# Mal_otorun1 Infection.



## Jonesiegirl (Apr 4, 2003)

Hello all of you hard-working security experts. 

I've been trying to assist a friend with ridding her PC of what she's calling Mal_otorun1, which was found by Trend Micro. We've made a few attempts at getting Malwarebytes installed, which, at this point, has been a no-go. The program simply won't open so that she can install it. I had a brilliant computer technician suggest that she rename the file, in hopes that it would install. I'm awaiting word on that right now. If we get lucky and the program installs, I'll post the log here. In the meantime, here's her HJT log.

Thanks for your time. 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:42 PM, on 3/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12053 bytes


----------
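
An added note and example from the editor, not part of either poster's text and not code from HijackThis, Trend Micro or ComboFix. The four O17 lines in the log above set the same pair of resolvers (85.255.112.61 and 85.255.112.172) on both network adapters, on the global Tcpip\Parameters key, and in ControlSet001 as well as CurrentControlSet. Statically configured public resolvers that are not the ISP's, pinned everywhere and duplicated into a second control set so they survive a Last Known Good boot, are the footprint of a DNS-changing trojan rather than of a user edit. The script below pulls the O17 entries out of a pasted HijackThis log and lists why each resolver is suspect. The allowlist of legitimate resolvers is an assumption the analyst supplies (for example from `ipconfig /all` on a known-clean machine on the same ISP) and is left empty here; the sample input is the O17 block copied from the log above plus one unrelated line to show the filter.

```python
"""Triage the O17 (DNS) entries of a HijackThis 2.0.x log.

Editor's added example for this thread; not code from HijackThis, Trend Micro
or the posters. The expected-resolver allowlist is an assumption the caller
supplies.
"""
import ipaddress
import re
from collections import defaultdict

# HijackThis 2.0.x writes DNS settings as, for example:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4,5.6.7.8
#   O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 1.2.3.4,5.6.7.8
# CCS = CurrentControlSet, CSn = ControlSet00n (CS1 is normally Last Known Good).
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?P<scope>\.\.\\\{[0-9A-Fa-f-]+\}|Parameters): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return (control_set, scope, [ip, ...]) for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((m.group("cset"), m.group("scope"), servers))
    return entries


def assess_resolvers(entries, expected_resolvers=frozenset()):
    """Map each resolver IP not on the allowlist to the reasons it is suspect."""
    scopes_by_ip = defaultdict(set)
    for cset, scope, servers in entries:
        for ip in servers:
            scopes_by_ip[ip].add((cset, scope))

    findings = {}
    for ip, scopes in scopes_by_ip.items():
        if ip in expected_resolvers:
            continue
        reasons = ["not in the expected-resolver allowlist"]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings[ip] = reasons + ["not a valid IP address"]
            continue
        if addr.is_global:
            reasons.append("public address statically configured (not DHCP-assigned)")
        adapters = {scope for _, scope in scopes if scope != "Parameters"}
        if adapters:
            reasons.append(f"pinned on {len(adapters)} adapter interface(s)")
        if any(scope == "Parameters" for _, scope in scopes):
            reasons.append("also set in the global Tcpip\\Parameters key")
        control_sets = sorted({cset for cset, _ in scopes})
        if len(control_sets) > 1:
            reasons.append("present in control sets " + ", ".join(control_sets)
                           + " (survives a Last Known Good boot)")
        findings[ip] = reasons
    return findings


# The O17 block copied from the HijackThis log posted above, plus one
# non-O17 line to show that unrelated entries are ignored.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
"""

if __name__ == "__main__":
    # Allowlist left empty: the ISP's real resolvers are not known from the log.
    for ip, reasons in assess_resolvers(parse_o17(SAMPLE_LOG)).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Once the resolvers have been fixed, re-run the script on a fresh HijackThis log: a clean Vista machine on DHCP shows no O17 NameServer lines at all, because the resolvers come from the DHCP lease rather than a static registry value.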



## Jonesiegirl (Apr 4, 2003)

Update. Renaming the file didn't work.


----------



## Cookiegal (Aug 27, 2003)

Let's see if she can get this one installed and run the scan.

Please visit the *ComboFix Guide & Instructions* for instructions for installing the Recovery Console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------
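
An added example from the editor, not part of Cookiegal's reply and not ComboFix's or Trend Micro's code. Cookiegal's note concerns ComboFix switching AutoRun off for every drive type; the thread title's Mal_otorun1 is Trend Micro's name for autorun.inf files that launch malware from a drive root, which is what the later ComboFix log in this thread removes from D:\. The script below parses an autorun.inf the way Explorer reads it (last value for a key wins, case-insensitive, junk lines ignored), collects every directive that can launch a program, and explains why a given launch target looks like a worm's rather than a vendor CD's; it also decodes the NoDriveTypeAutoRun bitmask that ComboFix sets. The autorun.inf text is constructed for the example, modelled on the file ComboFix deleted (the RECYCLER\S-8-9-82-...com file name is taken from that log); the registry value is passed in by the caller, read on Windows with `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun`.

```python
"""Triage an autorun.inf and decode the NoDriveTypeAutoRun policy bitmask.

Editor's added example for this thread; not ComboFix's or Trend Micro's code.
The sample autorun.inf below is constructed; the registry value is supplied
by the caller.
"""
import re

# Bits of NoDriveTypeAutoRun (HKLM or HKCU \Software\Microsoft\Windows\
# CurrentVersion\Policies\Explorer); a set bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
LAUNCH_KEYS = ("open", "shellexecute")                 # direct launch directives
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")  # shell\<verb>\command
# Extensions rarely used by legitimate installers but common for autorun worms.
ODD_EXEC_EXTS = (".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js")
REAL_SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")           # real Recycle Bin SID folders


def parse_autorun_inf(text):
    """Return the [autorun] section as {lower-cased key: value}.

    Hand-rolled rather than configparser because malicious files pad the
    section with junk lines, mixed case and duplicate keys; the last value
    for a key wins, which is how Explorer behaves.
    """
    values, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def launch_targets(values):
    """Every directive whose value AutoRun or AutoPlay could execute."""
    return [(k, v) for k, v in values.items() if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def _first_token(command):
    """The program path of a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_reasons(command):
    """Heuristics for a launch command a worm, not a vendor disc, would write."""
    reasons = []
    path = _first_token(command)
    parts = path.replace("/", "\\").split("\\")
    lowered = [p.lower() for p in parts]
    if "recycler" in lowered or "system volume information" in lowered:
        reasons.append("target hidden in a system folder users cannot normally see")
    for p in parts:
        if p.upper().startswith("S-") and not REAL_SID_RE.match(p.split(".")[0]):
            reasons.append(f"{p!r} imitates a Recycle Bin SID folder but is not a valid SID")
    if path.lower().endswith(ODD_EXEC_EXTS):
        reasons.append("launch target uses a legacy/script executable extension")
    return reasons


def triage_autorun_inf(text):
    """Return {directive: [reasons]} for every launch directive in the file."""
    return {k: suspicious_reasons(v) for k, v in launch_targets(parse_autorun_inf(text))}


def autorun_disabled_for(no_drive_type_autorun, drive_type):
    """True when the bitmask disables AutoRun for the named drive type."""
    return bool(no_drive_type_autorun & DRIVE_TYPE_BITS[drive_type])


def autorun_enabled_types(no_drive_type_autorun):
    """Drive types for which AutoRun is still permitted under this bitmask."""
    return sorted(t for t in DRIVE_TYPE_BITS if not autorun_disabled_for(no_drive_type_autorun, t))


# Constructed sample modelled on the D:\Autorun.inf that ComboFix removed;
# the RECYCLER file name is the one shown in that log.
SAMPLE_AUTORUN_INF = """
[AutoRun]
;junk comment typical of padded autorun.inf files
open=RECYCLER\\S-8-9-82-100021030-100025445-100029154-5732.com
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\S-8-9-82-100021030-100025445-100029154-5732.com
shell\\open\\Default=1
shell\\explore=Explore
shell\\explore\\command=RECYCLER\\S-8-9-82-100021030-100025445-100029154-5732.com
"""

if __name__ == "__main__":
    for directive, reasons in triage_autorun_inf(SAMPLE_AUTORUN_INF).items():
        print(directive, "->", "; ".join(reasons) or "nothing suspicious")
    print("AutoRun still enabled for (0xFF):", autorun_enabled_types(0xFF))
    print("AutoRun still enabled for (0x91):", autorun_enabled_types(0x91))
```

The bitmask half is what Cookiegal's caveat is about: ComboFix writes 0xFF, which leaves no drive type with AutoRun enabled, whereas the common 0x91 default still allows it on removable, fixed and CD-ROM drives, the three types an autorun worm relies on. Undoing ComboFix's change means restoring a smaller value, so the trade-off is explicit.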



## Jonesiegirl (Apr 4, 2003)

Thanks, Karen.  

I'll post both of the logs as soon as she sends them to me.


----------



## Cookiegal (Aug 27, 2003)

Jonesiegirl said:


> Thanks, Karen.
> 
> I'll post both of the logs as soon as she sends them to me.


I'm signing off for the night so I'll check back tomorrow.


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> I'm signing off for the night so I'll check back tomorrow.


It'll probably be Thursday night before I get the logs, Karen. (She's working long hours.)

I'll see you then.


----------



## Jonesiegirl (Apr 4, 2003)

Oh! I spoke too soon! She just emailed them to me!

ComboFix log in this post. Next post will be her new HJT log. 

ComboFix 09-03-25.02 - Mary 2009-03-25 22:39:45.1 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.893.294 [GMT -4:00]
Running from: c:\users\Mary\Desktop\combofix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Windows\Start Menu\Programs\MalwareCrush
c:\programdata\Microsoft\Windows\Start Menu\Programs\MalwareCrush\MalwareCrush 3.7 Website.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\MalwareCrush\Uninstall MalwareCrush 3.7.lnk
c:\recycler\S-8-9-82-100021030-100025445-100029154-5732.com
c:\windows\system32\drivers\gaopdxwoqdyqbuwtouqadmxffotvbocsvisxxj.sys
c:\windows\system32\gaopdxcdtxodjxampdgerxtnnetffapbegcftu.dll
D:\Autorun.inf
d:\recycler\S-8-9-82-100021030-100025445-100029154-5732.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys

((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-25 22:18 . 2009-03-25 22:18 d-------- c:\users\Mary\AppData\Roaming\VundoFixTool
2009-03-25 22:18 . 2009-03-25 22:18 d-------- c:\program files\VundoFixTool
2009-03-25 21:35 . 2009-03-25 21:35 d-------- c:\users\All Users\Malwarebytes
2009-03-25 21:35 . 2009-03-25 21:35 d-------- c:\programdata\Malwarebytes
2009-03-25 21:35 . 2009-03-25 21:35 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 21:35 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-25 21:35 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-24 19:51 . 2009-03-24 19:53 d-------- c:\program files\Windows Live Safety Center
2009-03-24 00:36 . 2009-03-24 00:36 d--hs---- C:\found.000
2009-03-21 23:17 . 2009-03-23 20:28 d-------- c:\windows\System32\Service
2009-03-21 22:44 . 2009-03-21 22:44 d-------- c:\windows\LocalSSL
2009-03-21 22:36 . 2009-03-21 23:34 d-------- c:\users\All Users\Trend Micro
2009-03-21 22:36 . 2009-03-21 23:34 d-------- c:\programdata\Trend Micro
2009-03-21 22:22 . 2009-03-21 22:22 1,195,448 --a------ c:\windows\System32\drivers\vsapint.sys
2009-03-21 22:22 . 2009-03-21 22:22 256,528 --a------ c:\windows\System32\drivers\tmwfp.sys
2009-03-21 22:22 . 2009-03-21 22:22 205,328 --a------ c:\windows\System32\drivers\tmxpflt.sys
2009-03-21 22:22 . 2009-03-21 22:22 145,424 --a------ c:\windows\System32\drivers\tmlwf.sys
2009-03-21 22:22 . 2009-03-21 22:22 144,912 --a------ c:\windows\System32\drivers\tmcomm.sys
2009-03-21 22:22 . 2009-03-21 22:22 80,400 --a------ c:\windows\System32\drivers\tmtdi.sys
2009-03-21 22:22 . 2009-03-21 22:22 50,192 --a------ c:\windows\System32\drivers\tmactmon.sys
2009-03-21 22:22 . 2009-03-21 22:22 49,680 --a------ c:\windows\System32\drivers\tmevtmgr.sys
2009-03-21 22:22 . 2009-03-21 22:22 36,368 --a------ c:\windows\System32\drivers\tmpreflt.sys
2009-03-21 16:22 . 2009-03-21 16:23 113,159,154 --a------ c:\windows\MEMORY.DMP
2009-03-20 20:16 . 2009-03-20 20:16 d-------- c:\users\Mary\AppData\Roaming\Talkback
2009-03-20 20:15 . 2009-03-20 20:16 d-------- c:\users\Mary\AppData\Roaming\Thunderbird
2009-03-19 20:23 . 2009-03-21 11:32 d----c--- c:\windows\System32\DRVSTORE
2009-03-19 20:22 . 2009-03-21 11:33 d-------- c:\users\All Users\Lavasoft
2009-03-19 20:22 . 2009-03-21 11:33 d-------- c:\programdata\Lavasoft
2009-03-19 18:32 . 2009-03-21 15:01 d-------- c:\program files\SpywareGuard
2009-03-18 20:40 . 2009-03-18 20:40 d-------- c:\program files\Alwil Software
2009-03-15 20:06 . 2009-03-15 20:06 d-------- c:\program files\HDExtrem
2009-03-14 20:10 . 2009-03-18 20:25 d-------- c:\users\All Users\McAfee
2009-03-14 20:10 . 2009-03-18 20:25 d-------- c:\programdata\McAfee
2009-03-11 08:14 . 2009-03-11 08:15 d-------- c:\program files\James Patterson's Women's Murder Club - A Darker Shade of Grey
2009-03-10 18:22 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 18:22 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 18:22 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-10 18:21 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-02 21:42 . 2009-03-02 21:42 d-------- c:\users\Mary\AppData\Roaming\BrandX Games
2009-02-28 22:31 . 2009-02-28 22:31 d-------- c:\users\All Users\BigFish
2009-02-28 22:31 . 2009-02-28 22:31 d-------- c:\programdata\BigFish

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 00:55 --------- d-----w c:\users\Mary\AppData\Roaming\ComcastToolbar
2009-03-23 21:20 --------- d---a-w c:\programdata\TEMP
2009-03-23 21:18 --------- d-----w c:\program files\Mystery Case Files - Ravenhearst
2009-03-23 20:30 --------- d-----w c:\users\Mary\AppData\Roaming\WeatherBug
2009-03-23 01:29 --------- d-----w c:\program files\Trend Micro
2009-03-20 00:27 --------- d-----w c:\program files\Google
2009-03-12 00:58 --------- d-----w c:\program files\WildGames
2009-03-12 00:50 --------- d-----w c:\program files\MSN Games
2009-03-11 12:27 --------- d-----w c:\users\Mary\AppData\Roaming\Flood Light Games
2009-03-11 12:27 --------- d-----w c:\programdata\Flood Light Games
2009-03-11 07:05 --------- d-----w c:\programdata\Microsoft Help
2009-02-25 02:27 --------- d-----w c:\users\Mary\AppData\Roaming\WildTangent
2009-02-25 02:26 --------- d-----w c:\programdata\WildTangent
2009-02-20 20:17 --------- d-----w c:\users\Mary\AppData\Roaming\HSA
2009-02-20 12:32 --------- d-----w c:\programdata\GameHouse
2009-02-14 03:56 --------- d-----w c:\programdata\HoverBee Studios
2009-02-12 13:51 --------- d-----w c:\program files\AIM6
2009-02-12 13:50 --------- d-----w c:\programdata\Viewpoint
2009-02-12 13:50 --------- d-----w c:\programdata\acccore
2009-02-12 13:50 --------- d-----w c:\program files\Common Files\Software Update Utility
2009-02-12 13:48 --------- d-----w c:\programdata\AOL Downloads
2009-02-11 23:10 936,288 ----a-w c:\windows\System32\Incinerator.dll
2009-02-09 02:14 --------- d-----w c:\users\Mary\AppData\Roaming\Jetsetter
2009-01-31 03:49 --------- d-----w c:\users\Mary\AppData\Roaming\Island
2009-01-31 02:49 --------- d-----w c:\users\Mary\AppData\Roaming\RobinsonCrusoe
2009-01-31 02:40 --------- d-----w c:\program files\Adventures of Robinson Crusoe
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-07-19 00:40 174 --sha-w c:\program files\desktop.ini
2007-12-13 23:08 0 ----a-w c:\users\Mary\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-21 497008]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"VundoFixTool"="c:\program files\VundoFixTool\VundoFixTool.exe" [2009-03-24 19451904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2009-02-11 314224]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-21 970808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-21 497008]

c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-07 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3586541812-533695731-4199019274-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7F4889EC-579F-4D71-BC1B-ACE9ABEB4DC1}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{30D010D9-E843-48E6-83EB-2ED46FB6211B}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{D175FBC6-119E-4BAC-B7B0-A4946739773A}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{C7C5BC49-1135-49B3-AC17-01597EDD2642}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{35326614-FB84-42E7-BF60-5F936509910C}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{E25E7D60-921A-4539-8D75-1A1EA3F4CC93}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{B6C57DB6-A5B2-48E0-9ECF-FBF2147C5FCF}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{9E09E2AA-4AFA-4018-9F7E-A65A93C32D20}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{9092D829-87CB-41EC-B0F8-3E2BE9DD81B8}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{9B96259D-F91D-4360-8FD9-850741F16CC6}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{B73EF684-E652-4107-BC47-99763993A09E}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
"{898AAC2C-DBD2-40FB-B61B-D2BE8145D176}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
"{CCB12DA5-6F1C-4A95-AE49-2D18700E5B38}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{DECEAC32-1BBE-4553-A413-3F1DDCF1368C}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{C7AA985A-5D2F-4576-848B-A93E2DCB2E2A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{85D01A0F-A054-4324-A234-C72BBA3CF210}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{FEF1D0DD-9EDC-4906-89CB-97AFB12E19F0}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{CD535AD3-67B9-446D-A3E4-A2D6E49396BC}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{866044E7-7FAC-4076-BD99-0F5084694057}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{9180FD48-7387-489A-924E-BEEB225636B9}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{289800C0-E530-474A-A1E0-F817BCA96F2E}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{41F88FB0-2148-43C6-8658-BA36E8967025}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{E52E6BD5-FE5A-4ECA-BDFF-C75FB87A2681}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CB7355D1-1809-42C8-B009-94420BD70062}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{9A057361-D3C4-40B8-B280-8243DA722E0E}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{C2EC1CC5-F054-49FA-8B78-5BF4DD2738FE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0F2210C7-5EFE-466F-80ED-05938DAE4221}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6A8E1455-2A88-4EF3-B76D-D1501D9BB31E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{19B1BE35-B2F5-4887-B4F3-48B1407E4780}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0C2CDAC7-139F-416B-8E1E-09561D5C0983}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{FE5E8346-43E1-4945-B5CB-E7A59CFA2C45}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{123BCAF2-EA42-447C-9930-2B67591190C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D7D4F645-8AE3-480D-9981-D0C135D7DC3F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B35DADDE-B647-4CBA-BD43-09E926448E4D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AC93B261-6543-47D3-9B7A-86BDDE3A73AB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{98291DEC-E2A0-401E-B9A1-CE59642DF7DB}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{EF8ED2C2-A5BD-420E-940B-6F90B9CB085B}"= Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{94F7C70A-8D87-423F-93D5-9D659DAD7D43}"= UDP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{6719C64E-E781-4E84-A13F-77B6960CBAD0}"= TCP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{8155B286-8452-450C-9D3E-A11A2ADD3AAF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9DB4DD33-5831-4A88-8842-5F2112CADFC5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{919EC946-E465-425A-A0D7-3932482D6D64}"= UDP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exe:DriveScrubber 3
"{A44216C4-DF98-4A08-803F-5BADEE4914C6}"= TCP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exe:DriveScrubber 3
"{791E7A25-C7ED-438C-8E00-03C39A2AA1EC}"= UDP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"{0A82E8FF-B4FA-4B81-A2B4-EE2B6EFC7591}"= TCP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"{4EB7C6D7-F5FA-4C04-A064-F9CFBE9B0F2B}"= UDP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
"{77B5D989-46F3-4CEA-B105-9A408F5795C6}"= TCP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
"{9CB1B822-24A0-47E6-BBFE-239B7A16632B}"= UDP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
"{75DFE27C-43F4-40C3-A66C-C80FEFBC04A9}"= TCP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
"{90556DEB-23C8-4183-908B-F3E784C94954}"= UDP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger 
"{A7D5F094-3EE4-4540-9A8B-6D752808752F}"= TCP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger 
"{B15FD292-C021-4385-92D6-82BA4C06E71F}"= Disabled:UDP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{5E5DB1EB-B1C8-4DD8-A285-EB4EEAA8F0F9}"= Disabled:TCP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{2E9E2649-60D6-4597-AD7A-AC31DBE5D83F}"= Disabled:c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{70F4D63B-9EB7-44BE-8316-CAB0C1536CEF}"= Disabled:UDP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{8F8B6735-C493-4DEB-BD0D-CA4652702BCE}"= Disabled:TCP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{5CB05E5B-D12B-444E-A87D-EF922193D54A}"= Disabled:UDP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
"{2D4B8DCC-A3BB-407C-AD4D-297EAEAB0513}"= Disabled:TCP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
"{CC7DCEBD-DD82-40D6-92EB-38BF6645BC82}"= Disabled:UDP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
"{5613C2FD-9840-4C1A-831E-73715877A339}"= Disabled:TCP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
"{9812BCE1-D6F9-4C50-812E-620FB6000DA0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A230A7F3-5617-4FE9-80DA-83871D49A375}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{46C8DB4B-F3C3-4F49-A1F0-02994D0706D6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3710AAC5-F10D-4B6C-A276-F72423F6FD19}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{ED47475A-1765-4DC1-93FF-FC36DFE14C0B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9D4A312A-3F91-4CD0-86C9-F516F9CCA80D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AAF5B073-7BE8-4D32-8735-A62DE90F72EE}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9D8D69B2-24A8-48F8-9B42-A71BF03811FF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A9411C03-217C-4F44-9AEE-8C577116C8DC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0E37C095-FC56-44AA-B246-E50CEAEAFE0E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{28DFEE7A-8E04-4BEE-A5E9-87B7346620B4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{03565B16-AB53-4E22-B571-9D3E9FD8AFCF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [2008-05-11 12800]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2009-03-21 145424]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2007-12-07 73728]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-21 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [2009-03-21 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-21 492888]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2009-03-21 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-21 677128]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2009-03-21 256528]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-15 24652]
R2 VundoFixToolSrv;VundoFixTool Scanning Engine;c:\program files\VundoFixTool\VundoFixTool.srv.exe [2009-03-24 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2008-01-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2009-03-21 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

2009-03-25 c:\windows\Tasks\User_Feed_Synchronization-{04FDB26F-EAC6-4E4E-A4A1-98E788060B08}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 03:33]

2009-03-26 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool\VundoFixTool.exe [2009-03-24 09:34]

2009-03-26 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool [2009-03-25 22:18]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = actsvr.comcast:8100
Trusted Zone: internet
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 22:51:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
Completion time: 2009-03-25 22:54:37
ComboFix-quarantined-files.txt 2009-03-26 02:54:32

Pre-Run: 96,109,043,712 bytes free
Post-Run: 96,074,567,680 bytes free

328 --- E O F --- 2009-03-15 07:28:01


----------



## Jonesiegirl (Apr 4, 2003)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:42 PM, on 3/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12053 bytes
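
The log above carries the entries a responder would pull out first: the O17 NameServer values 85.255.112.61 and 85.255.112.172 sit in 85.255.112.0/20, the rogue resolver block used by the DNSChanger trojans, so every DNS lookup on the box was being answered by attacker-controlled servers until those entries are replaced. The script below is an added triage example written for this page, not code from HijackThis, ComboFix or any poster: it parses HJT-style lines, checks O17 resolvers against that known-bad range and an expected-resolver list, and flags dangling O2/O23 entries, an explicit proxy and RunOnce keys. The sample lines are copied from the log above; `EXPECTED_DNS` is a placeholder assumption (RFC 1918 gateways) that should be filled in from the router's configuration.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not part of HijackThis or ComboFix.
Sample input: lines copied from the HJT log posted above.
"""
import ipaddress
import re

# 85.255.112.0/20: rogue resolver block used by the DNSChanger family (real IOC).
KNOWN_BAD_DNS = [ipaddress.ip_network("85.255.112.0/20")]

# Resolvers we would accept without comment on a home PC. Placeholder assumption:
# RFC 1918 gateway ranges only; add the ISP's real resolvers from the router config.
EXPECTED_DNS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample: a subset of the lines from the HJT log in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = actsvr.comcast:8100
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\\Program Files\\Dell\\BAE\\BAE.dll (file missing)
O4 - HKLM\\..\\RunOnce: [Malwarebytes' Anti-Malware] C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe /install /silent
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.61,85.255.112.172
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe (file missing)
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\\Program Files\\Trend Micro\\Internet Security\\TmProxy.exe
"""

# HJT lines start with a section tag (R0, R1, O2, O17, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def classify_dns(ip_str):
    """Return 'known-bad', 'expected' or 'unexpected' for one resolver address."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in KNOWN_BAD_DNS):
        return "known-bad"
    if any(ip in net for net in EXPECTED_DNS):
        return "expected"
    return "unexpected"


def triage(log_text):
    """Walk the log and return (section, verdict, detail) tuples worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O17":
            # NameServer lists are comma separated; every resolver gets its own verdict.
            _, _, servers = body.partition("NameServer =")
            for server in servers.split(","):
                server = server.strip()
                if server:
                    verdict = classify_dns(server)
                    if verdict != "expected":
                        findings.append(("O17", verdict, server))
        elif sec in ("O2", "O3", "O23") and ("(no file)" in body or "(file missing)" in body):
            # Dangling BHO, toolbar or service registrations: leftovers or half-removed malware.
            findings.append((sec, "dangling", body))
        elif sec == "R1" and "ProxyServer" in body:
            # An explicit proxy routes every request through whatever is listed here.
            findings.append(("R1", "proxy", body.split("=", 1)[1].strip()))
        elif sec == "O4" and "RunOnce" in body:
            # RunOnce entries fire on the next boot and then vanish; note them before they do.
            findings.append(("O4", "runonce", body))
    return findings


if __name__ == "__main__":
    for sec, verdict, detail in triage(SAMPLE_LOG):
        print(f"{sec:<4} {verdict:<10} {detail}")
```

Running it over the sample lines prints the two known-bad resolvers, the Comcast activation proxy, both dangling BHOs, the missing Google Updater service binary and the pending Malwarebytes RunOnce; the Trend Micro service line passes without comment. Anything reported as `unexpected` is a resolver outside both lists and needs a manual check against the ISP's published addresses rather than an automatic verdict.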


----------



## Cookiegal (Aug 27, 2003)

If there's an entry in Add or Remove programs for Winferno\RegistryPowerCleaner then have her uninstall it from there before doing the following. If it doesn't exist then just carry on with the rest of the instructions.

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\windows\Tasks\rpc.job
c:\windows\Tasks\VundoFixTool Scheduled Scan.job

Folder::
c:\program files\Winferno
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

Please see if she can run MalwareBytes now that ComboFix has cleaned up some of the mess.

Also, have her do this please:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.
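
ComboFix reads a CFScript as a sequence of directives such as `File::` and `Folder::`, each followed by one path per line, and deletes whatever is listed under them. Because the script runs with no confirmation, a helper's usual discipline is that every target must be traceable to an entry in the ComboFix log that prompted it. The following check is an added example for this page, not a ComboFix feature or code from any poster: it parses the directive format and reports any `File::` or `Folder::` target that does not appear anywhere in the log text. The script and log fragments embedded below are copied from the thread; the cross-check itself is this example's own design.

```python
"""Parse a ComboFix CFScript and cross-check its targets against the ComboFix log.

Added example for this thread, not part of ComboFix. The directive syntax
(File::, Folder::, one path per line) is ComboFix's; the cross-check is ours.
"""
import re

# Constructed input: the CFScript posted above.
CFSCRIPT = """\
File::
c:\\windows\\Tasks\\rpc.job
c:\\windows\\Tasks\\VundoFixTool Scheduled Scan.job

Folder::
c:\\program files\\Winferno
"""

# Constructed input: the Scheduled Tasks lines from the earlier ComboFix log.
COMBOFIX_LOG = """\
2009-03-21 c:\\windows\\Tasks\\rpc.job
- c:\\program files\\Winferno\\RegistryPowerCleaner\\RegPowerClean.exe []
2009-03-26 c:\\windows\\Tasks\\VundoFixTool Scheduled Scan.job
- c:\\program files\\VundoFixTool\\VundoFixTool.exe [2009-03-24 09:34]
"""

# A directive is a bare word followed by "::" on its own line.
DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z]+)::\s*$")


def parse_cfscript(text):
    """Return {directive: [paths]} in order of appearance; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is None:
            # A path with no directive above it would be silently ignored or misapplied.
            raise ValueError(f"path listed before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def unsupported_targets(sections, log_text):
    """Return (directive, path) pairs under File:: or Folder:: not evidenced in the log.

    Matching is a case-insensitive substring test, so a Folder:: target is accepted
    when the log mentions any file beneath it.
    """
    haystack = log_text.lower()
    missing = []
    for directive in ("File", "Folder"):
        for path in sections.get(directive, []):
            if path.lower() not in haystack:
                missing.append((directive, path))
    return missing


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for name, paths in parsed.items():
        print(f"{name}:: {len(paths)} target(s)")
    for directive, path in unsupported_targets(parsed, COMBOFIX_LOG):
        print(f"WARNING: {directive}:: target not found in log: {path}")
```

For the script in this post every target resolves to a log line (rpc.job, the VundoFixTool task and the Winferno folder that the rpc.job task pointed into), so the check is silent. A mistyped path would be reported before ComboFix ever sees the script, which matters because ComboFix deletes listed paths without asking.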


----------



## Jonesiegirl (Apr 4, 2003)

You're getting her there, Karen!! :up:

ComboFix 09-03-25.04 - Mary 2009-03-26 20:14:19.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.221 [GMT -4:00]
Running from: c:\users\Mary\Desktop\combofix.exe
Command switches used :: c:\users\Mary\Desktop\CFscript.txt.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\Tasks\rpc.job
c:\windows\Tasks\VundoFixTool Scheduled Scan.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\gaopdxwoqdyqbuwtouqadmxffotvbocsvisxxj.sys
c:\windows\system32\gaopdxcounter
c:\windows\Tasks\rpc.job
c:\windows\Tasks\VundoFixTool Scheduled Scan.job
.
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.
2009-03-26 19:17 . 2009-03-26 19:17 d-------- c:\users\Mary\AppData\Roaming\Malwarebytes
2009-03-26 05:39 . 2009-03-05 22:17 1,195,512 --a------ c:\windows\System32\drivers\vsapint.sys
2009-03-26 05:39 . 2009-03-05 22:17 205,328 --a------ c:\windows\System32\drivers\tmxpflt.sys
2009-03-26 05:39 . 2009-03-05 22:17 36,368 --a------ c:\windows\System32\drivers\tmpreflt.sys
2009-03-25 22:18 . 2009-03-25 22:18 d-------- c:\users\Mary\AppData\Roaming\VundoFixTool
2009-03-25 22:18 . 2009-03-25 22:18 d-------- c:\program files\VundoFixTool
2009-03-25 21:35 . 2009-03-25 21:35 d-------- c:\users\All Users\Malwarebytes
2009-03-25 21:35 . 2009-03-25 21:35 d-------- c:\programdata\Malwarebytes
2009-03-25 21:35 . 2009-03-26 19:19 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 21:35 . 2009-03-26 16:49 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-25 21:35 . 2009-03-26 16:49 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-24 19:51 . 2009-03-24 19:53 d-------- c:\program files\Windows Live Safety Center
2009-03-24 00:36 . 2009-03-24 00:36 d--hs---- C:\found.000
2009-03-21 23:17 . 2009-03-23 20:28 d-------- c:\windows\System32\Service
2009-03-21 22:44 . 2009-03-21 22:44 d-------- c:\windows\LocalSSL
2009-03-21 22:36 . 2009-03-21 23:34 d-------- c:\users\All Users\Trend Micro
2009-03-21 22:36 . 2009-03-21 23:34 d-------- c:\programdata\Trend Micro
2009-03-21 22:22 . 2009-03-03 19:12 256,528 --a------ c:\windows\System32\drivers\tmwfp.sys
2009-03-21 22:22 . 2009-03-03 04:34 150,032 --a------ c:\windows\System32\drivers\tmcomm.sys
2009-03-21 22:22 . 2009-03-03 19:12 145,424 --a------ c:\windows\System32\drivers\tmlwf.sys
2009-03-21 22:22 . 2009-03-03 19:12 80,400 --a------ c:\windows\System32\drivers\tmtdi.sys
2009-03-21 22:22 . 2009-03-03 04:34 50,192 --a------ c:\windows\System32\drivers\tmevtmgr.sys
2009-03-21 22:22 . 2009-03-03 04:34 50,192 --a------ c:\windows\System32\drivers\tmactmon.sys
2009-03-21 16:22 . 2009-03-21 16:23 113,159,154 --a------ c:\windows\MEMORY.DMP
2009-03-20 20:16 . 2009-03-20 20:16 d-------- c:\users\Mary\AppData\Roaming\Talkback
2009-03-20 20:15 . 2009-03-20 20:16 d-------- c:\users\Mary\AppData\Roaming\Thunderbird
2009-03-19 20:23 . 2009-03-21 11:32 d----c--- c:\windows\System32\DRVSTORE
2009-03-19 20:22 . 2009-03-21 11:33 d-------- c:\users\All Users\Lavasoft
2009-03-19 20:22 . 2009-03-21 11:33 d-------- c:\programdata\Lavasoft
2009-03-19 18:32 . 2009-03-21 15:01 d-------- c:\program files\SpywareGuard
2009-03-18 20:40 . 2009-03-18 20:40 d-------- c:\program files\Alwil Software
2009-03-15 20:06 . 2009-03-26 19:48 d-------- c:\program files\HDExtrem
2009-03-14 20:10 . 2009-03-18 20:25 d-------- c:\users\All Users\McAfee
2009-03-14 20:10 . 2009-03-18 20:25 d-------- c:\programdata\McAfee
2009-03-11 08:14 . 2009-03-11 08:15 d-------- c:\program files\James Patterson's Women's Murder Club - A Darker Shade of Grey
2009-03-10 18:22 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 18:22 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 18:22 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 18:22 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-10 18:21 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-02 21:42 . 2009-03-02 21:42 d-------- c:\users\Mary\AppData\Roaming\BrandX Games
2009-02-28 22:31 . 2009-02-28 22:31 d-------- c:\users\All Users\BigFish
2009-02-28 22:31 . 2009-02-28 22:31 d-------- c:\programdata\BigFish
,

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 00:55 --------- d-----w c:\users\Mary\AppData\Roaming\ComcastToolbar
2009-03-23 21:20 --------- d---a-w c:\programdata\TEMP
2009-03-23 21:18 --------- d-----w c:\program files\Mystery Case Files - Ravenhearst
2009-03-23 20:30 --------- d-----w c:\users\Mary\AppData\Roaming\WeatherBug
2009-03-23 01:29 --------- d-----w c:\program files\Trend Micro
2009-03-20 00:27 --------- d-----w c:\program files\Google
2009-03-12 00:58 --------- d-----w c:\program files\WildGames
2009-03-12 00:50 --------- d-----w c:\program files\MSN Games
2009-03-11 12:27 --------- d-----w c:\users\Mary\AppData\Roaming\Flood Light Games
2009-03-11 12:27 --------- d-----w c:\programdata\Flood Light Games
2009-03-11 07:05 --------- d-----w c:\programdata\Microsoft Help
2009-02-25 02:27 --------- d-----w c:\users\Mary\AppData\Roaming\WildTangent
2009-02-25 02:26 --------- d-----w c:\programdata\WildTangent
2009-02-20 20:17 --------- d-----w c:\users\Mary\AppData\Roaming\HSA
2009-02-20 12:32 --------- d-----w c:\programdata\GameHouse
2009-02-14 03:56 --------- d-----w c:\programdata\HoverBee Studios
2009-02-12 13:51 --------- d-----w c:\program files\AIM6
2009-02-12 13:50 --------- d-----w c:\programdata\Viewpoint
2009-02-12 13:50 --------- d-----w c:\programdata\acccore
2009-02-12 13:50 --------- d-----w c:\program files\Common Files\Software Update Utility
2009-02-12 13:48 --------- d-----w c:\programdata\AOL Downloads
2009-02-11 23:10 936,288 ----a-w c:\windows\System32\Incinerator.dll
2009-02-09 02:14 --------- d-----w c:\users\Mary\AppData\Roaming\Jetsetter
2009-01-31 03:49 --------- d-----w c:\users\Mary\AppData\Roaming\Island
2009-01-31 02:49 --------- d-----w c:\users\Mary\AppData\Roaming\RobinsonCrusoe
2009-01-31 02:40 --------- d-----w c:\program files\Adventures of Robinson Crusoe
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-07-19 00:40 174 --sha-w c:\program files\desktop.ini
2007-12-13 23:08 0 ----a-w c:\users\Mary\AppData\Roaming\wklnhst.dat
.
((((((((((((((((((((((((((((( [email protected]_22.52.14.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 00:11:50 6,438,912 ----a-w c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
- 2009-03-26 01:34:00 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-03-26 09:57:34 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
- 2009-03-26 02:37:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-26 09:53:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-26 02:37:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-26 09:53:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-26 02:50:52 262,144 ----a-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-03-26 09:56:17 262,144 ----a-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-03-26 02:51:08 262,144 ----a-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-03-26 09:56:10 262,144 ----a-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-03-26 01:30:46 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-27 00:11:31 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-26 01:30:46 32,768 ------w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-27 00:11:31 32,768 ------w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-26 01:30:46 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-27 00:11:31 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-26 02:31:25 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-03-27 00:12:22 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2009-03-26 02:37:05 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-03-26 09:57:56 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-03-26 02:40:00 10,694 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3586541812-533695731-4199019274-1000_UserData.bin
+ 2009-03-26 09:56:26 10,710 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3586541812-533695731-4199019274-1000_UserData.bin
- 2009-03-26 02:40:00 73,278 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-26 09:56:25 73,372 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-26 02:39:55 51,638 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-26 09:56:07 52,262 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-03-26 00:34:15 259,752 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-03-26 23:10:15 260,222 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-13 492808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"VundoFixTool"="c:\program files\VundoFixTool\VundoFixTool.exe" [2009-03-24 19451904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2009-02-11 314224]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-13 995528]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-13 492808]
c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-07 50688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3586541812-533695731-4199019274-1000]
"EnableNotificationsRef"=dword:00000002
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7F4889EC-579F-4D71-BC1B-ACE9ABEB4DC1}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{30D010D9-E843-48E6-83EB-2ED46FB6211B}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{D175FBC6-119E-4BAC-B7B0-A4946739773A}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{C7C5BC49-1135-49B3-AC17-01597EDD2642}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{35326614-FB84-42E7-BF60-5F936509910C}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{E25E7D60-921A-4539-8D75-1A1EA3F4CC93}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{B6C57DB6-A5B2-48E0-9ECF-FBF2147C5FCF}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{9E09E2AA-4AFA-4018-9F7E-A65A93C32D20}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{9092D829-87CB-41EC-B0F8-3E2BE9DD81B8}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{9B96259D-F91D-4360-8FD9-850741F16CC6}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{B73EF684-E652-4107-BC47-99763993A09E}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
"{898AAC2C-DBD2-40FB-B61B-D2BE8145D176}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
"{CCB12DA5-6F1C-4A95-AE49-2D18700E5B38}"= UDP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{DECEAC32-1BBE-4553-A413-3F1DDCF1368C}"= TCP:c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{C7AA985A-5D2F-4576-848B-A93E2DCB2E2A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{85D01A0F-A054-4324-A234-C72BBA3CF210}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{FEF1D0DD-9EDC-4906-89CB-97AFB12E19F0}"= UDP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{CD535AD3-67B9-446D-A3E4-A2D6E49396BC}"= TCP:c:\program files\Common Files\AOL\System Information\sinf.exe:AOL System Information
"{866044E7-7FAC-4076-BD99-0F5084694057}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{9180FD48-7387-489A-924E-BEEB225636B9}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{289800C0-E530-474A-A1E0-F817BCA96F2E}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{41F88FB0-2148-43C6-8658-BA36E8967025}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{E52E6BD5-FE5A-4ECA-BDFF-C75FB87A2681}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CB7355D1-1809-42C8-B009-94420BD70062}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{9A057361-D3C4-40B8-B280-8243DA722E0E}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{C2EC1CC5-F054-49FA-8B78-5BF4DD2738FE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0F2210C7-5EFE-466F-80ED-05938DAE4221}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6A8E1455-2A88-4EF3-B76D-D1501D9BB31E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{19B1BE35-B2F5-4887-B4F3-48B1407E4780}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0C2CDAC7-139F-416B-8E1E-09561D5C0983}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{FE5E8346-43E1-4945-B5CB-E7A59CFA2C45}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{123BCAF2-EA42-447C-9930-2B67591190C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D7D4F645-8AE3-480D-9981-D0C135D7DC3F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B35DADDE-B647-4CBA-BD43-09E926448E4D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AC93B261-6543-47D3-9B7A-86BDDE3A73AB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{98291DEC-E2A0-401E-B9A1-CE59642DF7DB}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{EF8ED2C2-A5BD-420E-940B-6F90B9CB085B}"= Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{94F7C70A-8D87-423F-93D5-9D659DAD7D43}"= UDP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{6719C64E-E781-4E84-A13F-77B6960CBAD0}"= TCP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{8155B286-8452-450C-9D3E-A11A2ADD3AAF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9DB4DD33-5831-4A88-8842-5F2112CADFC5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{919EC946-E465-425A-A0D7-3932482D6D64}"= UDP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exe:DriveScrubber 3
"{A44216C4-DF98-4A08-803F-5BADEE4914C6}"= TCP:c:\program files\iolo\System Mechanic Professional\DriveScrubber\DriveScrubber.exe:DriveScrubber 3
"{791E7A25-C7ED-438C-8E00-03C39A2AA1EC}"= UDP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"{0A82E8FF-B4FA-4B81-A2B4-EE2B6EFC7591}"= TCP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"{4EB7C6D7-F5FA-4C04-A064-F9CFBE9B0F2B}"= UDP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
"{77B5D989-46F3-4CEA-B105-9A408F5795C6}"= TCP:c:\program files\iolo\System Mechanic Professional\Search and Recover\SearchAndRecover.exe:Search and Recover
"{9CB1B822-24A0-47E6-BBFE-239B7A16632B}"= UDP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
"{75DFE27C-43F4-40C3-A66C-C80FEFBC04A9}"= TCP:c:\program files\iolo\System Mechanic Professional\SysMech.exe:System Mechanic Professional
"{90556DEB-23C8-4183-908B-F3E784C94954}"= UDP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger 
"{A7D5F094-3EE4-4540-9A8B-6D752808752F}"= TCP:c:\program files\Windows Live\Messenger\msnmsgr.exe:Windows Live Messenger 
"{B15FD292-C021-4385-92D6-82BA4C06E71F}"= Disabled:UDP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{5E5DB1EB-B1C8-4DD8-A285-EB4EEAA8F0F9}"= Disabled:TCP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{2E9E2649-60D6-4597-AD7A-AC31DBE5D83F}"= Disabled:c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{70F4D63B-9EB7-44BE-8316-CAB0C1536CEF}"= Disabled:UDP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{8F8B6735-C493-4DEB-BD0D-CA4652702BCE}"= Disabled:TCP:c:\program files\Spyware Doctor\pctsGui.exe:Spyware Doctor
"{5CB05E5B-D12B-444E-A87D-EF922193D54A}"= Disabled:UDP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
"{2D4B8DCC-A3BB-407C-AD4D-297EAEAB0513}"= Disabled:TCP:c:\program files\SpywareGuard\sgmain.exe:SpywareGuard
"{CC7DCEBD-DD82-40D6-92EB-38BF6645BC82}"= Disabled:UDP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
"{5613C2FD-9840-4C1A-831E-73715877A339}"= Disabled:TCP:c:\program files\SpywareGuard\sgliveupdate.exe:SpywareGuard LiveUpdate
"{9812BCE1-D6F9-4C50-812E-620FB6000DA0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A230A7F3-5617-4FE9-80DA-83871D49A375}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{46C8DB4B-F3C3-4F49-A1F0-02994D0706D6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3710AAC5-F10D-4B6C-A276-F72423F6FD19}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{ED47475A-1765-4DC1-93FF-FC36DFE14C0B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9D4A312A-3F91-4CD0-86C9-F516F9CCA80D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AAF5B073-7BE8-4D32-8735-A62DE90F72EE}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9D8D69B2-24A8-48F8-9B42-A71BF03811FF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A9411C03-217C-4F44-9AEE-8C577116C8DC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0E37C095-FC56-44AA-B246-E50CEAEAFE0E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{28DFEE7A-8E04-4BEE-A5E9-87B7346620B4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{03565B16-AB53-4E22-B571-9D3E9FD8AFCF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{DB98AAF7-0058-4355-B069-A249FA8159B8}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3C74B2C8-61D7-4797-A0BA-B6FF82106464}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8168BCE6-D599-4EF9-A266-1F9F9E059BA7}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)
R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [2008-05-11 12800]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2009-03-21 145424]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2007-12-07 73728]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-07-10 712048]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-21 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [2009-03-21 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-21 497008]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2009-03-26 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-21 677128]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2009-03-21 256528]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-15 24652]
R2 VundoFixToolSrv;VundoFixTool Scanning Engine;c:\program files\VundoFixTool\VundoFixTool.srv.exe [2009-03-24 315392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
2009-03-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
2008-01-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
2009-03-26 c:\windows\Tasks\User_Feed_Synchronization-{04FDB26F-EAC6-4E4E-A4A1-98E788060B08}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 03:33]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = actsvr.comcast:8100
Trusted Zone: internet
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 20:30:38
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ...

c:\users\Mary\AppData\Local\Temp\catchme.dll 53248 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
Completion time: 2009-03-26 20:42:05
ComboFix-quarantined-files.txt 2009-03-27 00:41:48
ComboFix2.txt 2009-03-26 02:54:39
Pre-Run: 95,515,959,296 bytes free
Post-Run: 97,931,313,152 bytes free
348 --- E O F --- 2009-03-15 07:28:01


----------



## Jonesiegirl (Apr 4, 2003)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:42 PM, on 3/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12053 bytes


----------



## Jonesiegirl (Apr 4, 2003)

She's running malwarebytes right now. :up:


----------



## Jonesiegirl (Apr 4, 2003)

Karen, you want a full scan of malwarebytes, right?


----------



## Cookiegal (Aug 27, 2003)

Yes, if it will complete. Otherwise, she can do the quick scan.


----------



## Jonesiegirl (Apr 4, 2003)

She chose the full scan, which is still running.


----------



## Cookiegal (Aug 27, 2003)

Since I'm signing off for the night, I'll leave more instructions for you that you can do after running MalwareBytes and I will review tomorrow.

Also, please don't forget to do this:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.

Download *OTScanIt2.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt2* on your desktop.

Close any open browsers.
Open the *OTScanit2* folder and double-click on *OTScanit2.exe* to start the program.
If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
In the *Processes* group click *ALL*
In the *Services* group click *Safe List*
In the *Drivers* group click *Safe List*
In the *Registry* group click *ALL*
In the *Rootkit Search* group select *YES*
In the *Files Age* drop-down box click *60 days*
Make sure the *Use White List* and *Include All Unicode Names* boxes are checked
In the *Files Created* and *Files Modified* groups select *Whitelist/File age*
In the *Additional scans* section select *Everything* and make sure the *Safe List* box is checked
Now on the toolbar at the top select "Scan all users", then click the *Run Scan* button
The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete, Notepad will open with the report file loaded in it.
Save that Notepad file.
Use the *Reply* button and *upload the Notepad file here as an attachment*. If it's too large, you will have to zip it to upload it.


----------



## Cookiegal (Aug 27, 2003)

Also, please find out what the D drive is. Is it an external or flash drive?


----------



## Jonesiegirl (Apr 4, 2003)

Ok, Karen. We'll get that taken care of and I'll post it here. 

Thank you so much for everything. See you tomorrow. 

Sleep sweetly.


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> Also, please find out what the D drive is. Is it an external or flash drive?


Ok.


----------



## Cookiegal (Aug 27, 2003)

OK, goodnight.


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> Also, please find out what the D drive is. Is it an external or flash drive?


D says recovery.


----------



## Jonesiegirl (Apr 4, 2003)

I'm still waiting for the new HJT log, as well as the OTScanIt notepad log. 

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 6.0.6001 Service Pack 1

3/26/2009 11:44:04 PM
mbam-log-2009-03-26 (23-43-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 207107
Time elapsed: 2 hour(s), 36 minute(s), 36 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 15

Memory Processes Infected:
C:\Program Files\VundoFixTool\VundoFixTool.exe (Fake.VundoFixTool) -> No action taken.
C:\Program Files\VundoFixTool\VundoFixTool.srv.exe (Fake.VundoFixTool) -> No action taken.

Memory Modules Infected:
C:\Program Files\VundoFixTool\SpyCleaner.dll (Rogue.SpyCleaner) -> No action taken.
C:\Program Files\VundoFixTool\TCL.dll (Fake.VundoFixTool) -> No action taken.
C:\Program Files\VundoFixTool\zlib.dll (Fake.VundoFixTool) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vundofixtoolsrv (Fake.VundoFixTool) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vundofixtoolsrv (Fake.VundoFixTool) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vundofixtoolsrv (Fake.VundoFixTool) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\HDExtrem (Trojan.DNSChanger) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HDExtrem (Trojan.DNSChanger) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\VundoFixTool (Fake.VundoFixTool) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vundofixtool (Fake.VundoFixTool) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\VundoFixTool (Fake.VundoFixTool) -> No action taken.
C:\Users\Mary\AppData\Roaming\VundoFixTool (Fake.VundoFixTool) -> No action taken.
C:\Users\Mary\AppData\Roaming\VundoFixTool\Log (Fake.VundoFixTool) -> No action taken.
C:\Users\Mary\AppData\Roaming\VundoFixTool\Settings (Fake.VundoFixTool) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VundoFixTool (Fake.VundoFixTool) -> No action taken.
C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDExtrem (Trojan.DNSChanger) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDExtrem (Trojan.DNSChanger) -> No action taken.
C:\Program Files\HDExtrem (Trojan.DNSChanger) -> No action taken.

Files Infected:
C:\Program Files\VundoFixTool\SpyCleaner.dll (Rogue.SpyCleaner) -> No action taken.
C:\Windows\Installer\{70A63A65-804D-45ED-9CDD-C504EEC68467}\Icon.exe (FakeVundoFixTool) -> No action taken.
C:\Program Files\VundoFixTool\DataBase.ref (Fake.VundoFixTool) -> No action taken.
C:\Program Files\VundoFixTool\TCL.dll (Fake.VundoFixTool) -> No action taken.
C:\Program Files\VundoFixTool\vistaCPtasks.xml (Fake.VundoFixTool) -> No action taken.
C:\Program Files\VundoFixTool\VundoFixTool.exe (Fake.VundoFixTool) -> No action taken.
C:\Program Files\VundoFixTool\VundoFixTool.srv.exe (Fake.VundoFixTool) -> No action taken.
C:\Program Files\VundoFixTool\VundoFixTool.url (Fake.VundoFixTool) -> No action taken.
C:\Program Files\VundoFixTool\zlib.dll (Fake.VundoFixTool) -> No action taken.
C:\Users\Mary\AppData\Roaming\VundoFixTool\Log\2009 Mar 26 - 08_51_23 PM_001.log (Fake.VundoFixTool) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VundoFixTool\VundoFixTool on the Web.lnk (Fake.VundoFixTool) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VundoFixTool\VundoFixTool.lnk (Fake.VundoFixTool) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDExtrem\Uninstall.lnk (Trojan.DNSChanger) -> No action taken.
C:\Users\Public\Desktop\VundoFixTool.lnk (Fake.VundoFixTool) -> No action taken.
C:\Windows\Tasks\VundoFixTool Scheduled Scan.job (Fake.VundoFixTool) -> No action taken.


----------
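
The first MBAM log above lists every item as "No action taken", and the threat names point to one rogue antispyware product (Fake.VundoFixTool / Rogue.SpyCleaner) plus a Trojan.DNSChanger entry under HDExtrem. As an added example that is not part of the original thread (and not Malwarebytes code), the Python script below parses that log layout and pulls out what matters most for cleanup: how the rogue keeps itself running (a Windows service, an HKCU Run value and a Scheduled Tasks .job) and whether anything was actually removed. The log embedded in it is a constructed subset of the findings posted above.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example, not code from the thread or from Malwarebytes. It parses the
layout shown in the posted log: a section header such as
'Registry Keys Infected:' followed by one line per finding in the form
'<item> (<threat name>) -> <action>'. Findings are grouped by threat, the
entries that act as persistence mechanisms are picked out, and anything
still marked 'No action taken' is reported.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few findings copied from the log posted above. The
# rest of a real log is handled identically.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Program Files\VundoFixTool\VundoFixTool.exe (Fake.VundoFixTool) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vundofixtoolsrv (Fake.VundoFixTool) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\HDExtrem (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vundofixtool (Fake.VundoFixTool) -> No action taken.

Files Infected:
C:\Windows\Tasks\VundoFixTool Scheduled Scan.job (Fake.VundoFixTool) -> No action taken.
C:\Users\Public\Desktop\VundoFixTool.lnk (Fake.VundoFixTool) -> No action taken.
"""

SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.*) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Finding:
    section: str
    item: str
    threat: str
    action: str


def parse_mbam_log(text):
    """Return one Finding per detection line, tagged with its section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                      # summary counts ('... Infected: 6') do not match
            section = m["section"]
            continue
        m = ITEM_RE.match(line)
        if m and section:          # '(No malicious items detected)' does not match
            findings.append(Finding(section, m["item"], m["threat"], m["action"]))
    return findings


def persistence_mechanism(item):
    """Classify a registry or file path by how it would relaunch the malware."""
    low = item.lower()
    if "\\services\\" in low:
        return "service"
    if "\\currentversion\\run" in low:          # Run and RunOnce keys
        return "run key"
    if low.endswith(".job"):                    # legacy Task Scheduler job
        return "scheduled task"
    if "\\start menu\\programs\\startup" in low:
        return "startup folder"
    return None


def triage(findings):
    """Counts per threat, the persistence entries, and whatever is unremoved."""
    by_threat = Counter(f.threat for f in findings)
    persistence = sorted(
        (persistence_mechanism(f.item), f.item)
        for f in findings if persistence_mechanism(f.item)
    )
    # 'No action taken' means the log was saved before 'Remove Selected' was
    # clicked: the scan found these items but nothing has been cleaned yet.
    unremoved = [f for f in findings if f.action.startswith("No action taken")]
    return by_threat, persistence, unremoved


if __name__ == "__main__":
    by_threat, persistence, unremoved = triage(parse_mbam_log(SAMPLE_LOG))
    for threat, n in by_threat.most_common():
        print(f"{n:3d}  {threat}")
    for mechanism, item in persistence:
        print(f"persistence via {mechanism}: {item}")
    print(f"{len(unremoved)} finding(s) still marked 'No action taken'")
```

To use it on a saved mbam-log-*.txt, read the file's contents into the call to `parse_mbam_log` in place of `SAMPLE_LOG`. If every finding still reads "No action taken", the log was written before removal and the machine has not been cleaned yet, which is why a second scan afterwards is the real test.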



## Jonesiegirl (Apr 4, 2003)

Here's the OTScanIt log.


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


Does this list look right to you? 

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
80s Game With Martha Quinn
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Adventures of Robinson Crusoe
AIM 6
Amazing Adventures Around The World
AOL Install
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI PCI Express (3GIO) Filter Driver
Banctec Service Agreement
Big Fish Games Client
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
Catalyst Control Center - Branding
CCScore
Comcast Toolbar
Conexant HDA D330 MDC V.92 Modem
CSI-Hard Evidence Demo
CuteFTP 8 Home
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center
Dell Wireless WLAN Card
Detective Stories: Hollywood
Digital Line Detect
Download Updater (AOL LLC)
Dr. Lynch: Grave Secrets
EarthLink Setup Files
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
FTP Commander Pro
Guitar Pro 5.2
Haunted Hotel II: Believe the Lies
HDExtrem
HDView for Internet Explorer
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Infinite Crosswords
Internet Service Offers Launcher
Interpol 2 Most Wanted
iolo technologies' System Mechanic Professional
iTunes
James Patterson's Women's Murder Club: A Darker Shade of Grey
Java(TM) SE Runtime Environment 6
kgcbase
Kodak EasyShare software
KSU
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
MediaDirect
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Diagnostic Tool
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Music, Photos & Videos Launcher
Mystery Case Files: Huntsville ™
Mystery Case Files: Madame Fate 
Mystery Case Files: Ravenhearst ™
Mystery Case Files: Return to Ravenhearst ™
Mystery Chronicles: Murder Among Friends
Mystery Legends: Sleepy Hollow
Mystery P.I. - The New York Fortune
Mystery PI
Mystery PI - The NY Fortune
Mystery PI The Vegas Heist
netbrdg
NetWaiting
NetZeroInstallers
Nocturnal: Boston Nightfall ™
Notifier
OfotoXMI
OutlookAddinSetup
Picasa 2
Product Documentation Launcher
QuickSet
QuickTime
Redrum 
Righteous Kill
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
RTC Client API v1.2
Safari
Samantha Swift and the Hidden Roses of Athena
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
SFR
SHASTA
skin0001
SKINXSDK
Smart Menus (Windows Live Toolbar)
SmartFTP Client
SmartFTP Client 3.0 Setup Files (remove only)
Sonic Activation Module
staticcr
TEFView 2.62
Terayon DOCSIS Modem
Tiks Texas Hold em
tooltips
Trend Micro Internet Security Pro
Trend Micro Internet Security Pro
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
User's Guides
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
VundoFixTool
WeatherBug
WildTangent Games
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
WIRELESS
Womens Murder Club
Yahoo! Music Jukebox


----------



## Jonesiegirl (Apr 4, 2003)

After reading a ton of threads in here today, I had Mary run MBAM again. Log is clean.  



Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 6.0.6001 Service Pack 1
3/27/2009 5:46:18 PM
mbam-log-2009-03-27 (17-46-18).txt
Scan type: Quick Scan
Objects scanned: 64351
Time elapsed: 9 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## Cookiegal (Aug 27, 2003)

Yes, that was the proper uninstall list.

Go to Control Panel - Add or Remove Programs and remove:

*HDExtrem*
*Viewpoint Media Player*
*VundoFixTool*
*WeatherBug*

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Processes - All]
YY -> vundofixtool.srv.exe -> %ProgramFiles%\VundoFixTool\VundoFixTool.srv.exe
[Win32 Services - Safe List]
YN -> (McShield) McAfee Real-time Scanner [Win32_Own | Unknown | Stopped] -> 
YN -> (McSysmon) McAfee SystemGuards [Win32_Own | On_Demand | Stopped] -> 
YY -> (VundoFixToolSrv) VundoFixTool Scanning Engine [Win32_Own | Auto | Running] -> %ProgramFiles%\VundoFixTool\VundoFixTool.srv.exe
[Registry - All]
< HOSTS File > (1083 bytes and 27 lines) -> C:\Windows\System32\drivers\etc\Hosts
YN -> Reset Hosts -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKLM] -> %ProgramFiles%\Dell\BAE\BAE.dll [CBrowserHelperObject Object]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "VundoFixTool" -> %ProgramFiles%\VundoFixTool\VundoFixTool.exe [C:\Program Files\VundoFixTool\VundoFixTool.exe -boot]
< Run [HKEY_USERS\S-1-5-21-3586541812-533695731-4199019274-1000\] > -> HKEY_USERS\S-1-5-21-3586541812-533695731-4199019274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "VundoFixTool" -> %ProgramFiles%\VundoFixTool\VundoFixTool.exe [C:\Program Files\VundoFixTool\VundoFixTool.exe -boot]
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3586541812-533695731-4199019274-1000\] > -> HKEY_USERS\S-1-5-21-3586541812-533695731-4199019274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> internet .[about] -> Trusted sites
[Files/Folders - Created Within 60 Days]
NY -> VundoFixTool Scheduled Scan.job -> %SystemRoot%\tasks\VundoFixTool Scheduled Scan.job
NY -> VundoFixTool.lnk -> %SystemDrive%\Users\Public\Desktop\VundoFixTool.lnk
NY -> VundoFixTool -> %ProgramFiles%\VundoFixTool
NY -> HDExtrem -> %ProgramFiles%\HDExtrem
[Files/Folders - Modified Within 60 Days]
NY -> VundoFixTool Scheduled Scan.job -> %SystemRoot%\tasks\VundoFixTool Scheduled Scan.job
NY -> VundoFixTool.lnk -> %SystemDrive%\Users\Public\Desktop\VundoFixTool.lnk
[Alternate Data Streams]
NY -> @Alternate Data Stream - 0 bytes -> %AllUsersProfile%\TEMP:4673E9EA
NY -> @Alternate Data Stream - 100 bytes -> %AllUsersProfile%\TEMP:27D1368B
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:3E69E337
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:50497812
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:92A815D8
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:B904C348
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:CB16385F
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\TEMP:F3EFA8A8
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersProfile%\TEMP:4CF76F21
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\TEMP:7A2A588D
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\TEMP:876B6C70
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersProfile%\TEMP:9BB9DCC9
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:2FCCEABB
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:337FC984
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:8160BC44
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:B2CD146E
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersProfile%\TEMP:FFFCB9A9
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersProfile%\TEMP:13FB6DB8
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersProfile%\TEMP:4FE30352
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersProfile%\TEMP:95970EA3
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersProfile%\TEMP:F33C37D5
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersProfile%\TEMP:315B4A13
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersProfile%\TEMP:61F0C8FB
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersProfile%\TEMP:DFC5A2B2
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:73933431
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\TEMP:D1B17966
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:5A5B3ADB
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:78E0DF72
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:ACECBBFF
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:B6FD7157
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:C3A4217C
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:CEF2A14E
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\TEMP:1B927722
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\TEMP:7972CF54
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\TEMP:8BA6C9F8
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\TEMP:A4F63AED
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\TEMP:ED810E46
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:090FB735
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:53DF59D1
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:5B85C37B
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersProfile%\TEMP:C46995DA
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:3B812EE0
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:51E1A4D8
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:614F17D3
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\TEMP:8999FD56
NY -> @Alternate Data Stream - 116 bytes -> %AllUsersProfile%\TEMP:2361E235
NY -> @Alternate Data Stream - 116 bytes -> %AllUsersProfile%\TEMP:D46ECFD5
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:0CE0AE44
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:5A0DD071
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:620EC79A
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:77A023CE
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:7B52659E
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:90D89144
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersProfile%\TEMP:98DFF516
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:20767002
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:3E06C78F
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:63CFD724
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:9ACB70D7
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:A7DA2BCD
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\TEMP:B2735F9E
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:0879ECE9
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:2871B698
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:5F1019FF
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\TEMP:F321F01E
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:00D5EBC2
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:DA9A5EA8
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:E5294695
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\TEMP:FD537E5A
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:2ED10FD7
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:3C3DE159
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:918B7566
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:B894C266
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersProfile%\TEMP:BDD9C638
NY -> @Alternate Data Stream - 122 bytes -> %AllUsersProfile%\TEMP:2320420B
NY -> @Alternate Data Stream - 122 bytes -> %AllUsersProfile%\TEMP:E8B5993B
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:213AFE42
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:22313216
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:389D51A1
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:41B3EF33
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:54997B77
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:560D46AC
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:89117BDE
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\TEMP:FDDD8917
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersProfile%\TEMP:85C3B823
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\TEMP:225CD7D5
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\TEMP:3539CD43
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\TEMP:83E716F0
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\TEMP:90865A6D
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:2F6462DF
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:4A6D00A6
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:5856B2C0
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersProfile%\TEMP:813B8EB6
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\TEMP:4CD2D817
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersProfile%\TEMP:FF981A7F
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\TEMP:9398DBB4
NY -> @Alternate Data Stream - 129 bytes -> %AllUsersProfile%\TEMP:848CC150
NY -> @Alternate Data Stream - 129 bytes -> %AllUsersProfile%\TEMP:9B0F9E15
NY -> @Alternate Data Stream - 129 bytes -> %AllUsersProfile%\TEMP:BDCD8531
NY -> @Alternate Data Stream - 131 bytes -> %AllUsersProfile%\TEMP:6FDD5C6E
NY -> @Alternate Data Stream - 160 bytes -> %AllUsersProfile%\TEMP:13B137AF
NY -> @Alternate Data Stream - 166 bytes -> %AllUsersProfile%\TEMP:B156F3F2
NY -> @Alternate Data Stream - 169 bytes -> %AllUsersProfile%\TEMP:864A52B8
NY -> @Alternate Data Stream - 173 bytes -> %AllUsersProfile%\TEMP:72E546C1
NY -> @Alternate Data Stream - 174 bytes -> %AllUsersProfile%\TEMP:2FAFBD6A
NY -> @Alternate Data Stream - 183 bytes -> %AllUsersProfile%\TEMP:05113FB9
NY -> @Alternate Data Stream - 194 bytes -> %AllUsersProfile%\TEMP:0E684AC9
NY -> @Alternate Data Stream - 197 bytes -> %AllUsersProfile%\TEMP:3C282BEA
NY -> @Alternate Data Stream - 211 bytes -> %AllUsersProfile%\TEMP:260575F1
NY -> @Alternate Data Stream - 211 bytes -> %AllUsersProfile%\TEMP:C8E82994
NY -> @Alternate Data Stream - 214 bytes -> %AllUsersProfile%\TEMP:C22674B6
NY -> @Alternate Data Stream - 216 bytes -> %AllUsersProfile%\TEMP:561B1D2B
NY -> @Alternate Data Stream - 219 bytes -> %AllUsersProfile%\TEMP:52641FBE
NY -> @Alternate Data Stream - 221 bytes -> %AllUsersProfile%\TEMP:6425A235
NY -> @Alternate Data Stream - 222 bytes -> %AllUsersProfile%\TEMP:072F1F69
NY -> @Alternate Data Stream - 224 bytes -> %AllUsersProfile%\TEMP:2BC498A4
NY -> @Alternate Data Stream - 224 bytes -> %AllUsersProfile%\TEMP:5C6EBC69
NY -> @Alternate Data Stream - 226 bytes -> %AllUsersProfile%\TEMP:D31BE97C
NY -> @Alternate Data Stream - 94 bytes -> %AllUsersProfile%\TEMP:E0F561FE
NY -> @Alternate Data Stream - 95 bytes -> %AllUsersProfile%\TEMP:54D5DB8A
NY -> @Alternate Data Stream - 95 bytes -> %AllUsersProfile%\TEMP:7881FECE
NY -> @Alternate Data Stream - 95 bytes -> %AllUsersProfile%\TEMP:7D3DC77E
NY -> @Alternate Data Stream - 96 bytes -> %AllUsersProfile%\TEMP:5D351BC6
NY -> @Alternate Data Stream - 96 bytes -> %AllUsersProfile%\TEMP:A3E01678
NY -> @Alternate Data Stream - 97 bytes -> %AllUsersProfile%\TEMP:14520962
NY -> @Alternate Data Stream - 97 bytes -> %AllUsersProfile%\TEMP:182786D9
NY -> @Alternate Data Stream - 97 bytes -> %AllUsersProfile%\TEMP:1E5E0A4D
NY -> @Alternate Data Stream - 97 bytes -> %AllUsersProfile%\TEMP:2E49D185
NY -> @Alternate Data Stream - 97 bytes -> %AllUsersProfile%\TEMP:8140CB50
NY -> @Alternate Data Stream - 97 bytes -> %AllUsersProfile%\TEMP:AD2AB6E9
NY -> @Alternate Data Stream - 98 bytes -> %AllUsersProfile%\TEMP:2C22C34B
NY -> @Alternate Data Stream - 98 bytes -> %AllUsersProfile%\TEMP:EFCCC46E
NY -> @Alternate Data Stream - 99 bytes -> %AllUsersProfile%\TEMP:C17FCA88
NY -> @Alternate Data Stream - 99 bytes -> %AllUsersProfile%\TEMP:D5E5CFEC
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------
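
The fix script above asks OTScanIt to kill the rogue's process and service, remove its Run values, shortcuts and scheduled task, delete well over a hundred alternate data streams attached to C:\ProgramData\TEMP, and reset the HOSTS file. The result log posted in the next reply reports one line per action, and almost all of them read "deleted successfully" or "not found"; the "not found" lines are the expected result of the Add or Remove Programs step and the earlier MBAM cleanup. As an added example that is not part of the original thread (and not OTScanIt code), the Python script below reconciles such a log: it counts outcomes per section and returns the lines that still need a human, which for the posted log is the single "Unable to update HOSTS file!" (the log does not say why; given the Trojan.DNSChanger detection earlier in the thread, C:\Windows\System32\drivers\etc\hosts is worth a manual look). The log embedded in it is a constructed subset of the posted one.

```python
"""Reconcile an OTScanIt 'Run Fix' result log.

Added example, not code from the thread or from the OTScanIt project. A fix
log has one result line per action, grouped under the same bracketed
section names the fix script uses ('[Registry - All]',
'[Alternate Data Streams]', ...). Reading 150 near-identical lines by eye
makes it easy to miss the one action that failed, so this script classifies
every line, totals the outcomes per section and returns the exceptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines copied from the posted fix log.
SAMPLE_FIX_LOG = r"""
Process Explorer.EXE killed successfully!
[Processes - All]
No active process named vundofixtool.srv.exe was found!
File C:\Program Files\VundoFixTool\VundoFixTool.srv.exe not found.
[Win32 Services - Safe List]
Service McSysmon stopped successfully!
No service named VundoFixToolSrv was found to delete!
[Registry - All]
Unable to update HOSTS file!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ deleted successfully.
[Alternate Data Streams]
ADS C:\ProgramData\TEMP:4673E9EA deleted successfully.
ADS C:\ProgramData\TEMP:27D1368B deleted successfully.
"""

SECTION_RE = re.compile(r"^\[(?P<name>.+)\]$")
# 'No service named X was found to stop!', 'File X not found.', ...
ABSENT_RE = re.compile(r"^No .* was found| not found[.!]?$")


def classify(line):
    """done: the tool changed something; absent: nothing there to change
    (expected when an uninstall or an earlier scan already removed it);
    failed: the tool tried and could not; unknown: anything unrecognised."""
    if "successfully" in line:
        return "done"
    if ABSENT_RE.search(line):
        return "absent"
    if line.startswith("Unable to"):
        return "failed"
    return "unknown"


def reconcile(log_text):
    """Return (overall counts, counts per section, lines needing review)."""
    outcomes = Counter()
    per_section = defaultdict(Counter)
    needs_review = []
    section = "(preamble)"            # lines before the first [section]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        outcome = classify(line)
        outcomes[outcome] += 1
        per_section[section][outcome] += 1
        if outcome in ("failed", "unknown"):
            needs_review.append((section, line))
    return outcomes, dict(per_section), needs_review


if __name__ == "__main__":
    outcomes, per_section, needs_review = reconcile(SAMPLE_FIX_LOG)
    for name, counts in per_section.items():
        print(f"{name:28s} {dict(counts)}")
    print("total:", dict(outcomes))
    for section, line in needs_review:
        print(f"REVIEW [{section}] {line}")
```

Anything classified as "unknown" is also returned for review rather than silently counted, so a result format the script has not seen cannot hide a failure.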



## Jonesiegirl (Apr 4, 2003)

Process Explorer.EXE killed successfully!
[Processes - All]
No active process named vundofixtool.srv.exe was found!
File C:\Program Files\VundoFixTool\VundoFixTool.srv.exe not found.
[Win32 Services - Safe List]
No service named McShield was found to stop!
Service McSysmon stopped successfully!
No service named VundoFixToolSrv was found to stop!
No service named VundoFixToolSrv was found to delete!
File C:\Program Files\VundoFixTool\VundoFixTool.srv.exe not found.
[Registry - All]
Unable to update HOSTS file!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VundoFixTool not found.
File C:\Program Files\VundoFixTool\VundoFixTool.exe not found.
Registry value HKEY_USERS\S-1-5-21-3586541812-533695731-4199019274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VundoFixTool not found.
File C:\Program Files\VundoFixTool\VundoFixTool.exe not found.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet not found.
[Files/Folders - Created Within 60 Days]
File C:\Windows\tasks\VundoFixTool Scheduled Scan.job not found!
File C:\Users\Public\Desktop\VundoFixTool.lnk not found!
File C:\Program Files\VundoFixTool not found!
File C:\Program Files\HDExtrem not found!
[Files/Folders - Modified Within 60 Days]
File C:\Windows\tasks\VundoFixTool Scheduled Scan.job not found!
File C:\Users\Public\Desktop\VundoFixTool.lnk not found!
[Alternate Data Streams]
ADS C:\ProgramData\TEMP:4673E9EA deleted successfully.
ADS C:\ProgramData\TEMP:27D1368B deleted successfully.
ADS C:\ProgramData\TEMP:3E69E337 deleted successfully.
ADS C:\ProgramData\TEMP:50497812 deleted successfully.
ADS C:\ProgramData\TEMP:92A815D8 deleted successfully.
ADS C:\ProgramData\TEMP:B904C348 deleted successfully.
ADS C:\ProgramData\TEMP:CB16385F deleted successfully.
ADS C:\ProgramData\TEMP:F3EFA8A8 deleted successfully.
ADS C:\ProgramData\TEMP:4CF76F21 deleted successfully.
ADS C:\ProgramData\TEMP:7A2A588D deleted successfully.
ADS C:\ProgramData\TEMP:876B6C70 deleted successfully.
ADS C:\ProgramData\TEMP:9BB9DCC9 deleted successfully.
ADS C:\ProgramData\TEMP:2FCCEABB deleted successfully.
ADS C:\ProgramData\TEMP:337FC984 deleted successfully.
ADS C:\ProgramData\TEMP:8160BC44 deleted successfully.
ADS C:\ProgramData\TEMP:B2CD146E deleted successfully.
ADS C:\ProgramData\TEMP:FFFCB9A9 deleted successfully.
ADS C:\ProgramData\TEMP:13FB6DB8 deleted successfully.
ADS C:\ProgramData\TEMP:4FE30352 deleted successfully.
ADS C:\ProgramData\TEMP:95970EA3 deleted successfully.
ADS C:\ProgramData\TEMP:F33C37D5 deleted successfully.
ADS C:\ProgramData\TEMP:315B4A13 deleted successfully.
ADS C:\ProgramData\TEMP:61F0C8FB deleted successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:73933431 deleted successfully.
ADS C:\ProgramData\TEMP:D1B17966 deleted successfully.
ADS C:\ProgramData\TEMP:5A5B3ADB deleted successfully.
ADS C:\ProgramData\TEMP:78E0DF72 deleted successfully.
ADS C:\ProgramData\TEMP:ACECBBFF deleted successfully.
ADS C:\ProgramData\TEMP:B6FD7157 deleted successfully.
ADS C:\ProgramData\TEMP:C3A4217C deleted successfully.
ADS C:\ProgramData\TEMP:CEF2A14E deleted successfully.
ADS C:\ProgramData\TEMP:1B927722 deleted successfully.
ADS C:\ProgramData\TEMP:7972CF54 deleted successfully.
ADS C:\ProgramData\TEMP:8BA6C9F8 deleted successfully.
ADS C:\ProgramData\TEMP:A4F63AED deleted successfully.
ADS C:\ProgramData\TEMP:ED810E46 deleted successfully.
ADS C:\ProgramData\TEMP:090FB735 deleted successfully.
ADS C:\ProgramData\TEMP:53DF59D1 deleted successfully.
ADS C:\ProgramData\TEMP:5B85C37B deleted successfully.
ADS C:\ProgramData\TEMP:C46995DA deleted successfully.
ADS C:\ProgramData\TEMP:3B812EE0 deleted successfully.
ADS C:\ProgramData\TEMP:51E1A4D8 deleted successfully.
ADS C:\ProgramData\TEMP:614F17D3 deleted successfully.
ADS C:\ProgramData\TEMP:8999FD56 deleted successfully.
ADS C:\ProgramData\TEMP:2361E235 deleted successfully.
ADS C:\ProgramData\TEMP:D46ECFD5 deleted successfully.
ADS C:\ProgramData\TEMP:0CE0AE44 deleted successfully.
ADS C:\ProgramData\TEMP:5A0DD071 deleted successfully.
ADS C:\ProgramData\TEMP:620EC79A deleted successfully.
ADS C:\ProgramData\TEMP:77A023CE deleted successfully.
ADS C:\ProgramData\TEMP:7B52659E deleted successfully.
ADS C:\ProgramData\TEMP:90D89144 deleted successfully.
ADS C:\ProgramData\TEMP:98DFF516 deleted successfully.
ADS C:\ProgramData\TEMP:20767002 deleted successfully.
ADS C:\ProgramData\TEMP:3E06C78F deleted successfully.
ADS C:\ProgramData\TEMP:63CFD724 deleted successfully.
ADS C:\ProgramData\TEMP:9ACB70D7 deleted successfully.
ADS C:\ProgramData\TEMP:A7DA2BCD deleted successfully.
ADS C:\ProgramData\TEMP:B2735F9E deleted successfully.
ADS C:\ProgramData\TEMP:0879ECE9 deleted successfully.
ADS C:\ProgramData\TEMP:2871B698 deleted successfully.
ADS C:\ProgramData\TEMP:5F1019FF deleted successfully.
ADS C:\ProgramData\TEMP:F321F01E deleted successfully.
ADS C:\ProgramData\TEMP:00D5EBC2 deleted successfully.
ADS C:\ProgramData\TEMP:DA9A5EA8 deleted successfully.
ADS C:\ProgramData\TEMP:E5294695 deleted successfully.
ADS C:\ProgramData\TEMP:FD537E5A deleted successfully.
ADS C:\ProgramData\TEMP:2ED10FD7 deleted successfully.
ADS C:\ProgramData\TEMP:3C3DE159 deleted successfully.
ADS C:\ProgramData\TEMP:918B7566 deleted successfully.
ADS C:\ProgramData\TEMP:B894C266 deleted successfully.
ADS C:\ProgramData\TEMP:BDD9C638 deleted successfully.
ADS C:\ProgramData\TEMP:2320420B deleted successfully.
ADS C:\ProgramData\TEMP:E8B5993B deleted successfully.
ADS C:\ProgramData\TEMP:213AFE42 deleted successfully.
ADS C:\ProgramData\TEMP:22313216 deleted successfully.
ADS C:\ProgramData\TEMP:389D51A1 deleted successfully.
ADS C:\ProgramData\TEMP:41B3EF33 deleted successfully.
ADS C:\ProgramData\TEMP:54997B77 deleted successfully.
ADS C:\ProgramData\TEMP:560D46AC deleted successfully.
ADS C:\ProgramData\TEMP:89117BDE deleted successfully.
ADS C:\ProgramData\TEMP:FDDD8917 deleted successfully.
ADS C:\ProgramData\TEMP:85C3B823 deleted successfully.
ADS C:\ProgramData\TEMP:225CD7D5 deleted successfully.
ADS C:\ProgramData\TEMP:3539CD43 deleted successfully.
ADS C:\ProgramData\TEMP:83E716F0 deleted successfully.
ADS C:\ProgramData\TEMP:90865A6D deleted successfully.
ADS C:\ProgramData\TEMP:2F6462DF deleted successfully.
ADS C:\ProgramData\TEMP:4A6D00A6 deleted successfully.
ADS C:\ProgramData\TEMP:5856B2C0 deleted successfully.
ADS C:\ProgramData\TEMP:813B8EB6 deleted successfully.
ADS C:\ProgramData\TEMP:4CD2D817 deleted successfully.
ADS C:\ProgramData\TEMP:FF981A7F deleted successfully.
ADS C:\ProgramData\TEMP:9398DBB4 deleted successfully.
ADS C:\ProgramData\TEMP:848CC150 deleted successfully.
ADS C:\ProgramData\TEMP:9B0F9E15 deleted successfully.
ADS C:\ProgramData\TEMP:BDCD8531 deleted successfully.
ADS C:\ProgramData\TEMP:6FDD5C6E deleted successfully.
ADS C:\ProgramData\TEMP:13B137AF deleted successfully.
ADS C:\ProgramData\TEMP:B156F3F2 deleted successfully.
ADS C:\ProgramData\TEMP:864A52B8 deleted successfully.
ADS C:\ProgramData\TEMP:72E546C1 deleted successfully.
ADS C:\ProgramData\TEMP:2FAFBD6A deleted successfully.
ADS C:\ProgramData\TEMP:05113FB9 deleted successfully.
ADS C:\ProgramData\TEMP:0E684AC9 deleted successfully.
ADS C:\ProgramData\TEMP:3C282BEA deleted successfully.
ADS C:\ProgramData\TEMP:260575F1 deleted successfully.
ADS C:\ProgramData\TEMP:C8E82994 deleted successfully.
ADS C:\ProgramData\TEMP:C22674B6 deleted successfully.
ADS C:\ProgramData\TEMP:561B1D2B deleted successfully.
ADS C:\ProgramData\TEMP:52641FBE deleted successfully.
ADS C:\ProgramData\TEMP:6425A235 deleted successfully.
ADS C:\ProgramData\TEMP:072F1F69 deleted successfully.
ADS C:\ProgramData\TEMP:2BC498A4 deleted successfully.
ADS C:\ProgramData\TEMP:5C6EBC69 deleted successfully.
ADS C:\ProgramData\TEMP:D31BE97C deleted successfully.
ADS C:\ProgramData\TEMP:E0F561FE deleted successfully.
ADS C:\ProgramData\TEMP:54D5DB8A deleted successfully.
ADS C:\ProgramData\TEMP:7881FECE deleted successfully.
ADS C:\ProgramData\TEMP:7D3DC77E deleted successfully.
ADS C:\ProgramData\TEMP:5D351BC6 deleted successfully.
ADS C:\ProgramData\TEMP:A3E01678 deleted successfully.
ADS C:\ProgramData\TEMP:14520962 deleted successfully.
ADS C:\ProgramData\TEMP:182786D9 deleted successfully.
ADS C:\ProgramData\TEMP:1E5E0A4D deleted successfully.
ADS C:\ProgramData\TEMP:2E49D185 deleted successfully.
ADS C:\ProgramData\TEMP:8140CB50 deleted successfully.
ADS C:\ProgramData\TEMP:AD2AB6E9 deleted successfully.
ADS C:\ProgramData\TEMP:2C22C34B deleted successfully.
ADS C:\ProgramData\TEMP:EFCCC46E deleted successfully.
ADS C:\ProgramData\TEMP:C17FCA88 deleted successfully.
ADS C:\ProgramData\TEMP:D5E5CFEC deleted successfully.
[Empty Temp Folders]
File delete failed. C:\Users\Mary\AppData\Local\Temp\Low\TMFBE_3200\unif0000 scheduled to be deleted on reboot.
File delete failed. C:\Users\Mary\AppData\Local\Temp\Low\~DFC78D.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Mary\AppData\Local\Temp\Low\~DFC7AE.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\fb_2116.lck scheduled to be deleted on reboot.
Windows Temp folder emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.9.0 fix logfile created on 03272009_214802
Files moved on Reboot...
C:\Users\Mary\AppData\Local\Temp\Low\TMFBE_3200\unif0000 moved successfully.
File C:\Users\Mary\AppData\Local\Temp\Low\~DFC78D.tmp not found!
File C:\Users\Mary\AppData\Local\Temp\Low\~DFC7AE.tmp not found!
File C:\Windows\temp\fb_2116.lck not found!
Registry entries deleted on Reboot...


----------



## Jonesiegirl (Apr 4, 2003)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:42 PM, on 3/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81936B3-BFD0-4713-81E1-B19B2F7B8A45}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEECAD9-DC1E-4E98-9152-5684ED79B3A4}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12053 bytes


----------



## Jonesiegirl (Apr 4, 2003)

Karen... Mary says her Laptop is already running wicked smooth. :up: 

I appreciate all that you're doing.


----------



## Cookiegal (Aug 27, 2003)

> Scan saved at 8:43:42 PM, on *3/25/2009*


Kath, I need a newer HijackThis log taken after all of the last fixes please.

Also, please have her run this on-line scanner (it doesn't matter if the new HijackThis log is taken before or after this scan though).

Since the scan uses Java technology, please have her do this first to install the latest version of Java:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 13*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 13 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. *Do NOT use the Sun Download Manager.*
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with (*Java Runtime Environment, JRE or J2SE*) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Now, please do an online scan with Kaspersky WebScanner


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked.
*Spyware, Adware, Dialers, and other potentially dangerous programs*
*Archives*
*Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## Jonesiegirl (Apr 4, 2003)

Sorry, Karen! You'd think I would have noticed the time on that log.  My eyes are bleeding. 

I'll be back as soon as I get her new HJT log.


----------



## Jonesiegirl (Apr 4, 2003)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:00 PM, on 3/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/stg_drm.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Stories%20-%20Island%20of%20Hope/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9666 bytes


----------



## Jonesiegirl (Apr 4, 2003)

Karen... she says her Java won't update. 

This is the message she's getting. Java download failed says "failed maxiu"


EDIT: Nevermind. She got it.


----------



## Cookiegal (Aug 27, 2003)

The HijackThis log looks good now. :up:

The Kaspersky scan will likely detect things in a folder called Qoobox. This is OK because these are items that have already been quarantined by Combofix.


----------



## Jonesiegirl (Apr 4, 2003)

Awesome!  It's all because of you! :up: 

You still want the .txt log, when her scan is finished? (Her scan started a few minutes ago.)


----------



## Jonesiegirl (Apr 4, 2003)

Also, Karen, I've been wanting to ask you a question, but didn't want to sidetrack the progress. Since her log is looking good, I'm going to ask you now.  

A little history... 

When we first got into her PC having issues, I asked her which malware/spyware/antiviral programs she was running, only to learn it was an outdated version of TrendMicro, of which, she didn't want to spend 85 bucks to renew. So, I was having her download some programs. SpywareBlaster, SpywareGuard, Adaware, (don't yell at me,  CrapCleaner) and so on. When she tried to get Adaware up and running, the program was asking for her proxy information. (I've never heard of that!) She wound up getting frustrated and uninstalled everything! 

In looking at her HJT logs, I see mention of comcast proxy, and the string underneath it says *local. Does that mean she's indeed behind a proxy? If so, why? And if so, how do we get Adaware configured?

Thanks again for your time.


----------



## Cookiegal (Aug 27, 2003)

Jonesiegirl said:


> Awesome!  It's all because of you! :up:
> 
> You still want the .txt log, when her scan is finished? (Her scan started a few minutes ago.)


Yes please.


----------



## Cookiegal (Aug 27, 2003)

Jonesiegirl said:


> Also, Karen, I've been wanting to ask you a question, but didn't want to sidetrack the progress. Since her log is looking good, I'm going to ask you now.
> 
> A little history...
> 
> ...


It seems Comcast sets things up using a proxy but I'm not sure it's necessary. But I would contact them before making any changes if she's not having any connection issues.

If she has a decent anti-virus program and firewall, is up to date on MS critical updates and patches, has SpywareBlaster and either MalwareBytes Anti-Malware or SuperAntiSpyware and manages cookies properly then I don't think Ad-Aware is really going to add anything to the mix. I've uninstalled it myself. But if she really wants it, I believe there's a place for a proxy setting under Web Update menu - Proxy settings (if it's Ad-Aware 2007).
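To make the proxy question above concrete, here is an added example (not a HijackThis feature and not anything Cookiegal posted) that reads the R0/R1 `Internet Settings` lines from a HijackThis log and says which hosts would bypass the proxy. The sample lines are taken from the log posted earlier in the thread; the wildcard matching is an approximation of Internet Explorer's bypass-list handling, and it is an assumption of this example that the log shows only `ProxyServer`/`ProxyOverride`, not the `ProxyEnable` switch.

```python
"""Interpret the Internet Explorer proxy entries from a HijackThis log.

Added example for this thread, not a HijackThis or forum-member tool. It reads
the R0/R1 lines HijackThis prints for the 'Internet Settings' registry key and
answers: is a proxy configured for the user, and which hosts bypass it?
"""
import re
from fnmatch import fnmatch

# R0/R1 lines look like:
#   R1 - HKCU\Software\...\Internet Settings,ProxyServer = actsvr.comcast:8100
HJT_R_LINE = re.compile(
    r"^R[01] - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$"
)

# Constructed sample: the relevant lines copied from the HijackThis log above.
SAMPLE_LOG = "\n".join([
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcast:8100",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ",
])


def parse_internet_settings(log_text):
    """Return {(hive, value_name): data} for every R0/R1 line whose key is
    ...\\Internet Settings. Other R lines (start page, toolbar, ...) are ignored."""
    found = {}
    for line in log_text.splitlines():
        m = HJT_R_LINE.match(line.strip())
        if not m or not m.group("key").endswith("Internet Settings"):
            continue
        found[(m.group("hive"), m.group("value").strip())] = m.group("data").strip()
    return found


def describe_proxy(settings, hive="HKCU"):
    """Summarise the proxy configuration recorded for one hive.

    proxy         - the ProxyServer string, or None if none is configured
    bypass        - the ProxyOverride patterns (semicolon-separated in the registry)
    enabled_known - always False here: the log shows ProxyServer/ProxyOverride
                    but not the ProxyEnable DWORD, so a ProxyServer value alone
                    does not prove the proxy is switched on. Check ProxyEnable
                    on the machine before drawing conclusions.
    """
    proxy = settings.get((hive, "ProxyServer")) or None
    override = settings.get((hive, "ProxyOverride"), "")
    bypass = [p.strip() for p in override.split(";") if p.strip()]
    return {"proxy": proxy, "bypass": bypass, "enabled_known": False}


def goes_through_proxy(description, host):
    """Would a request to `host` use the proxy, assuming ProxyEnable is set?
    Bypass entries are wildcard patterns (approximated with fnmatch here);
    the special entry '<local>' means any host name without a dot."""
    if description["proxy"] is None:
        return False
    for pattern in description["bypass"]:
        if pattern == "<local>":
            if "." not in host:
                return False
        elif fnmatch(host.lower(), pattern.lower()):
            return False
    return True


if __name__ == "__main__":
    desc = describe_proxy(parse_internet_settings(SAMPLE_LOG))
    print("proxy:", desc["proxy"], "| bypass:", desc["bypass"])
    for h in ("www.example.com", "printer.local"):
        print(h, "->", "via proxy" if goes_through_proxy(desc, h) else "direct")
```

On the log above this reports `actsvr.comcast:8100` as the configured proxy with only `*.local` names bypassing it, which is why Ad-Aware asked for proxy details; whether IE actually uses it depends on `ProxyEnable`, which the log does not show.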


----------



## Cookiegal (Aug 27, 2003)

I just remembered you said her Trend anti-virus was outdated so she won't be able to get updates. This is not protecting her very much. If she doesn't want to pay for one, then I would get her to download Avast which is the better of the free ones, imo. She should also get the Comodo firewall in that case and not depend on the XP one, which is much less efficient.


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> It seems Comcast sets things up using a proxy but I'm not sure it's necessary. But I would contact them before making any changes if she's not having any connection issues.
> 
> If she has a decent anti-virus program and firewall, is up to date on MS critical updates and patches, has SpywareBlaster and either MalwareBytes Anti-Malware or SuperAntiSpyware and manages cookies properly then I don't think Ad-Aware is really going to add anything to the mix. I've uninstalled it myself. But if she really wants it, I believe there's a place for a proxy setting under Web Update menu - Proxy settings (if it's Ad-Aware 2007).


I'm going to suggest (insist) Avast, as well as SpywareBlaster and SpywareGuard. Also, I'll make sure she keeps Malwarebytes, too. As for a firewall, what's your opinion of ZoneAlarm? I personally don't know anything about the program.

Interesting about Ad-aware. I believe I'll uninstall mine, since these other programs seem to cover everything, and suggest the same to her.

Still waiting on her scan results.

Thanks, Karen.


----------



## Cookiegal (Aug 27, 2003)

Jonesiegirl said:


> I'm going to suggest (insist) Avast, as well as SpywareBlaster and SpywareGuard. Also, I'll make sure she keeps Malwarebytes, too. As for a firewall, what's your opinion of ZoneAlarm? I personally don't know anything about the program.
> 
> Interesting about Ad-aware. I believe I'll uninstall mine, since these other programs seem to cover everything, and suggest the same to her.
> 
> ...


I used to use and like Zone Alarm, but later versions have been buggy and they seem to slow down the system significantly. That's why I've been suggesting Comodo lately; although I've never used it myself, I'm hearing lots of good things about it.

Of course nothing beats having a top notch paid anti-virus with firewall like Kaspersky or Eset Smart Security (which is the Nod32 anti-virus firewall suite).


----------



## Jonesiegirl (Apr 4, 2003)

I know that Rhett and mtbird use Comodo... they love it. 





KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 28, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 28, 2009 20:43:06
Records in database: 1981742

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
D:\
E:\

Scan statistics
Files scanned: 131418
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:51:25

| File name | Threat name | Threats count |
| --- | --- | --- |
| C:\Program Files\Trend Micro\Internet Security\Quarantine\gaopdxcdtxodjxampdgerxtnnetffapbegcftu.dll | Infected: Packed.Win32.Tdss.f | 1 |
| C:\Windows\System32\ConTest.dll | Infected: not-a-virus:FraudTool.Win32.Ascentive.b | 1 |

The selected area was scanned.


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> I just remembered you said her Trend anti-virus was outdated so she won't be able to get updates. This is not protecting her very much. If she doesn't want to pay for one, then I would get her to download Avast which is the better of the free ones, imo. She should also get the Comodo firewall in that case and not depend on the XP one, which is much less efficient.


I just now saw this post. Nothing wrong with me.

I wasn't going to have her download and install anything until I got the go from you. Your post sounds like a go, so I'll let her know to take care of that now.

Thanks, Karen.


----------



## Cookiegal (Aug 27, 2003)

Have her delete this file:

C:\Windows\System32\*ConTest.dll*

How are things now?


----------



## Jonesiegirl (Apr 4, 2003)

Good morning, Karen.  

Her laptop is purring. :up: 

I'm having her install Comodo right now, then we're installing Avast. 

As soon as she's accomplished the installs, I'll have her remove that entry.


----------



## Cookiegal (Aug 27, 2003)

That's good. There's one more program I'd like her to download to make sure there are no more rootkits.

Download GMER from: http://gmer.net/index.php

Save it on your desktop and unzip it.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## Cookiegal (Aug 27, 2003)

Also, have her empty Trend's quarantine folder so this entry gets eliminated. It's not a threat in quarantine but there's no need to hang onto it either:

C:\Program Files\Trend Micro\Internet Security\Quarantine\gaopdxcdtxodjxampdgerxtnnetffapbegcftu.dll Infected: Packed.Win32.Tdss.f 1


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> Also, have her empty Trend's quarantine folder so this entry gets eliminated. It's not a threat in quarantine but there's no need to hang onto it either:
> 
> C:\Program Files\Trend Micro\Internet Security\Quarantine\gaopdxcdtxodjxampdgerxtnnetffapbegcftu.dll Infected: Packed.Win32.Tdss.f 1


Taken care of, and TrendMicro is now uninstalled. :up: Avast is up and running.


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> That's good. There's one more program I'd like her to download to make sure there are no more rootkits.
> 
> Download GMER from: http://gmer.net/index.php
> 
> ...


How does one copy text from the Vista clipboard into Notepad? I've googled it and it's all registry hacks. And Mary? Well, you see the condition her machine was in, so... would you please break it down into kindergarten terms, Karen.

Isn't it funny how the easiest of things can throw a girl off. *Hugs her XP machine*


----------



## Cookiegal (Aug 27, 2003)

Jonesiegirl said:


> How does one copy text from the Vista clipboard into Notepad? I've googled it and it's all registry hacks. And Mary? Well, you see the condition her machine was in, so... would you please break it down into kindergarten terms, Karen.
> 
> Isn't it funny how the easiest of things can throw a girl off. *Hugs her XP machine*


Yeah, I'm glad I still have XP too. 

Notepad should be in the same place - Start - All Programs - Accessories - and when the GMER scan is complete, you just click on the box that says COPY. Then when she opens Notepad, she should click on Edit on the Toolbar and then "Paste" in the drop down menu. Otherwise, the right-click and "paste" method should work as well.


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> Notepad should be in the same place - Start - All Programs - Accessories - and when the GMER scan is complete, you just click on the box that says COPY. Then when she opens Notepad, she should click on Edit on the Toolbar and then "Paste" in the drop down menu. Otherwise, the right-click and "paste" method should work as well.


With any luck at all, your post will now become a google hit for Vista users. :up:

Thanks, Karen.


----------



## Jonesiegirl (Apr 4, 2003)

*Groan*

It seems Mary is having issues with GMER. Here's what she's saying.



Mary said:


> Kathi, once this program starts running, after a while it stops, it's done that twice now, then twice I got that blue screen where my laptop shuts down on me.


And...



Mary said:


> Kathi, now my computer will not boot back up.


I wonder if Comodo is causing issues, Karen?


----------



## Jonesiegirl (Apr 4, 2003)

She finally got it booted.



Mary said:


> After manually turning it off like 5 times it finally booted up.


----------



## Cookiegal (Aug 27, 2003)

I've never heard of GMER causing such issues or Comodo either.

Was she able to get a log from GMER?


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> I've never heard of GMER causing such issues or Comodo either.
> 
> Was she able to get a log from GMER?


No Ma'am. The program won't run for her. It kept blue screening.


----------



## Cookiegal (Aug 27, 2003)

It's probably an incompatibility issue with Vista.

Are there any problems remaining?


----------



## Jonesiegirl (Apr 4, 2003)

Just the person behind the keyboard.


----------



## Cookiegal (Aug 27, 2003)

Jonesiegirl said:


> Just the person behind the keyboard.


LOL.

GMER is Vista compatible but sometimes there are conflicts with other drivers so it's not worth trying it again. It has its own uninstaller so she should run that to uninstall it. Just double-click the file C:\WINDOWS\*gmer_uninstall.cmd* to run the uninstaller.

Here are some final instructions for her.

*Follow these steps to uninstall Combofix and all of its files and components.*

Click *START* then *RUN*
Now type *ComboFix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*: it needs to be there.

Now she should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

Click on the Start button to open your Start Menu. 
Click on the Control Panel menu option.
Click on the System and Maintenance menu option.
Click on the System menu option.
Click on System Protection in the left-hand task list.

You will now be at the System Protection tab in the System control panel.

Clear the check box next to the disk to turn off System Protection, and then click OK. This will flush out all previous restore points.

Now select the check box next to the disk, and then click OK to turn system restore back on.

Now create a new restore point. Click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.

Type in a title for the manual restore point and press the Create button. Vista will now create a manual restore point, and when completed, display a notice saying that it was created successfully.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

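The same flush-and-recreate sequence as a script, for an administrator who prefers not to click through the System Protection dialog. This is an added example and not part of the thread; it assumes an elevated Windows PowerShell session (the System Restore cmdlets are not in PowerShell 7) and that C: is the protected drive, and the restore point title is a placeholder.

```powershell
# Added example: discard all existing System Restore points after a cleanup
# and create one fresh, known-clean restore point. Not from the thread.
# Assumptions: elevated Windows PowerShell, built-in System Restore cmdlets
# (Microsoft.PowerShell.Management), and C: as the protected drive.
$Drive = "C:\"
$Label = "Clean baseline after malware removal"   # placeholder title

# System Restore changes need elevation; fail early and clearly otherwise.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session."
}

# Show what is about to be discarded, so pre-cleanup points are on record.
Write-Host "Existing restore points:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# Step 1: turn System Protection off for the drive. This is what clearing the
# check box in the GUI does, and it discards the drive's restore points.
Disable-ComputerRestore -Drive $Drive

# Restore points live in Volume Shadow Copies; remove any that remain so an
# infected restore point cannot be rolled back to later.
$volume = $Drive.TrimEnd('\')
vssadmin delete shadows "/for=$volume" /all /quiet | Out-Null

# Step 2: turn System Protection back on for the same drive.
Enable-ComputerRestore -Drive $Drive

# Step 3: create the new manual restore point (the GUI 'Create' button).
# Note: Windows 8 and later allow only one restore point per 24 hours by
# default, so a point created earlier today would make this a no-op.
Checkpoint-Computer -Description $Label -RestorePointType "MODIFY_SETTINGS"

# Verify: the fresh point should be the only one listed now.
$remaining = @(Get-ComputerRestorePoint)
if ($remaining.Count -eq 1 -and $remaining[0].Description -eq $Label) {
    Write-Host "OK: System Restore now holds only '$Label'."
} else {
    Write-Warning "Unexpected restore points remain; review the list below."
    $remaining | Format-Table SequenceNumber, CreationTime, Description -AutoSize
}
```
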

----------



## Cookiegal (Aug 27, 2003)

I also advise her to change all passwords for logging into sites, and especially anything to do with financial transactions that she does on-line, as a precaution.


----------



## Jonesiegirl (Apr 4, 2003)

Cookiegal said:


> I also advise her to change all passwords for logging into sites, and especially anything to do with financial transactions that she does on-line, as a precaution.


Oh really? I know she's going to ask me why.

So, Karen. Why is that? Was her laptop that jacked up?


----------



## Jonesiegirl (Apr 4, 2003)

Karen, I want to thank you so very much for your time. You've been a godsend through all of this. Her laptop would have died without you. Thanks again.  

I'm going to go ahead and mark this solved. :up:


----------



## Cookiegal (Aug 27, 2003)

Jonesiegirl said:


> Oh really? I know she's going to ask me why.
> 
> So, Karen. Why is that? Was her laptop that jacked up?


She had a nasty rootkit, and they hook deeply into the system to hide other files that are being downloaded, usually with a payload to obtain sensitive data from the system. It is always prudent to change passwords after an infection, but especially after a rootkit and backdoor trojan.


----------



## Cookiegal (Aug 27, 2003)

Jonesiegirl said:


> Karen, I want to thank you so very much for your time. You've been a godsend through all of this. Her laptop would have died without you. Thanks again.
> 
> I'm going to go ahead and mark this solved. :up:


You're welcome Kath.


----------

