# Trojan Vundo and Win32 and others - unable to fix



## Evawegner (Jan 10, 2009)

Hi, I'm very grateful for any assistance offered. 
The story so far:
I have Windows XP Media Centre ver 2002, SP3.
Antivirus: Trend Micro PC-Cillin, up to date.

A week ago PC-Cillin quarantined TROJ_WIMAD.AT. Two days ago the log shows "Ignored Success" with respect to TROJ_GENERIC.DAT (several files). 
I noticed a lot of pop-ups, which were all blocked by PC-Cillin, all pointing to sites with words like "clicks" etc. 
Yesterday quarantined TROJ_VUNDO.LAF.
I had deleted all quarantined files and rescanned the computer. PC-Cillin again quarantined this time TROJ_VUNDO.LAC, which I also deleted. 
The computer still did not run well. On startup there was an error message which said: "VIPOGIJE.dll is missing" and another one I can't remember. 
Since system did not run well and pop ups were still coming, I ran PC-Cillin scan again - clear. 
Then I tried Symantec Vundo fix, in safe mode with explorer.exe and winlogon.exe suspended, which did not find any infected files to fix. This was done with system restore turned off and all temp files deleted.
So I downloaded Spyware doctor (paid for) and scanned. This detected the Vundo again and a number of other "cookies" etc, which it removed. System still not running well, so I ran the Spydoctor software in safemode with networking, as recommended by the vendor help. This was clear. 
Downloaded Spy Hunter and this found:
-Zlob.Trojan
-Wild Tangent
-Hotbar
-Neospace
These were not fixed, as I was not prepared to pay for yet another software. At the same time PC-cillin spontaneously quarantined file nubobevu.dll.
I ran Kaspersky scanner and got these infections results:
-Export.Java.Byte.Verify
-Trojan.Win32.Monde.aidi infecting system32\temomelo.dll
-Trojan.Win32.agent.bfdi infecting system32\wemipipo.dll and system32\zuwokuwu.dll
Ran VundoFix from www.atribune.org (got it from some forum) - no infected files. 
In the meantime Pc-cillin did a pre-scheduled daily scan which was clear.
I also noticed that: PC-cillin settings were changed (I didn't do that), Windows automatic update was disabled (I'm at present not able to restart this, although not tried all that hard yet), and home page now changed to MSN.

Please help if you are able. I would be most grateful. It appears that every scanner I do detects different spyware. I'm happy to pay for more software, but not another useless one.

Many thanks,
Eva

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:57 PM, on 10/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\LimeWirePro\LimeWire.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5fcd68f5-62e4-4da4-852c-e5cb6d2ae188} - C:\WINDOWS\system32\nesavina.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bobuyekani] Rundll32.exe "C:\WINDOWS\system32\ziwinuro.dll",s
O4 - HKLM\..\Run: [CPMeb532e01] Rundll32.exe "c:\windows\system32\fidetiga.dll",a
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [bobuyekani] Rundll32.exe "C:\WINDOWS\system32\vipogije.dll",s
O4 - HKUS\S-1-5-19\..\Run: [bobuyekani] Rundll32.exe "C:\WINDOWS\system32\ziwinuro.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [bobuyekani] Rundll32.exe "C:\WINDOWS\system32\ziwinuro.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWirePro\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\vatotosa.dll c:\windows\system32\fidetiga.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fidetiga.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fidetiga.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 15080 bytes
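A triage pass over the HijackThis log above, as an added example that is not part of the original post and not HijackThis's own code. The heuristics are my assumptions, tuned to what this log shows: the Vundo loader DLLs carry generated eight-letter lowercase names in system32, are started from Run keys via Rundll32 (the [bobuyekani] and [CPMeb532e01] entries), are injected into every process through AppInit_DLLs (O20), and register one CLSID as both a shell service object (O21) and a shared task scheduler (O22); the "(no name)" BHO in O2 is the same family. The sample is a constructed subset of the log lines above plus two benign entries for contrast. Note also that the HKCU Run entry for vipogije.dll now points at a file PC-cillin has already quarantined, which is where the "VIPOGIJE.dll is missing" message at startup comes from: the loader was removed, the autorun was not.

```python
import re
from collections import defaultdict

# Constructed subset of the HijackThis log posted above, plus two benign
# entries (NvCpl, the Java SSV helper) so the heuristics have something to pass.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {5fcd68f5-62e4-4da4-852c-e5cb6d2ae188} - C:\WINDOWS\system32\nesavina.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bobuyekani] Rundll32.exe "C:\WINDOWS\system32\ziwinuro.dll",s
O4 - HKLM\..\Run: [CPMeb532e01] Rundll32.exe "c:\windows\system32\fidetiga.dll",a
O4 - HKCU\..\Run: [bobuyekani] Rundll32.exe "C:\WINDOWS\system32\vipogije.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\vatotosa.dll c:\windows\system32\fidetiga.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fidetiga.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fidetiga.dll
"""

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
SYS32_DLL = re.compile(r"system32\\([^\\\"\s,]+)\.dll", re.IGNORECASE)
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Yield (section, body) for each 'Onn - ...' / 'Rn - ...' line."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def random_dlls(body):
    """DLLs under system32 whose base name is exactly eight lowercase letters
    (assumption: Vundo's generated names look like this; real DLLs rarely do)."""
    return [n for n in SYS32_DLL.findall(body)
            if len(n) == 8 and n.isalpha() and n.islower()]


def triage(text):
    """Return a list of (section, reason, line) findings."""
    findings = []
    hooks = defaultdict(set)          # CLSID -> sections it is registered in
    for section, body in parse_hjt(text):
        for dll in random_dlls(body):
            findings.append((section, f"random-name DLL {dll}.dll in system32", body))
        if section == "O2" and "(no name)" in body:
            findings.append((section, "BHO with no name", body))
        if section == "O20" and body.partition(":")[2].strip():
            # AppInit_DLLs is loaded into every process that links user32.dll
            findings.append((section, "AppInit_DLLs is populated", body))
        if section in ("O21", "O22"):
            for clsid in CLSID.findall(body):
                hooks[clsid.upper()].add(section)
    for clsid, sections in hooks.items():
        if {"O21", "O22"} <= sections:
            findings.append(("O21/O22", f"{clsid} is both an SSODL and a SharedTaskScheduler entry", ""))
    return findings


def suspicious_dlls(text):
    """Sorted, de-duplicated base names of every random-name DLL in the log."""
    return sorted({dll for _, body in parse_hjt(text) for dll in random_dlls(body)})


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_HJT):
        print(f"{section:7} {reason}")
    print("files to look for:", ", ".join(d + ".dll" for d in suspicious_dlls(SAMPLE_HJT)))
```

The name heuristic is deliberately narrow (eight lowercase letters, system32 only) so that it stays quiet on the dozens of legitimate entries in this log; the O20/O21/O22 checks do not depend on the name at all, which matters because this family regenerates file names on each reinfection, as the sequence of VUNDO.LAF, VUNDO.LAC, nubobevu.dll, temomelo.dll and so on in the post shows.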


----------



## km2357 (Aug 9, 2007)

Hello and welcome to Tech Support Guy.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!


----------



## km2357 (Aug 9, 2007)

Step # 1 *Download CCleaner*

*Download CCleaner from here to clean temp files from your computer.* 

Double click on the ccsetup.exe file to start the installation of the program. 
Select your language and click *OK*, then *next*. 
Read the license agreement and click *I Agree*. 
Click *next* to use the default install location. 
Under Install Options, choose all the default settings, except that I would recommend you untick "Install the Yahoo! Toolbar" unless you want it. You can also uncheck the "Automatically check for updates" box. 
Click *Install* then *finish* to complete installation.

Step # 2 *Retrieve the Installed Programs List from CCleaner*

Open CCleaner if it's not already running. 
In the Left Pane, click *Tools* 
Verify that *Uninstall* is highlighted in color, or click on it. 
In the lower Right, click *Save to Text File*. 
Pull down the arrow at the top of the Save dialog and choose *Desktop* as the location. 
You can leave the filename as *install.txt* 
Click *Save* 
Exit CCleaner by clicking on the *X* button in the upper right of the CCleaner window.

Step # 3: *Download and Run ComboFix*

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.*

*IMPORTANT!!! Save ComboFix.exe to your Desktop*

When finished, it shall produce a log for you. Please include the *CCleaner Install List*,*C:\ComboFix.txt* and a fresh *HiJackThis Log* in your next reply.

Use multiple posts if you can't fit everything into one post.


----------



## Evawegner (Jan 10, 2009)

Dear km2357,
 I'm having major difficulties accessing your website. For some reason it takes up to 10 minutes to load a page each time, and when I click on something on it, e.g. search or to reply to your post, it takes the same amount of time again. As you can imagine, it's incredibly frustrating.
I don't think this is due to the Trojan, because I don't seem to have the same problem on other websites, including looking at other forums. 
The last thing I want to do is to waste your time. I know you guys are volunteers, your time valuable and there are 100s of people waiting for your assistance. 
What should I do? Is there some "process" I can turn off to make this quicker? Should I persevere and just wait the 10 minutes each time to read your post and then again to reply, or should I try my luck in another forum, which loads immediately. 
If you advise that I should stick with it, I'll get on it immediately and will follow the first set of instructions.
Thank you so much and thanks for your advice.
Eva


----------



## Evawegner (Jan 10, 2009)

Dear 2357,
I would like to take you up on your kind offer of help. While the web pages are loading and taking their time, I'll just do something else. Maybe cook dinner? 

I have a question, I have turned off my system restore 2 days ago and kept it off. Should I turn it back on?
Also, now that the Combofix has finished, I've turned back on the Antivirus (Pc-cillin), Antispyware (Spyware Doctor) and the firewall. Was that the right thing to do? Or should I keep them off.

I really appreciate your help and thank you for your time and patience. 
Eva

Please find below the requested logs.
*CCleaner*
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe SVG Viewer
Adobe® Photoshop® Album Starter Edition 3.0
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
ANNO 1503
Apple Mobile Device Support
Apple Software Update
Azureus Vuze
Big Fish Games Client
Bonjour
Canon MP Navigator 2.2
Canon MP830
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
CD-LabelPrint
Chessmaster 10th Edition
Chuzzle Deluxe (remove only)
Classic PhoneTools
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Cossacks - European Wars
Creative MediaSource
Dell Media Experience
Dell Support Center (Support Software)
DellSupport
Digital Line Detect
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
D-Link DSL-302G USB Driver
Easy-WebPrint
ESPNMotion
GemMaster Mystic
GlobFX Player 1.0.9
GlobFX Web Player
Google Earth
Google SketchUp 6
Google Toolbar for Internet Explorer
GoToMeeting/GoToWebinar 3.0.0.198
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Intel Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
iPodRip
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Jewel Quest
Jewel Quest
Jewel Quest 2
LimeWire PRO 4.14.8
Line Speed Meter
Mandelbrott Fractal ScreenSaver v 1.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Combat Flight Simulator 3.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Works 7.0
MobileMe Control Panel
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Music Works Personal
My Way Search Assistant
NetChiro
NetWaiting
Nokia Connectivity Cable Driver
Nokia PC Suite
NoteWorthy Composer
NVIDIA Drivers
OpenOffice.org Installer 1.0
OptusNet DSL
Paint Shop Pro 6 Digital Camera Support
Paint Shop Pro 6.0 (CD-ROM)
PC Connectivity Solution
Pharaoh
PowerDVD 5.5
Presto! PageManager 7.15.14
QuickTime
RealPlayer Basic
ScanSoft OmniPage SE 4.0
SimCity 4 Deluxe
Skype 3.8
Sonic Advanced Decoder
Sonic Audio module
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster Live! 24-bit
Spyware Doctor 6.0
The Great Art Race
Trend Micro Internet Security Pro
VideoLAN VLC media player 0.8.6i
Viewpoint Media Player (Remove Only)
WebCyberCoach 3.2 Dell
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
XPlay 2 Free Trial
XviD 1.1 final uninstall
Yahoo! Toolbar

*ComboFix*
ComboFix 09-01-11.01 - Eva & Michelangelo 2009-01-12 18:54:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1398 [GMT 11:00]
Running from: c:\documents and settings\Eva & Michelangelo\Desktop\ComboFix.exe
AV: *On-access scanning disabled* (Updated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: *disabled*
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\abivizuw.ini
c:\windows\system32\ajanutuj.ini
c:\windows\system32\alevuyut.ini
c:\windows\system32\bahegope.dll
c:\windows\system32\detukimi.dll
c:\windows\system32\elorinih.ini
c:\windows\system32\fidetiga.dll
c:\windows\system32\itafakuf.ini
c:\windows\system32\iyowasin.ini
c:\windows\system32\logibeja.dll
c:\windows\system32\magarino.dll
c:\windows\system32\mfcans32.DLL
c:\windows\system32\mfcuia32.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\nugebini.dll
c:\windows\system32\olemomet.ini
c:\windows\system32\pojavoru.dll
c:\windows\system32\ravemuse.dll
c:\windows\system32\rdocurs.dll
c:\windows\system32\riyijuvu.dll
c:\windows\system32\roruhore.dll
c:\windows\system32\rurimita.dll
c:\windows\system32\serinoho.dll
c:\windows\system32\temomelo.dll
c:\windows\system32\tofayava.dll
c:\windows\system32\vatotosa.dll
c:\windows\system32\zeladugu.dll
c:\windows\system32\ziwinuro.dll
.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-10 18:54 . 2009-01-10 18:54 d-------- C:\VundoFix Backups
2009-01-10 10:30 . 2009-01-10 10:30 d-------- c:\program files\Enigma Software Group
2009-01-10 00:17 . 2009-01-12 18:48 d-------- c:\program files\Spyware Doctor
2009-01-10 00:17 . 2009-01-10 00:20 d-------- c:\program files\Common Files\PC Tools
2009-01-10 00:17 . 2009-01-10 00:17 d-------- c:\documents and settings\Eva & Michelangelo\Application Data\PC Tools
2009-01-10 00:17 . 2009-01-10 00:17 d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-10 00:17 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-10 00:17 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-10 00:17 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-10 00:17 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-10 00:17 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-09 16:51 . 2009-01-09 16:51 16,384 --a------ c:\windows\DCEBoot.exe
2008-12-18 18:26 . 2008-12-18 18:26 410,984 --a------ c:\windows\system32\deploytk.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 07:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-12 07:04 --------- d-----w c:\documents and settings\Eva & Michelangelo\Application Data\skypePM
2009-01-10 22:23 --------- d-----w c:\documents and settings\Eva & Michelangelo\Application Data\Skype
2009-01-10 10:16 --------- d-----w c:\program files\Trend Micro
2009-01-09 22:23 --------- d-----w c:\program files\DIGStream
2009-01-07 13:50 --------- d-----w c:\documents and settings\Eva & Michelangelo\Application Data\U3
2008-12-18 07:26 --------- d-----w c:\program files\Java
2008-11-21 23:07 --------- d-----w c:\program files\iTunes
2008-11-21 23:07 --------- d-----w c:\program files\iPod
2008-11-21 23:07 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 23:06 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-21 23:05 --------- d-----w c:\program files\Bonjour
2008-11-21 23:03 --------- d-----w c:\program files\QuickTime
2008-11-21 08:58 --------- d-----w c:\documents and settings\Eva & Michelangelo\Application Data\Canon
2008-06-02 00:33 56,912 ----a-w c:\documents and settings\Eva & Michelangelo\g2mdlhlpx.exe
2006-11-29 12:05 251 ----a-w c:\program files\wt3d.ini
1999-08-12 20:00 4,820 ----a-w c:\program files\CAMUNWISE.INI
1601-01-01 00:12 65,797 --sha-w c:\windows\system32\dasabisi.dll
1601-01-01 00:12 29,696 --sha-w c:\windows\system32\wemipipo.dll
1601-01-01 00:12 73,728 --sha-w c:\windows\system32\zuwokuwu.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-19 26112]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Desktop Service Centre"="c:\program files\OptusNet DSL Internet\DSC.exe" [2004-09-06 2125956]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Line Speed Meter"="c:\program files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe" [2006-11-04 2990080]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"Mediafour Mac Volume Notifications"="c:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-18 61440]
"Mediafour XPlay Tray Notification Icon"="c:\program files\Mediafour\XPlay\XPTRYICN.EXE" [2004-09-28 94208]
"MDDiskProtect.exe"="c:\program files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-16 106496]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]
c:\documents and settings\Eva & Michelangelo\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWirePro\LimeWire.exe [2007-08-17 147456]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-19 24576]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\vatotosa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmProxy.exe"=
"c:\\WINDOWS\\system32\\MsPMSPSv.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\IAANTMon.exe"=
"c:\\Program Files\\PC Connectivity Solution\\ServiceLayer.exe"=
"c:\\Program Files\\LimeWirePro\\LimeWire.exe"=
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [2005-07-21 24320]
R1 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [2006-09-14 213888]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-10 160792]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-12-16 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~3\TmPfw.exe [2008-01-18 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-01-18 648456]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-01-18 52240]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-12-16 36368]
S3 glauiad;D-Link DSL-302G Modem;c:\windows\system32\drivers\glauiad.sys [2006-01-28 29603]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-10 356920]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1270944f-87ca-11db-8eda-000f3da421f6}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{5fcd68f5-62e4-4da4-852c-e5cb6d2ae188} - c:\windows\system32\nesavina.dll
ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)
HKCU-Run-bobuyekani - c:\windows\system32\vipogije.dll

.
------- Supplementary Scan -------
.
uStart Page = 
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: interdivisionservices.gc.adventist.org
c:\windows\Downloaded Program Files\OggX.ocx - O16 -: {1E53EA77-34F2-474E-9046-B2B0C86F1821}
hxxp://www.eska.pl/streamplayers/OggX.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 18:58:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1060)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
c:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
.
**************************************************************************
.
Completion time: 2009-01-12 19:03:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 08:03:03
Pre-Run: 737,957,646,336 bytes free
Post-Run: 739,394,805,760 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
258 --- E O F --- 2008-12-11 12:04:04


----------



## Evawegner (Jan 10, 2009)

*HijackThis*
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:26 PM, on 12/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWirePro\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 13586 bytes


----------



## km2357 (Aug 9, 2007)

Hi Eva. 

No need to move to another forum, we can work together on it right here. 

Are you still experiencing the 10 minute load time when trying to access this forum? The website itself may have been very slow/had heavy bandwidth when you accessed it. If it still happens, you can either just wait it out or use another computer to visit the site and transfer logs and programs back and forth via a USB/Flash Drive. I would only do the USB option if the wait is really long or you get timed out before you can read/post anything.

Yes, turn your System Restore back on.

You can go ahead and turn on your Anti-Virus (Trend Micro) and Firewall. You can also turn on Spyware Doctor, but I would disable its Anti-Virus component, as you only need one (Pc-cillin) running on your computer.

*IMPORTANT* I notice there are signs of one or more *P2P (Person to Person) File Sharing Programs* on your computer.

*Azureus Vuze*

*LimeWire PRO 4.14.8*

I'd like you to read the *Guidelines for P2P Programs* where we explain why it's not a good idea to have them.

Also available *here*.

My recommendation is you go to *Control Panel > Add/Remove Programs* and uninstall the programs listed above (in red).

Step # 1: *Run CFScript*


Please open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:


```
KILLALL::

File::

c:\windows\system32\dasabisi.dll
c:\windows\system32\wemipipo.dll
c:\windows\system32\zuwokuwu.dll
c:\windows\system32\vatotosa.dll

Folder::

C:\VundoFix Backups
c:\program files\Enigma Software Group
c:\Program Files\Azureus
c:\Program Files\LimeWirePro

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=-
"c:\\Program Files\\LimeWirePro\\LimeWire.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1270944f-87ca-11db-8eda-000f3da421f6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
```

 Save this as *CFScript.txt* and change the "*Save as type*" to "*All Files*" and place it on your desktop.

Note: This CFScript is for use on evawegner's computer *only*! Do not use it on your computer.

 Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe.*
 ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. 
 When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh HiJackThis Log taken after Step 1 has been completed.
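
The Registry:: section of the CFScript above restores the LSA "Notification Packages" value to its Windows XP default (only scecli) by writing it as a REGEDIT4 hex(7) multi-string, which is how ComboFix scripts express REG_MULTI_SZ values; the earlier ComboFix log in this thread also showed a Vundo DLL appended to that value, Security Center overrides and the Windows Firewall switched off. As an added example that is not ComboFix's, HijackThis's or the helper's own code, the Python below decodes and re-encodes that hex(7) value and audits an excerpt of the "Reg Loading Points" section for those indicators. The excerpt is constructed from the entries quoted in this thread, and the function names are my own.

```python
"""Audit a ComboFix 'Reg Loading Points' excerpt for the Vundo-style
persistence and self-protection entries seen in this thread, and decode the
REGEDIT4 hex(7) multi-string used by the CFScript to restore the LSA default.

Added example; not ComboFix, HijackThis or forum helper code.
"""
import re

# Constructed excerpt, built from the registry entries quoted in this thread
# (ComboFix prints key names mostly in lower case and REG_MULTI_SZ values
# space-separated).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\vatotosa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# On a default Windows XP install the only LSA notification package is scecli.
EXPECTED_LSA_PACKAGES = {"scecli"}

# Security Center values that, when set to 1, silence or override its checks.
SECURITY_CENTER_OVERRIDES = {
    "AntiVirusOverride", "FirewallOverride", "UpdatesDisableNotify",
    "AntiVirusDisableNotify", "FirewallDisableNotify", "DisableMonitoring",
}


def decode_hex7(value):
    """Decode a REGEDIT4 hex(7) (REG_MULTI_SZ, ANSI) value into a list of strings.

    Each string is NUL-terminated and the whole list ends with one more NUL,
    so hex(7):73,63,65,63,6c,69,00,00 is the single string 'scecli'.
    """
    payload = value.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return [s.decode("latin-1") for s in raw.rstrip(b"\x00").split(b"\x00") if s]


def encode_hex7(strings):
    """Inverse of decode_hex7: the hex(7) text a .reg file or CFScript expects."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def audit_loading_points(log_text):
    """Return (finding_kind, detail) tuples for suspicious entries in the excerpt."""
    findings = []
    key = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()       # new registry key header
            continue
        if key is None:
            continue
        if key.endswith(r"\control\lsa") and line.startswith("Notification Packages"):
            # Anything beyond scecli is loaded into lsass.exe at boot:
            # a classic Vundo persistence point. (ComboFix separates the
            # entries with spaces, so paths containing spaces would need
            # manual review.)
            packages = line.split()[3:]
            for pkg in packages:
                if pkg.lower() not in EXPECTED_LSA_PACKAGES:
                    findings.append(("lsa_notification_package", pkg))
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.+)', line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if "security center" in key:
            if name in SECURITY_CENTER_OVERRIDES and value.endswith("00000001"):
                findings.append(("security_center_override", key + "\\" + name))
        elif key.endswith(r"\firewallpolicy\standardprofile") and name == "EnableFirewall":
            if value.split()[0] in ("0", "dword:00000000"):
                findings.append(("firewall_disabled", key))
    return findings


if __name__ == "__main__":
    print(decode_hex7("hex(7):73,63,65,63,6c,69,00,00"))
    for kind, detail in audit_loading_points(SAMPLE_LOG):
        print(kind, detail)
```

Run on the excerpt, the audit reports the DLL appended to the LSA notification list, the three Security Center overrides and the disabled firewall profile, which are exactly the entries the CFScript and the helper's later instructions (re-enabling Trend Micro and the firewall) undo.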


----------



## Evawegner (Jan 10, 2009)

Thanks, the webpage now loads in seconds! It's a miracle! Maybe it was the malware after all...

Azureus and Limewire are now removed. I'm sure I'm not the most popular person here at present.

Some issues with the last fix:
1. When I started the Combofix it asked if I wanted to update it. I said no. Pretty sure I turned off the automatic update on install. Next time should I update?

2. When ComboFix launched it asked me to disable the antivirus and anti-spy again, which I did. I also turned off the Firewall for the duration of the scan, as previously it asked to do so (on the install). I will assume that I need to turn all three off every time I start ComboFix, right?

3. When the computer rebooted (while ComboFix was saying: don't run any programs until ComboFix has finished) there was a message: XPlay2 Free trial Installing and it seems to have installed itself, before I had a chance to click cancel. :down: It is now waiting for me to reboot the computer. I don't know what this software is. Did it download because my anti-spam and firewall were down? Should I look for it and get rid of it somehow, or leave it alone? I'm pretty sure that next time I reboot it will finalise that installation.

*Combofix log:*
ComboFix 09-01-11.01 - Eva & Michelangelo 2009-01-12 21:30:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1388 [GMT 11:00]
Running from: c:\documents and settings\Eva & Michelangelo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eva & Michelangelo\Desktop\CFScript.txt
AV: *On-access scanning disabled* (Updated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: *disabled*
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
FILE ::
c:\windows\system32\dasabisi.dll
c:\windows\system32\vatotosa.dll
c:\windows\system32\wemipipo.dll
c:\windows\system32\zuwokuwu.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Enigma Software Group
c:\program files\Enigma Software Group\SpyHunter\AXList.txt
c:\program files\Enigma Software Group\SpyHunter\key.dat
c:\program files\Enigma Software Group\SpyHunter\scan.log
c:\program files\Enigma Software Group\SpyHunter\spyhunter.log
c:\program files\Enigma Software Group\SpyHunter\SpyHunterInstance.lock
c:\program files\LimeWirePro
c:\program files\LimeWirePro\hs_err_pid1336.log
c:\program files\LimeWirePro\hs_err_pid1540.log
c:\program files\LimeWirePro\hs_err_pid1732.log
c:\program files\LimeWirePro\hs_err_pid1748.log
c:\program files\LimeWirePro\hs_err_pid1752.log
c:\program files\LimeWirePro\hs_err_pid1772.log
c:\program files\LimeWirePro\hs_err_pid1776.log
c:\program files\LimeWirePro\hs_err_pid1852.log
c:\program files\LimeWirePro\hs_err_pid1856.log
c:\program files\LimeWirePro\hs_err_pid1860.log
c:\program files\LimeWirePro\hs_err_pid1868.log
c:\program files\LimeWirePro\hs_err_pid1872.log
c:\program files\LimeWirePro\hs_err_pid1880.log
c:\program files\LimeWirePro\hs_err_pid1884.log
c:\program files\LimeWirePro\hs_err_pid1896.log
c:\program files\LimeWirePro\hs_err_pid1932.log
c:\program files\LimeWirePro\hs_err_pid1944.log
c:\program files\LimeWirePro\hs_err_pid1972.log
c:\program files\LimeWirePro\hs_err_pid2288.log
c:\program files\LimeWirePro\hs_err_pid2564.log
c:\program files\LimeWirePro\hs_err_pid3060.log
c:\program files\LimeWirePro\hs_err_pid3292.log
c:\program files\LimeWirePro\hs_err_pid3596.log
c:\program files\LimeWirePro\hs_err_pid3716.log
c:\program files\LimeWirePro\hs_err_pid3720.log
c:\program files\LimeWirePro\hs_err_pid3744.log
c:\program files\LimeWirePro\hs_err_pid3768.log
c:\program files\LimeWirePro\hs_err_pid3780.log
c:\program files\LimeWirePro\hs_err_pid3856.log
c:\program files\LimeWirePro\hs_err_pid3916.log
c:\program files\LimeWirePro\hs_err_pid5584.log
c:\program files\LimeWirePro\hs_err_pid704.log
c:\program files\LimeWirePro\hs_err_pid780.log
C:\VundoFix Backups
c:\windows\system32\dasabisi.dll
c:\windows\system32\wemipipo.dll
c:\windows\system32\zuwokuwu.dll
.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-10 00:17 . 2009-01-12 21:27 d-------- c:\program files\Spyware Doctor
2009-01-10 00:17 . 2009-01-10 00:20 d-------- c:\program files\Common Files\PC Tools
2009-01-10 00:17 . 2009-01-10 00:17 d-------- c:\documents and settings\Eva & Michelangelo\Application Data\PC Tools
2009-01-10 00:17 . 2009-01-10 00:17 d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-10 00:17 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-10 00:17 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-10 00:17 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-10 00:17 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-10 00:17 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-09 16:51 . 2009-01-09 16:51 16,384 --a------ c:\windows\DCEBoot.exe
2008-12-18 18:26 . 2008-12-18 18:26 410,984 --a------ c:\windows\system32\deploytk.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 10:27 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-12 08:07 --------- d-----w c:\documents and settings\Eva & Michelangelo\Application Data\Skype
2009-01-12 07:04 --------- d-----w c:\documents and settings\Eva & Michelangelo\Application Data\skypePM
2009-01-10 10:16 --------- d-----w c:\program files\Trend Micro
2009-01-09 22:23 --------- d-----w c:\program files\DIGStream
2009-01-07 13:50 --------- d-----w c:\documents and settings\Eva & Michelangelo\Application Data\U3
2008-12-18 07:26 --------- d-----w c:\program files\Java
2008-11-21 23:07 --------- d-----w c:\program files\iTunes
2008-11-21 23:07 --------- d-----w c:\program files\iPod
2008-11-21 23:07 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 23:06 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-21 23:05 --------- d-----w c:\program files\Bonjour
2008-11-21 23:03 --------- d-----w c:\program files\QuickTime
2008-11-21 08:58 --------- d-----w c:\documents and settings\Eva & Michelangelo\Application Data\Canon
2008-06-02 00:33 56,912 ----a-w c:\documents and settings\Eva & Michelangelo\g2mdlhlpx.exe
2006-11-29 12:05 251 ----a-w c:\program files\wt3d.ini
1999-08-12 20:00 4,820 ----a-w c:\program files\CAMUNWISE.INI
.
((((((((((((((((((((((((((((( [email protected]_19.02.09.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-14 11:13:30 32,256 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\IconB07A5B7E10.exe
+ 2009-01-12 10:34:35 32,256 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\IconB07A5B7E10.exe
- 2007-07-14 11:13:30 55,296 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\IconB07A5B7E6.exe
+ 2009-01-12 10:34:36 55,296 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\IconB07A5B7E6.exe
- 2007-07-14 11:13:30 29,184 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\IconB07A5B7E9.exe
+ 2009-01-12 10:34:36 29,184 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\IconB07A5B7E9.exe
- 2007-07-14 11:13:30 22,486 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\XPlayProductIcon.exe
+ 2009-01-12 10:34:35 22,486 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\XPlayProductIcon.exe
- 2007-07-14 11:13:30 25,214 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\XPlaySupportIcon.exe
+ 2009-01-12 10:34:36 25,214 ----a-r c:\windows\Installer\{6039880D-59BC-4F18-B435-11E39148E5C5}\XPlaySupportIcon.exe
- 2009-01-12 07:09:20 77,824 ----a-w c:\windows\system32\kdfapi.dll
+ 2009-01-12 08:09:09 77,824 ----a-w c:\windows\system32\kdfapi.dll
- 2009-01-12 07:09:20 53,248 ----a-w c:\windows\system32\Kdfhok.dll
+ 2009-01-12 08:09:09 53,248 ----a-w c:\windows\system32\Kdfhok.dll
- 2009-01-12 07:09:19 726,568 ----a-w c:\windows\system32\kdfmgr.exe
+ 2009-01-12 08:09:09 726,568 ----a-w c:\windows\system32\kdfmgr.exe
- 2009-01-12 07:09:20 192,512 ----a-w c:\windows\system32\kdfvmgr.exe
+ 2009-01-12 08:09:09 192,512 ----a-w c:\windows\system32\kdfvmgr.exe
+ 2009-01-12 10:33:48 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-19 26112]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Desktop Service Centre"="c:\program files\OptusNet DSL Internet\DSC.exe" [2004-09-06 2125956]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Line Speed Meter"="c:\program files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe" [2006-11-04 2990080]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"Mediafour Mac Volume Notifications"="c:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-18 61440]
"Mediafour XPlay Tray Notification Icon"="c:\program files\Mediafour\XPlay\XPTRYICN.EXE" [2004-09-28 94208]
"MDDiskProtect.exe"="c:\program files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-16 106496]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-19 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmProxy.exe"=
"c:\\WINDOWS\\system32\\MsPMSPSv.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\IAANTMon.exe"=
"c:\\Program Files\\PC Connectivity Solution\\ServiceLayer.exe"=
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [2005-07-21 24320]
R1 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [2006-09-14 213888]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-10 160792]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-12-16 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~3\TmPfw.exe [2008-01-18 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-01-18 648456]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-01-18 52240]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-12-16 36368]
S3 glauiad;D-Link DSL-302G Modem;c:\windows\system32\drivers\glauiad.sys [2006-01-28 29603]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-10 356920]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1270944f-87ca-11db-8eda-000f3da421f6}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e431afc-91a8-11dd-91e0-0013720cfff6}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -
ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)

.
------- Supplementary Scan -------
.
uStart Page = 
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: interdivisionservices.gc.adventist.org
c:\windows\Downloaded Program Files\OggX.ocx - O16 -: {1E53EA77-34F2-474E-9046-B2B0C86F1821}
hxxp://www.eska.pl/streamplayers/OggX.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 21:34:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1060)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msiexec.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
c:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
.
**************************************************************************
.
Completion time: 2009-01-12 21:38:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 10:37:57
ComboFix2.txt 2009-01-12 08:03:10
Pre-Run: 739,363,696,640 bytes free
Post-Run: 739,374,473,216 bytes free
283 --- E O F --- 2008-12-11 12:04:04


----------



## Evawegner (Jan 10, 2009)

*Hijack This log:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:04 PM, on 12/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 13162 bytes


----------



## km2357 (Aug 9, 2007)

Good to hear that this page is loading a lot faster now. 



> 1. When I started the Combofix it asked if I wanted to update it. I said no. Pretty sure I turned off the automatic update on install. Next time should I update?


We shouldn't need to use ComboFix again, but if we do and it asks you if you want to update, click yes. 



> 2. When ComboFix launched it asked me to disable the antivirus and anti-spy again, which I did. I also turned off the Firewall for the duration of the scan, as previously it asked to do so (on the install). I will assume that I need to turn all three off every time I start ComboFix, right?


It's helpful to turn all three off when running ComboFix (so they don't block ComboFix from doing its job), but ComboFix will still run with them on.



> 3. When the computer rebooted (while ComboFix was saying: don't run any programs until ComboFix has finished) there was a message: XPlay2 Free trial Installing and it seems to have installed itself, before I had a chance to click cancel. It is now waiting for me to reboot the computer. I don't know what this software is. Did it download because my anti-spam and firewall were down? Should I look for it and get rid of it somehow, or leave it alone? I'm pretty sure that next time I reboot it will finalise that installation.


Do you have an iPod? It appears that XPlay2 refers to this. It appears to be harmless; if you don't want it, you can go to Add/Remove Programs once it's installed and uninstall it.

Step # 1: *Add/Remove Programs*

*Go to* Start-Settings-Control Panel, click on Add Remove *Programs*. *If any of the following* *programs* *are listed there*, click on the program *to* highlight it, and click on *remove*. Then close the Control Panel.

*My Way Search Assistant*

Reboot your Computer.

Step # 2 *Remove old versions of Java*

Older Java versions have vulnerabilities and need to be removed.

*Go to* Start-Settings-Control Panel, click on Add Remove *Programs*. *If any of the following* *programs* *are listed there*, click on the program *to* highlight it, and click on *remove*. Then close the Control Panel.

*Java 2 Runtime Environment, SE v1.4.2_03

J2SE Runtime Environment 5.0 Update 3

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 9

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

Java(TM) SE Runtime Environment 6 Update 1

Java(TM) 6 Update 2

Java(TM) 6 Update 3

Java(TM) 6 Update 5

Java(TM) 6 Update 7*

Reboot your Computer.

Step # 3 *Run CCleaner*

CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!


Before first use, select *Options > Advanced* and UNCHECK *Only delete files in Windows Temp folder older than 48 hours* 
Then select the items you wish to clean up.

In the *Windows* Tab:

Clean all entries in the *Internet Explorer* section except *Cookies* 
Clean all the entries in the *Windows Explorer* section 
Clean all entries in the *System* section 
Clean all entries in the *Advanced* section 
Clean *any others* that you choose

In the Applications Tab:

Clean all except *cookies* in the *Firefox/Mozilla* section if you use it 
Clean all in the *Opera* section if you use it 
Clean *Sun Java* in the *Internet Section* 
Clean *any others* that you choose

Click the *Run Cleaner* button. 
A pop up box will appear advising this process will permanently delete files from your system. 
Click *OK* and it will scan and clean your system. 
Click *exit* when done. 
If it asks you to reboot at the end, click *NO*

Step # 4 *Download and Run Malwarebytes' Anti-Malware*

Please download *Malwarebytes' Anti-Malware* to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
Be sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click *Finish*.
If an update is found, it will download and install the latest version.
Before running a scan, click the *Update* tab, next click *Check for Updates* to download any updates, if available.
Next click the *Scanner* tab and select *Perform Quick Scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
When completed, a log will open in Notepad. Please save it to a convenient location. 
You can also access the log by doing the following:

Click on the *Malwarebytes' Anti-Malware* icon to launch the program.
Click on the *Logs* tab.
Click on the log at the bottom of those listed to highlight it.
Click *Open*.

In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log
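
As an added example, not part of km2357's instructions and not HijackThis code, the following Python script parses the line types that appear in the HijackThis logs posted in this thread (O2 BHOs, O4 autoruns, O16 DPF objects, O23 services) into records and lists the entries a reviewer usually resolves by hand first: autoruns that do not name a fully qualified file, services whose owner HijackThis could not read, and controls fetched from a URL. The regexes are assumptions based only on the line shapes visible above, and the sample log is constructed from those posted lines.

```python
"""Parse HijackThis-style log lines into structured records.

Added example for this thread: it is not HijackThis code and does not reproduce
its logic. It understands only the line shapes visible in the logs posted above
(O2 BHOs, O4 autoruns, O16 DPF objects, O23 services) and reports the entries a
reviewer resolves by hand first: autoruns that do not name a fully qualified
file, services whose owner could not be read, and controls fetched from a URL.
"""
import re
from collections import Counter

# Constructed sample, modelled line for line on the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumed line shapes, taken from the logs above; real HijackThis has more types.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<command>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.+?)\) - (?P<url>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# First token ending in an executable extension, so unquoted paths with spaces survive.
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|cpl|bat|cmd))(?=\s|$)", re.IGNORECASE)


def executable_of(command):
    """Return the file an O4 command actually loads, or None if it cannot be resolved."""
    command = command.strip()
    if command in ("", "?"):
        return None
    head, _, rest = command.partition(" ")
    if head.strip('"').rsplit("\\", 1)[-1].lower() in ("rundll32", "rundll32.exe"):
        # rundll32 is only a host process: the file that matters is the DLL before the comma.
        return rest.split(",", 1)[0].strip().strip('"') or None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    m = EXT_RE.match(command)
    return m.group(1) if m else head


def is_fully_qualified(path):
    """True when the path starts with a drive letter; a bare name relies on the search path."""
    return bool(path) and re.match(r"^[A-Za-z]:\\", path) is not None


def parse_log(text):
    """Turn the recognised HijackThis line types into dict records; other lines are skipped."""
    records = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, the process list and "End of file" are not entries
        section, body = m.group("section"), m.group("body")
        rec = {"section": section, "raw": raw.strip()}
        if section == "O4" and (r := RUN_RE.match(body) or STARTUP_RE.match(body)):
            rec.update(kind="autorun", name=r.group("name"), command=r.group("command"),
                       target=executable_of(r.group("command")))
        elif section == "O2" and (r := BHO_RE.match(body)):
            rec.update(kind="bho", name=r.group("name"), clsid=r.group("clsid"), target=r.group("path"))
        elif section == "O16" and (r := DPF_RE.match(body)):
            rec.update(kind="dpf", name=r.group("name"), clsid=r.group("clsid"), url=r.group("url"))
        elif section == "O23" and (r := SERVICE_RE.match(body)):
            rec.update(kind="service", name=r.group("name"), vendor=r.group("vendor"), target=r.group("path"))
        records.append(rec)
    return records


def review(text):
    """Summarise a log: counts per section plus the entries to look at by hand first."""
    records = parse_log(text)
    return {
        "counts": dict(Counter(r["section"] for r in records)),
        "unresolved_autoruns": [r["name"] for r in records
                                if r.get("kind") == "autorun" and not is_fully_qualified(r["target"])],
        "unknown_owner_services": [r["name"] for r in records
                                   if r.get("kind") == "service" and r["vendor"] == "Unknown owner"],
        "downloaded_controls": [r["url"] for r in records if r.get("kind") == "dpf"],
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The flagged entries are a reading order, not a verdict: on this machine P17Helper is listed with a bare `P17.dll`, and the ComboFix log earlier in the thread already resolves it to `c:\windows\system32\P17.dll` (the Creative sound helper), while `Digital Line Detect.lnk = ?` only means HijackThis could not resolve that shortcut. The point of separating these out is that an autorun loading a DLL by bare name depends on the search path, so a reviewer confirms where the file really lives before deciding anything about it.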


----------



## Evawegner (Jan 10, 2009)

Dear km2357,
I'm about to run the CCleaner. I assume that the "clean" will delete only unused or orphaned files? It's a bit scary to see familiar names of files in the Word tab, for example, but these are not .doc, only .lnk. Presumably the actual document files will still work or are no longer there?
Thanks,
Eva


----------



## Evawegner (Jan 10, 2009)

How cleansing! 

Please find attached the requested logs. Thanks.

*Malwarebytes log:*
Malwarebytes' Anti-Malware 1.32
Database version: 1647
Windows 5.1.2600 Service Pack 3
13/01/2009 10:45:35 PM
mbam-log-2009-01-13 (22-45-35).txt
Scan type: Quick Scan
Objects scanned: 60164
Time elapsed: 7 minute(s), 42 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\nobiwuna.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gesiwoha.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fupilito.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vunoyedi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\harunano.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

*HijackThis log:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:44 PM, on 13/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Documents and Settings\Eva & Michelangelo\Desktop\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 13079 bytes


----------
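The HijackThis log posted above is the format a helper reads to spot autostart entries, browser hooks and services. As an added example (not a tool from this thread, from Trend Micro or from Malwarebytes), the Python script below parses such a log and flags the entries worth a second look: DLLs in system32 with the same eight-random-letter shape as the files the Malwarebytes log quarantined, BHOs with no name, services with an unknown owner, and remotely hosted ActiveX controls (O16). The sample log is constructed from lines posted in this thread plus one deliberately suspicious O2 entry with a placeholder GUID; the trusted-host list, the `Finding` structure and the regular expressions are assumptions of the example, and every flag is a prompt for manual review, not a verdict.

```python
"""Triage a HijackThis v2 log for the entry patterns discussed in this thread.

Added example, not a thread or vendor tool. Heuristic only: a few legitimate
system32 DLLs also have eight-letter names, so flagged lines are for review.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample: real lines from the posted logs plus one made-up O2 entry
# (all-zero GUID) pointing at a DLL name Malwarebytes quarantined above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\nobiwuna.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# An entry line starts with its section code ("R0".."R3", "O2", "O23", ...).
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# First Windows path in the body, cut at a known extension (drops "/flags").
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|cab)\b", re.IGNORECASE)
# Eight lowercase letters + .dll inside system32: the shape of every DLL the
# Malwarebytes and Kaspersky logs above quarantined (nobiwuna, temomelo, ...).
RANDOM_DLL_RE = re.compile(r"(?i:\\system32\\)[a-z]{8}\.dll$")
# Hosts of the O16 ActiveX downloads in the posted logs (assumption for the example).
TRUSTED_DPF_HOSTS = ("microsoft.com", "facebook.com", "adobe.com")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O4"
    detail: str  # the entry body exactly as logged
    reason: str  # why it was flagged


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each entry line; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def extract_path(body: str) -> Optional[str]:
    """Return the first absolute file path in an entry body, or None (e.g. 'Rundll32 P17.dll')."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def _trusted_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> List[Finding]:
    """Apply the review heuristics to every entry and collect the flagged ones."""
    findings: List[Finding] = []
    for kind, body in parse_entries(log_text):
        path = extract_path(body)
        if path and RANDOM_DLL_RE.search(path):
            findings.append(Finding(kind, body, "random-looking 8-letter DLL in system32"))
        if kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(kind, body, "BHO with no name"))
        if kind == "O23" and "Unknown owner" in body:
            findings.append(Finding(kind, body, "service with unknown owner"))
        if kind == "O16":
            m = re.search(r"https?://([^/\s]+)", body)
            host = m.group(1).lower() if m else ""
            if not _trusted_host(host):
                findings.append(Finding(kind, body, f"ActiveX download from {host or 'unknown host'}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason:<40} {f.detail}")
```

Run on the constructed sample it reports four findings: the placeholder O2 entry twice (random DLL name and no name), the OggX control hosted on eska.pl, and DSBrokerService with an unknown owner; the last two are ordinary false positives of the heuristic (a Dell service and a streaming-player control), which is why the output is a review list rather than a removal list.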



## km2357 (Aug 9, 2007)

> I'm about to run the CCleaner. I assume that the "clean" will delete only unused or orphaned files? It's a bit scary to see familiar names of files in Word tab for example, but these are not .doc only .lnk. Presumably the actual document files will still work or are no longer there?


CCleaner gets rid of your junk/temp/unused files, files that you do not need on your computer, files that are taking up space. And yes the Word Doc files should still be there, it only deleted the shortcut/links to them, not the actual .doc files themselves. So no worries there. 

Step # 1 *Update Adobe Acrobat Reader*

There is a newer version of *Adobe Acrobat Reader* available. (See Note below)


First, go to *Add/Remove Programs* and uninstall all previous versions.
Please go to this link *Adobe Acrobat Reader Download Link* 
On the right Untick *Adobe Photoshop Album Starter Edition* if you do not wish to include this in the installation. 
Click the *Continue* button 
Click *Run*, and click *Run* again 
Next click the *Install Now* button and follow the on screen prompts

Note: Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.0 instead of Adobe, do the following during Foxit's Setup/Installation process:

*Uncheck* the following boxes:

*I accept the License Terms and want to install Foxit Toolbar*

*Make Ask.com my default search*

*Create desktop, quick launch and start menu icon to eBay*

Step # 2: *Run Kaspersky Online Scan *

Please go to *Kaspersky website* and perform an online antivirus scan.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the *Save* button:
*Spyware, Adware, Dialers, and other potentially dangerous programs*
*Archives*
*Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.

In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?


----------



## Evawegner (Jan 10, 2009)

Good evening! (Well, here it is evening.)

I thought I would start with the issues:
1. Not really an issue any more, just to let you know, in case it is important: On the first reboot of the computer after the "big clean" a window popped up, asking which program should open file "Eva" (no extension). I closed the window and have never seen it again (rebooted the computer at least twice since without it popping up again). Also, Trendmicro Pc-Cillin was no longer in the system tray in the right bottom corner, and had to be started manually, but it is now there and runs automatically on start-up.

2. I have notifications about windows updates waiting to be installed. I guess that's good news, as the automatic updates were previously disabled by the malware. The question is, should I install them now or should I wait for our clean-up to be completed first?

3. Adobe: I have removed the Photoshop Album Starter, as I didn't recall using it even once. On the other hand, I'm not able to install the Reader ver9. I had removed ver8.* and then downloaded the new version. I had notification that the Adobe Download Manager downloaded 100% and installed it, but it is nowhere to be found on the computer. I looked in the Add/Remove programs and in the Program Files, etc. Not there. I had rebooted, in hope that this may complete the installation, without success. I also registered it, just in case that was required. No joy. It's just not there. Space is not a problem, I have 1 terabyte on the hard drive, mostly unused. Is there something stopping it from installing?

4. The computer is quite slow again, when starting some programs. It takes ages for it to react when I press buttons, eg when going to Add/Remove programs, it takes several minutes to "populate" (much longer than even yesterday). Also when trying other programs, eg the internet explorer icon, it takes approx 3 minutes for the explorer window to appear and open, but once it does, it loads the internet pages quite quickly. So it seems that executing the program is slow, but once it does, it runs ok.

5. Probably completely irrelevant, but the google icon keeps changing! Never seen that before. It is usually a boring blue, and then suddenly it goes all colourful. This happens to the shortcut icon on the desktop, the little one on the taskbar and also within the explorer on the address bar, when I'm in google.com. And then it goes back to blue. What the?

As always, thank you, and here come the logs:

*Kaspersky*
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 15, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 14, 2009 08:05:09
Records in database: 1618218
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\
Scan statistics:
Files scanned: 174528
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:04:11

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\temomelo.dll.vir Infected: Trojan.Win32.Monder.aidi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wemipipo.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zuwokuwu.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
The selected area was scanned.

*HijackThis*
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:57 AM, on 15/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 12617 bytes


----------



## Evawegner (Jan 10, 2009)

Solved the Adobe mystery. I've rearranged the folders on my desktop (which by now are quite numerous), and lo and behold, the Adobe Reader Installation Folder was hiding under one of them! It is now safely installed and appears to be working! One less problem to resolve!


----------



## km2357 (Aug 9, 2007)

Kaspersky only found stuff in the Qoobox folder, which is where ComboFix keeps its quarantined files. I'll have you remove those within the next few posts.



> 2. I have notifications about windows updates waiting to be installed. I guess that's good news, as the automatic updates were previously disabled by the malware. The question is, should I install them now or should I wait for our clean-up to be completed first?


You can go ahead and install them now.



> 4. The computer is quite slow again, when starting some programs. It takes ages for it to react when I press buttons, eg when going to Add/Remove programs, it takes several minutes to "populate" (much longer than even yesterday). Also when trying other programs, eg the internet explorer icon, it takes approx 3 minutes for the explorer window to appear and open, but once it does, it loads the internet pages quite quickly. So it seems that executing the program is slow, but once it does, it runs ok.


Try the tips at the following website to see if they help:

http://www.malwareremoval.com/tutorials/runningslowly.php



> 5. Probably completely irrelevant, but the google icon keeps changing! Never seen that before. It is usually a boring blue, and then suddenly it goes all colourful. This happens to the shortcut icon on the desktop, the little one on the taskbar and also within the explorer on the address bar, when I'm in google.com. And then it goes back to blue. What the?


Google has been changing their icon lately. Take a look at the following website, are these the icon(s) that've been changing?

http://searchengineland.com/google-brings-back-color-to-favorite-icon-16078

If so, then nothing to worry about.


----------



## Evawegner (Jan 10, 2009)

Windows updates: downloaded, no problems.

Speed: Had a look at the link. Thanks. I was planning on doing the defrag when we're done with this clean-up. I will wait until then.

Google: you're right. The new freaky icon is their new favicon. With all the trojan stuff going on, every little change and weird thing is now freaking me out. Must get my "chill" back.

Spyware Doctor has just picked up, quarantined and cleaned the following:
Trojan.Generic in HKEY_USERS
Application.NirCmd in HKEY_LOCAL_MACHINE 
?important ?same stuff as before ?something new ?not picked up by Kaspersky

:up: Looking forward to the next installment. Tx!


----------



## Evawegner (Jan 10, 2009)

Now PC-Cillin did its own scan and found a number of Vundo files in C\system volume information\_restore (as well as the expected ones in Qoobox). It didn't quarantine these (said it needs help to deal with them). I left it alone, cause I don't want to muck up the sequence of what we're trying to do here. I'm just letting you know, in case it matters. Please advise if you actually want to know about all that! Tx.


----------



## km2357 (Aug 9, 2007)

> Spyware Doctor has just picked up, quarantined and cleaned the following:
> Trojan.Generic in HKEY_USERS
> Application.NirCmd in HKEY_LOCAL_MACHINE


This is ok. NirCmd is a tool used by many of the anti-spyware/malware tools out there. It's completely safe in itself; it's just that it can be used by the bad guys as well as the good. Hence why Spyware Doctor picked it up.



> Now PC-Cillin did its own scan and found a number of Vundo files in C\system volume information\_restore (as well as the expected ones in Qoobox). It didn't quarantine these (said it needs help to deal with them). I left it alone, cause I don't want to muck up the sequence of what we're trying to do here.


What PC-Cillin found in system volume information is in the System Restore. In this post, I'll have you remove the old infected System Restore points and set a new, clean one.

If there are no other malware-related problems, then you are good to go. 

To remove ComboFix, do the following:

Go to Start > Run - type in *ComboFix /u* & click OK

Empty your Recycle Bin.

Please take the time to read my _All Clean Post._

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point


Go to Start > All Programs > Accessories > System Tools > System Restore 
Select *Create a restore point*, and Ok it. 
Next, go to Start > Run and type in *cleanmgr*
Make sure the *C:\* drive is selected and click *OK*. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click *OK*.
Select the *More options* tab 
Choose the option to clean up system restore and OK it. 
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.

*Make your Internet Explorer more secure* This can be done by following these simple instructions:
From within Internet Explorer click on the *Tools* menu and then click on *Options*. 
Click once on the *Security* tab 
Click once on the *Internet* icon so it becomes highlighted. 
Click once on the *Custom Level* button. 
Change the *Download signed ActiveX controls* to *Prompt* 
Change the *Download unsigned ActiveX controls* to *Disable* 
Change the *Initialize and script ActiveX controls not marked as safe* to *Disable* 
Change the *Installation of desktop items* to *Prompt* 
Change the *Launching programs and files in an IFRAME* to *Prompt* 
Change the *Navigate sub frames across different domains* to *Prompt*

When all these settings have been made, click on the *OK* button. 
If it asks you if you want to save the settings, press the *Yes* button. 
Next press the *Apply* button and then the *OK* to exit the Internet Properties page.

*Set correct settings for files that should be hidden in Windows XP*

Click *Start* > *My Computer* > *Tools* menu (at top of page) > *Folder Options* > *View* tab. 
Under "Hidden files and folders" if necessary select *Do not show hidden files and folders*. 
If unchecked please check *Hide protected operating system files (Recommended)*
If necessary check "Display content of system folders" 
If necessary Uncheck *Hide file extensions for known file types*. 
Click *OK*

*Use An Antivirus Software and Keep It Updated* - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you *update your antivirus software* at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
*Visit Microsoft's Update Site Frequently* It is important that you visit *Microsoft Updates* regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
*Install SpywareBlaster* SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here: 
*Computer Safety on line Anti Malware* 
*Use the hosts file:* Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the *mvps hosts file*. Make sure you read the instructions on how to install the hosts file. There is a good tutorial *HERE*. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen
Click run
In the dialog box, type services.msc
hit enter, then locate dns client
Highlight it, then doubleclick it.
On the dropdown box, change the setting from automatic to manual.
Click ok..

*Use an alternative instant messenger program*: *Trillian* and *Miranda IM* are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
*Please read Tony Klein's excellent article:* *How I got Infected in the First Place* 
*Please read* *Understanding Spyware, Browser Hijackers, and Dialers* 
*Please read* *Simple and easy ways to keep your computer safe and secure on the Internet*
*If you are using Internet Explorer, please consider using an alternate browser:* *Mozilla's Firefox* or
*Opera*.
If you decide to use either FireFox or Opera, it is *very* important that you keep them up to date and check frequently for updates of the browser of your choice.
*Update all these programs regularly* Make sure you update all the programs I have listed regularly. Without regular updates you *WILL NOT* be protected when new malicious programs are released. 
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is *Time To Fight Back*.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Good luck!

Please reply one last time so that I know you have read my post.
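The six Internet zone settings in the "Make your Internet Explorer more secure" steps above can be audited from a script instead of clicked through one by one. This is an added example, not km2357's or Trend Micro's code; it assumes the standard numeric policy ids that IE stores under the Internet zone key (for example 1001 for "Download signed ActiveX controls") and the usual encoding 0 = Enable, 1 = Prompt, 3 = Disable. It only reports differences unless run with -Apply.

```powershell
# Added example (not from the thread): audit the Internet zone settings that
# the post above tells the reader to change, and report any that differ.
# Assumptions: the value names under Zones\3 are the standard IE zone-policy
# ids (e.g. 1001 = "Download signed ActiveX controls") and the data follows
# the usual encoding 0 = Enable, 1 = Prompt, 3 = Disable.
# Read-only by default; -Apply writes the recommended values.

param([switch]$Apply)

# Zone 3 is the Internet zone; the per-user settings live under HKCU.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values exactly as listed in the post, keyed by policy id.
$recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Value = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Value = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Value = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Value = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Value = 1 }
)

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$Id)
    $item = Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Id]) {
        return [int]$item.$Id
    }
    # Value absent: IE falls back to the zone's default template for that policy.
    return $null
}

$findings = @()
foreach ($setting in $recommended) {
    $current = Get-ZoneSetting -Id $setting.Id
    if ($current -eq $null) {
        $currentLabel = 'not set (zone default)'
    } elseif ($labels.ContainsKey($current)) {
        $currentLabel = $labels[$current]
    } else {
        $currentLabel = "unknown ($current)"
    }
    $ok = ($current -eq $setting.Value)
    $findings += New-Object PSObject -Property @{
        Setting     = $setting.Name
        Current     = $currentLabel
        Recommended = $labels[$setting.Value]
        Compliant   = $ok
    }
    # Only write when asked to, and only for settings that actually differ.
    if (-not $ok -and $Apply) {
        Set-ItemProperty -Path $zonePath -Name $setting.Id -Value $setting.Value -Type DWord
    }
}

$findings | Format-Table Setting, Current, Recommended, Compliant -AutoSize
```

Save it as a .ps1 and run it as the user whose browser you are checking, since these values are per user; close Internet Explorer before using -Apply so it does not overwrite the change on exit.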


----------



## Evawegner (Jan 10, 2009)

Thank you so much! The computer seems to behave well and all the scans are coming back clean! I hope all good things come your way in return for your kindness and help. I wish I could return the favour!

I have a few final questions, if I may:
1. The NirCmd appears to be sitting in the HKEY_LOCAL_MACHINE/SOFTWARE/swearware. Is that a legitimate program because the word swearware is worrying me a little. Will it hurt to remove it, if it is used by a legit program?

2. Should I uninstall HijackThis, CCleaner and Malwarebytes from my computer?

3. If CCleaner is to stay, should I run it periodically?

4. I have the Spyware Doc, but you recommend the Spyware Blaster. Is that in addition to the Spyware Doctor or instead of it? I.e. any point having more than one? Would you recommend that I uninstall the Doctor and install the Blaster?

5. I had always heard good things about Pc-Cillin, that's why I changed to it from Norton. Is it a good idea to change again to something else that was recommended by the link in your last post, like Kaspersky or nod 32?

Thanks again! Have a great day
Eva


----------



## Evawegner (Jan 10, 2009)

Aaaa!
Spyware Doctor has just told me that I have an infection with 
Trojan-PWS.QQPass.XW!
Do I have another enormous problem, or will it just clean it?
I did turn off my AV to run a Kaspersky scan this evening.


----------



## km2357 (Aug 9, 2007)

> 1. The NirCmd appears to be sitting in the HKEY_LOCAL_MACHINE/SOFTWARE/swearware. Is that a legitimate program because the word swearware is worrying me a little. Will it hurt to remove it, if it is used by a legit program?


It's a legitimate part of a program we used, it'll be removed when we uninstall/remove that program. No need to worry about it. 



> 2. Should I uninstall HijackThis, CCleaner and Malwarebytes from my computer?


I would go ahead and keep all three installed. Keep HiJackThis in case you ever need to use it again here on this forum or another security-related forum. And I would scan your computer with MalwareBytes' at least once every 2 weeks. Be sure to update it before running a scan.



> 3. If CCleaner is to stay, should I run it periodically?


As with MalwareBytes', I'd run it every 2 weeks or so.



> 4. I have the Spyware Doc, but you recommend the Spyware Blaster. Is that in addition to the Spyware Doctor or instead of it? I.e. any point having more than one? Would you recommend that I uninstall the Doctor and install the Blaster?


It's in addition to Spyware Doctor. Spyware Blaster doesn't remove anything like Spyware Doc does. What it does do is block malicious cookies, websites, and ActiveX from infecting your computer. It's a good layer of protection for your computer. 



> 5. I had always heard good things about Pc-Cillin, that's why I changed to it from Norton. Is it a good idea to change again to something else that was recommended by the link in your last post, like Kaspersky or nod 32?


You can keep using PC-Cillin.



> Aaaa!
> Spyware Doctor has just told me that I have an infection with
> Trojan-PWS.QQPass.XW!
> Do I have another enormous problem, or will it just clean it?


It should clean it. Where did Spyware Doctor say the Trojan-PWS.QQPass.XW came from?


----------



## Evawegner (Jan 10, 2009)

It's in 
C\WINDOWS\SYSTEM32\kafmgr.exe

It took Spyware Doc two attempts before it no longer detected it on the third scan. Does this mean it's gone? 

Would it work and is it ever a good idea to restore the system to the time before the infection? 

How did I get it? I didn't browse the internet when Kaspersky was running and the AV was turned off. 

Do you think it stole any passwords etc? My "keystroke protection" kept crashing and I got about 30 notifications that Spyware Doc blocked the access to files, before I turned off the internet connection.

Thanks
Eva


----------



## km2357 (Aug 9, 2007)

Was the file *kafmgr.exe* or *kdfmgr.exe*?

If it is kdfmgr.exe, then it looks like it could be a false positive by Spyware Doctor.

See here for further details.

You should only use System Restore when absolutely needed, you may end up restoring old infections that were cleared up when you go back via a System Restore.

As to how you got it, it may have been on your computer and Spyware Doctor may not have recognized it until now. Did you recently update Spyware Doctor?

To be on the safe side, in case this isn't a false positive, I would go ahead and change all your online passwords from a clean computer.


----------



## Evawegner (Jan 10, 2009)

Thanks, 
it was kdfmgr.exe, you're right. Since I have Trend Micro and at the same time I had trouble with crashing "keyboard encryption", that probably explains things.

The Spyware Doctor updates itself automatically, so it probably did an update in the meantime. 

I now get a message on startup, which I can't close, which says "Application error: pctsTray.exe. The instruction at 0x129b371b reference memory at 0x0000000. The memory could not be read. Click OK to terminate the program." Clicking OK just reloads that error message.
Not sure what that is, but since I deleted the .exe file, perhaps it's the keyboard encryptor, which can no longer start up? 

Re changing passwords: I thought we cleaned the registry of all stored passwords when we last ran CCleaner? I had not stored any passwords since then. If so, then any Trojan should have nothing to steal. But just in case I'm wrong I'll do it.


----------



## Evawegner (Jan 10, 2009)

More info, as things are really getting crazy now.

Spyware Doc didn't "clean it up" after all. I was repeatedly getting the warning about this Trojan and a message that: "The keystroke encryption feature encountered an unknown error and was closed. Restart Internet Explorer to reload this feature." I've noticed that the little Keystroke encryption icon is no longer on the system tray.

I ran a file search on my laptop (which also has Trend Micro on it, but runs on Vista) and it found the same file in system applications with the following descriptors:
File description: Local ISSL R5 manager
Company: Bluegem security
File version: 5.1.8.7
Date Created: 16/02/2008
Size: 702KB
Last modified: 17 jan 2009
Folder: kdefense (C:\Users\Eva\AppData\LocalLow)

Since Bluegem is one of the associates of Trend Micro, I told Spyware Doc to remove it from the "permanent block" list in the hope that it is legitimate and things would then work well. Not so. This is when it all fell apart. I immediately got a notification that the Firewall is off (turned itself off) and when I went to the Pc-Cillin control panel, all the controls for the firewall disappeared altogether! (On the positive side, I no longer get the application error notifications on startup.) But the computer runs really really slow, applications crash or hang up. All this worries me a lot. I think one of two things happened. A legitimate file has been damaged by Spyware Doc and causes all these errors, or maybe a legitimate file has been infected by a trojan (seems more likely, given all the associated problems, firewall, errors, slow+++ etc). I have sent a log to Trend Micro tech support and asked them these questions. PS: All this was done with the computer off-line.

I know you said I shouldn't system restore, but we created a system restore point just after the clean up was finished and before the new "infection" popped up. Would it not be worth a try?

By the way, below is the reply I got from Trend Micro. I have not done any of that as yet. I am worried about turning off system restore, as they suggest, because I know that there is that one clean system restore point on there and I don't want to lose it.

What is your suggestion? Unless I am very much mistaken, I would prefer to try the system restore point first, and then see if it really was clean.

Reply from Trend Micro (I asked them if the file was legit, but they did not answer that question).

Thanks again!
Eva

Dear Eva,

This is Bruce from Trend Micro Consumer Support.

I have reviewed your case and I understand that you are having an issue with program
performance.

Keystroke Encryption (kdfmgr.exe)

Please follow the instructions to uninstall and reinstall the Personal Firewall.

Important: We recommend that you print out this document before proceeding as you will be
asked to restart your computer during the procedure.

1. Click Start > My Computer.

2. Double-click Local Disk (C:).

3. Go to the C:\Program Files\Trend Micro\Internet Security folder.

4. Double-click the TISSuprt.exe file. Its icon appears as a red and white lifesaver:

5. Click the [E] Uninstall tab.

6. Under Install and Uninstall, click 3. Uninstall Firewall.

7. Click Uninstall when the confirmation message appears.

8. Click Yes when it asks you to restart your computer.

Install the Personal Firewall:

1. Click Start > My Computer.

2. Double-click Local Disk (C:).

3. Go to the C:\Program Files\Trend Micro\Internet Security folder.

4. Double-click the TISSuprt.exe file. Its icon appears as a red and white lifesaver:

5. Click the [E] Uninstall tab.

6. Under Install and Uninstall, click 3. Install Firewall.

7. Click Install when the confirmation message appears.

8. Click Yes when it asks you to restart your computer.

9. Check if the error message still appears.

Then proceed to the instructions below.

A. EMPTY THE TEMPORARY INTERNET FILES FOLDER AND THE COOKIES FOLDER

To do that, open the Internet Explorer by clicking on:

START > ALL PROGRAMS > INTERNET EXPLORER

Once the Internet Explorer window is open click on TOOLS on the menu bar and then click on
INTERNET OPTIONS. 
When you are already on the Internet Options window, on the Internet Options, go the GENERAL
tab, click on the DELETE FILES button, put a CHECKMARK on the box next to "Delete all
offline content" and then click on OK. Now, click on the DELETE COOKIES button click on
OK. Then close the Internet Options.

B. EMPTY THE RESTORE FOLDER (Not applicable for Windows 98 and 2000)

With regard to your concern, the virus is saved on what is called the "SYSTEM
RESTORE" folder of Windows. This is a feature of Windows where it back-ups all the
files on your computer including viruses. The only way to delete the virus on the system
restore folder is to purge it.

To do that, please follow the steps below:

On your DESKTOP, RIGHT-CLICK on the MY COMPUTER icon and choose PROPERTIES. Go to the SYSTEM
RESTORE tab, PUT A CHECKMARK on the box that says "TURN-OFF RESTORE". Click APPLY,
then CLOSE and then RESTART your computer. That should delete the virus from the System
Restore folder.

NOTE: It is advisable that you should disable or turn-off the system restore feature of
Windows so that it won't make back-ups on viruses. And it only slows down your computer.
If it is disabled / turned-off, your computer will run much faster.

C. RUN THE WINDOWS DISK CLEAN-UP

To run Disk Cleanup, follow these steps:

1. Choose Start --> All Programs --> Accessories --> System Tools --> Disk
Cleanup.

* If you have multiple hard drives on your system, you're asked to choose which hard
drive to analyze. The Select Drive dialog box appears. Go to Step 2.
* If you have only one hard drive, Disk Cleanup begins running. Eventually, a dialog box
appears that asks you to select the drive you want to clean up. Go to Step 3.

2. Choose a hard drive and click OK.
The Disk Cleanup tool starts looking through the contents of the hard drive you
selected, calculating how much space it can reclaim. After a time - the exact amount of time
depends on how much data is on your hard drive - you see a dialog box from which you can
pick what you want to clean.

3. Scroll through the Files to Delete list, highlighting items to find out more about them
(cursory explanations appear in the Description area) and selecting the check box of each
item you want to delete.
Pay attention to the disk space at the right side of the dialog box (under the
Files to Delete list) - it tells you how much of your disk drive each item occupies.
I suggest that you select them all anyway; they are all TEMPORARY files, meaning they
are all JUNK files.

4. When you're satisfied with your choices, click OK.
5. Disk Cleanup asks if you want to proceed; you must click Yes to continue.
When you do, the deletions commence. Depending on what you asked Disk Cleanup to
do, the actual cleanup can take a few minutes to complete.

D. Using the Trend Micro System Cleaner
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-125991&id=EN-125991

If the issue persists, please provide us a log for analysis.

How to generate Trend Micro HiJackThis logs for malware analysis
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1037994&id=EN-1037994

Have a great day!

Bruce Lim
Consumer Support Team
Trendlabs HQ, Trend Micro Incorporated


----------



## km2357 (Aug 9, 2007)

It sounds like when you removed/quarantined/deleted the kdfmgr.exe file it caused the Trend Micro "keyboard encryption" and the firewall itself to mess up.



> I now get a message on startup, which I can't close, which says "Application error: pctsTray.exe. The instruction at 0x129b371b reference memory at 0x0000000. The memory could not be read. Click OK to terminate the program." Clicking OK just reloads that error message.
> Not sure what that is, but since I deleted the .exe file, perhaps it's the keyboard encryptor, which can no longer start up?


This file is the startup tray for Spyware Doctor. See here. It should be ok now, since you said you no longer get that error on startup.



> Re changing passwords: I thought we cleaned the registry of all stored passwords when we last ran CCleaner? I had not stored any passwords since then. If so, then any Trojan should have nothing to steal. But just in case I'm wrong i'll do it.


CCleaner doesn't clean the registry unless you tell it to and my instructions didn't tell you to clean the registry. Since the file was a False Positive to begin with, your passwords should be ok.



> I know you said I shouldn't system restore, but we created a system restore point just after the clean up was finished and before the new "infection" popped up. Would it not be worth a try?


Let's go ahead and try it. Restore your computer using that restore point and let me know how your computer is doing once that is completed and post a fresh HiJackThis Log as well.

If you're still having the same problems after the system restore, we can try Trend Micro's suggestion.


----------



## Evawegner (Jan 10, 2009)

I assumed that all the passwords were deleted, because when I ran the CCleaner and checked to clean all entries in the System and Advanced section, as per the instructions in post #10, I had a warning message that "all stored passwords will be deleted" or something to that effect. This didn't worry me at the time, because I always click "no" when Windows asks if it should remember passwords for the websites I visit.

System restored to Friday 16 Jan, to the point created as per the instructions in post #19. It said successfully restored and then everything hung up. The system tray did not "populate", no keys responded at all, so I had to hard reboot by pressing the computer on-off button.

Subsequently: 
* no error messages (so far), 
* Pc-Cillin still takes a very long time to load, still not loaded after approx 7-8 min; when finally loaded the firewall is still off (message says it turned off and I need to restart the computer to load it) and the firewall controls are not there (disappeared from the selection menu in the control panel of PC-Cillin)
* Spyware Doc starts a quick scan on startup (even though I told it not to before) and then hangs up and cannot be turned off
* the keyboard encryption icon is still not present on the system tray
* programs still hang up and keys take several minutes to respond
* finally, the whole thing just hung up

Had to hard reboot a number of times, just to get the HijackThis to work.

So, things still very unwell. Is it time to throw it out of the window and buy a Mac? 

*Hijack this log:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:02 PM, on 18/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 12467 bytes


----------



## km2357 (Aug 9, 2007)

Your latest HJT log looks good. I would like for you to run MalwareBytes' again to see if anything came back when you restored, but that can wait till we fix the problems with Spyware Doctor and Trend Micro.

1. Uninstall and reinstall Spyware Doctor.

2. Follow Trend Micro's instructions for uninstalling and reinstalling their firewall. Ignore the part about removing/turning off System Restore. You want to keep that on, so you have something to fall back to.

Let me know how everything goes.


----------



## Evawegner (Jan 10, 2009)

Is there a better program than spyware doctor which I could install instead? I don't like the way it crashed things etc.


----------



## Evawegner (Jan 10, 2009)

Trying to reinstall the firewall as we speak. I won't turn off the system restore, but should I follow the rest of the instructions from Trend Micro and delete the temporary files, run the disk cleaner and then run the Trend Micro system cleaner? (instructions A, C and D from them)

I will do the MalwareBytes scan as soon as the firewall is sorted. Like everything else on that computer lately, it's taking many many minutes to do this.


----------



## Evawegner (Jan 10, 2009)

Reinstallation of the firewall did not work. First of all, things kept crashing during the procedure and I had to hard reboot the computer. When it finally completed the job, the firewall was "operational" for about 2 minutes, before I got a message that it had again turned itself off and the firewall controls disappeared. All this happened while the spyware doctor was not yet reinstalled (didn't want to go online until the firewall issue was sorted) so I can't blame that.

Actually, I can't even go online as I am not able to open the network connections to turn the internet connection back on. 

I am really concerned that this trojan warning was not a false positive result. When I managed to get to the windows task manager, the CPU is running at 100% while I'm not doing anything on the computer. The processes taking all the CPU capacity are "system" and "system idle process", fluctuating, but at approx 50% each.

As I am not able to connect to the internet at present, I'll try to run the Malwarebytes scan without an update.


----------



## Evawegner (Jan 10, 2009)

Ok, so in normal start up mode the computer is currently unusable. No programs work, clicking icons on desktop or the start button produces no results at all and I am not even able to turn the damn thing off. Nothing happens when I click on the turn off or restart buttons. I need to shutdown by pressing the computer on-off button and I have done so repeatedly this evening. I hope this doesn't damage the motherboard or the CPU.

Finally, I have booted up in safe mode with networking and was able to update Malwarebytes. I did a full scan and the results are attached. In the meantime I had also cleaned up the temp files from the internet explorer, as I figured it won't hurt, but it also didn't help. Sorry for all these updates, but each time I was hoping to just attach the MalwareBytes log, when the issues kept arising.

*Malwarebytes log (in safe mode)*
Malwarebytes' Anti-Malware 1.33
Database version: 1666
Windows 5.1.2600 Service Pack 3
20/01/2009 12:01:50 AM
mbam-log-2009-01-20 (00-01-50).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 223148
Time elapsed: 57 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## km2357 (Aug 9, 2007)

With all the crashes happening and the computer being unusable in Normal Mode, I think the best option would be to just reformat your computer and reinstall Windows, start fresh so to speak.

I'll ask some of my fellow malware-fighters to see if they have any other ideas.

Be back ASAP.


----------



## Evawegner (Jan 10, 2009)

What about trying to follow the instructions of Trend Micro and perhaps also trying to reinstall all of PC-Cillin?


----------



## km2357 (Aug 9, 2007)

You can try that, but you would have to do it in Safe Mode, since you said your computer is basically inoperable in Normal Mode.


----------



## Evawegner (Jan 10, 2009)

What is the reason for the CPU running at 100%? Because this is what is hanging up all the other processes. Could it be non-malware related?


----------



## km2357 (Aug 9, 2007)

Evawegner said:


> Is there a better program than spyware doctor which I could install instead? I don't like the way it crashed things etc.


Have you uninstalled Spyware Doctor? If not, please try and do so.

I've asked about the CPU running at 100%. I don't think it's malware-related as both your HJT and MalwareBytes' Log came back clean.

And the kdfmgr.exe file is a false positive by Spyware Doctor.

From http://uk.trendmicro.com/imperia/md/content/uk/products/readme/tispro_readme.txt

7.14 Transaction Protector 1.0
=====================================================================

a. If you have enabled the Keystroke Encryption (*kdfmgr.exe*)
feature, opening Internet Explorer might make the Windows
User Access Control system ask for your credentials again.
Neglecting to provide your credentials in this case will
trigger an error message.

Emphasis mine.


----------



## Evawegner (Jan 10, 2009)

I've been reading online, and the CPU doesn't actually run at 100%. I was not aware that the 50% "idle processes" actually means that it runs at 50% and 50% is idle (just to make it add up to 100%). 

When I opened the "system processes", the ones that were taking up some time were sprtsvc.exe and sprtcmd.exe, which are files from the Dell Support Center. People suggest removing that. Unfortunately, I can't remove it in safe mode (won't let me) and I can't open the Control Panel in normal mode. Is there any other way of removing the program?

I will try to re-download the keystroke encryption file and maybe reinstall it, if the old one is damaged. It can't get any worse!

Spyware doc has been removed previously. Today I did the system clean as suggested by Trend Micro. This was unrewarding, as CCleaner has previously taken care of most of that. I couldn't find the Trend Micro System Cleaner via the link provided or on their website.

I have tried again to system restore to Friday 16th and again this was not helpful.

Is it possible that changing some of the settings as you suggested in post #19 could have done this, rather than spyware doc?

I have now started to back up all my files in case I need to format the thing. This will probably take several days. Do you think reinstalling windows without actually formatting the drive would work? It will be such a mammoth job to format and then restore the computer! 

Is there anyone else around we could ask for ideas?


----------



## Evawegner (Jan 10, 2009)

An update: and look, I'm smiling! 
I have let the computer idle for about an hour without pressing any buttons and suddenly it came to life. I was able to run control panel and have uninstalled the Dell Support Centre and some other programs which were not used for many months, as well as some old games (nothing that has anything to do with the system).

I have also been able to access the PC Cillin main console and the internet, so I managed to remove and reinstall the Transaction Protector (which is the program running on that damaged kdfmgr.exe file).

The firewall is still not operational and Pc-cillin still misbehaves badly, so I contacted the support again asking what is the best way to uninstall and reinstall it safely. Hopefully I will have an answer within 24 hours. They asked for a HijackThis log, which I attach, FYI just in case.

If successful, perhaps that will be the end of my woes? 

I will NOT reinstall Spyware Doctor again. Can you suggest a safe alternative?

Thanks!
Eva

*HijackThis:*
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:38 AM, on 21/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 11317 bytes
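The comparison the helpers in this thread do by eye between successive HijackThis logs, written out as a small Python script. This is an added example, not code from the thread or from HijackThis: it parses the finding lines (`O2 - `, `O4 - `, `O23 - ` and so on), reports entries that appeared or disappeared between two logs, and lists O23 services whose vendor HijackThis reported as "Unknown owner". The only format assumption is the line layout visible in the logs above; the two sample logs are constructed from lines copied out of the logs posted in this thread and trimmed to a few entries each.

```python
"""Compare two HijackThis logs and flag entries worth a closer look.

Added example, not part of this thread or of HijackThis itself. The only
assumption about the format is what the posted logs show: every finding
starts with a type code such as "O4 - " or "O23 - ", while the header,
the "Running processes:" paths and the "End of file" line do not.
"""
import re

# Type code at the start of a HijackThis finding: "O4 - ...", "R1 - ...".
ENTRY_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")

# Constructed sample: lines copied from the first HijackThis log in the
# thread (Spyware Doctor and Dell Support Center still installed).
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
--
End of file - 12467 bytes
"""

# Constructed sample: lines copied from the later logs in the thread (the
# Transaction Protector O2/O3 entries from the 6:47 PM log, the rest from
# the 12:49 AM log), combined here into one short "after" log.
NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
--
End of file - 11317 bytes
"""


def parse_hjt(text):
    """Return {entry_type: set(entry_body)} for a HijackThis log.

    Lines without a leading type code (header, process list, "--",
    "End of file") are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def diff_hjt(old_text, new_text):
    """Findings present only in the newer log, and only in the older one."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    added, removed = [], []
    for kind in sorted(set(old) | set(new)):
        for body in sorted(new.get(kind, set()) - old.get(kind, set())):
            added.append(f"{kind} - {body}")
        for body in sorted(old.get(kind, set()) - new.get(kind, set())):
            removed.append(f"{kind} - {body}")
    return added, removed


def unknown_owner_services(text):
    """O23 services whose vendor HijackThis could not identify."""
    return sorted(
        body for body in parse_hjt(text).get("O23", set())
        if " - Unknown owner - " in body
    )


def report(old_text, new_text):
    """Plain-text summary of what changed between two logs."""
    added, removed = diff_hjt(old_text, new_text)
    lines = ["New since the previous log:"] + [f"  + {e}" for e in added]
    lines += ["Gone since the previous log:"] + [f"  - {e}" for e in removed]
    lines += ["Services with no identified vendor in the new log:"]
    lines += [f"  ? {e}" for e in unknown_owner_services(new_text)] or ["  (none)"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OLD_LOG, NEW_LOG))
```

On the two samples the report shows the Transaction Protector BHO and toolbar as new, and the dscactivate Run entry plus the three Dell/PC Tools services as gone, which matches what the thread describes being uninstalled and reinstalled.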


----------



## km2357 (Aug 9, 2007)

Good to hear that your computer came back to life. :up:

How is it running in Normal Mode now? Good? Or is it still slow/have long load times?

Uninstalling and reinstalling Pc-cillin should help fix it, if not then I can give you some options for a Anti-Virus and Firewall (both free) to replace it.

As for Spyware Doctor's replacement, MalwareBytes' Anti-Malware is a good choice for a scanner. It's very fast and being constantly updated, often 2-3 times a day. The version you have doesn't have a real-time protection component to it. If you want that real-time protection and automatic updates (you have to manually update with the free version), you just pay a one-time fee and purchase the program.

Or you can keep MalwareBytes' as just a malware scanner/removal tool and download WinPatrol (free, it has a Plus version which you have to pay for) and use that as real-time protection:

As a robust security monitor, *WinPatrol* will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You can download it from this website:
WinPatrol
The developer is a well-known man in the MalWare Removal business. If you really like WinPatrol think about upgrading to the PLUS version. It will give you additional features and you will only have to pay once, for your whole malware-free life.


----------



## Evawegner (Jan 10, 2009)

Thanks, I think WinPatrol sounds like a good one. I will look into it.



> How is it running in Normal Mode now? Good? Or is it still slow/have long load times?


All of the stuff which I described in the previous post was done in Normal Mode! After the computer was left alone to "idle" for about an hour. Whatever processes were taking up all that CPU time had run their course and then I was able to work as normal.

I now have the instructions from Trend Micro to reinstall the Pc-Cillin and I will be working on that tonight.

At present I just booted up the computer in normal mode. It is still very slow but I'd let it idle and it took only about 15 minutes this time to finally wake up. So removing the Dell Support may have helped. I will now work on taking off the Pc-Cillin. Here's hoping that it fixes the slowness! I'll keep you updated.


----------



## km2357 (Aug 9, 2007)

OK, let me know how it goes with PC-Cillin. 

Another possible cause of slowness is a low amount of RAM. How much RAM do you have installed on/in your computer?


----------



## Evawegner (Jan 10, 2009)

I do hope you're not finding the new installments of my saga annoying. 


> Another possible cause of slowness is a low amount of RAM. How much RAM do you have installed on/in your computer?

3.20GHz CPU, 2GB RAM

By the way, have we finished with the malware cleanup? Was there much more to do, before we were rudely interrupted by the computer going belly up? I have restored it several times to the Friday 16th (the point created in post #19) but I have not been back to change the internet explorer settings back.

I'm almost convinced that the extreme slowness of the computer is due to the malfunctioning Pc-Cillin, because as soon as I uninstalled it, things became lightning fast! Faster than EVER!

The reinstallation did not work. I still get the firewall turning itself off and the firewall controls disappearing. But the speed is not too bad and the Keystroke protection now works. I have emailed Trend Micro back for further help.

If it becomes a problem which cannot be solved, then I will take you up on the offer of antivirus and firewall options. I don't mind if it is free or whether I have to pay, as long as it's the best thing recommended.


----------



## Evawegner (Jan 10, 2009)

I've just run a HijackThis for Trend Micro support. For the first time, there was an error that the system denied access to the Hosts file. (See attached JPEG). Does this mean anything?

Attached is the *HijackThis log:*
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:36 PM, on 21/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 11706 bytes


----------



## Evawegner (Jan 10, 2009)

Sorry, here's the JPEG


----------



## km2357 (Aug 9, 2007)

> I do hope you're not finding the new installments of my saga annoying.


Not finding them annoying at all.



> By the way, have we finished with the malware cleanup? Was there much more to do, before we were rudely interrupted by the computer going belly up? I have restored it several times to the Friday 16th (the point created in post #19) but I have not been back to change the internet explorer settings back.


When I posted Post #19, we were done with the malware cleanup. Since you restored the computer to then, you can go ahead and do the instructions listed after *Make your Internet Explorer more secure* in Post #19.



> I'm almost convinced that the extreme slowness of the computer is due to the malfunctioning Pc-Cillin, because as soon as I uninstalled it, things became lightning fast! Faster than EVER!
> 
> The reinstallation did not work. I still get the firewall turning itself off and the firewall controls disappearing. But the speed is not too bad and the Keystroke protection now works. I have emailed Trend Micro back for further help.
> 
> If it becomes a problem which cannot be solved, then I will take you up on the offer of antivirus and firewall options. I don't mind if it is free or whether i have to pay, as long as it's the best thing recommended.


Good to hear that you've figured out what was most likely causing the slowdown. If Trend Micro's further instructions on it are no help, here are some Anti-Virus programs and Firewalls to choose from.

Be sure to fully uninstall Trend Micro's AV and Firewall before installing any of the ones below.

AV:

1) *Antivir PersonalEdition Classic*
2) *avast! 4 Home Edition*

Download and install only one!

Firewall:


*Jetico Personal Firewall* 
*Soft perfect* 
*Sunbelt Kerio Firewall*

Please download and install only one!

Once the firewall is installed, check to see that the Windows Firewall is disabled. To do so follow these steps:

1. Click *Start*, click *Run*, type *Firewall.cpl*, and then click *OK*.
2. On the *General* tab, check to see if *Off (not recommended)* is checkmarked/ticked; if it is not, then checkmark/tick the box and click *OK*.



> I've just run HijackThis for Trend Micro support. For the first time, there was an error that the system denied access to the Hosts file. (See attached JPEG). Does this mean anything?


Did you recently change/add anything to your Hosts file? Before the computer went belly up, did you do the following (from Post #19):

- *Use the hosts file:* Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the *mvps hosts file*. Make sure you read the instructions on how to install the hosts file. There is a good tutorial *HERE*. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

1. Click the Start button on the task bar at the bottom of your screen.
2. Click Run.
3. In the dialog box, type services.msc.
4. Hit Enter, then locate DNS Client.
5. Highlight it, then double-click it.
6. In the dropdown box, change the setting from Automatic to Manual.
7. Click OK.

If not, go ahead and do that now.


----------



## km2357 (Aug 9, 2007)

Evawegner? How are things coming along?


----------



## Evawegner (Jan 10, 2009)

Sorry km2357,
I had to detach myself from the computer for a couple of days, because of other things beyond my control. I am now back at the keyboard, trying to work it all out. 

Update:
1. Firewall: PC-Cillin firewall still not working, despite multiple uninstalls and re-installs. Trend Micro support asked me to uninstall Malwarebytes, just in case, which I did. I can always reinstall it later. 
It appears that there is something "blocking" the Firewall from within the system and making it crash all the time, but they seem to have trouble figuring it out. It is always a different person responding to my emails, so I have to repeat myself a lot. Sigh....

The Windows firewall is not disabled, but PC-Cillin is supposed to turn that off by itself during installation, as it did in the past. It doesn't do that at present. 

2. Hosts access denied: The strange message from HijackThis does not appear when PC-Cillin is deactivated, so perhaps that was the problem. Strangely, this error message only appeared after PC-Cillin was reinstalled, never before (i.e. it appears since the partially unsuccessful reinstall of PC-Cillin). Could this mean anything sinister? 

To answer your question of whether I had changed anything in the hosts file - no, I hadn't gotten around to doing it. I will try now. 

3. I have again followed your instructions from post #19 re internet security.

4. Alternative AV and Firewall: I'm a bit worried about installing more antimalware before PC-Cillin is sorted out. Whatever is making the current firewall malfunction, may affect the new software, and adding more variables to the equation may just confuse everything and everyone. 

Do you have any other suggestions/ideas? 
Is there anything else that I need to do/steps to follow regarding the clean up of the trojan?

Thanks again. I'm off to play with the hosts file now.
Cheers,
Eva


----------



## km2357 (Aug 9, 2007)

> 2. Hosts access denied: The strange message from HijackThis does not appear when PC-Cillin is deactivated, so perhaps that was the problem. Strangely, this error message only appeared after PC-Cillin was reinstalled, never before (i.e. it appears since the partially unsuccessful reinstall of PC-Cillin). Could this mean anything sinister?


No, it doesn't appear to be anything sinister. It sounds like the unsuccessful reinstallation of PC-Cillin caused the hosts file to mess up.



> 4. Alternative AV and Firewall: I'm a bit worried about installing more antimalware before PC-Cillin is sorted out. Whatever is making the current firewall malfunction, may affect the new software, and adding more variables to the equation may just confuse everything and everyone.
> 
> Do you have any other suggestions/ideas?
> Is there anything else that I need to do/steps to follow regarding the clean up of the trojan?


I don't think there is any trojan/more trojans on your computer. I can have you run one more program to look deep into your computer to see if anything malicious may be hiding.

What I think has happened was when Spyware Doctor quarantined the kdfmgr.exe file, that caused Trend Micro to break and uninstalling/reinstalling it has not fixed it.

If Trend Micro doesn't come up with any solution(s) within the next few days, I would go ahead and replace Trend Micro with one of the AVs and Firewalls I linked to you earlier. Download the setup files of the AV and Firewall you want to use, then disconnect from the Internet. Uninstall Trend Micro and then install the new AV and Firewall. Finally, reconnect to the Internet to download updates for the new AV and Firewall.

Step # 1 *Download and Run RSIT*


Download *random's system information tool (RSIT)* by *random/random* from *here* and save it to your desktop.
Double click on *RSIT.exe* to run *RSIT*.
Click *Continue* at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both *log.txt* (<<will be maximized) and *info.txt* (<<will be minimized)


----------



## Evawegner (Jan 10, 2009)

Happy Australia Day! 

Ok, so I had a flash of brilliance last night: I upgraded to and installed the new PC-Cillin 2009 (I used to have 2008). I had a free offer to do this from Trend Micro some months ago and just never got around to doing it. The new version must be using new files which have overwritten the old corrupted ones. Everything works! And the computer is now very fast. Most happy!

Regardless, just in case, I have run RSIT and the logs are attached in the following posts.

Just so that I understand correctly, I should have all of the following programs on the computer at the same time and they won't conflict(?):
1. Antivirus (PCCillin or other)
2. Firewall (PCCillin or other)
3. Antimalware (WinPatrol or MalwareBytes) AND
4. SpywareBlaster
All of these should be activated at the same time?

I have now downloaded and installed the mvps HOSTS file. The browser is now a little slower but not significantly. (I did change the DNS client properties to manual.) 
I would like to add the IP addresses of my commonly accessed websites, to speed things up a little. 
1. How do I find the IP address of a website, for example www.smh.com.au? 
2. And when I find it, do I write it in the hosts file before or after the list of the blocked adware?
3. Should I update the adware lists periodically to the hosts file? I guess there must be a new version of the mvps file every now and then. When I download this new version, I would have to re-write all my "shortcut" addresses again, like to the smh.com.au, right?

Thanks again!

Eva
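The two hosts-file topics raised in this thread, the "access denied to Hosts file" / tampering worry answered above and the questions in this post about where custom entries go and how to keep them across an mvps update, can both be worked through with a small script. The following is an added example, not code from the thread, the mvps project or Trend Micro. It assumes a convention of its own: the user's shortcut entries are fenced between two marker comments (`CUSTOM_BEGIN`/`CUSTOM_END`, invented here) so they can be found and carried over when a fresh blocklist is dropped in. The sample file contents are constructed, using documentation (TEST-NET) addresses and `.example`/`.test` names; it does not look up any real IP address.

```python
"""Audit a Windows hosts file and carry custom entries across a blocklist
update. Added example: file contents below are constructed and the custom
fence markers are this script's own convention, not the mvps file's."""
import ipaddress
from dataclasses import dataclass, field

CUSTOM_BEGIN = "# === custom entries (kept on update) ==="
CUSTOM_END = "# === end custom entries ==="


@dataclass
class HostEntry:
    lineno: int
    ip: str
    names: list = field(default_factory=list)
    kind: str = "malformed"   # "local", "block", "redirect" or "malformed"
    custom: bool = False      # True when the line sits inside the custom fence


def classify(ip: str) -> str:
    """0.0.0.0 and loopback only ever block a name or keep it local; any
    other address sends the name to a real host, which is the pattern to
    review when a hosts file may have been tampered with."""
    addr = ipaddress.ip_address(ip)      # raises ValueError for a non-address
    if addr.is_unspecified:
        return "block"
    if addr.is_loopback:
        return "local"
    return "redirect"


def parse_hosts(text: str):
    entries, in_custom = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped == CUSTOM_BEGIN:
            in_custom = True
            continue
        if stripped == CUSTOM_END:
            in_custom = False
            continue
        active = raw.split("#", 1)[0].split()   # drop trailing comments
        if not active:
            continue
        entry = HostEntry(lineno, active[0], active[1:], custom=in_custom)
        if len(active) >= 2:
            try:
                entry.kind = classify(active[0])
            except ValueError:
                pass                             # kind stays "malformed"
        entries.append(entry)
    return entries


def audit_hosts(text: str):
    """Entries outside the custom fence that send a name to a routable
    address, or that do not parse: the lines worth checking by hand."""
    return [e for e in parse_hosts(text)
            if not e.custom and e.kind in ("redirect", "malformed")]


def extract_custom(text: str):
    """Raw lines between the custom markers (empty if the fence is absent)."""
    lines = text.splitlines()
    stripped = [line.strip() for line in lines]
    if CUSTOM_BEGIN not in stripped or CUSTOM_END not in stripped:
        return []
    return lines[stripped.index(CUSTOM_BEGIN) + 1:stripped.index(CUSTOM_END)]


def merge_custom(new_blocklist: str, custom_lines) -> str:
    """Put the custom fence right after the localhost line of a freshly
    downloaded blocklist, so the user's shortcuts survive the update."""
    lines = new_blocklist.splitlines()
    insert_at = len(lines)
    for i, raw in enumerate(lines):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 2 and "localhost" in tokens[1:]:
            insert_at = i + 1
            break
    fence = [CUSTOM_BEGIN, *custom_lines, CUSTOM_END]
    return "\n".join(lines[:insert_at] + fence + lines[insert_at:]) + "\n"


# Constructed sample: a hosts file already carrying a blocklist, one user
# shortcut (a TEST-NET-1 address) and one suspicious redirect.
OLD_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
# === custom entries (kept on update) ===
192.0.2.10      news.example.com        # user's own shortcut
# === end custom entries ===
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
203.0.113.7 updates.security-vendor.test   # a name sent to a routable host
"""

# Constructed stand-in for a newly downloaded blocklist (no custom fence).
NEW_BLOCKLIST = """\
# constructed stand-in for a fresh blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
0.0.0.0 newly-listed.example.net
"""

if __name__ == "__main__":
    for e in audit_hosts(OLD_HOSTS):
        print(f"line {e.lineno}: {e.ip} -> {' '.join(e.names)} [{e.kind}]")
    print(merge_custom(NEW_BLOCKLIST, extract_custom(OLD_HOSTS)))
```

Run against the constructed sample, the audit reports only line 8 (the name mapped to a routable address outside the fence); the user's own shortcut is inside the fence and is not flagged. `merge_custom` then rebuilds a fresh blocklist with that fence placed straight after the `localhost` line, which is the placement this example settles on for the "before or after the list" question. Whether the user's shortcuts should come before or after the blocklist does not matter to Windows; keeping them in one fenced place matters because it makes the next update a mechanical merge instead of a retype.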


----------



## Evawegner (Jan 10, 2009)

*INFO.TXT*

info.txt logfile of random's system information tool 1.05 2009-01-26 13:08:54
======Uninstall list======
-->"C:\Program Files\Creative\Sound Blaster Live! 24-bit\Program\Ctzapxx.EXE" /X /U /S 
-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{329899E1-CBBA-49BC-9FFE-199E94316727}\setup.exe" -l0x9 -removeonly
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Elements-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements\Uninst.dll"
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe SVG Viewer-->C:\WINDOWS\IsUninst.exe -f"C:\WINDOWS\System32\Adobe\SVG Viewer\Uninst.isu"
ANNO 1503-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBBB1DEF-8878-4CB8-BC0D-1196B30E7527}\Setup.exe" 
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Big Fish Games Client-->C:\Program Files\bfgclient\Uninstall.exe
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Canon MP Navigator 2.2-->"C:\Program Files\Canon\MP Navigator 2.2\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 2.2\uninst.ini
Canon MP830-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{0D25F7CC-B99C-44ee-9945-B14532B2BB7B}\DelDrv.exe" /U:{0D25F7CC-B99C-44ee-9945-B14532B2BB7B} /L0x0009
Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
CCleaner (remove only)-->"C:\Documents and Settings\Eva & Michelangelo\Desktop\CCleaner\uninst.exe"
CD-LabelPrint-->"C:\Program Files\Canon\CD-LabelPrint\Uninstal.exe" Canon.CDLabelPrint.Application
Classic PhoneTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\setup.exe" -l0x9 ControlPanel
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Cossacks - European Wars-->C:\WINDOWS\uncsetup.exe
Creative MediaSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove
Dell Media Experience-->MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
D-Link DSL-302G USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCEC3BD-FFCA-4146-8587-17650B86165B}\Setup.exe" 
Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
ebgcInfra-->MsiExec.exe /X{39B1BD87-561E-4762-AED9-7C5213B06C24}
ebgcRes-->MsiExec.exe /X{D968C4E0-022A-461D-A69E-19A4E7A55000}
ebgcSDK-->MsiExec.exe /X{13AD768A-9E04-499D-AE80-967A65DCCBA5}
ESPNMotion-->C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
GemMaster Mystic-->"C:\Program Files\GemMaster\uninstallgemmaster.exe"
GlobFX Player 1.0.9-->"C:\Program Files\GlobFX Technologies\Player 1.0\Uninstall.exe"
GlobFX Web Player-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\inf\gbxplaya.inf,DefaultUninstall
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel Matrix Storage Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Intel(R) PROSet for Wired Connections-->MsiExec.exe /I{4CEA6811-DFAD-4892-828D-49941FE3B779}
iPodRip-->MsiExec.exe /I{B1B3A995-2FA8-46F1-9C3F-B3913CD0C3D4}
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Jewel Quest 2-->C:\Program Files\Jewel Quest 2\UnInstall_23840.exe
Jewel Quest-->"C:\Program Files\Jewel Quest\ReflexiveArcade\unins000.exe"
Jewel Quest-->C:\PROGRA~1\GAMEHO~1\JEWELQ~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\JEWELQ~1\INSTALL.LOG
Mandelbrott Fractal ScreenSaver v 1.0-->"C:\Program Files\Mandelbrott Fractal ScreenSaver\unins000.exe"
MCU-->MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator 2004 A Century of Flight-->"C:\Program Files\Microsoft Games\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MobileMe Control Panel-->MsiExec.exe /I{924EB80F-C2BB-4B9F-8412-88BBA937393F}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Music Works Personal-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Middle Earth Software Systems\Music Works Personal\Uninst.isu"
NetChiro-->C:\Documents and Settings\Eva & Michelangelo\My Documents\X-files\Elite Chiropractic\Network Logic\dcms\uninst.exe
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Nokia Connectivity Cable Driver-->MsiExec.exe /X{0FF1922C-B6C4-40BB-AF30-BEF75A482444}
Nokia PC Suite-->MsiExec.exe /I{1B58C9D2-1925-413F-B29A-C4E7596C43F5}
NoteWorthy Composer-->C:\PROGRA~1\NOTEWO~1\Uninstal.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
OptusNet DSL-->C:\Program Files\OptusNet DSL Internet\Uninstall.exe
Paint Shop Pro 6 Digital Camera Support-->C:\PROGRA~1\PAINTS~1\CAMUnwise.exe C:\PROGRA~1\PAINTS~1\CamSupp.log
Paint Shop Pro 6.0 (CD-ROM)-->C:\PROGRA~1\PAINTS~1\Unwise.exe C:\PROGRA~1\PAINTS~1\INSTALL.LOG
PC Connectivity Solution-->MsiExec.exe /I{D8E4A66D-DB68-481F-ABA8-AC622566D4CB}
PowerDVD 5.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Presto! PageManager 7.15.14-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}\PMSetup.exe" -l0x9 anything -removeonly
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
ScanSoft OmniPage SE 4.0-->MsiExec.exe /I{C1E693A4-B1D5-4DCD-B68D-2087835B7184}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
SimCity 4 Deluxe-->C:\Program Files\Maxis\SimCity 4 Deluxe\EAUninstall.exe
Skype 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic Advanced Decoder-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{46C73DE4-E96D-4F7C-8371-F28052183B12}\setup.exe" -l0x9 
Sonic Audio module-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic MyDVD LE-->MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sound Blaster Live! 24-bit-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB481CC-F57C-4397-81A0-DADD22257047}\setup.exe" -l0x9 
The Great Art Race-->"C:\Program Files\Ascaron Entertainment\The Great Art Race\unins000.exe"
Trend Micro Internet Security Pro-->C:\Program Files\Trend Micro\Internet Security\remove.exe
Trend Micro Internet Security Pro-->MsiExec.exe /X{40E12A55-C504-4223-AFAC-7672DBF1ACDE}
Update for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB926251)-->"C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VideoLAN VLC media player 0.8.6i-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player (Remove Only)-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe -u
WebCyberCoach 3.2 Dell-->"C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]-->C:\WINDOWS\$NtUninstallEmeraldQFE2$\spuninst\spuninst.exe
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246-->"C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766-->"C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XviD 1.1 final uninstall-->"C:\Program Files\XviD\unins000.exe"
======Security center information======
AV: (disabled)
AV: Trend Micro Internet Security Pro
FW: (disabled)
FW: Trend Micro Personal Firewall
System event log
Computer Name: SOCRATES
Event Code: 7035
Message: The Fast User Switching Compatibility service was successfully sent a start control.
Record Number: 216648
Source Name: Service Control Manager
Time Written: 20090118004616.000000+660
Event Type: information
User: NT AUTHORITY\SYSTEM
Computer Name: SOCRATES
Event Code: 7036
Message: The Terminal Services service entered the running state.
Record Number: 216647
Source Name: Service Control Manager
Time Written: 20090118004616.000000+660
Event Type: information
User: 
Computer Name: SOCRATES
Event Code: 26
Message: Application popup: Application Error: pctsTray.exe - Application Error : The instruction at "0x129b371b" referenced memory at "0x00000000". The memory could not be "read".
Click on OK to terminate the program
Record Number: 216646
Source Name: Application Popup
Time Written: 20090118004548.000000+660
Event Type: information
User: 
Computer Name: SOCRATES
Event Code: 26
Message: Application popup: Application Error: pctsTray.exe - Application Error : The instruction at "0x129b371b" referenced memory at "0x00000000". The memory could not be "read".
Click on OK to terminate the program
Record Number: 216645
Source Name: Application Popup
Time Written: 20090118004548.000000+660
Event Type: information
User: 
Computer Name: SOCRATES
Event Code: 26
Message: Application popup: Application Error: pctsTray.exe - Application Error : The instruction at "0x129b371b" referenced memory at "0x00000000". The memory could not be "read".
Click on OK to terminate the program
Record Number: 216644
Source Name: Application Popup
Time Written: 20090118004547.000000+660
Event Type: information
User: 
Application event log
Computer Name: SOCRATES
Event Code: 1800
Message: The Windows Security Center Service has started.
Record Number: 7015
Source Name: SecurityCenter
Time Written: 20080518164134.000000+600
Event Type: information
User: 
Computer Name: SOCRATES
Event Code: 0
Message: 
Record Number: 7014
Source Name: SfCtlCom
Time Written: 20080518164128.000000+600
Event Type: information
User: 
Computer Name: SOCRATES
Event Code: 105
Message: The service was started.
Record Number: 7013
Source Name: WMDM PMSP Service
Time Written: 20080518164126.000000+600
Event Type: information
User: 
Computer Name: SOCRATES
Event Code: 1
Message: 
Record Number: 7012
Source Name: sprtsvc_dellsupportcenter
Time Written: 20080518164124.000000+600
Event Type: information
User: 
Computer Name: SOCRATES
Event Code: 105
Message: The service was started.
Record Number: 7011
Source Name: Creative Service for CDROM Access
Time Written: 20080518164119.000000+600
Event Type: information
User: 
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0404
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
-----------------EOF-----------------


----------



## Evawegner (Jan 10, 2009)

*LOG.TXT part 1*
Logfile of random's system information tool 1.05 (written by random/random)
Run by Eva & Michelangelo at 2009-01-26 13:08:37
Microsoft Windows XP Professional Service Pack 3
System drive C: has 717 GB (75%) free of 954 GB
Total RAM: 2046 MB (71% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:44 PM, on 26/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OE.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Documents and Settings\Eva & Michelangelo\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Eva & Michelangelo.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optuszoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 12823 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43C6D902-A1C5-45c9-91F6-FD9E90337E18}]
TSToolbarBHO - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll [2008-08-13 140624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 118844]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}]
EWPBrowseObject Class - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-06-09 34304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-18 320920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2006-11-17 2133056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-14 737776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-18 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-18 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2006-11-17 2133056]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2006-06-09 552960]
{CCAC5586-44D7-4c43-B64A-F042461A97D2} - Trend Micro Toolbar - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll [2008-08-13 140624]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-07-09 7110656]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-06-17 139264]
"CTSysVol"=C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe [2003-09-17 57344]
"P17Helper"=Rundll32 P17.dll []
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-02-23 53248]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2006-01-19 26112]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-01-27 86016]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]
"Desktop Service Centre"=C:\Program Files\OptusNet DSL Internet\DSC.exe [2004-09-06 2125956]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [2005-07-12 1117184]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-05-31 122941]
"Line Speed Meter"=C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize []
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2006-11-08 222208]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-09-28 185896]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-10-11 75304]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe /P DellSupportCenter []
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-11-07 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-18 136600]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"UfSeAgnt.exe"=C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2009-01-26 970808]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-20 68856]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe /P DellSupportCenter []
"OE"=C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [2009-01-26 497008]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-08-11 241704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Trend Micro\Internet Security\TmProxy.exe"="C:\Program Files\Trend Micro\Internet Security\TmProxy.exe:*:Enabled:TmProxy"
"C:\WINDOWS\system32\MsPMSPSv.exe"="C:\WINDOWS\system32\MsPMSPSv.exe:*:Enabled:MsPMSPSv"
"C:\Program Files\iPod\bin\iPodService.exe"="C:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService"
"C:\Program Files\Java\jre6\bin\jqs.exe"="C:\Program Files\Java\jre6\bin\jqs.exe:*:Enabled:jqs"
"C:\WINDOWS\ehome\ehrecvr.exe"="C:\WINDOWS\ehome\ehrecvr.exe:*:Enabled:ehRecvr"
"C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe"="C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe:*:Enabled:iaantmon"
"C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"="C:\Program Files\PC Connectivity Solution\ServiceLayer.exe:*:Enabled:ServiceLayer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1270944f-87ca-11db-8eda-000f3da421f6}]
shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e431afc-91a8-11dd-91e0-0013720cfff6}]
shell\AutoRun\command - J:\LaunchU3.exe -a


----------



## Evawegner (Jan 10, 2009)

*LOG.TXT part 2*

======List of files/folders created in the last 2 months======
2009-01-26 13:08:37 ----D---- C:\rsit
2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\kdfvmgr.exe
2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\Kdfhok.dll
2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\kdfapi.dll
2009-01-26 00:46:20 ----D---- C:\WINDOWS\kdefense
2009-01-26 00:46:20 ----A---- C:\WINDOWS\system32\kdfmgr.exe
2009-01-26 00:46:20 ----A---- C:\WINDOWS\system32\kdfinj.dll
2009-01-26 00:25:34 ----RA---- C:\WINDOWS\system32\exitwx.exe
2009-01-25 22:44:28 ----D---- C:\WINDOWS\LocalSSL
2009-01-20 22:35:41 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\PC Tools
2009-01-20 22:35:41 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-01-20 22:35:27 ----D---- C:\Program Files\Ascaron Entertainment
2009-01-20 22:35:16 ----D---- C:\Program Files\Mandelbrott Fractal ScreenSaver
2009-01-20 22:35:15 ----D---- C:\Program Files\Jewel Quest
2009-01-19 22:27:40 ----A---- C:\WINDOWS\ntbtlog.txt
2009-01-19 21:49:43 ----SHD---- C:\Config.Msi
2009-01-15 19:43:46 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-15 19:39:58 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-14 21:22:51 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-01-14 21:22:50 ----D---- C:\Program Files\NOS
2009-01-13 22:36:32 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\Malwarebytes
2009-01-13 22:36:25 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-13 22:28:06 ----SHD---- C:\RECYCLER
2009-01-13 19:12:28 ----D---- C:\WINDOWS\system32\appmgmt
2009-01-12 21:38:04 ----A---- C:\ComboFix.txt
2009-01-12 21:32:35 ----D---- C:\WINDOWS\temp
2009-01-12 18:53:38 ----A---- C:\Boot.bak
2009-01-12 18:53:36 ----RASHD---- C:\cmdcons
2009-01-12 18:51:35 ----D---- C:\WINDOWS\ERDNT
2009-01-10 18:54:24 ----A---- C:\VundoFix.txt
2009-01-10 10:59:14 ----SHD---- C:\WINDOWS\CSC
2009-01-10 00:17:40 ----D---- C:\Program Files\Spyware Doctor
2009-01-09 16:51:25 ----A---- C:\WINDOWS\DCEBoot.exe
2008-12-18 18:26:23 ----A---- C:\WINDOWS\system32\deploytk.dll
======List of files/folders modified in the last 2 months======
2009-01-26 13:08:39 ----D---- C:\WINDOWS\Prefetch
2009-01-26 13:00:50 ----D---- C:\WINDOWS\system32\drivers
2009-01-26 13:00:50 ----D---- C:\WINDOWS\system32
2009-01-26 13:00:31 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-01-26 13:00:29 ----D---- C:\WINDOWS
2009-01-26 12:58:43 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-26 12:58:41 ----D---- C:\WINDOWS\Registration
2009-01-26 03:40:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-26 00:50:55 ----D---- C:\Documents and Settings\All Users\Application Data\Trend Micro
2009-01-26 00:27:55 ----HD---- C:\WINDOWS\inf
2009-01-26 00:27:49 ----D---- C:\Program Files\Trend Micro
2009-01-26 00:26:15 ----SHD---- C:\WINDOWS\Installer
2009-01-21 19:17:52 ----RD---- C:\Program Files
2009-01-21 00:39:00 ----A---- C:\WINDOWS\win.ini
2009-01-21 00:37:47 ----A---- C:\WINDOWS\SIERRA.INI
2009-01-21 00:37:02 ----SD---- C:\Documents and Settings\Eva & Michelangelo\Application Data\Microsoft
2009-01-21 00:35:50 ----D---- C:\Program Files\Yahoo! Games
2009-01-21 00:35:43 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-21 00:22:21 ----D---- C:\Documents and Settings\All Users\Application Data\GTek
2009-01-21 00:18:49 ----D---- C:\Documents and Settings\All Users\Application Data\SupportSoft
2009-01-21 00:18:47 ----D---- C:\Program Files\Dell Support Center
2009-01-21 00:18:47 ----D---- C:\Program Files\Common Files
2009-01-20 23:30:03 ----D---- C:\Program Files\Paint Shop Pro 6
2009-01-20 23:23:58 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-20 22:52:27 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-20 22:36:44 ----D---- C:\WINDOWS\system32\config
2009-01-20 22:36:23 ----D---- C:\WINDOWS\system32\wbem
2009-01-20 22:30:21 ----D---- C:\Program Files\Microsoft Games
2009-01-18 20:19:25 ----D---- C:\WINDOWS\system32\Restore
2009-01-16 09:37:59 ----SHD---- C:\System Volume Information
2009-01-15 19:43:49 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-01-15 19:43:29 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-15 19:40:02 ----D---- C:\WINDOWS\Debug
2009-01-15 19:34:10 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-15 01:42:35 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-01-15 01:42:03 ----D---- C:\Program Files\Common Files\Adobe
2009-01-15 01:41:45 ----D---- C:\Program Files\Adobe
2009-01-14 21:17:17 ----D---- C:\WINDOWS\Downloaded Installations
2009-01-13 22:28:06 ----D---- C:\WINDOWS\Minidump
2009-01-13 22:02:00 ----D---- C:\WINDOWS\WinSxS
2009-01-13 22:00:46 ----D---- C:\Program Files\Yahoo!
2009-01-13 21:57:30 ----D---- C:\Program Files\Java
2009-01-12 21:34:31 ----N---- C:\WINDOWS\system.ini
2009-01-12 21:31:54 ----D---- C:\WINDOWS\AppPatch
2009-01-12 19:07:52 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\Skype
2009-01-12 18:53:38 ----RASH---- C:\boot.ini
2009-01-12 18:04:02 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\skypePM
2009-01-10 09:23:12 ----D---- C:\Program Files\DIGStream
2009-01-10 00:48:32 ----ASH---- C:\WINDOWS\system32\yagehusi.dll
2009-01-10 00:48:32 ----ASH---- C:\WINDOWS\system32\nodivivo.dll
2009-01-10 00:18:56 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-08 00:50:14 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\U3
2009-01-07 21:50:07 ----ASH---- C:\WINDOWS\system32\kesezila.dll
2009-01-07 21:50:06 ----ASH---- C:\WINDOWS\system32\rubepusa.dll
2009-01-04 16:22:07 ----ASH---- C:\WINDOWS\system32\boyifada.dll
2009-01-04 16:22:06 ----ASH---- C:\WINDOWS\system32\ruteteku.dll
2009-01-04 04:21:59 ----ASH---- C:\WINDOWS\system32\sipasone.dll
2009-01-04 04:21:59 ----ASH---- C:\WINDOWS\system32\jiditate.dll
2009-01-04 04:21:59 ----ASH---- C:\WINDOWS\system32\deresebo.dll
2009-01-03 16:21:37 ----ASH---- C:\WINDOWS\system32\rihinonu.dll
2009-01-03 16:21:36 ----ASH---- C:\WINDOWS\system32\yalisume.dll
2009-01-03 16:21:36 ----ASH---- C:\WINDOWS\system32\winufame.dll
2009-01-03 04:21:30 ----ASH---- C:\WINDOWS\system32\tomujanu.dll
2009-01-03 04:21:30 ----ASH---- C:\WINDOWS\system32\lakayepo.dll
2009-01-03 04:21:30 ----ASH---- C:\WINDOWS\system32\doriwofa.dll
2009-01-02 16:21:25 ----ASH---- C:\WINDOWS\system32\punajita.dll
2009-01-02 16:21:25 ----ASH---- C:\WINDOWS\system32\mewofawi.dll
2009-01-02 04:21:21 ----ASH---- C:\WINDOWS\system32\yeyikufa.dll
2009-01-02 04:21:21 ----ASH---- C:\WINDOWS\system32\sakadadu.dll
2009-01-01 16:21:16 ----ASH---- C:\WINDOWS\system32\wawilibe.dll
2009-01-01 16:21:16 ----ASH---- C:\WINDOWS\system32\hesonumi.dll
2009-01-01 04:21:13 ----ASH---- C:\WINDOWS\system32\zojogaho.dll
2009-01-01 04:21:13 ----ASH---- C:\WINDOWS\system32\fakugupu.dll
2008-12-31 16:21:08 ----ASH---- C:\WINDOWS\system32\hikemavi.dll
2008-12-18 18:26:14 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-18 18:26:14 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-18 18:26:14 ----A---- C:\WINDOWS\system32\java.exe
2008-12-13 17:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-11 00:33:43 ----D---- C:\Program Files\Internet Explorer
2008-12-03 22:03:18 ----D---- C:\WINDOWS\Help
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-13 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-13 23545]
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2009-01-26 80400]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-01-19 8552]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2008-11-27 36368]
R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2008-11-27 205328]
R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2008-11-27 1195384]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-18 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-18 212224]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 neokdss;neokdss; C:\WINDOWS\system32\Drivers\neokdss.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-07-09 3198304]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P17;Sound Blaster Live! 24-bit; C:\WINDOWS\system32\drivers\P17.sys [2004-06-09 840960]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2009-01-26 334352]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-18 680704]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-08-25 176128]
S3 glauiad;D-Link DSL-302G Modem; C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 29603]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-10-10 9216]
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-10-10 12800]
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-10-10 138240]
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-10-10 12800]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-14 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-14 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-14 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-14 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-14 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-14 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-14 42240]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-13 44032]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 IAANTMon;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-06-17 86140]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-18 152984]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-07-09 127043]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service; C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-01-26 707128]
R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2009-01-26 337160]
R2 TmPfw;Trend Micro Personal Firewall; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [2009-01-26 492888]
R2 TmProxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2009-01-26 677128]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2000-06-26 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2006-11-06 210432]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------
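As an added illustration (my code, not part of Evawegner's post and not a feature of RSIT), the following Python script parses lines in the RSIT "files modified" format and flags the pattern visible in the listing above: hidden+system (`ASH`) DLLs with random eight-lowercase-letter names dropped into system32, typically in pairs at the same timestamp. The sample lines are constructed in that format, and the eight-letter-name rule is a heuristic assumption of mine, not something the thread states.

```python
"""Flag Vundo-style DLLs in an RSIT file listing: hidden+system files in
system32 whose names are eight random lowercase letters (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the RSIT "List of files/folders modified" format.
# Three lines mirror the pattern from the log; the rest are ordinary files.
SAMPLE_RSIT = """\
2009-01-10 00:48:32 ----ASH---- C:\\WINDOWS\\system32\\yagehusi.dll
2009-01-10 00:48:32 ----ASH---- C:\\WINDOWS\\system32\\nodivivo.dll
2009-01-10 00:18:56 ----A---- C:\\WINDOWS\\system32\\PerfStringBackup.INI
2009-01-07 21:50:07 ----ASH---- C:\\WINDOWS\\system32\\kesezila.dll
2008-12-18 18:26:14 ----A---- C:\\WINDOWS\\system32\\javaws.exe
2009-01-26 00:46:21 ----A---- C:\\WINDOWS\\system32\\Kdfhok.dll
2009-01-12 18:53:38 ----RASH---- C:\\boot.ini
"""

# date, time, attribute letters between the dashes, full path
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) -+([A-Z]*)-+ (.+)$")
# Heuristic (assumption): eight lowercase letters plus .dll, as in the log.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
SYSTEM32 = "c:\\windows\\system32"


@dataclass
class Entry:
    date: str
    time: str
    attrs: str  # RSIT attribute letters, e.g. "ASH" = archive, system, hidden
    path: str


def parse_rsit(text: str) -> List[Entry]:
    """Parse every line that matches the RSIT entry format; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def is_vundo_like(e: Entry) -> bool:
    """System+hidden DLL with a random 8-letter name directly in system32."""
    directory, _, name = e.path.rpartition("\\")
    return (
        directory.lower() == SYSTEM32
        and "S" in e.attrs
        and "H" in e.attrs
        and RANDOM_DLL_RE.match(name) is not None
    )


def triage(text: str) -> List[str]:
    """Return suspect paths, oldest first, so the earliest drop is visible."""
    suspects = [e for e in parse_rsit(text) if is_vundo_like(e)]
    suspects.sort(key=lambda e: (e.date, e.time))
    return [e.path for e in suspects]


if __name__ == "__main__":
    for path in triage(SAMPLE_RSIT):
        print(path)
```

Sorting by timestamp makes the first drop stand out; in the real listing that is the 2008-12-31 entry, which is a better starting point for asking what else changed on the machine that day than the most recent file.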


----------



## km2357 (Aug 9, 2007)

Nice work on getting the computer back up to speed again.  :up:



> Just so that I understand correctly, I should have all of the following programs on the computer at the same time and they won't conflict(?):
> 1. Antivirus (PCCillin or other)
> 2. Firewall (PCCillin or other)
> 3. Antimalware (WinPatrol or MalwareBytes) AND
> ...


Yes, all should be activated at the same time. Regarding #3, you should have both MalwareBytes and WinPatrol: MalwareBytes as your anti-malware/spyware scanner and WinPatrol for its real-time protection against malware and hijacks.

As for SpywareBlaster, all you need to do is have it installed, make sure that you check for updates regularly (once every 2 weeks or so), and make sure that you have clicked the *Enable Protection* line, so that you're protected.



> I would like to add the IP addresses of my commonly accessed websites, to speed things up a little.
> 1. How do I find the IP address of a website, for example www.smh.com.au?
> 2. And when I find it, do I write it in the hosts file before or after the list of the blocked adware?
> 3. Should I update the adware lists periodically to the hosts file? I guess there must be a new version of the mvps file every now and then. When I download this new version, I would have to re-write all my "shortcut" addresses again, like to the smh.com.au, right?


1. A good site for this is ARIN. Sometimes it takes a while for the page to load; keep trying till you get it. You should see a box that says lookup or whois on the right side of the page. Enter the web address into the box and click search (I believe that's correct, don't have the page in front of me, not loading at the moment) and you'll get the page with the info you need.

2. Not sure. I would write it before the list of blocked adware, so the hosts file doesn't think those websites need to be blocked.

3. Yes, you should definitely update mvps periodically. You always want to have the latest protection on hand. As for re-writing the shortcut addresses again, not sure about that. But in case you do, it would be best to save them in a separate document. That way it's a quick copy and paste job into the hosts file.

We need to take care of/move some files that showed up in the RSIT Log:

Step # 1 *Download and Run OTMoveIt3*

Please *download* *OTMoveIt3 by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt3.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
*Copy the lines in the codebox below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:files
C:\WINDOWS\system32\yagehusi.dll
C:\WINDOWS\system32\nodivivo.dll
C:\WINDOWS\system32\kesezila.dll
C:\WINDOWS\system32\rubepusa.dll
C:\WINDOWS\system32\boyifada.dll
C:\WINDOWS\system32\ruteteku.dll
C:\WINDOWS\system32\sipasone.dll
C:\WINDOWS\system32\jiditate.dll
C:\WINDOWS\system32\deresebo.dll
C:\WINDOWS\system32\rihinonu.dll
C:\WINDOWS\system32\yalisume.dll
C:\WINDOWS\system32\winufame.dll
C:\WINDOWS\system32\tomujanu.dll
C:\WINDOWS\system32\lakayepo.dll
C:\WINDOWS\system32\doriwofa.dll
C:\WINDOWS\system32\punajita.dll
C:\WINDOWS\system32\mewofawi.dll
C:\WINDOWS\system32\yeyikufa.dll
C:\WINDOWS\system32\sakadadu.dll
C:\WINDOWS\system32\wawilibe.dll
C:\WINDOWS\system32\hesonumi.dll
C:\WINDOWS\system32\zojogaho.dll
C:\WINDOWS\system32\fakugupu.dll
C:\WINDOWS\system32\hikemavi.dll
```

Return to OTMoveIt3, right click in the *"Paste List of Files/Folders to Move"* window (under the light blue bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTMoveIt3*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter `*.log` and press the Enter key, navigate to the *C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

I'd also like you to redownload and rerun MalwareBytes' for me as well. Be sure to update it before doing the Quick Scan.

And I'd also like you to re-run RSIT as well. Only one log should show up this time.

In summary, I need to see the following in your next post:

1. OTMoveIT3 Log
2. MalwareBytes' Log
3. RSIT Log
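On questions 2 and 3 about the hosts file, here is an added example (my code, not km2357's and not part of the MVPS project): keep the shortcut entries in a separate file, as suggested, and rebuild the hosts file from that file plus the freshly downloaded blocklist. Custom entries go first, and any blocklist line that maps a hostname already present in the custom file is dropped and reported, so a shortcut can never be silently turned into a block and the lookup order no longer matters. Hostnames and addresses in the samples are constructed placeholders (RFC 5737 documentation ranges); `lookup` mimics first-match resolution and is an assumption for illustration.

```python
"""Merge a personal hosts block with a downloaded MVPS-style blocklist
(added example; file contents below are constructed samples)."""
from typing import List, Optional, Tuple

# The user's own entries, kept in a separate file so they survive updates.
CUSTOM_HOSTS = """\
# my shortcuts (constructed example, RFC 5737 documentation addresses)
127.0.0.1       localhost
203.0.113.10    www.example-news.test
198.51.100.7    mail.example-news.test   # webmail
"""

# Stand-in for the downloaded blocklist (MVPS uses the 0.0.0.0 form).
BLOCKLIST_HOSTS = """\
# MVPS-style blocklist (constructed sample)
127.0.0.1  localhost
0.0.0.0  ads.example-tracker.test
0.0.0.0  clicks.example-tracker.test
0.0.0.0  www.example-news.test    # would override the shortcut above
"""


def parse_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Yield (ip, hostname, raw_line) for every active mapping in a hosts file."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not body:
            continue
        parts = body.split()
        for name in parts[1:]:  # one line may list several hostnames
            entries.append((parts[0], name.lower(), raw))
    return entries


def merge_hosts(custom: str, blocklist: str) -> Tuple[str, List[str]]:
    """Custom entries first, blocklist after; blocklist lines whose hostname
    the custom file already maps are dropped. Returns (merged, dropped)."""
    custom_names = {name for _, name, _ in parse_hosts(custom)}
    dropped: List[str] = []
    kept: List[str] = []
    for raw in blocklist.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)  # keep the blocklist's own comments
            continue
        names = [n.lower() for n in body.split()[1:]]
        clashes = [n for n in names if n in custom_names]
        if clashes:
            dropped.extend(clashes)
            continue
        kept.append(raw)
    merged = (
        "# === personal entries (edit the custom file, not this section) ===\n"
        + custom.rstrip("\n") + "\n\n"
        + "# === blocklist (replace this whole section on every update) ===\n"
        + "\n".join(kept) + "\n"
    )
    return merged, dropped


def lookup(hosts_text: str, hostname: str) -> Optional[str]:
    """First-match resolution of a hostname against hosts text (assumption)."""
    for ip, name, _ in parse_hosts(hosts_text):
        if name == hostname.lower():
            return ip
    return None


if __name__ == "__main__":
    merged_text, dropped_names = merge_hosts(CUSTOM_HOSTS, BLOCKLIST_HOSTS)
    print(merged_text)
    print("dropped from blocklist:", dropped_names)
```

When you save the result as `C:\WINDOWS\system32\drivers\etc\hosts`, write it with Windows line endings (for example `open(path, "w", newline="\r\n")`) so Notepad on XP displays it correctly, and keep a copy of the previous hosts file until you have confirmed the shortcuts still resolve.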


----------



## Evawegner (Jan 10, 2009)

I attach all the logs as requested. Would you mind briefly telling me what all those files were and what was the purpose of "moving" them? I've noticed that they didn't actually move anywhere.

The RSIT scan was done for the files in the last 2 months. Should I have done it for 3 months?

Cheers,
Eva

*OTMoveIt3 log:*
Error: Unable to interpret <C:\WINDOWS\system32\yagehusi.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\nodivivo.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\kesezila.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\rubepusa.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\boyifada.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\ruteteku.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\sipasone.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\jiditate.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\deresebo.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\rihinonu.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\yalisume.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\winufame.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\tomujanu.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\lakayepo.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\doriwofa.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\punajita.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\mewofawi.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\yeyikufa.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\sakadadu.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\wawilibe.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\hesonumi.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\zojogaho.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\fakugupu.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\hikemavi.dll> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01262009_213204

*MalwareBytes log:*
Malwarebytes' Anti-Malware 1.33
Database version: 1695
Windows 5.1.2600 Service Pack 3
26/01/2009 9:52:53 PM
mbam-log-2009-01-26 (21-52-53).txt
Scan type: Quick Scan
Objects scanned: 71570
Time elapsed: 15 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## Evawegner (Jan 10, 2009)

*RSIT log part 1:*
Logfile of random's system information tool 1.05 (written by random/random)
Run by Eva & Michelangelo at 2009-01-26 21:54:23
Microsoft Windows XP Professional Service Pack 3
System drive C: has 717 GB (75%) free of 954 GB
Total RAM: 2046 MB (65% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:36 PM, on 26/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\kdfmgr.exe
C:\Documents and Settings\Eva & Michelangelo\Desktop\RSIT.exe
C:\Documents and Settings\Eva & Michelangelo\Desktop\Eva & Michelangelo.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optuszoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 12849 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43C6D902-A1C5-45c9-91F6-FD9E90337E18}]
TSToolbarBHO - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll [2008-08-13 140624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 118844]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}]
EWPBrowseObject Class - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-06-09 34304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-18 320920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2006-11-17 2133056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-14 737776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-18 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-18 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2006-11-17 2133056]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2006-06-09 552960]
{CCAC5586-44D7-4c43-B64A-F042461A97D2} - Trend Micro Toolbar - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll [2008-08-13 140624]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-07-09 7110656]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-06-17 139264]
"CTSysVol"=C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe [2003-09-17 57344]
"P17Helper"=Rundll32 P17.dll []
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-02-23 53248]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2006-01-19 26112]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-01-27 86016]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]
"Desktop Service Centre"=C:\Program Files\OptusNet DSL Internet\DSC.exe [2004-09-06 2125956]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [2005-07-12 1117184]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-05-31 122941]
"Line Speed Meter"=C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize []
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2006-11-08 222208]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-09-28 185896]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-10-11 75304]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe /P DellSupportCenter []
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-11-07 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-18 136600]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"UfSeAgnt.exe"=C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2009-01-26 970808]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-01-14 399504]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-20 68856]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe /P DellSupportCenter []
"OE"=C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [2009-01-26 497008]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-08-11 241704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Trend Micro\Internet Security\TmProxy.exe"="C:\Program Files\Trend Micro\Internet Security\TmProxy.exe:*:Enabled:TmProxy"
"C:\WINDOWS\system32\MsPMSPSv.exe"="C:\WINDOWS\system32\MsPMSPSv.exe:*:Enabled:MsPMSPSv"
"C:\Program Files\iPod\bin\iPodService.exe"="C:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService"
"C:\Program Files\Java\jre6\bin\jqs.exe"="C:\Program Files\Java\jre6\bin\jqs.exe:*:Enabled:jqs"
"C:\WINDOWS\ehome\ehrecvr.exe"="C:\WINDOWS\ehome\ehrecvr.exe:*:Enabled:ehRecvr"
"C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe"="C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe:*:Enabled:iaantmon"
"C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"="C:\Program Files\PC Connectivity Solution\ServiceLayer.exe:*:Enabled:ServiceLayer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1270944f-87ca-11db-8eda-000f3da421f6}]
shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
shell\AutoRun\command - E:\setup.exe
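
The RSIT output above and the file listing in part 2 contain the two things a helper usually looks for first when Vundo is suspected: hidden+system DLLs with pseudo-random eight-letter names dropped directly into system32 (yagehusi.dll, nodivivo.dll, kesezila.dll and the rest), and AutoRun commands recorded under mountpoints2 for removable media. The script below is an added example, not part of the poster's log and not code from RSIT, HijackThis or Trend Micro: it parses lines in the RSIT format and flags both patterns. The eight-lowercase-letter naming rule and the hidden+system attribute check are assumed heuristics chosen to match the names seen in this thread; a hit is a lead for the helper to review, not proof of infection (deploytk.dll, a legitimate Java file with an eight-letter name, is included to show the attribute check filtering it out). The sample lines are a constructed subset copied from the log so the script runs offline.

```python
"""Triage helper for RSIT / HijackThis-style logs (added example, not RSIT code)."""
import re
from dataclasses import dataclass

# RSIT "files created/modified" line: "<timestamp> ----<attrs>---- <path>"
RSIT_FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ----(?P<attrs>[A-Z]*)---- (?P<path>.+)$"
)
# mountpoints2 AutoRun line exactly as RSIT prints it in its registry dump
AUTORUN_RE = re.compile(r"^shell\\AutoRun\\command - (?P<cmd>.+)$")
# Assumed heuristic for Vundo-style droppers: exactly eight lowercase letters
# plus ".dll", sitting directly in system32 (no sub-folder).
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # "random_hidden_dll" or "removable_autorun"
    detail: str    # timestamp + path, or the AutoRun command


def triage(lines):
    """Return findings for lines matching either heuristic, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RSIT_FILE_RE.match(line)
        if m:
            path, attrs = m.group("path"), m.group("attrs")
            name = path.rsplit("\\", 1)[-1]
            # Both the Hidden (H) and System (S) attribute letters must be present.
            hidden_system = {"H", "S"} <= set(attrs)
            if SYSTEM32_RE.match(path) and RANDOM_DLL_RE.match(name) and hidden_system:
                findings.append(Finding("random_hidden_dll", f"{m.group('ts')} {path}"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("removable_autorun", m.group("cmd")))
    return findings


# Constructed sample: lines copied from this thread's RSIT output, plus benign
# lines that must NOT trigger (deploytk.dll has eight letters but is not hidden/system).
SAMPLE_LINES = [
    r"shell\AutoRun\command - J:\LaunchU3.exe -a",
    r"shell\AutoRun\command - E:\setup.exe",
    r"2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\kdfapi.dll",
    r"2009-01-10 00:48:32 ----ASH---- C:\WINDOWS\system32\yagehusi.dll",
    r"2009-01-10 00:48:32 ----ASH---- C:\WINDOWS\system32\nodivivo.dll",
    r"2009-01-07 21:50:07 ----ASH---- C:\WINDOWS\system32\kesezila.dll",
    r"2008-12-18 18:26:23 ----A---- C:\WINDOWS\system32\deploytk.dll",
    r"2009-01-12 18:53:36 ----RASHD---- C:\cmdcons",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:18} {f.detail}")
```

Run it as `python triage.py`, or pass the whole saved RSIT log with `triage(open("log.txt").read().splitlines())`. Flagged DLLs should be checked against the timestamps of the other entries (here the pairs land at 04:21 and 16:21 on consecutive days, which is what a scheduled re-drop looks like) before anything is deleted, and the AutoRun hits simply record which removable drives have been inserted, so they are context rather than a verdict.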


----------



## Evawegner (Jan 10, 2009)

*RSIT log part 2:*

======List of files/folders created in the last 2 months======
2009-01-26 21:36:14 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-26 21:32:04 ----D---- C:\_OTMoveIt
2009-01-26 13:08:37 ----D---- C:\rsit
2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\kdfvmgr.exe
2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\Kdfhok.dll
2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\kdfapi.dll
2009-01-26 00:46:20 ----D---- C:\WINDOWS\kdefense
2009-01-26 00:46:20 ----A---- C:\WINDOWS\system32\kdfmgr.exe
2009-01-26 00:46:20 ----A---- C:\WINDOWS\system32\kdfinj.dll
2009-01-26 00:25:34 ----RA---- C:\WINDOWS\system32\exitwx.exe
2009-01-25 22:44:28 ----D---- C:\WINDOWS\LocalSSL
2009-01-20 22:35:41 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\PC Tools
2009-01-20 22:35:41 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-01-20 22:35:27 ----D---- C:\Program Files\Ascaron Entertainment
2009-01-20 22:35:16 ----D---- C:\Program Files\Mandelbrott Fractal ScreenSaver
2009-01-20 22:35:15 ----D---- C:\Program Files\Jewel Quest
2009-01-19 22:27:40 ----A---- C:\WINDOWS\ntbtlog.txt
2009-01-19 21:49:43 ----SHD---- C:\Config.Msi
2009-01-15 19:43:46 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-15 19:39:58 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-14 21:22:51 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-01-14 21:22:50 ----D---- C:\Program Files\NOS
2009-01-13 22:36:32 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\Malwarebytes
2009-01-13 22:36:25 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-13 22:28:06 ----SHD---- C:\RECYCLER
2009-01-13 19:12:28 ----D---- C:\WINDOWS\system32\appmgmt
2009-01-12 21:38:04 ----A---- C:\ComboFix.txt
2009-01-12 21:32:35 ----D---- C:\WINDOWS\temp
2009-01-12 18:53:38 ----A---- C:\Boot.bak
2009-01-12 18:53:36 ----RASHD---- C:\cmdcons
2009-01-12 18:51:35 ----D---- C:\WINDOWS\ERDNT
2009-01-10 18:54:24 ----A---- C:\VundoFix.txt
2009-01-10 10:59:14 ----SHD---- C:\WINDOWS\CSC
2009-01-10 00:17:40 ----D---- C:\Program Files\Spyware Doctor
2009-01-09 16:51:25 ----A---- C:\WINDOWS\DCEBoot.exe
2008-12-18 18:26:23 ----A---- C:\WINDOWS\system32\deploytk.dll
======List of files/folders modified in the last 2 months======
2009-01-26 21:36:18 ----D---- C:\WINDOWS\system32\drivers
2009-01-26 21:36:14 ----RD---- C:\Program Files
2009-01-26 21:27:29 ----D---- C:\WINDOWS\system32
2009-01-26 21:19:11 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-01-26 21:19:10 ----D---- C:\WINDOWS
2009-01-26 21:18:15 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-26 21:18:12 ----D---- C:\WINDOWS\Registration
2009-01-26 19:00:08 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-26 18:48:22 ----D---- C:\WINDOWS\Prefetch
2009-01-26 18:29:59 ----D---- C:\Program Files\Paint Shop Pro 6
2009-01-26 00:50:55 ----D---- C:\Documents and Settings\All Users\Application Data\Trend Micro
2009-01-26 00:27:55 ----HD---- C:\WINDOWS\inf
2009-01-26 00:27:49 ----D---- C:\Program Files\Trend Micro
2009-01-26 00:26:15 ----SHD---- C:\WINDOWS\Installer
2009-01-21 00:39:00 ----A---- C:\WINDOWS\win.ini
2009-01-21 00:37:47 ----A---- C:\WINDOWS\SIERRA.INI
2009-01-21 00:37:02 ----SD---- C:\Documents and Settings\Eva & Michelangelo\Application Data\Microsoft
2009-01-21 00:35:50 ----D---- C:\Program Files\Yahoo! Games
2009-01-21 00:35:43 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-21 00:22:21 ----D---- C:\Documents and Settings\All Users\Application Data\GTek
2009-01-21 00:18:49 ----D---- C:\Documents and Settings\All Users\Application Data\SupportSoft
2009-01-21 00:18:47 ----D---- C:\Program Files\Dell Support Center
2009-01-21 00:18:47 ----D---- C:\Program Files\Common Files
2009-01-20 23:23:58 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-20 22:52:27 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-20 22:36:44 ----D---- C:\WINDOWS\system32\config
2009-01-20 22:36:23 ----D---- C:\WINDOWS\system32\wbem
2009-01-20 22:30:21 ----D---- C:\Program Files\Microsoft Games
2009-01-18 20:19:25 ----D---- C:\WINDOWS\system32\Restore
2009-01-16 09:37:59 ----SHD---- C:\System Volume Information
2009-01-15 19:43:49 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-01-15 19:43:29 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-15 19:40:02 ----D---- C:\WINDOWS\Debug
2009-01-15 19:34:10 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-15 01:42:35 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-01-15 01:42:03 ----D---- C:\Program Files\Common Files\Adobe
2009-01-15 01:41:45 ----D---- C:\Program Files\Adobe
2009-01-14 21:17:17 ----D---- C:\WINDOWS\Downloaded Installations
2009-01-13 22:28:06 ----D---- C:\WINDOWS\Minidump
2009-01-13 22:02:00 ----D---- C:\WINDOWS\WinSxS
2009-01-13 22:00:46 ----D---- C:\Program Files\Yahoo!
2009-01-13 21:57:30 ----D---- C:\Program Files\Java
2009-01-12 21:34:31 ----N---- C:\WINDOWS\system.ini
2009-01-12 21:31:54 ----D---- C:\WINDOWS\AppPatch
2009-01-12 19:07:52 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\Skype
2009-01-12 18:53:38 ----RASH---- C:\boot.ini
2009-01-12 18:04:02 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\skypePM
2009-01-10 09:23:12 ----D---- C:\Program Files\DIGStream
2009-01-10 00:48:32 ----ASH---- C:\WINDOWS\system32\yagehusi.dll
2009-01-10 00:48:32 ----ASH---- C:\WINDOWS\system32\nodivivo.dll
2009-01-10 00:18:56 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-08 00:50:14 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\U3
2009-01-07 21:50:07 ----ASH---- C:\WINDOWS\system32\kesezila.dll
2009-01-07 21:50:06 ----ASH---- C:\WINDOWS\system32\rubepusa.dll
2009-01-04 16:22:07 ----ASH---- C:\WINDOWS\system32\boyifada.dll
2009-01-04 16:22:06 ----ASH---- C:\WINDOWS\system32\ruteteku.dll
2009-01-04 04:21:59 ----ASH---- C:\WINDOWS\system32\sipasone.dll
2009-01-04 04:21:59 ----ASH---- C:\WINDOWS\system32\jiditate.dll
2009-01-04 04:21:59 ----ASH---- C:\WINDOWS\system32\deresebo.dll
2009-01-03 16:21:37 ----ASH---- C:\WINDOWS\system32\rihinonu.dll
2009-01-03 16:21:36 ----ASH---- C:\WINDOWS\system32\yalisume.dll
2009-01-03 16:21:36 ----ASH---- C:\WINDOWS\system32\winufame.dll
2009-01-03 04:21:30 ----ASH---- C:\WINDOWS\system32\tomujanu.dll
2009-01-03 04:21:30 ----ASH---- C:\WINDOWS\system32\lakayepo.dll
2009-01-03 04:21:30 ----ASH---- C:\WINDOWS\system32\doriwofa.dll
2009-01-02 16:21:25 ----ASH---- C:\WINDOWS\system32\punajita.dll
2009-01-02 16:21:25 ----ASH---- C:\WINDOWS\system32\mewofawi.dll
2009-01-02 04:21:21 ----ASH---- C:\WINDOWS\system32\yeyikufa.dll
2009-01-02 04:21:21 ----ASH---- C:\WINDOWS\system32\sakadadu.dll
2009-01-01 16:21:16 ----ASH---- C:\WINDOWS\system32\wawilibe.dll
2009-01-01 16:21:16 ----ASH---- C:\WINDOWS\system32\hesonumi.dll
2009-01-01 04:21:13 ----ASH---- C:\WINDOWS\system32\zojogaho.dll
2009-01-01 04:21:13 ----ASH---- C:\WINDOWS\system32\fakugupu.dll
2008-12-31 16:21:08 ----ASH---- C:\WINDOWS\system32\hikemavi.dll
2008-12-18 18:26:14 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-18 18:26:14 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-18 18:26:14 ----A---- C:\WINDOWS\system32\java.exe
2008-12-13 17:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-11 00:33:43 ----D---- C:\Program Files\Internet Explorer
2008-12-03 22:03:18 ----D---- C:\WINDOWS\Help
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-13 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-13 23545]
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2009-01-26 80400]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-01-19 8552]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2008-11-27 36368]
R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2008-11-27 205328]
R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2008-11-27 1195384]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-08-25 176128]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-18 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-18 212224]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 neokdss;neokdss; C:\WINDOWS\system32\Drivers\neokdss.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-07-09 3198304]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P17;Sound Blaster Live! 24-bit; C:\WINDOWS\system32\drivers\P17.sys [2004-06-09 840960]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2009-01-26 334352]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-18 680704]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 glauiad;D-Link DSL-302G Modem; C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 29603]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-10-10 9216]
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-10-10 12800]
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-10-10 138240]
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-10-10 12800]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-14 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-14 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-14 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-14 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-14 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-14 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-14 42240]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-13 44032]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 IAANTMon;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-06-17 86140]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-18 152984]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-07-09 127043]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service; C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-01-26 707128]
R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2009-01-26 337160]
R2 TmPfw;Trend Micro Personal Firewall; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [2009-01-26 492888]
R2 TmProxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2009-01-26 677128]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2000-06-26 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2006-11-06 210432]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------


----------



## km2357 (Aug 9, 2007)

> I attach all the logs as requested. Would you mind briefly telling me what all those files were and what was the purpose of "moving" them? I've noticed that they didn't actually move anywhere.


They look like malicious leftovers from when we cleaned your computer. And "moving" them with OTMoveIT3 makes it easier to delete them off of your computer. 

When you copied what was in the Code box in step # 1 to paste into OTMoveIT3, did you include the *:files* line at the top of the box?


----------



## Evawegner (Jan 10, 2009)

No, I didn't. I'll redo it as soon as I get home this afternoon and I will post all three logs again.


----------



## Evawegner (Jan 10, 2009)

Sorry about that! 

Each of the files produced an error message which said something like this: "The application *.dll is not a valid image. Please check against installation diskette. ..." After I clicked OK on the error messages, the log below was produced.

========== FILES ==========
LoadLibrary failed for C:\WINDOWS\system32\yagehusi.dll
C:\WINDOWS\system32\yagehusi.dll NOT unregistered.
C:\WINDOWS\system32\yagehusi.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\nodivivo.dll
C:\WINDOWS\system32\nodivivo.dll NOT unregistered.
C:\WINDOWS\system32\nodivivo.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\kesezila.dll
C:\WINDOWS\system32\kesezila.dll NOT unregistered.
C:\WINDOWS\system32\kesezila.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\rubepusa.dll
C:\WINDOWS\system32\rubepusa.dll NOT unregistered.
C:\WINDOWS\system32\rubepusa.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\boyifada.dll
C:\WINDOWS\system32\boyifada.dll NOT unregistered.
C:\WINDOWS\system32\boyifada.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ruteteku.dll
C:\WINDOWS\system32\ruteteku.dll NOT unregistered.
C:\WINDOWS\system32\ruteteku.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\sipasone.dll
C:\WINDOWS\system32\sipasone.dll NOT unregistered.
C:\WINDOWS\system32\sipasone.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\jiditate.dll
C:\WINDOWS\system32\jiditate.dll NOT unregistered.
C:\WINDOWS\system32\jiditate.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\deresebo.dll
C:\WINDOWS\system32\deresebo.dll NOT unregistered.
C:\WINDOWS\system32\deresebo.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\rihinonu.dll
C:\WINDOWS\system32\rihinonu.dll NOT unregistered.
C:\WINDOWS\system32\rihinonu.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\yalisume.dll
C:\WINDOWS\system32\yalisume.dll NOT unregistered.
C:\WINDOWS\system32\yalisume.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\winufame.dll
C:\WINDOWS\system32\winufame.dll NOT unregistered.
C:\WINDOWS\system32\winufame.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\tomujanu.dll
C:\WINDOWS\system32\tomujanu.dll NOT unregistered.
C:\WINDOWS\system32\tomujanu.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\lakayepo.dll
C:\WINDOWS\system32\lakayepo.dll NOT unregistered.
C:\WINDOWS\system32\lakayepo.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\doriwofa.dll
C:\WINDOWS\system32\doriwofa.dll NOT unregistered.
C:\WINDOWS\system32\doriwofa.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\punajita.dll
C:\WINDOWS\system32\punajita.dll NOT unregistered.
C:\WINDOWS\system32\punajita.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\mewofawi.dll
C:\WINDOWS\system32\mewofawi.dll NOT unregistered.
C:\WINDOWS\system32\mewofawi.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\yeyikufa.dll
C:\WINDOWS\system32\yeyikufa.dll NOT unregistered.
C:\WINDOWS\system32\yeyikufa.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\sakadadu.dll
C:\WINDOWS\system32\sakadadu.dll NOT unregistered.
C:\WINDOWS\system32\sakadadu.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\wawilibe.dll
C:\WINDOWS\system32\wawilibe.dll NOT unregistered.
C:\WINDOWS\system32\wawilibe.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\hesonumi.dll
C:\WINDOWS\system32\hesonumi.dll NOT unregistered.
C:\WINDOWS\system32\hesonumi.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\zojogaho.dll
C:\WINDOWS\system32\zojogaho.dll NOT unregistered.
C:\WINDOWS\system32\zojogaho.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\fakugupu.dll
C:\WINDOWS\system32\fakugupu.dll NOT unregistered.
C:\WINDOWS\system32\fakugupu.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\hikemavi.dll
C:\WINDOWS\system32\hikemavi.dll NOT unregistered.
C:\WINDOWS\system32\hikemavi.dll moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01272009_180559


----------



## Evawegner (Jan 10, 2009)

*MalwareBytes log:*

Malwarebytes' Anti-Malware 1.33
Database version: 1698
Windows 5.1.2600 Service Pack 3
27/01/2009 6:29:16 PM
mbam-log-2009-01-27 (18-29-16).txt
Scan type: Quick Scan
Objects scanned: 72514
Time elapsed: 14 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## Evawegner (Jan 10, 2009)

*RSIT log part 1:*

Logfile of random's system information tool 1.05 (written by random/random)
Run by Eva & Michelangelo at 2009-01-27 18:31:20
Microsoft Windows XP Professional Service Pack 3
System drive C: has 717 GB (75%) free of 954 GB
Total RAM: 2046 MB (62% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:31 PM, on 27/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OE.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Eva & Michelangelo\Desktop\RSIT.exe
C:\Documents and Settings\Eva & Michelangelo\Desktop\Eva & Michelangelo.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optuszoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 12890 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43C6D902-A1C5-45c9-91F6-FD9E90337E18}]
TSToolbarBHO - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll [2008-08-13 140624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 118844]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}]
EWPBrowseObject Class - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-06-09 34304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-18 320920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2006-11-17 2133056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-14 737776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-18 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-18 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2006-11-17 2133056]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2006-06-09 552960]
{CCAC5586-44D7-4c43-B64A-F042461A97D2} - Trend Micro Toolbar - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll [2008-08-13 140624]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-07-09 7110656]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-06-17 139264]
"CTSysVol"=C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe [2003-09-17 57344]
"P17Helper"=Rundll32 P17.dll []
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-02-23 53248]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2006-01-19 26112]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-01-27 86016]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]
"Desktop Service Centre"=C:\Program Files\OptusNet DSL Internet\DSC.exe [2004-09-06 2125956]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [2005-07-12 1117184]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-05-31 122941]
"Line Speed Meter"=C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize []
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2006-11-08 222208]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-09-28 185896]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-10-11 75304]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe /P DellSupportCenter []
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-11-07 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-18 136600]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"UfSeAgnt.exe"=C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2009-01-26 970808]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-20 68856]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe /P DellSupportCenter []
"OE"=C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [2009-01-26 497008]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-08-11 241704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Trend Micro\Internet Security\TmProxy.exe"="C:\Program Files\Trend Micro\Internet Security\TmProxy.exe:*:Enabled:TmProxy"
"C:\WINDOWS\system32\MsPMSPSv.exe"="C:\WINDOWS\system32\MsPMSPSv.exe:*:Enabled:MsPMSPSv"
"C:\Program Files\iPod\bin\iPodService.exe"="C:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService"
"C:\Program Files\Java\jre6\bin\jqs.exe"="C:\Program Files\Java\jre6\bin\jqs.exe:*:Enabled:jqs"
"C:\WINDOWS\ehome\ehrecvr.exe"="C:\WINDOWS\ehome\ehrecvr.exe:*:Enabled:ehRecvr"
"C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe"="C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe:*:Enabled:iaantmon"
"C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"="C:\Program Files\PC Connectivity Solution\ServiceLayer.exe:*:Enabled:ServiceLayer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1270944f-87ca-11db-8eda-000f3da421f6}]
shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
shell\AutoRun\command - E:\setup.exe


----------



## Evawegner (Jan 10, 2009)

*RSIT log part 2:*

======List of files/folders created in the last 2 months======
2009-01-26 21:36:14 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-26 21:32:04 ----D---- C:\_OTMoveIt
2009-01-26 13:08:37 ----D---- C:\rsit
2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\kdfvmgr.exe
2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\Kdfhok.dll
2009-01-26 00:46:21 ----A---- C:\WINDOWS\system32\kdfapi.dll
2009-01-26 00:46:20 ----D---- C:\WINDOWS\kdefense
2009-01-26 00:46:20 ----A---- C:\WINDOWS\system32\kdfmgr.exe
2009-01-26 00:46:20 ----A---- C:\WINDOWS\system32\kdfinj.dll
2009-01-26 00:25:34 ----RA---- C:\WINDOWS\system32\exitwx.exe
2009-01-25 22:44:28 ----D---- C:\WINDOWS\LocalSSL
2009-01-20 22:35:41 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\PC Tools
2009-01-20 22:35:41 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-01-20 22:35:27 ----D---- C:\Program Files\Ascaron Entertainment
2009-01-20 22:35:16 ----D---- C:\Program Files\Mandelbrott Fractal ScreenSaver
2009-01-20 22:35:15 ----D---- C:\Program Files\Jewel Quest
2009-01-19 22:27:40 ----A---- C:\WINDOWS\ntbtlog.txt
2009-01-19 21:49:43 ----SHD---- C:\Config.Msi
2009-01-15 19:43:46 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-15 19:39:58 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-14 21:22:51 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-01-14 21:22:50 ----D---- C:\Program Files\NOS
2009-01-13 22:36:32 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\Malwarebytes
2009-01-13 22:36:25 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-13 22:28:06 ----SHD---- C:\RECYCLER
2009-01-13 19:12:28 ----D---- C:\WINDOWS\system32\appmgmt
2009-01-12 21:38:04 ----A---- C:\ComboFix.txt
2009-01-12 21:32:35 ----D---- C:\WINDOWS\temp
2009-01-12 18:53:38 ----A---- C:\Boot.bak
2009-01-12 18:53:36 ----RASHD---- C:\cmdcons
2009-01-12 18:51:35 ----D---- C:\WINDOWS\ERDNT
2009-01-10 18:54:24 ----A---- C:\VundoFix.txt
2009-01-10 10:59:14 ----SHD---- C:\WINDOWS\CSC
2009-01-10 00:17:40 ----D---- C:\Program Files\Spyware Doctor
2009-01-09 16:51:25 ----A---- C:\WINDOWS\DCEBoot.exe
2008-12-18 18:26:23 ----A---- C:\WINDOWS\system32\deploytk.dll
======List of files/folders modified in the last 2 months======
2009-01-27 18:06:28 ----D---- C:\WINDOWS\system32
2009-01-27 18:04:16 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-01-27 18:04:15 ----D---- C:\WINDOWS
2009-01-27 18:03:38 ----D---- C:\WINDOWS\system32\drivers
2009-01-27 18:03:16 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-27 18:03:13 ----D---- C:\WINDOWS\Registration
2009-01-26 22:09:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-26 21:36:14 ----RD---- C:\Program Files
2009-01-26 18:48:22 ----D---- C:\WINDOWS\Prefetch
2009-01-26 18:29:59 ----D---- C:\Program Files\Paint Shop Pro 6
2009-01-26 00:50:55 ----D---- C:\Documents and Settings\All Users\Application Data\Trend Micro
2009-01-26 00:27:55 ----HD---- C:\WINDOWS\inf
2009-01-26 00:27:49 ----D---- C:\Program Files\Trend Micro
2009-01-26 00:26:15 ----SHD---- C:\WINDOWS\Installer
2009-01-21 00:39:00 ----A---- C:\WINDOWS\win.ini
2009-01-21 00:37:47 ----A---- C:\WINDOWS\SIERRA.INI
2009-01-21 00:37:02 ----SD---- C:\Documents and Settings\Eva & Michelangelo\Application Data\Microsoft
2009-01-21 00:35:50 ----D---- C:\Program Files\Yahoo! Games
2009-01-21 00:35:43 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-21 00:22:21 ----D---- C:\Documents and Settings\All Users\Application Data\GTek
2009-01-21 00:18:49 ----D---- C:\Documents and Settings\All Users\Application Data\SupportSoft
2009-01-21 00:18:47 ----D---- C:\Program Files\Dell Support Center
2009-01-21 00:18:47 ----D---- C:\Program Files\Common Files
2009-01-20 23:23:58 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-20 22:52:27 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-20 22:36:44 ----D---- C:\WINDOWS\system32\config
2009-01-20 22:36:23 ----D---- C:\WINDOWS\system32\wbem
2009-01-20 22:30:21 ----D---- C:\Program Files\Microsoft Games
2009-01-18 20:19:25 ----D---- C:\WINDOWS\system32\Restore
2009-01-16 09:37:59 ----SHD---- C:\System Volume Information
2009-01-15 19:43:49 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-01-15 19:43:29 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-15 19:40:02 ----D---- C:\WINDOWS\Debug
2009-01-15 19:34:10 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-15 01:42:35 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-01-15 01:42:03 ----D---- C:\Program Files\Common Files\Adobe
2009-01-15 01:41:45 ----D---- C:\Program Files\Adobe
2009-01-14 21:17:17 ----D---- C:\WINDOWS\Downloaded Installations
2009-01-13 22:28:06 ----D---- C:\WINDOWS\Minidump
2009-01-13 22:02:00 ----D---- C:\WINDOWS\WinSxS
2009-01-13 22:00:46 ----D---- C:\Program Files\Yahoo!
2009-01-13 21:57:30 ----D---- C:\Program Files\Java
2009-01-12 21:34:31 ----N---- C:\WINDOWS\system.ini
2009-01-12 21:31:54 ----D---- C:\WINDOWS\AppPatch
2009-01-12 19:07:52 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\Skype
2009-01-12 18:53:38 ----RASH---- C:\boot.ini
2009-01-12 18:04:02 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\skypePM
2009-01-10 09:23:12 ----D---- C:\Program Files\DIGStream
2009-01-10 00:18:56 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-08 00:50:14 ----D---- C:\Documents and Settings\Eva & Michelangelo\Application Data\U3
2008-12-18 18:26:14 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-18 18:26:14 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-18 18:26:14 ----A---- C:\WINDOWS\system32\java.exe
2008-12-13 17:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-11 00:33:43 ----D---- C:\Program Files\Internet Explorer
2008-12-03 22:03:18 ----D---- C:\WINDOWS\Help
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-13 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-13 23545]
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2009-01-26 80400]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-01-19 8552]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2008-11-27 36368]
R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2008-11-27 205328]
R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2008-11-27 1195384]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-08-25 176128]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-18 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-18 212224]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 neokdss;neokdss; C:\WINDOWS\system32\Drivers\neokdss.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-07-09 3198304]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P17;Sound Blaster Live! 24-bit; C:\WINDOWS\system32\drivers\P17.sys [2004-06-09 840960]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2009-01-26 334352]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-18 680704]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 glauiad;D-Link DSL-302G Modem; C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 29603]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-10-10 9216]
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-10-10 12800]
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-10-10 138240]
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-10-10 12800]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-14 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-14 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-14 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-14 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-14 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-14 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-14 42240]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-13 44032]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 IAANTMon;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-06-17 86140]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-18 152984]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-07-09 127043]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service; C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-01-26 707128]
R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2009-01-26 337160]
R2 TmPfw;Trend Micro Personal Firewall; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [2009-01-26 492888]
R2 TmProxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2009-01-26 677128]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2000-06-26 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2006-11-06 210432]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------


----------



## Evawegner (Jan 10, 2009)

Something of concern, which I have noticed since changing the hosts file, is that I now have a lot of reports of adware (detected by PC-Cillin scan), as well as repeated attempts at pharming, which is also a new thing. I've not been surfing the web beyond the very limited number of usual sites such as Gmail, Google, Wikipedia and work email.

Could it be that downloading the hosts file has now caused these occurrences? (PS: I haven't as yet downloaded the antispyware programs. I was waiting for us to finish with the clean-up.)

Is it safe to delete/fix the adware? I don't want to be in the position again where PC-Cillin deletes something important. (It found 80 instances of adware_memory watcher, adware_Inet and AdClicker.)


----------



## km2357 (Aug 9, 2007)

The OTMoveIt3 log shows that those files were moved successfully.

Downloading the new hosts file shouldn't have caused these occurrences.

They should be ok to delete/remove, but can you post the PC-Cillin log/results that show what it found, so I can make sure it's ok for you to delete them.

Thanks.


----------
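The question above (are "Hosts File Modification" alerts pointing at 127.0.0.1 dangerous?) is the kind of thing a helper can check mechanically. The following is an added example, not code from the thread or from Trend Micro: it parses the quoted-column format of the PC-Cillin spyware log posted in this thread (treating the "Name" column as the address the flagged hosts entry points to, which is an assumption), and it triages a hosts file, separating ordinary ad-blocking entries (addresses 127.0.0.1 or 0.0.0.0) from the two patterns that do matter: a security vendor's site sinkholed so updates fail, and a hostname redirected to a real address. The `PROTECTED_SUFFIXES` list is illustrative, not a vendor list.

```python
import ipaddress
import re
from collections import Counter

# Column order taken from the header line of the posted PC-Cillin log.
COLUMNS = ("time", "type", "threat", "file", "name", "action",
           "status", "detected_by", "source_type")

# Sites a Windows XP machine should always be able to reach for security
# updates. Illustrative list chosen for this example; adjust to your vendors.
PROTECTED_SUFFIXES = ("trendmicro.com", "windowsupdate.com",
                      "update.microsoft.com", "malwarebytes.org")

# Constructed sample in the exact shape of the posted log (two of the many
# identical hosts-file rows, plus one tracking-cookie row).
SCAN_LOG = r'''"Spyware Scan Logs" "Jan 27, 2009" "SOCRATES"
"Time" "Type" "Threat Name" "Infected File" "Name" "Action" "Status" "Detected by" "Source Type"
"18:40" "" "Adware_AdClicker" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_AdClicker" "Manual Scan" "Hosts File Modification"
"18:40" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"18:42" "" "Cookie_YieldManager" "Internet Explorer Cache" "ad.yieldmanager.com" "Quarantined Successfully" "Cookie_YieldManager" " " "Bad Internet Browser Cookies"
'''

# Constructed hosts file for the demonstration, not the poster's real one.
HOSTS_FILE = """\
127.0.0.1       localhost
127.0.0.1       ad.yieldmanager.com     # what an ad-blocking hosts file adds
0.0.0.0         doubleclick.net
127.0.0.1       www.trendmicro.com      # sinkholing an AV vendor blocks updates
203.0.113.5     www.bank.example        # redirect to a real address (pharming)
"""


def parse_scan_log(text):
    """Parse the double-quoted, space-separated rows of a PC-Cillin spyware log.

    The title row (3 fields) and the header row (first field "Time") are skipped."""
    records = []
    for line in text.splitlines():
        fields = re.findall(r'"([^"]*)"', line)
        if len(fields) != len(COLUMNS) or fields[0] == "Time":
            continue
        records.append(dict(zip(COLUMNS, fields)))
    return records


def summarize(records):
    """Count detections per (source type, threat) and collect the addresses
    behind the hosts-file alerts, so 80 rows collapse to a readable summary."""
    by_kind = Counter((r["source_type"], r["threat"]) for r in records)
    hosts_targets = Counter(r["name"] for r in records
                            if r["source_type"] == "Hosts File Modification")
    return by_kind, hosts_targets


def _is_sinkhole(addr):
    """True for loopback / unspecified addresses: traffic goes nowhere."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_protected(name):
    """Exact or subdomain match against the sites that must stay reachable."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify_hosts(text):
    """Return (address, hostname, verdict) per entry. Verdicts: 'default',
    'blocklist', or one of two 'suspicious: ...' strings worth a closer look."""
    verdicts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            name = name.lower()
            if not _is_sinkhole(addr):
                verdict = "suspicious: redirect to " + addr
            elif name == "localhost":
                verdict = "default"
            elif _is_protected(name):
                verdict = "suspicious: security site blocked"
            else:
                verdict = "blocklist"
            verdicts.append((addr, name, verdict))
    return verdicts


if __name__ == "__main__":
    by_kind, targets = summarize(parse_scan_log(SCAN_LOG))
    for (source, threat), n in sorted(by_kind.items()):
        print(f"{n:3d}  {source:30s} {threat}")
    print("hosts-file alert targets:", dict(targets))
    for addr, name, verdict in classify_hosts(HOSTS_FILE):
        print(f"{addr:15s} {name:25s} {verdict}")
```

Run it against the real `C:\WINDOWS\system32\drivers\etc\hosts` contents and the exported log to see whether every flagged entry is a loopback blocklist line (expected after installing an ad-blocking hosts file) or whether any entry falls in the two suspicious classes.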



## Evawegner (Jan 10, 2009)

Anti-spyware log. I will also post the other ones (shorter).

"Spyware Scan Logs" "Jan 27, 2009" "SOCRATES"
"Time" "Type" "Threat Name" "Infected File" "Name" "Action" "Status" "Detected by" "Source Type"
"18:40" "" "Adware_AdClicker" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_AdClicker" "Manual Scan" "Hosts File Modification"
"18:40" "" "Adware_Inet" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_Inet" "Manual Scan" "Hosts File Modification"
"18:40" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"18:42" "" "Cookie_YieldManager" "Internet Explorer Cache" "ad.yieldmanager.com" "Quarantined Successfully" "Cookie_YieldManager" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_SpecificClick" "Internet Explorer Cache" "adopt.specificclick.net" "Quarantined Successfully" "Cookie_SpecificClick" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_AdRevolver" "Internet Explorer Cache" "adrevolver.com" "Quarantined Successfully" "Cookie_AdRevolver" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_Profiling" "Internet Explorer Cache" "adtech.de" "Quarantined Successfully" "Cookie_Profiling" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_Advertising" "Internet Explorer Cache" "advertising.com" "Quarantined Successfully" "Cookie_Advertising" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_Atdmt" "Internet Explorer Cache" "atdmt.com" "Quarantined Successfully" "Cookie_Atdmt" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_BurstNet" "Internet Explorer Cache" "burstnet.com" "Quarantined Successfully" "Cookie_BurstNet" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_Com" "Internet Explorer Cache" "com.com" "Quarantined Successfully" "Cookie_Com" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_DoubleClick" "Internet Explorer Cache" "doubleclick.net" "Quarantined Successfully" "Cookie_DoubleClick" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_FastClick" "Internet Explorer Cache" "fastclick.net" "Quarantined Successfully" "Cookie_FastClick" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_AdRevolver" "Internet Explorer Cache" "media.adrevolver.com" "Quarantined Successfully" "Cookie_AdRevolver" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_Mediaplex" "Internet Explorer Cache" "mediaplex.com" "Quarantined Successfully" "Cookie_Mediaplex" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_2o7" "Internet Explorer Cache" "msnportal.112.2o7.net" "Quarantined Successfully" "Cookie_2o7" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_Overture" "Internet Explorer Cache" "overture.com" "Quarantined Successfully" "Cookie_Overture" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_RealMedia" "Internet Explorer Cache" "realmedia.com" "Quarantined Successfully" "Cookie_RealMedia" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_Revsci" "Internet Explorer Cache" "revsci.net" "Quarantined Successfully" "Cookie_Revsci" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_ServingSys" "Internet Explorer Cache" "serving-sys.com" "Quarantined Successfully" "Cookie_ServingSys" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_SpecificClick" "Internet Explorer Cache" "specificclick.net" "Quarantined Successfully" "Cookie_SpecificClick" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_Profiling" "Internet Explorer Cache" "tribalfusion.com" "Quarantined Successfully" "Cookie_Profiling" " " "Bad Internet Browser Cookies"
"18:42" "" "Cookie_Zedo" "Internet Explorer Cache" "zedo.com" "Quarantined Successfully" "Cookie_Zedo" " " "Bad Internet Browser Cookies"
"19:00" "" "Adware_AdClicker" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_AdClicker" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_Inet" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_Inet" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_AdClicker" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_AdClicker" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"
"19:00" "" "Adware_MemWatcher" "C:\WINDOWS\system32\drivers\etc\hosts" "127.0.0.1" "Detected" "Adware_MemWatcher" "Manual Scan" "Hosts File Modification"


----------



## Evawegner (Jan 10, 2009)

Firewall log

"Personal Firewall" "Jan 26, 2009" "SOCRATES"
"Type" "Time" "L3 Protocol" "Source IP Address" "Source Port" "Destination IP Address" "Destination Port" "Application Path" "Application Description" "Rule Description"
"Firewall" "00:31:35" "IGMP" "1" "192.168.2.3" "n/a" "224.0.0.22" "n/a" "---" "---" "Security Rule Matched"
"Firewall" "03:40:50" "IGMP" "1" "192.168.2.3" "n/a" "224.0.0.22" "n/a" "---" "---" "Security Rule Matched"
"Firewall" "03:40:51" "IGMP" "1" "192.168.2.3" "n/a" "224.0.0.22" "n/a" "---" "---" "Security Rule Matched"
"Firewall" "13:10:17" "IGMP" "1" "192.168.2.3" "n/a" "224.0.0.22" "n/a" "---" "---" "Security Rule Matched"
"Exception List Rule" "13:10:17" "TCP" "2" "---" "n/a" "192.168.2.3" "139" "SYSTEM" "---" "NetBIOS (Incoming, Fixed)"
"Firewall" "13:10:17" "IGMP" "1" "192.168.2.3" "n/a" "224.0.0.22" "n/a" "---" "---" "Security Rule Matched"
"Firewall" "13:10:18" "IGMP" "1" "192.168.2.3" "n/a" "224.0.0.22" "n/a" "---" "---" "Security Rule Matched"
"Firewall" "19:00:08" "IGMP" "1" "192.168.2.3" "n/a" "224.0.0.22" "n/a" "---" "---" "Security Rule Matched"


----------



## Evawegner (Jan 10, 2009)

Pharming log

"Protection Against Web Threats" "Jan 26, 2009" "SOCRATES"
"Time" "Website Address" "Block Extra Hosts File Entries" "Threat"
"16:50" "http://update.microsoft.com/library/toolbar/3.0/subbanner.aspx?t=TWljcm9zb2Z0IFVwZGF0ZQ%%3d%%3d&f=FFFFFF&b=003399&s=5A7CBC&r=False&font=Segoe%%2c+13pt&v=0&c=OwagJh8INVeX5VRqgYtTJdq0zss%%3d" "-" "Pharming"
"16:51" "http://www.google.com/setgmail?zx=hwxsmdwujpv7" "-" "Pharming"
"18:42" "http://mail.google.com/mail/?ui=2&i...b&attid=0.2&disp=thd&realattid=f_fqetgypv1&zw" "-" "Pharming"
"21:19" "http://www.google.com/setgmail?zx=msiqbtcls9hg" "-" "Pharming"
"22:05" "http://www.google.com/setgmail?zx=wiiylwdw7pte" "-" "Pharming"


----------



## km2357 (Aug 9, 2007)

Hi Eva,

Looking over the "Spyware Scan Logs", it looks like PC-Cillin has detected the changes added to your Hosts file by mvps and thought they were malicious. You can go ahead and tell PC-Cillin to ignore those entries. 

You can also do the following as well:

Delete *RSIT.exe* from your Desktop.

Please open *OTMoveIt3*.


Click on the *CleanUp!* button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
Answer *Yes* to the prompt.
The program will ask for a reboot. Answer *Yes*.

Empty your Recycle Bin.

Download and install antispyware programs (i.e. SpywareBlaster and WinPatrol) if you haven't already.
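
The distinction the reply above draws (blocklist lines in the hosts file versus a hostile change) can be checked directly. The script below is an added example, not part of the thread and not from any tool named in it: it parses a hosts file and classifies each mapping as a local name, a sinkhole entry (name pointed at loopback or 0.0.0.0, which is what a blocklist such as the MVPS hosts file adds), a LAN name, or a redirect of a real hostname to a routable address, which is the actual pharming pattern a "Hosts File Modification" alert is meant to catch. The sample hosts file is constructed for the example, and 203.0.113.5 is a documentation-range address standing in for an attacker's server.

```python
"""Audit a Windows hosts file: separate blocklist 'sinkhole' entries (the kind a
list such as the MVPS hosts file adds, which a scanner may report as 'Hosts File
Modification') from entries that show the real pharming pattern, a legitimate
hostname mapped to a routable address."""
import ipaddress
from collections import Counter

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample hosts file (not taken from the thread). 203.0.113.5 is from a
# documentation range and stands in for an attacker-controlled address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries added by a blocklist such as the MVPS hosts file
0.0.0.0  ad.doubleclick.net
0.0.0.0  atdmt.com  # tracking
127.0.0.1  mediaplex.com
127.0.0.1  zedo.com
# LAN name
192.168.2.3  SOCRATES
# Pharming pattern: legitimate hostnames pointed at a routable address
203.0.113.5  update.microsoft.com
203.0.113.5  www.google.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and bad lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: skip rather than crash
        for name in parts[1:]:
            yield ip, name.lower(), n


def classify(ip, name):
    if name in LOCAL_NAMES:
        return "local"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"   # name resolves to nowhere: blocklist entry
    if ip.is_link_local or any(ip in net for net in RFC1918):
        return "lan"        # local machine name; harmless by itself
    return "redirect"       # real name -> routable address: investigate


def audit(text):
    """Return (Counter of categories, list of (line_no, hostname, ip) redirects)."""
    counts = Counter()
    findings = []
    for ip, name, n in parse_hosts(text):
        cat = classify(ip, name)
        counts[cat] += 1
        if cat == "redirect":
            findings.append((n, name, str(ip)))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_HOSTS)
    print(dict(counts))
    for n, name, ip in findings:
        print(f"line {n}: {name} -> {ip}  (redirect; not a sinkhole)")
```

Run it against `C:\WINDOWS\system32\drivers\etc\hosts` (read the file and pass its contents to `audit`). Dozens of `sinkhole` entries with zero `redirect` findings is the profile of an installed blocklist; even one `redirect` for a bank, vendor update or webmail hostname is worth treating as a real pharming change.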


----------



## Evawegner (Jan 10, 2009)

Done!

The Pc-Cillin is AGAIN slowing my computer down (even before I had made any changes or installed anything), but I decided not to bother with it at present. I just have to wait a few minutes on start-up and then it all "wakes up". Go figure. To date I've had no joy with Trend Micro support; I wrote them a pissy reply to yet another of their repetitive and totally unhelpful suggestions and have heard nothing back since. Oh well, I'm in the black book! 

Spyware Blaster and WinPatrol are activated and "patrolling". I hope they will play nice with the AV and not clash. I've noticed something new in the ActiveX which is running (according to WinPatrol): 
OggX control (Oggx.ocx) from Maciej Software. 
It's something I don't recognise. Was it downloaded by us? Or should I kill it?
Interestingly there are also some programs which I thought I had deleted, like Line Speed Meter. I guess you just never completely delete anything from the computer. 

I've also deleted all the temp internet files.

So I gather I should run MalwareBytes every week or so? Should I also do a CClean every week or two, or is that better left alone?

Thanks!
Eva


----------



## km2357 (Aug 9, 2007)

> I've noticed something new in the ActiveX which is running (according to WinPatrol):
> OggX control (Oggx.ocx) from Maciej Software.
> It's something I don't recognise. Was it downloaded by us? Or should I kill it?


It has to do with this line in your HJT logs:

*O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx*

It looks like it has to do with a streaming video/audio player. Eska.pl looks to be a Polish radio station. It should be ok to leave alone.



> So I gather I should run MalwareBytes every week or so? Should I also do a CClean every week or two, or is that better left alone?


Running both MalwareBytes' and CCleaner every two weeks is fine.  Just remember to update before every scan with MalwareBytes'.


----------



## Evawegner (Jan 10, 2009)

Hey, does this mean that we're done cleaning up? That would be awesome.



> It has to do with this line in your HJT logs:
> 
> *O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx*
> 
> It looks like it has to do with a streaming video/audio player. Eska.pl looks to be a Polish radio station. It should be ok to leave alone.


I don't think this should be running at all times. This was most likely a website that my hubby visited once and then never went back again. But he thinks he may have put it in "favourites" for some reason. How do I get rid of it (safely and effectively)?

Computer still running very slow. After we're done I will try to contact Trend Micro again and maybe this time I'll not fight with them. At the end of the day I'm not sure it is Pc Cillin; it started soon after (but not immediately after) I did the hosts files, etc. When I turn PCCillin off, everything gets quite fast, so it must be that, right? Otherwise I have enough memory, it doesn't need a defrag, etc....

Cheers,
Eva


----------



## km2357 (Aug 9, 2007)

Evawegner said:


> Hey, does this mean that we're done cleaning up? That would be awesome.


Yep. 



> I don't think this should be running at all times. This was most likely a website that my hubby visited once and then never went back again. But he thinks he may have put it in "favourites" for some reason. How do I get rid of it (safely and effectively)?


To remove it, do the following:


- Run *HijackThis*
- Click on the *Scan* button
- Put a *check* beside all of the items listed below (if present):

*O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx*

- *Close all open windows and browsers/email, etc...*
- Click on the *"Fix Checked"* button
- When completed, close the application.



> Computer still running very slow. After we're done I will try to contact Trend Micro again and maybe this time I'll not fight with them. At the end of the day I'm not sure it is Pc Cillin; it started soon after (but not immediately after) I did the hosts files, etc. When I turn PCCillin off, everything gets quite fast, so it must be that, right? Otherwise I have enough memory, it doesn't need a defrag, etc....
> 
> Cheers,
> Eva


It sounds like PC-Cillin and the hosts file may be conflicting with each other, as you said your computer returns to normal/speeds up when you have PC-Cillin turned off. If you don't get anywhere with Trend Micro this time, you can always switch to another AV and Firewall as listed in Post #47 of the thread.


----------



## Evawegner (Jan 10, 2009)

Thank you so much for all your help. You've been wonderfully patient and knowledgeable. I will try to sort out the PCCillin issue. 

I hope I don't have to use this thread again. It's great to know that there are smart and kind people out there who are willing to help! :up:

Have a great day,
Eva


----------



## km2357 (Aug 9, 2007)

You're welcome. I'm glad I was able to help you out. 

If you ever need help again, you can always start another thread and myself or another helper will be along to help you.

Since your problem(s) have been resolved, you can mark this thread as "solved" by clicking on *The Mark Solved* button which is at the top of the page.

Thanks. 

Good luck and safe surfing!


----------

