme.sys (manual start)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Symantec Lic NetConnect service: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
COM Host: "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe" (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Dritek HotKey Keyboard Filter Driver: System32\Drivers\DKbFltr.sys (manual start)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Wired AutoConfig: %SystemRoot%\System32\svchost.exe -k dot3svc (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Extensible Authentication Protocol Service: %SystemRoot%\System32\svchost.exe -k eapsvcs (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
GoProto Protocol Driver for LELA: system32\DRIVERS\elagopro.sys (autostart)
UniDriver for LELA: system32\DRIVERS\elaunidr.sys (autostart)
EraserUtilRebootDrv: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
FLEXnet Licensing Service: "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
PlayLinc Adapter: system32\DRIVERS\gan_adapter.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
Health Key and Certificate Management Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
HSFHWICH: System32\DRIVERS\HSFHWICH.sys (manual start)
HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: %systemroot%\system32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Ldveprnbggs: C:\WINDOWS\system32\drivers\drmk.sys (disabled)
LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
LiveUpdate Notice Service Ex: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
LiveUpdate Notice Service: "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
MREMPR5 NDIS Protocol Driver: \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS (manual start)
MRENDIS5 NDIS Protocol Driver: \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Microsoft DV Camera and VCR: System32\DRIVERS\msdv.sys (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Network Access Protection Agent: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080707.003\NAVENG.SYS (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080707.003\NAVEX15.SYS (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NSC Infrared Device Driver: System32\DRIVERS\nscirda.sys (manual start)
ntcdrdrv: system32\DRIVERS\ntcdrdrv.sys (system)
Upper Class Filter Driver: System32\DRIVERS\NTIDrvr.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SASDIFSV: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (system)
SASENUM: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (manual start)
SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
SBP-2 Transport/Protocol Bus Driver: System32\DRIVERS\sbp2port.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Smart Battery Driver: System32\DRIVERS\SMBBATT.sys (manual start)
Microsoft SM Bus Host Controller Driver: System32\DRIVERS\SMBHC.sys (system)
SndTDriverV32: system32\drivers\SndTDriverV32.sys (manual start)
Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SRTSP: System32\Drivers\SRTSP.SYS (manual start)
SRTSPL: System32\Drivers\SRTSPL.SYS (manual start)
SRTSPX: System32\Drivers\SRTSPX.SYS (system)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B2403A27-012F-4AAA-977E-2B700246E0BC} (manual start)
Symantec Core LC: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (manual start)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20080623.001\SymIDSCo.sys (manual start)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Synaptics TouchPad Driver: System32\DRIVERS\SynTP.sys (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tifm21: system32\drivers\tifm21.sys (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Intel(R) PRO/Wireless 2200 Adapter Driver: System32\DRIVERS\w22n51.sys (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WD SCSI Pass Thru driver: system32\DRIVERS\wdcsam.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
End of report, 42,987 bytes
Report generated in 0.200 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Cookiegal (Aug 27, 2003)

In Device Manager, click on View and select "Show hidden Devices". Then click on the "Sound, video and game controllers and you should see the "Microsoft Kernel Wave Audio Mixer" listed there. Does it have a yellow exclamation mark beside it?


----------



## mahwah66 (Jun 10, 2008)

Microsoft Kernal Wave Audio Mixer is there without any exclamation mark/warning. When displaying properties for this and all other devices listed, the message states "This device is working properly."


----------



## Cookiegal (Aug 27, 2003)

I'm afraid I can't help with the sound problem. Please start a new thread for that in the hardware forum.

Are there any other problems?


----------



## mahwah66 (Jun 10, 2008)

Thanks, I figured the sound problem might be a different category. I am having CD/DVD performance issues, but I expect that is hardware-related as well.
Thank you so much for all of your help with this. The only thing I'd ask is which files & tools to keep, and which you recommend discarding:
ComboFix
SUPERAntiSpyware
ATF-Cleaner
Gmer
SDFfix
DelDomains.inf

again, thank you!!!


----------



## Cookiegal (Aug 27, 2003)

*Follow these steps to uninstall Combofix and some of the tools used in the removal of malware*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.









You can drage and drop DelDomains.inf into the recycle bin.

To uninstall Gmer, double-click on this file and let it run C:\WINDOWS\*gmer_uninstall.cmd *.

As for SDFix and ATF Cleaner, if there is an option to remove them in Add/Remove Programs in the Control Panel then use that. If not just delete their folders.

You may want to keep SuperAntiSpyware and run it occasionally but if not, you can remove it via the Control Panel.

The following program will remove some of the tools we've used and their associated files and backups and then it will delete itself.

Please download *OTMoveIt2 by OldTimer*.

*Save* it to your *desktop*.
Make sure you have an Internet Connection.
Double-click *OTMoveIt.exe* to run it. (Vista users, please right-click on *OTMoveIt2.exe* and select "Run as an *Administrator*")
Click on the *CleanUp!* button
A list of tool components used in the cleanup of malware will be downloaded.
If your firewall or real-time protection attempts to block OTMoveIt2 to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application which will delete itself.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose *Yes.*

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.

***

You should trim down your start-ups (these show as the 04 entries in your HijackThis log) as there are too many running. You can research them at these sites and if they arent required at start-up then you can uncheck them in msconfig via Start - Run - type msconfig click OK and then click on the start-up tab.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php


----------

