# Very slowwwww startup!



## parman (Mar 9, 2007)

MY COMPUTER HAS BECOME VERY SLOW AT STARTUP. TAKES 5 OR 6 MIN. TO QUIT LOADING. I HAVE A DELL DIMENSION 2400 WITH WINDOWS XP HOME. 40GB HDD AND 1GB MEMORY. CAN SOMEONE READ MY HIJACK LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:48 PM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: (no name) - {3BEBF2FE-7248-40E2-9752-8163EB6C4038} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O20 - AppInit_DLLs: 
O22 - SharedTaskScheduler: enorganic - {8dc71747-ace0-40c1-8947-54f107d0639b} - (no file)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://www.cartoonnetwork.com/tools/img/homepage/reface_tile.jpg
O24 - Desktop Component 1: (no name) - https://shop.ecompanystore.com/MCPeStore/MCF_images/leftnav_tile.gif
O24 - Desktop Component 2: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 3: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 5: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 8565 bytes


----------



## shinybeast (Sep 29, 2008)

Hello parman,

I regret to inform you that your log shows evidence of a trojan. You can ask a mod to move this post to the malware forum if you want to pursue getting help here. They are quite busy over there and it could take some time to get to your log.


----------



## parman (Mar 9, 2007)

Mr. Moderator, would you please take a look at my posts?


----------



## Cookiegal (Aug 27, 2003)

Please download *SmitfraudFix* (by *S!Ri*) to your Desktop.

Double-click *SmitfraudFix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move *SmitfraudFix.exe* directly to the root of the system drive (usually *C:*), and launch from there.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.


----------



## parman (Mar 9, 2007)

MY COMPUTER HAS BEEN DOWN FOR A WEEK. HOPEFULLY BACK UP FOR GOOD. I HAD NO NETWORK CONNECTIVITY. ANYWAY, THANKS COOKIEGAL FOR LOOKING AT MY POST. HERE'S MY REPORT FROM SMITFRAUDFIX:
SmitFraudFix v2.376

Scan done at 8:53:16.98, Sat 11/22/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\Toolbar\3.0.0311.0\msntask.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\LOCALS~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Google\googletoolbar1.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.cartoonnetwork.com/tools/img/homepage/reface_tile.jpg"
"SubscribedURL"="http://www.cartoonnetwork.com/tools/img/homepage/reface_tile.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="https://shop.ecompanystore.com/MCPeStore/MCF_images/leftnav_tile.gif"
"SubscribedURL"="https://shop.ecompanystore.com/MCPeStore/MCF_images/leftnav_tile.gif"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif"
"SubscribedURL"="http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8dc71747-ace0-40c1-8947-54f107d0639b}"="enorganic"

[HKEY_CLASSES_ROOT\CLSID\{8dc71747-ace0-40c1-8947-54f107d0639b}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8dc71747-ace0-40c1-8947-54f107d0639b}\InProcServer32]

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 74.128.17.114
DNS Server Search Order: 74.128.19.102

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1300A403-20CA-4914-9A86-BBC779DBED0C}: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1300A403-20CA-4914-9A86-BBC779DBED0C}: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1300A403-20CA-4914-9A86-BBC779DBED0C}: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=74.128.17.114 74.128.19.102

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cookiegal (Aug 27, 2003)

Please don't type in all capital letters as that means you're shouting in the cyber world. 

You should print out these instructions or copy them to a Notepad file for reading while in Safe Mode because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following:
Restart your computer
After hearing your computer beep once during startup but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear
Select the first option, to run Windows in Safe Mode then press "Enter"
Choose your usual account
Once in Safe Mode, double-click *smitfraudfix.exe*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process. Please copy/paste the content of that report into your next reply *along with a new HijackThis log*. The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## parman (Mar 9, 2007)

When I opened safe mode I could not get to the option page for smitfraudfix.exe. The page stalled. Command Prompt opened but would not respond to press any key. Do you want me to clean in normal mode? I tried for the 3rd time opening the option page and it finally worked.


----------



## parman (Mar 9, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28:52, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O20 - AppInit_DLLs: 
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 6824 bytes

SmitFraudFix v2.376

Scan done at 20:12:00.21, Sun 11/23/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8dc71747-ace0-40c1-8947-54f107d0639b}"="enorganic"

[HKEY_CLASSES_ROOT\CLSID\{8dc71747-ace0-40c1-8947-54f107d0639b}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8dc71747-ace0-40c1-8947-54f107d0639b}\InProcServer32]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Google\googletoolbar1.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1300A403-20CA-4914-9A86-BBC779DBED0C}: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1300A403-20CA-4914-9A86-BBC779DBED0C}: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1300A403-20CA-4914-9A86-BBC779DBED0C}: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=74.128.17.114 74.128.19.102
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=74.128.17.114 74.128.19.102

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End


----------
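An added example, not part of the thread and not a tool from any of the posters: a small Python triage script that parses HijackThis-format lines and flags the entry types the helpers' tools examined above (objects registered with no file behind them, autostarts under Policies\Explorer\Run, unqualified image names in Run entries, a populated AppInit_DLLs, SharedTaskScheduler objects, unnamed URLSearchHooks), then diffs the 11/16 and 11/23 logs to list what changed across the SmitfraudFix run. The sample lines are excerpts copied from the two logs posted above; the flag rules are the example's own heuristics, not HijackThis's, and a flag means "verify", not "malicious".

```python
import re
from dataclasses import dataclass

# Excerpt of the first HijackThis log posted above (scan of 11/16/2008).
BEFORE = r"""
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {3BEBF2FE-7248-40E2-9752-8163EB6C4038} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O20 - AppInit_DLLs: 
O22 - SharedTaskScheduler: enorganic - {8dc71747-ace0-40c1-8947-54f107d0639b} - (no file)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
"""

# Excerpt of the second HijackThis log posted above (scan of 11/23/2008, after SmitfraudFix).
AFTER = r"""
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O20 - AppInit_DLLs: 
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section tag, e.g. "O4", "O22", "R3"
    body: str     # text after "<section> - "
    raw: str      # the original line

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: "<hive\..\key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


def parse_log(text):
    """Return the HijackThis entries (R/F/N/O lines) found in a log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append(Entry(m["sec"], m["body"].strip(), line.rstrip()))
    return entries


def _o4_image(cmd):
    """Return the executable part of an O4 command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries):
    """Return (reason, raw line) pairs for entries a log reviewer would verify by hand."""
    findings = []
    for e in entries:
        if "(no file)" in e.body or "(file missing)" in e.body:
            findings.append(("orphaned: registered object whose file is absent", e.raw))
        if e.section == "O4":
            m = O4_RE.match(e.body)
            if m:
                if "Policies\\Explorer\\Run" in m["key"]:
                    findings.append(("autostart under Policies\\Explorer\\Run (uncommon location; verify the file)", e.raw))
                img = _o4_image(m["cmd"])
                # A bare file name is resolved through the process search path at logon.
                if img and "\\" not in img and ":" not in img:
                    findings.append(("unqualified image name in Run entry; resolved via search path", e.raw))
        if e.section == "R3" and e.body.startswith("URLSearchHook: (no name)"):
            findings.append(("unnamed URLSearchHook", e.raw))
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:") and e.body[len("AppInit_DLLs:"):].strip():
            findings.append(("AppInit_DLLs populated: DLL loaded into every user32-linked process", e.raw))
        if e.section == "O22":
            findings.append(("SharedTaskScheduler object loaded by Explorer at logon; verify", e.raw))
    return findings


def diff_logs(before, after):
    """Return (removed, added): entry lines present only in the first log, and only in the second."""
    b = {e.raw for e in parse_log(before)}
    a = {e.raw for e in parse_log(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for reason, raw in triage(parse_log(BEFORE)):
        print(f"[{reason}] {raw}")
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

The diff is a plain line-set comparison, so an entry whose file went from present to "(file missing)" shows up as one removed line plus one added line; that is the useful signal here, since it distinguishes "entry deleted" from "file deleted but registration left behind", which is exactly the state the second log shows for the Google Toolbar BHO.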



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## parman (Mar 9, 2007)

ComboFix 08-11-26.01 - Owner 2008-11-25 19:29:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.566 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\combo-fix.exe.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_003685_.tmp.dll
c:\windows\system32\_003686_.tmp.dll
c:\windows\system32\_003687_.tmp.dll
c:\windows\system32\_003694_.tmp.dll
c:\windows\system32\_003695_.tmp.dll
c:\windows\system32\_003696_.tmp.dll
c:\windows\system32\_003698_.tmp.dll
c:\windows\system32\_003699_.tmp.dll
c:\windows\system32\_003700_.tmp.dll
c:\windows\system32\_003701_.tmp.dll
c:\windows\system32\_003702_.tmp.dll
c:\windows\system32\_003703_.tmp.dll
c:\windows\system32\_003704_.tmp.dll
c:\windows\system32\_003706_.tmp.dll
c:\windows\system32\_003707_.tmp.dll
c:\windows\system32\_003708_.tmp.dll
c:\windows\system32\_003709_.tmp.dll
c:\windows\system32\_003710_.tmp.dll
c:\windows\system32\_003711_.tmp.dll
c:\windows\system32\_003712_.tmp.dll
c:\windows\system32\_003713_.tmp.dll
c:\windows\system32\_003716_.tmp.dll
c:\windows\system32\_003717_.tmp.dll
c:\windows\system32\_003718_.tmp.dll
c:\windows\system32\_003719_.tmp.dll
c:\windows\system32\_003720_.tmp.dll
c:\windows\system32\_003722_.tmp.dll
c:\windows\system32\_003723_.tmp.dll
c:\windows\system32\_003724_.tmp.dll
c:\windows\system32\_003725_.tmp.dll
c:\windows\system32\_003726_.tmp.dll
c:\windows\system32\_003727_.tmp.dll
c:\windows\system32\_003728_.tmp.dll
c:\windows\system32\_003729_.tmp.dll
c:\windows\system32\_003730_.tmp.dll
c:\windows\system32\_003731_.tmp.dll
c:\windows\system32\_003732_.tmp.dll
c:\windows\system32\_003733_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_xpdx

((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 18:46 . 2008-11-25 18:58 d--------	C:\ComboFix
2008-11-22 08:48 . 2008-11-23 20:12	2,104	--a------	c:\windows\system32\tmp.reg
2008-11-22 08:46 . 2008-11-22 08:49 d--------	c:\documents and settings\Owner\SmitfraudFix
2008-11-22 08:46 . 2007-09-05 23:22	289,144	--a------	c:\windows\system32\VCCLSID.exe
2008-11-22 08:46 . 2006-04-27 16:49	288,417	--a------	c:\windows\system32\SrchSTS.exe
2008-11-22 08:46 . 2008-10-01 14:51	87,552	--a------	c:\windows\system32\VACFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\o4Patch.exe
2008-11-22 08:46 . 2008-05-18 20:40	82,944	--a------	c:\windows\system32\IEDFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\IEDFix.C.exe
2008-11-22 08:46 . 2008-08-18 11:19	82,432	--a------	c:\windows\system32\404Fix.exe
2008-11-22 08:46 . 2003-06-05 20:13	53,248	--a------	c:\windows\system32\Process.exe
2008-11-22 08:46 . 2004-07-31 17:50	51,200	--a------	c:\windows\system32\dumphive.exe
2008-11-22 08:46 . 2007-10-03 23:36	25,600	--a------	c:\windows\system32\WS2Fix.exe
2008-11-18 20:58 . 2008-11-21 18:13 d--------	c:\program files\D-Link(2)
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\program files\Security Task Manager
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-16 16:26 . 2008-11-21 18:13 d--------	c:\program files\ACW
2008-11-14 08:37 . 2008-10-24 05:21	455,296	-----c---	c:\windows\system32\dllcache\mrxsmb.sys
2008-11-14 08:36 . 2008-09-04 11:15	1,106,944	-----c---	c:\windows\system32\dllcache\msxml3.dll
2008-11-06 18:55 . 2008-11-06 18:55 d--------	c:\documents and settings\Owner\Application Data\Acronis
2008-11-05 19:30 . 2008-11-06 06:33 d--------	c:\documents and settings\All Users\Application Data\Acronis
2008-11-05 19:30 . 2008-11-05 19:30	971,232	--a------	c:\windows\system32\drivers\tdrpm147.sys
2008-11-05 19:30 . 2008-11-05 19:30	540,000	--a------	c:\windows\system32\drivers\timntr.sys
2008-11-05 19:30 . 2008-11-05 19:30	134,272	--a------	c:\windows\system32\drivers\snman380.sys
2008-11-05 19:30 . 2008-11-05 19:30	44,704	--a------	c:\windows\system32\drivers\tifsfilt.sys
2008-11-05 19:28 . 2008-11-05 19:29 d--------	c:\program files\Common Files\Acronis
2008-11-05 19:28 . 2008-11-05 19:28 d--------	c:\program files\Acronis
2008-10-27 17:55 . 2008-10-27 17:55	7,756	--a------	C:\BG DAILY NEWS October 26.zip
2008-10-27 17:53 . 2008-10-27 17:53	41,984	--a------	C:\BG DAILY NEWS October 26.doc
2008-10-26 15:21 . 2008-10-26 07:36	94	--a------	C:\reset.cmd.cmd
2008-10-26 10:45 . 2008-04-14 04:42	539,136	--a------	c:\windows\system32\SET14EE.tmp
2008-10-26 10:45 . 2008-04-14 04:42	354,304	--a------	c:\windows\system32\SET14BD.tmp
2008-10-26 10:45 . 2008-04-14 04:42	80,896	--a------	c:\windows\system32\SET14B8.tmp
2008-10-26 10:45 . 2008-04-14 04:42	75,776	--a------	c:\windows\system32\SET14C8.tmp
2008-10-26 10:45 . 2008-04-14 04:41	24,576	--a------	c:\windows\system32\SET1514.tmp
2008-10-26 10:45 . 2008-04-14 04:42	15,872	--a------	c:\windows\system32\SET14C1.tmp
2008-10-26 10:44 . 2008-04-14 04:42	6,656	--a------	c:\windows\system32\SET14B3.tmp
2008-10-26 10:34 . 2008-04-14 04:42	3,066,880	--a------	c:\windows\system32\SET8AE.tmp
2008-10-26 10:33 . 2008-04-14 04:42	8,461,312	--a------	c:\windows\system32\SET6FE.tmp
2008-10-26 10:32 . 2008-04-14 04:42	727,040	--a------	c:\windows\system32\SET55B.tmp
2008-10-26 10:29 . 2006-12-28 23:31	19,569	--a------	c:\windows\003200_.tmp
2008-10-26 10:23 . 2008-08-14 04:11	2,189,184	--a------	c:\windows\system32\ntoskrnl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 02:19	---------	d-----w	c:\documents and settings\LocalService\Application Data\VMware
2008-11-26 02:19	---------	d-----w	c:\documents and settings\All Users\Application Data\VMware
2008-11-24 02:12	---------	d-----w	c:\program files\Google
2008-11-22 00:13	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-10-25 18:06	---------	d-----w	c:\program files\Windows Resource Kits
2008-10-24 11:21	455,296	----a-w	c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 01:24	---------	d-----w	c:\documents and settings\Owner\Application Data\VMware
2008-10-21 00:55	---------	d-----w	c:\documents and settings\NetworkService\Application Data\VMware
2008-09-17 03:12	222,488	----a-w	c:\windows\system32\snapapi.dll
2008-09-15 12:12	1,846,400	----a-w	c:\windows\system32\win32k.sys
2008-09-10 01:14	1,307,648	----a-w	c:\windows\system32\msxml6.dll
2008-09-04 17:15	1,106,944	----a-w	c:\windows\system32\msxml3.dll
2008-08-31 16:46	223,960	----a-w	C:\BrowzarBlack1300.exe
2008-08-31 16:43	211,616	----a-w	C:\BrowzarWinstyle1500.exe
2008-08-30 23:36	164	----a-w	C:\install.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL" [2008-08-30 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-08-30 17:38	66912	--a------	c:\program files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2007-12-14 26112]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-09 5418864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages	REG_MULTI_SZ cli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-02-18 19:12 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCPCOM(135)
"1723:TCP"= 1723:TCPxpsp2res.dll,-22015
"1701:UDP"= 1701:UDPxpsp2res.dll,-22016
"500:UDP"= 500:UDPxpsp2res.dll,-22017

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-07-31 103304]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [2008-07-31 353672]
R3 SbieDrv;SbieDrv;\??\c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
.
Contents of the 'Scheduled Tasks' folder

2008-11-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-17 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-07-08 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 15:04]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 15:04]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- a:\","c:\","d:\","e:\" []

2008-11-26 c:\windows\Tasks\{5563F6B8-2FFA-4310-AE81-CC11EEAE72CC}_HOME-YWXI839F5J_Owner.job
- c:\windows\system32\mobsync.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
HKLM-Run-CTXFIREG - CTxfiReg.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\a0fs5u5p.default\
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npagent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 20:21:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'explorer.exe'(3172)
c:\windows\system32\wdfproc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnat.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2008-11-25 20:58:43 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-11-26 02:58:13

Pre-Run: 18,760,548,352 bytes free
Post-Run: 18,687,959,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

436	--- E O F ---	2008-11-22 14:37:56
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:54, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\CF27807.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O20 - AppInit_DLLs: 
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 6578 bytes


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\windows\003200_.tmp

Folder::
c:\program files\AskSBar

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
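What the `Registry::` section of that script actually writes, as an added example that is not part of the thread and not ComboFix's own code: decode and rebuild the `hex(7)` (REG_MULTI_SZ) literal for the LSA "Notification Packages" value, parse the line ComboFix printed for it, and compare the entries against a baseline. The baseline of only `scecli` and all function names are assumptions made for this example.

```python
import re

# Assumed baseline for HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Notification Packages"
# on a stock Windows XP install: only scecli (Security Configuration Engine client).
# This is an assumption for the example, not a statement from the thread.
EXPECTED_LSA_PACKAGES = frozenset({"scecli"})

# Constructed sample, copied from the 'Reg Loading Points' section of the ComboFix log.
SAMPLE_COMBOFIX_LSA_LINE = "Notification Packages\tREG_MULTI_SZ cli scecli"
# The value the CFScript writes back for that key.
SAMPLE_CFSCRIPT_VALUE = "hex(7):73,63,65,63,6c,69,00,00"


def decode_hex7(value: str) -> list[str]:
    """Decode a REGEDIT4 hex(7) (REG_MULTI_SZ) literal into its list of strings.

    REGEDIT4 files carry ANSI bytes (one byte per character). The data is a run of
    NUL-terminated strings closed by one extra NUL, so "scecli\\0\\0" is ["scecli"].
    """
    value = value.replace("\\\n", "")  # .reg files wrap long values with a trailing backslash
    m = re.fullmatch(r"\s*(?:hex\(7\):)?([0-9a-fA-F]{2}(?:\s*,\s*[0-9a-fA-F]{2})*)\s*", value)
    if not m:
        raise ValueError(f"not a hex(7) literal: {value!r}")
    raw = bytes(int(b, 16) for b in re.split(r"\s*,\s*", m.group(1)))
    if not raw.endswith(b"\x00\x00"):
        raise ValueError("REG_MULTI_SZ data must end with a double NUL")
    return [part.decode("latin-1") for part in raw.split(b"\x00") if part]


def encode_hex7(strings: list[str]) -> str:
    """Inverse of decode_hex7: build the hex(7) literal for a REGEDIT4 file."""
    for s in strings:
        if s == "" or "\x00" in s:
            raise ValueError("multi-string entries must be non-empty and NUL-free")
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_combofix_lsa_line(line: str) -> list[str]:
    """Parse ComboFix's 'Notification Packages<TAB>REG_MULTI_SZ a b c' line into ['a','b','c']."""
    name, _, rest = line.partition("\t")
    if name.strip() != "Notification Packages":
        raise ValueError(f"unexpected value name: {name!r}")
    reg_type, *packages = rest.split()
    if reg_type != "REG_MULTI_SZ":
        raise ValueError(f"unexpected registry type: {reg_type!r}")
    return packages


def unexpected_packages(packages: list[str], expected=EXPECTED_LSA_PACKAGES) -> list[str]:
    """Entries outside the baseline, in log order. Anything listed here deserves a look:
    every DLL named in this value is loaded by LSASS on password changes."""
    return [p for p in packages if p not in expected]


def cfscript_reset_value(expected=EXPECTED_LSA_PACKAGES) -> str:
    """The Registry:: line that restores the baseline, in the form the CFScript uses."""
    return '"Notification Packages"=' + encode_hex7(sorted(expected))


if __name__ == "__main__":
    found = parse_combofix_lsa_line(SAMPLE_COMBOFIX_LSA_LINE)
    print("log shows:", found, "-> outside baseline:", unexpected_packages(found))
    print("CFScript writes:", decode_hex7(SAMPLE_CFSCRIPT_VALUE))
    print(cfscript_reset_value())
```

Running it shows that the log's value carried an extra entry (`cli`) ahead of `scecli`, and that the script's hex string is exactly the encoding of the single string `scecli`.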


----------



## parman (Mar 9, 2007)

ComboFix 08-11-26.01 - Owner 2008-11-27 7:48:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.682 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\combo-fix.exe.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\003200_.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\AskSBar
c:\program files\AskSBar\bar\2.bin\A2FFXTBR.JAR
c:\program files\AskSBar\bar\2.bin\A2FFXTBR.MANIFEST
c:\program files\AskSBar\bar\2.bin\A2HIGHIN.EXE
c:\program files\AskSBar\bar\2.bin\A2NTSTBR.JAR
c:\program files\AskSBar\bar\2.bin\A2NTSTBR.MANIFEST
c:\program files\AskSBar\bar\2.bin\A2PLUGIN.DLL
c:\program files\AskSBar\bar\2.bin\NPASKSBR.DLL
c:\program files\AskSBar\bar\Cache\0002D4BB.bin
c:\program files\AskSBar\bar\Cache\0002D690.bin
c:\program files\AskSBar\bar\Cache\0002D807.bin
c:\program files\AskSBar\bar\Cache\0002D93F.bin
c:\program files\AskSBar\bar\Cache\0002DAE5.bin
c:\program files\AskSBar\bar\Cache\0002DC3D.bin
c:\program files\AskSBar\bar\Cache\0002DD37.bin
c:\program files\AskSBar\bar\Cache\0002DE31.bin
c:\program files\AskSBar\bar\Cache\000451F5
c:\program files\AskSBar\bar\Cache\027A04D6
c:\program files\AskSBar\bar\Cache\files.ini
c:\program files\AskSBar\bar\History\search2
c:\program files\AskSBar\bar\Settings\prevcfg2.htm
c:\program files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
c:\windows\003200_.tmp

.
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-25 18:46 . 2008-11-25 18:58 d--------	C:\ComboFix
2008-11-22 08:48 . 2008-11-23 20:12	2,104	--a------	c:\windows\system32\tmp.reg
2008-11-22 08:46 . 2008-11-22 08:49 d--------	c:\documents and settings\Owner\SmitfraudFix
2008-11-22 08:46 . 2007-09-05 23:22	289,144	--a------	c:\windows\system32\VCCLSID.exe
2008-11-22 08:46 . 2006-04-27 16:49	288,417	--a------	c:\windows\system32\SrchSTS.exe
2008-11-22 08:46 . 2008-10-01 14:51	87,552	--a------	c:\windows\system32\VACFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\o4Patch.exe
2008-11-22 08:46 . 2008-05-18 20:40	82,944	--a------	c:\windows\system32\IEDFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\IEDFix.C.exe
2008-11-22 08:46 . 2008-08-18 11:19	82,432	--a------	c:\windows\system32\404Fix.exe
2008-11-22 08:46 . 2003-06-05 20:13	53,248	--a------	c:\windows\system32\Process.exe
2008-11-22 08:46 . 2004-07-31 17:50	51,200	--a------	c:\windows\system32\dumphive.exe
2008-11-22 08:46 . 2007-10-03 23:36	25,600	--a------	c:\windows\system32\WS2Fix.exe
2008-11-18 20:58 . 2008-11-21 18:13 d--------	c:\program files\D-Link(2)
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\program files\Security Task Manager
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-16 16:26 . 2008-11-21 18:13 d--------	c:\program files\ACW
2008-11-14 08:37 . 2008-10-24 05:21	455,296	-----c---	c:\windows\system32\dllcache\mrxsmb.sys
2008-11-14 08:36 . 2008-09-04 11:15	1,106,944	-----c---	c:\windows\system32\dllcache\msxml3.dll
2008-11-06 18:55 . 2008-11-06 18:55 d--------	c:\documents and settings\Owner\Application Data\Acronis
2008-11-05 19:30 . 2008-11-06 06:33 d--------	c:\documents and settings\All Users\Application Data\Acronis
2008-11-05 19:30 . 2008-11-05 19:30	971,232	--a------	c:\windows\system32\drivers\tdrpm147.sys
2008-11-05 19:30 . 2008-11-05 19:30	540,000	--a------	c:\windows\system32\drivers\timntr.sys
2008-11-05 19:30 . 2008-11-05 19:30	134,272	--a------	c:\windows\system32\drivers\snman380.sys
2008-11-05 19:30 . 2008-11-05 19:30	44,704	--a------	c:\windows\system32\drivers\tifsfilt.sys
2008-11-05 19:28 . 2008-11-05 19:29 d--------	c:\program files\Common Files\Acronis
2008-11-05 19:28 . 2008-11-05 19:28 d--------	c:\program files\Acronis
2008-10-27 17:55 . 2008-10-27 17:55	7,756	--a------	C:\BG DAILY NEWS October 26.zip
2008-10-27 17:53 . 2008-10-27 17:53	41,984	--a------	C:\BG DAILY NEWS October 26.doc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 13:24	---------	d-----w	c:\documents and settings\LocalService\Application Data\VMware
2008-11-27 13:24	---------	d-----w	c:\documents and settings\All Users\Application Data\VMware
2008-11-24 02:12	---------	d-----w	c:\program files\Google
2008-11-22 00:13	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-10-26 13:36	94	----a-w	C:\reset.cmd.cmd
2008-10-25 18:06	---------	d-----w	c:\program files\Windows Resource Kits
2008-10-24 11:21	455,296	----a-w	c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 01:24	---------	d-----w	c:\documents and settings\Owner\Application Data\VMware
2008-10-21 00:55	---------	d-----w	c:\documents and settings\NetworkService\Application Data\VMware
2008-09-17 03:12	222,488	----a-w	c:\windows\system32\snapapi.dll
2008-09-15 12:12	1,846,400	----a-w	c:\windows\system32\win32k.sys
2008-09-10 01:14	1,307,648	----a-w	c:\windows\system32\msxml6.dll
2008-09-04 17:15	1,106,944	----a-w	c:\windows\system32\msxml3.dll
2008-08-31 16:46	223,960	----a-w	C:\BrowzarBlack1300.exe
2008-08-31 16:43	211,616	----a-w	C:\BrowzarWinstyle1500.exe
2008-08-30 23:36	164	----a-w	C:\install.dat
.

((((((((((((((((((((((((((((( [email protected]_20.44.45.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-27 13:24:22	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_2d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2007-12-14 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-02-18 19:12 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCPCOM(135)
"1723:TCP"= 1723:TCPxpsp2res.dll,-22015
"1701:UDP"= 1701:UDPxpsp2res.dll,-22016
"500:UDP"= 500:UDPxpsp2res.dll,-22017

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-07-31 103304]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [2008-07-31 353672]
R3 SbieDrv;SbieDrv;\??\c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
.
Contents of the 'Scheduled Tasks' folder

2008-08-17 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-07-08 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 15:04]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 15:04]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- a:\","c:\","d:\","e:\" []

2008-11-26 c:\windows\Tasks\{5563F6B8-2FFA-4310-AE81-CC11EEAE72CC}_HOME-YWXI839F5J_Owner.job
- c:\windows\system32\mobsync.exe [2008-04-13 18:12]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 08:23:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\wdfproc.dll
.
Completion time: 2008-11-27 8:45:11
ComboFix-quarantined-files.txt 2008-11-27 14:44:49
ComboFix2.txt 2008-11-26 02:59:04

Pre-Run: 18,663,014,400 bytes free
Post-Run: 18,666,901,504 bytes free

167	--- E O F ---	2008-11-22 14:37:56
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:48:05, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\CF29327.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 6096 bytes


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Also, if you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and it does not need to be reported unless it returns on future reboots. *


----------



## parman (Mar 9, 2007)

Malwarebytes' Anti-Malware 1.19
Database version: 919
Windows 5.1.2600 Service Pack 3

8:09:18 AM 11/28/2008
mbam-log-11-28-2008 (08-09-18).txt

Scan type: Quick Scan
Objects scanned: 47379
Time elapsed: 9 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:14:05, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 6208 bytes


----------



## Cookiegal (Aug 27, 2003)

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

*Java Runtime Environment (JRE) 6 Update 10*

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## parman (Mar 9, 2007)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 29, 2008 12:40:36
Records in database: 1426420
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 43477
Threat name: 2
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 00:48:45


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
C:\Documents and Settings\Owner\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
C:\Qoobox\Quarantine\C\Program Files\AskSBar\bar\2.bin\A2PLUGIN.DLL.vir	Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw	1

The selected area was scanned.


----------



## parman (Mar 9, 2007)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 29, 2008 12:40:36
Records in database: 1426420
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 43477
Threat name: 2
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 00:48:45


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
C:\Documents and Settings\Owner\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
C:\Qoobox\Quarantine\C\Program Files\AskSBar\bar\2.bin\A2PLUGIN.DLL.vir	Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw	1

The selected area was scanned.


----------



## parman (Mar 9, 2007)

I apologize for the duplicate online scan!


----------



## parman (Mar 9, 2007)

What is WinWeb Security? I received a popup security warning:
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC. Click here to remove them immediately with WinWeb Security.


----------



## parman (Mar 9, 2007)

When I log off and then re-boot my windows firewall is turned off. I turn it back on, restart and it is back off. Every few minutes I get a popup. The last one says firefox is infected with worm LLas.Blaster,Keyloger. This worm is trying to send your credit card details using firefox to connect to remote host. Every 5 min. I get this popup.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:36:45, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Documents and Settings\All Users\Application Data\1672730441\775219191.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O2 - BHO: BHOws Object - {D5DF7C9D-6069-4552-8B0C-D02A912FC889} - ws.dll (file missing)
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [775219191] "C:\Documents and Settings\All Users\Application Data\1672730441\775219191.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 6746 bytes
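A small triage helper for logs like the one above, added here as an example; it is not part of the thread and not HijackThis's own code. It parses O2 (BHO) and O4 (Run key) lines, diffs the 11/30 log against the earlier 11/28 one so the entries that appeared in between stand out, and flags the two patterns a helper checks first: an autostart launched from a data directory with a numeric name, and a BHO registered with a bare DLL name that is missing. The sample lines are constructed from the logs posted in this thread; the heuristics are assumptions of this example, not rules from the tool.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the thread)."""
import re

# Line shapes as they appear in the posted logs:
#   O4 - HKLM\..\Run: [Name] "C:\path\to\file.exe" /args
#   O2 - BHO: Name - {CLSID} - C:\path\to\file.dll (file missing)
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')

# Constructed sample: a subset of the 11/28 log (before the popups started).
OLD_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
"""

# Constructed sample: the same entries plus what the 11/30 log added.
NEW_LOG = OLD_LOG + r"""
O2 - BHO: BHOws Object - {D5DF7C9D-6069-4552-8B0C-D02A912FC889} - ws.dll (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [775219191] "C:\Documents and Settings\All Users\Application Data\1672730441\775219191.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
"""


def parse_log(text):
    """Map (section, ...identifier) -> details for every O2 and O4 line in the log."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group('cmd')
            # The executable is the quoted part, or the first token if unquoted.
            exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(' ', 1)[0]
            entries[('O4', m.group('hive'), m.group('name'))] = {'exe': exe, 'raw': line}
            continue
        m = O2_RE.match(line)
        if m:
            path = m.group('path')
            missing = path.endswith('(file missing)')
            path = path.replace('(file missing)', '').strip()
            entries[('O2', m.group('clsid').upper())] = {'path': path, 'missing': missing, 'raw': line}
    return entries


def flag(key, details):
    """Reasons an entry deserves a closer look (empty list when nothing stands out)."""
    reasons = []
    if key[0] == 'O4':
        parts = details['exe'].split('\\')
        # Autostart binary living under a profile data directory rather than Program Files.
        if any(p.lower() == 'application data' for p in parts):
            reasons.append('autostart from Application Data')
        # Directory or file name made only of digits: no vendor, no product name.
        stem = parts[-1].rsplit('.', 1)[0]
        if stem.isdigit() or any(p.isdigit() for p in parts[:-1]):
            reasons.append('numeric-only path component')
    else:
        # A BHO whose DLL is named without any path and cannot be found on disk.
        if details['missing'] and '\\' not in details['path']:
            reasons.append('BHO registered with bare DLL name and file missing')
    return reasons


def new_entries(old_text, new_text):
    """Entries present in the newer log but absent from the older one."""
    old, new = parse_log(old_text), parse_log(new_text)
    return {k: v for k, v in new.items() if k not in old}


def triage(old_text, new_text):
    """(key, raw line, reasons) for each entry that is new since the previous log."""
    return [(k, d['raw'], flag(k, d)) for k, d in new_entries(old_text, new_text).items()]


if __name__ == '__main__':
    for key, raw, reasons in triage(OLD_LOG, NEW_LOG):
        marker = 'FLAG' if reasons else 'new '
        print(f'{marker}  {raw}' + (f'   <- {"; ".join(reasons)}' if reasons else ''))
```

Entries that are new but unflagged (the Adobe and Windows Defender lines in the sample) still deserve a glance; the flags only order the work.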


----------



## Cookiegal (Aug 27, 2003)

You must have just picked that up as MalwareBytes would remove it.

WinWeb Security is a rogue program and the files it detects are not infected. It's a goad to get you to purchase the program.

Please update and run MalwareBytes again and post the new log.


----------



## parman (Mar 9, 2007)

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12/1/2008 5:54:46 AM
mbam-log-2008-12-01 (05-54-34).txt

Scan type: Quick Scan
Objects scanned: 56945
Time elapsed: 13 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\276177 (Trojan.BHO) -> No action taken.

Files Infected:
(No malicious items detected)


----------



## parman (Mar 9, 2007)

This is my full scan of malwarebytes'.
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12/1/2008 6:24:44 PM
mbam-log-2008-12-01 (18-24-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 108420
Time elapsed: 49 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\276177 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log.


----------



## parman (Mar 9, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22:31, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Documents and Settings\All Users\Application Data\1672730441\775219191.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O2 - BHO: BHOws Object - {D5DF7C9D-6069-4552-8B0C-D02A912FC889} - ws.dll (file missing)
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [775219191] "C:\Documents and Settings\All Users\Application Data\1672730441\775219191.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 7127 bytes
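One way a helper triages a log like the one above, written here as an added example (it is not HijackThis's own code and was not posted in the thread): a small Python script that reads HijackThis O2 (BHO) and O4 (Run) lines and flags the patterns that stand out in this log: a BHO registered with a bare DLL name and no install directory, orphaned "(file missing)" entries, and an autorun whose file and folder names are nothing but digits, executing from a user-writable Application Data folder. The sample lines are constructed in the shape of the log above; the heuristic thresholds (six or more digits, the list of user-writable directory markers) are my own assumptions, not rules from any tool.

```python
"""Triage heuristics for HijackThis-style O2 (BHO) and O4 (Run) log lines."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape HijackThis v2 prints. The entries mirror the
# kinds seen in the thread: a normal BHO, an orphaned toolbar BHO, a BHO with a
# bare DLL name, a legitimate autorun, an autorun with digit-only names living
# under All Users\Application Data, and an unquoted system autorun.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)",
    r"O2 - BHO: BHOws Object - {D5DF7C9D-6069-4552-8B0C-D02A912FC889} - ws.dll (file missing)",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [775219191] "C:\Documents and Settings\All Users\Application Data\1672730441\775219191.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
])

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")

# Assumed list: directories an ordinary user can write to. An autorun there is
# not proof of anything by itself, but it is where the rogue file in the
# thread lived, so it is worth a second look.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")
MIN_RANDOM_DIGITS = 6  # assumed threshold for "generated-looking" names


@dataclass
class Finding:
    line_no: int
    section: str   # "O2" or "O4"
    severity: str  # "info", "warn" or "high"
    reason: str
    text: str


def executable_from_command(cmd: str) -> str:
    """Return the program path from an O4 command string.

    A quoted path is taken verbatim; otherwise the first whitespace-separated
    token is used (unquoted paths containing spaces are not handled here).
    """
    m = re.match(r'^"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Digit-only names such as '775219191' are typical of generated filenames."""
    return name.isdigit() and len(name) >= MIN_RANDOM_DIGITS


def triage_bho(line_no: int, m: re.Match, text: str) -> list:
    findings = []
    path = m.group("path")
    if m.group("missing"):
        findings.append(Finding(line_no, "O2", "info",
                                "BHO points at a missing file (orphaned entry)", text))
    # A real product installs its BHO under a directory; a bare filename means
    # the DLL is resolved through the loader's search path instead.
    if not ntpath.dirname(path):
        findings.append(Finding(line_no, "O2", "high",
                                f"BHO registered with bare filename {path!r}", text))
    return findings


def triage_run(line_no: int, m: re.Match, text: str) -> list:
    findings = []
    exe = executable_from_command(m.group("cmd"))
    base, _ = ntpath.splitext(ntpath.basename(exe))
    parent = ntpath.basename(ntpath.dirname(exe))
    if looks_random(base) or looks_random(parent):
        findings.append(Finding(line_no, "O4", "high",
                                "autorun with digit-only file or folder name", text))
    if any(marker in exe.lower() for marker in USER_WRITABLE_MARKERS):
        findings.append(Finding(line_no, "O4", "warn",
                                "autorun executes from a user-writable data directory", text))
    return findings


def triage(log_text: str) -> list:
    """Walk a HijackThis log and collect findings for O2 and O4 entries."""
    findings = []
    for line_no, text in enumerate(log_text.splitlines(), 1):
        text = text.rstrip()
        if m := BHO_RE.match(text):
            findings.extend(triage_bho(line_no, m, text))
        elif m := RUN_RE.match(text):
            findings.extend(triage_run(line_no, m, text))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'info': 2, 'warn': 1, 'high': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} [{f.severity:<4}] {f.section}: {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed sample, the script flags the `ws.dll` BHO (bare filename, high) and the `775219191.exe` autorun (digit-only names under Application Data, high plus warn), and reports the two "(file missing)" entries as informational cleanup candidates; the Adobe, Windows Defender and ctfmon lines produce nothing. These are triage hints for a reader of the log, not a verdict: a helper still confirms each flagged file before acting on it.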


----------



## parman (Mar 9, 2007)

I updated my Malwarebytes and ran another scan. Here are the results:
Malwarebytes' Anti-Malware 1.30
Database version: 1450
Windows 5.1.2600 Service Pack 3

12/2/2008 8:19:50 PM
mbam-log-2008-12-02 (20-19-50).txt

Scan type: Quick Scan
Objects scanned: 60965
Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5df7c9d-6069-4552-8b0c-d02a912fc889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ws.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


----------



## parman (Mar 9, 2007)

Even though the Malwarebytes scan showed Trojan.FakeAlert quarantined and deleted, I am still getting a popup from Llas.Blaster.keyloger. Very annoying! Every 5 min. It's turning my Windows Firewall off. When I boot up, my Windows Firewall is off. I turn it back on when I'm online.


----------



## Cookiegal (Aug 27, 2003)

What is the name and location of the file you're getting the alert for?


----------



## parman (Mar 9, 2007)

The file that Malwarebytes showed quarantined and deleted was:
C:\Windows\system32\ws.dll
I have not seen WinWeb Security anywhere on any scan. Every 5 min. I get this popup:
WinWeb Security Firewall has blocked a program from accessing the internet. Firefox is infected with LLas.Blogger.Keyloger.


----------



## parman (Mar 9, 2007)

Should I run ComboFix again? I ran a full sweep of my anti-virus, Spy Sweeper. I quarantined and deleted the trojans it showed. I ran AVG anti-root, Malwarebytes, Windows Defender. I'm still getting this popup, WinWeb Security Warning! Please advise!


----------



## Cookiegal (Aug 27, 2003)

I'm sorry, I've had some problems at home that needed attending to.

Please delete the ComboFix you have (drag it to the recycle bin) and grab a new copy as it's updated often, then run it and post a new scan log.

I won't be able to post back until sometime tomorrow though.


----------



## parman (Mar 9, 2007)

ComboFix 08-12-04.04 - Owner 2008-12-04 16:37:18.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.590 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-02 20:27 . 2008-12-04 15:12	198,741	--a------	c:\windows\system32\ws.dll
2008-12-02 18:54 . 2008-10-16 14:07	23,576	--a------	c:\windows\system32\wuapi.dll.mui
2008-12-02 18:20 . 2007-01-18 06:00	3,968	--a------	c:\windows\system32\drivers\AvgArCln.sys
2008-12-01 05:36 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 13:34 . 2008-11-30 13:36 d--------	c:\documents and settings\All Users\Application Data\1672730441
2008-11-29 14:37 . 2008-11-29 14:37 d--------	c:\documents and settings\Owner\.SunDownloadManager
2008-11-27 17:12 . 2008-11-27 17:12 d--------	c:\windows\.jagex_cache_32
2008-11-27 17:12 . 2008-11-27 17:13	31	--a------	c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-11-22 08:48 . 2008-11-23 20:12	2,104	--a------	c:\windows\system32\tmp.reg
2008-11-22 08:46 . 2008-11-22 08:49 d--------	c:\documents and settings\Owner\SmitfraudFix
2008-11-22 08:46 . 2007-09-05 23:22	289,144	--a------	c:\windows\system32\VCCLSID.exe
2008-11-22 08:46 . 2006-04-27 16:49	288,417	--a------	c:\windows\system32\SrchSTS.exe
2008-11-22 08:46 . 2008-10-01 14:51	87,552	--a------	c:\windows\system32\VACFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\o4Patch.exe
2008-11-22 08:46 . 2008-05-18 20:40	82,944	--a------	c:\windows\system32\IEDFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\IEDFix.C.exe
2008-11-22 08:46 . 2008-08-18 11:19	82,432	--a------	c:\windows\system32\404Fix.exe
2008-11-22 08:46 . 2003-06-05 20:13	53,248	--a------	c:\windows\system32\Process.exe
2008-11-22 08:46 . 2004-07-31 17:50	51,200	--a------	c:\windows\system32\dumphive.exe
2008-11-22 08:46 . 2007-10-03 23:36	25,600	--a------	c:\windows\system32\WS2Fix.exe
2008-11-18 20:58 . 2008-11-21 18:13 d--------	c:\program files\D-Link(2)
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\program files\Security Task Manager
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-16 16:26 . 2008-11-21 18:13 d--------	c:\program files\ACW
2008-11-14 08:37 . 2008-10-24 05:21	455,296	-----c---	c:\windows\system32\dllcache\mrxsmb.sys
2008-11-14 08:36 . 2008-09-04 11:15	1,106,944	-----c---	c:\windows\system32\dllcache\msxml3.dll
2008-11-06 18:55 . 2008-11-06 18:55 d--------	c:\documents and settings\Owner\Application Data\Acronis
2008-11-05 19:30 . 2008-11-06 06:33 d--------	c:\documents and settings\All Users\Application Data\Acronis
2008-11-05 19:30 . 2008-11-05 19:30	971,232	--a------	c:\windows\system32\drivers\tdrpm147.sys
2008-11-05 19:30 . 2008-11-05 19:30	540,000	--a------	c:\windows\system32\drivers\timntr.sys
2008-11-05 19:30 . 2008-11-05 19:30	134,272	--a------	c:\windows\system32\drivers\snman380.sys
2008-11-05 19:30 . 2008-11-05 19:30	44,704	--a------	c:\windows\system32\drivers\tifsfilt.sys
2008-11-05 19:28 . 2008-11-05 19:29 d--------	c:\program files\Common Files\Acronis
2008-11-05 19:28 . 2008-11-05 19:28 d--------	c:\program files\Acronis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 21:12	---------	d-----w	c:\documents and settings\LocalService\Application Data\VMware
2008-12-04 21:12	---------	d-----w	c:\documents and settings\All Users\Application Data\VMware
2008-12-01 11:36	---------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2008-11-29 16:02	---------	d-----w	c:\program files\Common Files\Adobe
2008-11-27 14:59	---------	d-----w	c:\program files\Windows Defender
2008-11-24 02:12	---------	d-----w	c:\program files\Google
2008-11-22 00:13	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-10-27 23:55	7,756	----a-w	C:\BG DAILY NEWS October 26.zip
2008-10-26 13:36	94	----a-w	C:\reset.cmd.cmd
2008-10-25 18:06	---------	d-----w	c:\program files\Windows Resource Kits
2008-10-24 11:21	455,296	----a-w	c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 01:24	---------	d-----w	c:\documents and settings\Owner\Application Data\VMware
2008-10-22 22:10	15,504	----a-w	c:\windows\system32\drivers\mbam.sys
2008-10-21 00:55	---------	d-----w	c:\documents and settings\NetworkService\Application Data\VMware
2008-10-16 20:13	202,776	----a-w	c:\windows\system32\wuweb.dll
2008-10-16 20:13	1,809,944	----a-w	c:\windows\system32\wuaueng.dll
2008-10-16 20:12	561,688	----a-w	c:\windows\system32\wuapi.dll
2008-10-16 20:12	323,608	----a-w	c:\windows\system32\wucltui.dll
2008-10-16 20:09	92,696	----a-w	c:\windows\system32\cdm.dll
2008-10-16 20:09	51,224	----a-w	c:\windows\system32\wuauclt.exe
2008-10-16 20:09	43,544	----a-w	c:\windows\system32\wups2.dll
2008-10-16 20:08	34,328	----a-w	c:\windows\system32\wups.dll
2008-10-16 20:06	268,648	----a-w	c:\windows\system32\mucltui.dll
2008-10-16 20:06	208,744	----a-w	c:\windows\system32\muweb.dll
2008-09-17 03:12	222,488	----a-w	c:\windows\system32\snapapi.dll
2008-09-15 12:12	1,846,400	----a-w	c:\windows\system32\win32k.sys
2008-09-10 01:14	1,307,648	----a-w	c:\windows\system32\msxml6.dll
2008-09-04 17:15	1,106,944	----a-w	c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((( [email protected]_20.44.45.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-27 23:12:57	315,392	----a-w	c:\windows\.jagex_cache_32\runescape\jogl.dll
+ 2008-11-27 23:12:57	20,480	----a-w	c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2008-04-14 00:11:48	61,440	-c--a-w	c:\windows\ie7\admparse.dll
+ 2008-04-14 00:11:48	99,840	-c--a-w	c:\windows\ie7\advpack.dll
+ 2004-08-04 07:56:41	28,672	-c--a-w	c:\windows\ie7\custsat.dll
+ 2008-04-14 00:11:52	357,888	-c--a-w	c:\windows\ie7\dxtmsft.dll
+ 2008-04-14 00:11:52	205,312	-c--a-w	c:\windows\ie7\dxtrans.dll
+ 2008-04-14 00:11:53	55,808	-c--a-w	c:\windows\ie7\extmgr.dll
+ 2008-04-14 00:11:54	38,912	-c--a-w	c:\windows\ie7\hmmapi.dll
+ 2008-04-14 00:12:22	34,304	-c--a-w	c:\windows\ie7\ie4uinit.exe
+ 2008-04-14 00:11:54	143,360	-c--a-w	c:\windows\ie7\ieakeng.dll
+ 2008-04-14 00:11:54	216,576	-c--a-w	c:\windows\ie7\ieaksie.dll
+ 2003-07-16 20:30:08	221,184	-c--a-w	c:\windows\ie7\ieakui.dll
+ 2008-04-14 00:11:54	323,584	-c--a-w	c:\windows\ie7\iedkcs32.dll
+ 2008-04-14 00:12:22	18,432	-c--a-w	c:\windows\ie7\iedw.exe
+ 2008-04-14 00:11:54	251,904	-c--a-w	c:\windows\ie7\iepeers.dll
+ 2008-04-14 00:11:54	48,640	-c--a-w	c:\windows\ie7\iernonce.dll
+ 2008-04-14 00:11:54	62,976	-c--a-w	c:\windows\ie7\iesetup.dll
+ 2008-04-14 00:12:22	93,184	-c--a-w	c:\windows\ie7\iexplore.exe
+ 2008-04-14 00:11:54	35,840	-c--a-w	c:\windows\ie7\imgutil.dll
+ 2008-04-14 00:11:55	96,256	-c--a-w	c:\windows\ie7\inseng.dll
+ 2008-04-14 00:11:56	15,872	-c--a-w	c:\windows\ie7\jsproxy.dll
+ 2008-04-14 00:11:56	22,016	-c--a-w	c:\windows\ie7\licmgr10.dll
+ 2008-04-14 00:12:27	29,184	-c--a-w	c:\windows\ie7\mshta.exe
+ 2008-08-20 05:30:53	3,067,904	-c--a-w	c:\windows\ie7\mshtml.dll
+ 2008-04-14 00:11:59	449,024	-c--a-w	c:\windows\ie7\mshtmled.dll
+ 2008-04-13 16:26:26	56,832	-c--a-w	c:\windows\ie7\mshtmler.dll
+ 2003-07-16 20:36:08	146,432	-c--a-w	c:\windows\ie7\msls31.dll
+ 2008-04-14 00:12:00	146,432	-c--a-w	c:\windows\ie7\msrating.dll
+ 2008-04-14 00:12:00	532,480	-c--a-w	c:\windows\ie7\mstime.dll
+ 2008-04-14 00:12:02	96,256	-c--a-w	c:\windows\ie7\occache.dll
+ 2008-04-14 00:12:02	39,424	-c--a-w	c:\windows\ie7\pngfilt.dll
+ 2007-08-14 00:54:42	32,960	-c--a-w	c:\windows\ie7\spuninst\iecustom.dll
+ 2007-08-14 00:52:06	66,048	-c--a-w	c:\windows\ie7\spuninst\ieResetIcons.exe
+ 2006-09-06 23:43:16	213,216	-c--a-w	c:\windows\ie7\spuninst\spuninst.exe
+ 2006-09-06 23:43:18	371,424	-c--a-w	c:\windows\ie7\spuninst\updspapi.dll
+ 2008-04-14 00:12:08	37,888	-c--a-w	c:\windows\ie7\url.dll
+ 2008-08-20 05:30:52	619,520	-c--a-w	c:\windows\ie7\urlmon.dll
+ 2008-04-14 00:12:08	851,968	-c--a-w	c:\windows\ie7\vgx.dll
+ 2008-04-14 00:12:08	276,480	-c--a-w	c:\windows\ie7\webcheck.dll
+ 2008-08-20 05:30:51	666,112	-c--a-w	c:\windows\ie7\wininet.dll
+ 2007-03-06 01:22:39	213,216	-c----w	c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47	371,424	-c----w	c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-08-14 00:54:10	765,952	-c----w	c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2007-08-14 00:39:00	123,904	-c----w	c:\windows\ie7updates\KB956390-IE7\advpack.dll
+ 2007-08-14 00:35:46	346,624	-c----w	c:\windows\ie7updates\KB956390-IE7\dxtmsft.dll
+ 2007-08-14 00:35:38	214,528	-c----w	c:\windows\ie7updates\KB956390-IE7\dxtrans.dll
+ 2007-08-14 00:54:10	131,584	-c----w	c:\windows\ie7updates\KB956390-IE7\extmgr.dll
+ 2007-08-14 00:36:26	61,952	-c----w	c:\windows\ie7updates\KB956390-IE7\icardie.dll
+ 2007-08-14 00:39:06	54,784	-c----w	c:\windows\ie7updates\KB956390-IE7\ie4uinit.exe
+ 2007-08-14 00:39:26	152,064	-c----w	c:\windows\ie7updates\KB956390-IE7\ieakeng.dll
+ 2007-08-14 00:39:54	229,376	-c----w	c:\windows\ie7updates\KB956390-IE7\ieaksie.dll
+ 2007-08-13 23:56:54	161,792	-c----w	c:\windows\ie7updates\KB956390-IE7\ieakui.dll
+ 2007-02-12 22:10:12	2,451,312	-c----w	c:\windows\ie7updates\KB956390-IE7\ieapfltr.dat
+ 2007-07-11 18:27:48	383,488	-c----w	c:\windows\ie7updates\KB956390-IE7\ieapfltr.dll
+ 2007-08-14 00:39:50	382,976	-c----w	c:\windows\ie7updates\KB956390-IE7\iedkcs32.dll
+ 2007-08-14 00:54:10	6,049,280	-c----w	c:\windows\ie7updates\KB956390-IE7\ieframe.dll
+ 2007-08-14 00:39:10	43,008	-c----w	c:\windows\ie7updates\KB956390-IE7\iernonce.dll
+ 2007-08-14 00:34:04	266,752	-c----w	c:\windows\ie7updates\KB956390-IE7\iertutil.dll
+ 2007-08-14 00:39:10	13,312	-c----w	c:\windows\ie7updates\KB956390-IE7\ieudinit.exe
+ 2007-08-14 00:43:56	622,080	-c----w	c:\windows\ie7updates\KB956390-IE7\iexplore.exe
+ 2007-08-14 00:54:10	27,136	-c----w	c:\windows\ie7updates\KB956390-IE7\jsproxy.dll
+ 2007-08-14 00:54:10	458,752	-c----w	c:\windows\ie7updates\KB956390-IE7\msfeeds.dll
+ 2007-08-14 00:54:10	50,688	-c----w	c:\windows\ie7updates\KB956390-IE7\msfeedsbs.dll
+ 2007-08-14 00:54:12	3,578,368	-c----w	c:\windows\ie7updates\KB956390-IE7\mshtml.dll
+ 2007-08-14 00:54:10	475,648	-c----w	c:\windows\ie7updates\KB956390-IE7\mshtmled.dll
+ 2007-08-14 00:44:26	192,000	-c----w	c:\windows\ie7updates\KB956390-IE7\msrating.dll
+ 2007-08-14 00:54:10	670,720	-c----w	c:\windows\ie7updates\KB956390-IE7\mstime.dll
+ 2007-08-14 00:44:06	101,376	-c----w	c:\windows\ie7updates\KB956390-IE7\occache.dll
+ 2007-08-14 00:36:12	44,544	-c----w	c:\windows\ie7updates\KB956390-IE7\pngfilt.dll
+ 2007-03-06 01:22:41	213,216	-c----w	c:\windows\ie7updates\KB956390-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51	371,424	-c----w	c:\windows\ie7updates\KB956390-IE7\spuninst\updspapi.dll
+ 2007-08-14 00:44:30	105,984	-c----w	c:\windows\ie7updates\KB956390-IE7\url.dll
+ 2007-08-14 00:54:10	1,162,240	-c----w	c:\windows\ie7updates\KB956390-IE7\urlmon.dll
+ 2007-08-14 00:54:10	231,424	-c----w	c:\windows\ie7updates\KB956390-IE7\webcheck.dll
+ 2007-08-14 00:54:10	818,688	-c----w	c:\windows\ie7updates\KB956390-IE7\wininet.dll
+ 2008-11-29 16:03:43	295,606	----a-r	c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
- 2008-04-14 00:11:48	61,440	----a-w	c:\windows\system32\admparse.dll
+ 2007-08-14 00:39:20	71,680	----a-w	c:\windows\system32\admparse.dll
- 2008-04-14 00:11:48	99,840	----a-w	c:\windows\system32\advpack.dll
+ 2008-08-26 07:24:28	124,928	----a-w	c:\windows\system32\advpack.dll
+ 2007-08-14 00:39:20	71,680	-c----w	c:\windows\system32\dllcache\admparse.dll
+ 2008-08-26 07:24:28	124,928	-c----w	c:\windows\system32\dllcache\advpack.dll
+ 2006-09-23 19:12:50	1,022,976	-c----w	c:\windows\system32\dllcache\browseui.dll
- 2008-07-19 03:10:48	94,920	-c--a-w	c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 20:09:44	92,696	-c--a-w	c:\windows\system32\dllcache\cdm.dll
+ 2007-08-14 00:42:54	17,408	-c----w	c:\windows\system32\dllcache\corpol.dll
- 2004-08-04 07:56:41	28,672	-c--a-w	c:\windows\system32\dllcache\custsat.dll
+ 2007-08-14 00:54:10	33,792	-c--a-w	c:\windows\system32\dllcache\custsat.dll
+ 2008-08-26 07:24:28	347,136	-c----w	c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-08-26 07:24:28	214,528	-c----w	c:\windows\system32\dllcache\dxtrans.dll
+ 2008-08-26 07:24:28	133,120	-c----w	c:\windows\system32\dllcache\extmgr.dll
+ 2007-08-14 00:18:02	60,416	-c----w	c:\windows\system32\dllcache\hmmapi.dll
+ 2008-08-26 07:24:28	63,488	-c----w	c:\windows\system32\dllcache\icardie.dll
+ 2008-08-25 08:37:59	70,656	-c----w	c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-08-26 07:24:28	153,088	-c----w	c:\windows\system32\dllcache\ieakeng.dll
+ 2008-08-26 07:24:28	230,400	-c----w	c:\windows\system32\dllcache\ieaksie.dll
- 2003-07-16 20:30:08	221,184	-c--a-w	c:\windows\system32\dllcache\ieakui.dll
+ 2008-08-23 05:54:51	161,792	-c--a-w	c:\windows\system32\dllcache\ieakui.dll
+ 2007-04-17 09:32:38	2,455,488	-c----w	c:\windows\system32\dllcache\ieapfltr.dat
+ 2008-08-26 07:24:28	383,488	-c----w	c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-08-26 07:24:29	384,512	-c----w	c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-14 00:44:02	69,120	-c----w	c:\windows\system32\dllcache\iedw.exe
+ 2007-08-14 00:45:18	78,336	-c----w	c:\windows\system32\dllcache\ieencode.dll
+ 2008-10-03 17:41:15	6,066,176	-c----w	c:\windows\system32\dllcache\ieframe.dll
+ 2007-08-14 00:54:10	191,488	-c----w	c:\windows\system32\dllcache\iepeers.dll
+ 2008-08-26 07:24:29	44,544	-c----w	c:\windows\system32\dllcache\iernonce.dll
+ 2008-08-26 07:24:29	267,776	-c----w	c:\windows\system32\dllcache\iertutil.dll
+ 2007-08-14 00:39:12	55,296	-c----w	c:\windows\system32\dllcache\iesetup.dll
+ 2008-08-25 08:38:00	13,824	-c----w	c:\windows\system32\dllcache\ieudinit.exe
+ 2008-08-23 05:56:15	635,848	-c----w	c:\windows\system32\dllcache\iexplore.exe
+ 2007-08-14 00:36:06	36,352	-c----w	c:\windows\system32\dllcache\imgutil.dll
+ 2007-08-14 00:39:02	92,672	-c----w	c:\windows\system32\dllcache\inseng.dll
+ 2008-08-26 07:24:30	27,648	-c----w	c:\windows\system32\dllcache\jsproxy.dll
+ 2007-08-14 00:44:18	40,960	-c----w	c:\windows\system32\dllcache\licmgr10.dll
+ 2008-08-26 07:24:30	459,264	-c----w	c:\windows\system32\dllcache\msfeeds.dll
+ 2008-08-26 07:24:30	52,224	-c----w	c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-08-14 00:32:30	45,568	-c----w	c:\windows\system32\dllcache\mshta.exe
- 2008-08-20 05:30:53	3,067,904	-c----w	c:\windows\system32\dllcache\mshtml.dll
+ 2008-08-27 08:24:32	3,593,216	-c--a-w	c:\windows\system32\dllcache\mshtml.dll
+ 2008-08-26 07:24:30	477,696	-c----w	c:\windows\system32\dllcache\mshtmled.dll
+ 2007-08-14 00:01:12	48,128	-c----w	c:\windows\system32\dllcache\mshtmler.dll
- 2003-07-16 20:36:08	146,432	-c--a-w	c:\windows\system32\dllcache\msls31.dll
+ 2007-08-14 00:54:10	156,160	-c--a-w	c:\windows\system32\dllcache\msls31.dll
+ 2008-08-26 07:24:30	193,024	-c----w	c:\windows\system32\dllcache\msrating.dll
+ 2008-08-26 07:24:30	671,232	-c----w	c:\windows\system32\dllcache\mstime.dll
+ 2008-08-26 07:24:30	102,912	-c----w	c:\windows\system32\dllcache\occache.dll
+ 2008-08-26 07:24:30	44,544	-c----w	c:\windows\system32\dllcache\pngfilt.dll
+ 2006-09-23 19:12:50	474,112	-c----w	c:\windows\system32\dllcache\shlwapi.dll
+ 2008-08-26 07:24:30	105,984	-c----w	c:\windows\system32\dllcache\url.dll
- 2008-08-20 05:30:52	619,520	-c----w	c:\windows\system32\dllcache\urlmon.dll
+ 2008-08-26 07:24:31	1,159,680	-c--a-w	c:\windows\system32\dllcache\urlmon.dll
+ 2008-05-27 17:23:58	765,952	-c----w	c:\windows\system32\dllcache\vgx.dll
+ 2008-08-26 07:24:31	233,472	-c----w	c:\windows\system32\dllcache\webcheck.dll
- 2008-08-20 05:30:51	666,112	-c----w	c:\windows\system32\dllcache\wininet.dll
+ 2008-08-26 07:24:31	826,368	-c--a-w	c:\windows\system32\dllcache\wininet.dll
- 2008-07-19 03:09:44	563,912	-c--a-w	c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 20:12:20	561,688	-c--a-w	c:\windows\system32\dllcache\wuapi.dll
- 2008-07-19 03:10:42	53,448	-c--a-w	c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 20:09:44	51,224	-c--a-w	c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-19 03:09:42	1,811,656	-c--a-w	c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 20:13:40	1,809,944	-c--a-w	c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-19 03:09:46	325,832	-c--a-w	c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 20:12:22	323,608	-c--a-w	c:\windows\system32\dllcache\wucltui.dll
- 2008-07-19 03:10:20	36,552	-c--a-w	c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 20:08:58	34,328	-c--a-w	c:\windows\system32\dllcache\wups.dll
- 2008-07-19 03:09:44	205,000	-c--a-w	c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 20:13:40	202,776	-c--a-w	c:\windows\system32\dllcache\wuweb.dll
+ 2007-01-31 13:33:46	5,632	----a-w	c:\windows\system32\drivers\avgarkt.sys
- 2008-04-14 00:11:52	357,888	----a-w	c:\windows\system32\dxtmsft.dll
+ 2008-08-26 07:24:28	347,136	----a-w	c:\windows\system32\dxtmsft.dll
- 2008-04-14 00:11:52	205,312	----a-w	c:\windows\system32\dxtrans.dll
+ 2008-08-26 07:24:28	214,528	----a-w	c:\windows\system32\dxtrans.dll
- 2008-04-14 00:11:53	55,808	----a-w	c:\windows\system32\extmgr.dll
+ 2008-08-26 07:24:28	133,120	----a-w	c:\windows\system32\extmgr.dll
+ 2008-08-26 07:24:28	63,488	----a-w	c:\windows\system32\icardie.dll
+ 2006-06-29 14:05:44	26,112	------w	c:\windows\system32\idndl.dll
- 2008-04-14 00:12:22	34,304	----a-w	c:\windows\system32\ie4uinit.exe
+ 2008-08-25 08:37:59	70,656	----a-w	c:\windows\system32\ie4uinit.exe
- 2008-04-14 00:11:54	143,360	----a-w	c:\windows\system32\ieakeng.dll
+ 2008-08-26 07:24:28	153,088	----a-w	c:\windows\system32\ieakeng.dll
- 2008-04-14 00:11:54	216,576	----a-w	c:\windows\system32\ieaksie.dll
+ 2008-08-26 07:24:28	230,400	----a-w	c:\windows\system32\ieaksie.dll
- 2003-07-16 20:30:08	221,184	----a-w	c:\windows\system32\ieakui.dll
+ 2008-08-23 05:54:51	161,792	----a-w	c:\windows\system32\ieakui.dll
+ 2007-04-17 09:32:38	2,455,488	----a-w	c:\windows\system32\ieapfltr.dat
+ 2008-08-26 07:24:28	383,488	----a-w	c:\windows\system32\ieapfltr.dll
- 2008-04-14 00:11:54	323,584	----a-w	c:\windows\system32\iedkcs32.dll
+ 2008-08-26 07:24:29	384,512	----a-w	c:\windows\system32\iedkcs32.dll
+ 2008-10-03 17:41:15	6,066,176	----a-w	c:\windows\system32\ieframe.dll
- 2008-04-14 00:11:54	251,904	----a-w	c:\windows\system32\iepeers.dll
+ 2007-08-14 00:54:10	191,488	----a-w	c:\windows\system32\iepeers.dll
- 2008-04-14 00:11:54	48,640	----a-w	c:\windows\system32\iernonce.dll
+ 2008-08-26 07:24:29	44,544	----a-w	c:\windows\system32\iernonce.dll
+ 2008-08-26 07:24:29	267,776	----a-w	c:\windows\system32\iertutil.dll
- 2008-04-14 00:11:54	62,976	----a-w	c:\windows\system32\iesetup.dll
+ 2007-08-14 00:39:12	55,296	----a-w	c:\windows\system32\iesetup.dll
+ 2008-08-25 08:38:00	13,824	----a-w	c:\windows\system32\ieudinit.exe
+ 2007-08-14 00:54:10	180,736	------w	c:\windows\system32\ieui.dll
- 2008-04-14 00:11:54	35,840	----a-w	c:\windows\system32\imgutil.dll
+ 2007-08-14 00:36:06	36,352	----a-w	c:\windows\system32\imgutil.dll
- 2008-04-14 00:11:55	96,256	----a-w	c:\windows\system32\inseng.dll
+ 2007-08-14 00:39:02	92,672	----a-w	c:\windows\system32\inseng.dll
- 2008-04-14 00:11:56	15,872	----a-w	c:\windows\system32\jsproxy.dll
+ 2008-08-26 07:24:30	27,648	----a-w	c:\windows\system32\jsproxy.dll
- 2008-04-14 00:11:56	22,016	----a-w	c:\windows\system32\licmgr10.dll
+ 2007-08-14 00:44:18	40,960	----a-w	c:\windows\system32\licmgr10.dll
+ 2008-08-26 07:24:30	459,264	----a-w	c:\windows\system32\msfeeds.dll
+ 2008-08-26 07:24:30	52,224	----a-w	c:\windows\system32\msfeedsbs.dll
+ 2007-08-14 00:36:40	12,288	------w	c:\windows\system32\msfeedssync.exe
- 2008-04-14 00:12:27	29,184	----a-w	c:\windows\system32\mshta.exe
+ 2007-08-14 00:32:30	45,568	----a-w	c:\windows\system32\mshta.exe
- 2008-08-20 05:30:53	3,067,904	----a-w	c:\windows\system32\mshtml.dll
+ 2008-08-27 08:24:32	3,593,216	----a-w	c:\windows\system32\mshtml.dll
- 2008-04-14 00:11:59	449,024	----a-w	c:\windows\system32\mshtmled.dll
+ 2008-08-26 07:24:30	477,696	----a-w	c:\windows\system32\mshtmled.dll
- 2008-04-13 16:26:26	56,832	----a-w	c:\windows\system32\mshtmler.dll
+ 2007-08-14 00:01:12	48,128	----a-w	c:\windows\system32\mshtmler.dll
- 2003-07-16 20:36:08	146,432	----a-w	c:\windows\system32\msls31.dll
+ 2007-08-14 00:54:10	156,160	----a-w	c:\windows\system32\msls31.dll
- 2008-04-14 00:12:00	146,432	----a-w	c:\windows\system32\msrating.dll
+ 2008-08-26 07:24:30	193,024	----a-w	c:\windows\system32\msrating.dll
- 2008-04-14 00:12:00	532,480	----a-w	c:\windows\system32\mstime.dll
+ 2008-08-26 07:24:30	671,232	----a-w	c:\windows\system32\mstime.dll
+ 2006-06-28 23:59:26	24,576	------w	c:\windows\system32\nlsdl.dll
+ 2006-06-29 14:05:44	23,552	------w	c:\windows\system32\normaliz.dll
- 2008-04-14 00:12:02	96,256	----a-w	c:\windows\system32\occache.dll
+ 2008-08-26 07:24:30	102,912	----a-w	c:\windows\system32\occache.dll
- 2008-04-14 00:12:02	39,424	----a-w	c:\windows\system32\pngfilt.dll
+ 2008-08-26 07:24:30	44,544	----a-w	c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:12:20	561,688	----a-w	c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.2.6001.788\wuapi.dll
+ 2008-10-16 20:08:58	34,328	----a-w	c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 20:09:44	43,544	----a-w	c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2008-07-08 13:02:01	17,272	------w	c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22	17,272	------w	c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:08	37,888	----a-w	c:\windows\system32\url.dll
+ 2008-08-26 07:24:30	105,984	----a-w	c:\windows\system32\url.dll
- 2008-08-20 05:30:52	619,520	----a-w	c:\windows\system32\urlmon.dll
+ 2008-08-26 07:24:31	1,159,680	----a-w	c:\windows\system32\urlmon.dll
- 2008-04-14 00:12:08	276,480	----a-w	c:\windows\system32\webcheck.dll
+ 2008-08-26 07:24:31	233,472	----a-w	c:\windows\system32\webcheck.dll
+ 2007-08-14 00:45:16	206,336	------w	c:\windows\system32\WinFXDocObj.exe
- 2008-08-20 05:30:51	666,112	----a-w	c:\windows\system32\wininet.dll
+ 2008-08-26 07:24:31	826,368	----a-w	c:\windows\system32\wininet.dll
+ 2008-12-04 21:12:10	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_144.dat
- 2006-06-05 19:14:28	479,232	----a-w	c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 20:14:28	479,232	----a-w	c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
- 2006-06-05 19:14:28	548,864	----a-w	c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 20:14:28	548,864	----a-w	c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
- 2006-06-05 19:14:28	626,688	----a-w	c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
+ 2006-06-05 20:14:28	626,688	----a-w	c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2007-12-14 26112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"775219191"="c:\documents and settings\All Users\Application Data\1672730441\775219191.exe" [2008-11-30 1070120]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-09 5418864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-02-18 19:12 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCPCOM(135)
"1723:TCP"= 1723:TCPxpsp2res.dll,-22015
"1701:UDP"= 1701:UDPxpsp2res.dll,-22016
"500:UDP"= 500:UDPxpsp2res.dll,-22017

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-07-31 103304]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [2008-07-31 353672]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 SbieDrv;SbieDrv;\??\c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-17 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-07-08 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 15:04]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 15:04]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- a:\","c:\","d:\","e:\" []

2008-12-04 c:\windows\Tasks\{5563F6B8-2FFA-4310-AE81-CC11EEAE72CC}_HOME-YWXI839F5J_Owner.job
- c:\windows\system32\mobsync.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D5DF7C9D-6069-4552-8B0C-D02A912FC889} - ws.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\a0fs5u5p.default\
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npagent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 17:21:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'explorer.exe'(3640)
c:\windows\system32\wdfproc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2008-12-04 18:16:44
ComboFix-quarantined-files.txt 2008-12-05 00:16:20
ComboFix2.txt 2008-11-27 14:45:34
ComboFix3.txt 2008-11-26 02:59:04

Pre-Run: 22,541,279,232 bytes free
Post-Run: 22,641,377,280 bytes free

412	--- E O F ---	2008-12-01 12:05:10


----------



## parman (Mar 9, 2007)

I've been online for about 3 hrs. and I don't see any popups of winweb security warning or llas.blogger.keylogger. That's good! My Windows Firewall is turned off, though, every time I log on. Would it be because I have Webroot Desktop Firewall turned on? One firewall conflicting with another. I don't know. 
It still seems to take about 3 min. to load at startup. Webroot AntiVirus with AntiSpyware is slow at loading. 
My system tray clock is showing 16:53 instead of 4:53. In the mornings it shows like 07:30 instead of 7:30. Please respond!


----------



## Cookiegal (Aug 27, 2003)

If you go to Control Panel - Security Center, does it show one of the firewalls as running?

ComboFix changes the clock to military time but it should change back before it finishes. It will likely get changed back after this run. If not, let me know and I'll tell you how to fix it.

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\windows\system32\ws.dll

Folder::
c:\documents and settings\All Users\Application Data\1672730441

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"775219191"=-
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## parman (Mar 9, 2007)

Yes, one of the firewalls is running.

ComboFix 08-12-04.04 - Owner 2008-12-05 18:35:18.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

FILE ::
c:\windows\system32\ws.dll
.

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 16:22 . 2008-12-05 16:22 d--------	C:\Binaries
2008-12-05 16:21 . 2008-12-05 16:21 d--------	c:\program files\AskSBar
2008-12-05 14:51 . 2008-12-05 14:52 d--------	c:\program files\QuickTime
2008-12-05 14:51 . 2008-12-05 14:51 d--------	c:\program files\Common Files\Apple
2008-12-05 14:51 . 2008-12-05 14:51 d--------	c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-05 14:50 . 2008-12-05 14:50 d--------	c:\program files\Apple Software Update
2008-12-05 14:50 . 2008-12-05 14:50 d--------	c:\documents and settings\All Users\Application Data\Apple
2008-12-02 18:54 . 2008-10-16 14:07	23,576	--a------	c:\windows\system32\wuapi.dll.mui
2008-12-01 05:36 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 14:37 . 2008-12-05 15:08 d--------	c:\documents and settings\Owner\.SunDownloadManager
2008-11-27 17:12 . 2008-11-27 17:12 d--------	c:\windows\.jagex_cache_32
2008-11-27 17:12 . 2008-11-27 17:13	31	--a------	c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-11-22 08:48 . 2008-11-23 20:12	2,104	--a------	c:\windows\system32\tmp.reg
2008-11-22 08:46 . 2008-11-22 08:49 d--------	c:\documents and settings\Owner\SmitfraudFix
2008-11-22 08:46 . 2007-09-05 23:22	289,144	--a------	c:\windows\system32\VCCLSID.exe
2008-11-22 08:46 . 2006-04-27 16:49	288,417	--a------	c:\windows\system32\SrchSTS.exe
2008-11-22 08:46 . 2008-10-01 14:51	87,552	--a------	c:\windows\system32\VACFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\o4Patch.exe
2008-11-22 08:46 . 2008-05-18 20:40	82,944	--a------	c:\windows\system32\IEDFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\IEDFix.C.exe
2008-11-22 08:46 . 2008-08-18 11:19	82,432	--a------	c:\windows\system32\404Fix.exe
2008-11-22 08:46 . 2003-06-05 20:13	53,248	--a------	c:\windows\system32\Process.exe
2008-11-22 08:46 . 2004-07-31 17:50	51,200	--a------	c:\windows\system32\dumphive.exe
2008-11-22 08:46 . 2007-10-03 23:36	25,600	--a------	c:\windows\system32\WS2Fix.exe
2008-11-18 20:58 . 2008-11-21 18:13 d--------	c:\program files\D-Link(2)
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\program files\Security Task Manager
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-16 16:26 . 2008-11-21 18:13 d--------	c:\program files\ACW
2008-11-14 08:37 . 2008-10-24 05:21	455,296	-----c---	c:\windows\system32\dllcache\mrxsmb.sys
2008-11-14 08:36 . 2008-09-04 11:15	1,106,944	-----c---	c:\windows\system32\dllcache\msxml3.dll
2008-11-06 18:55 . 2008-11-06 18:55 d--------	c:\documents and settings\Owner\Application Data\Acronis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 22:39	---------	d-----w	c:\documents and settings\LocalService\Application Data\VMware
2008-12-05 22:39	---------	d-----w	c:\documents and settings\All Users\Application Data\VMware
2008-12-05 22:27	---------	d-----w	c:\documents and settings\All Users\Application Data\Webroot
2008-12-05 22:20	164	----a-w	C:\install.dat
2008-12-01 11:36	---------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2008-11-29 16:02	---------	d-----w	c:\program files\Common Files\Adobe
2008-11-27 14:59	---------	d-----w	c:\program files\Windows Defender
2008-11-24 02:12	---------	d-----w	c:\program files\Google
2008-11-22 00:13	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-11-13 23:11	1,553,272	----a-w	c:\windows\WRSetup.dll
2008-11-12 22:02	29,808	----a-w	c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 22:02	23,152	----a-w	c:\windows\system32\drivers\sshrmd.sys
2008-11-12 22:02	170,608	----a-w	c:\windows\system32\drivers\ssidrv.sys
2008-11-06 12:33	---------	d-----w	c:\documents and settings\All Users\Application Data\Acronis
2008-11-06 01:30	971,232	----a-w	c:\windows\system32\drivers\tdrpm147.sys
2008-11-06 01:30	540,000	----a-w	c:\windows\system32\drivers\timntr.sys
2008-11-06 01:30	44,704	----a-w	c:\windows\system32\drivers\tifsfilt.sys
2008-11-06 01:30	134,272	----a-w	c:\windows\system32\drivers\snman380.sys
2008-11-06 01:29	---------	d-----w	c:\program files\Common Files\Acronis
2008-11-06 01:28	---------	d-----w	c:\program files\Acronis
2008-10-27 23:55	7,756	----a-w	C:\BG DAILY NEWS October 26.zip
2008-10-26 13:36	94	----a-w	C:\reset.cmd.cmd
2008-10-25 18:06	---------	d-----w	c:\program files\Windows Resource Kits
2008-10-24 11:21	455,296	----a-w	c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 01:24	---------	d-----w	c:\documents and settings\Owner\Application Data\VMware
2008-10-22 22:10	15,504	----a-w	c:\windows\system32\drivers\mbam.sys
2008-10-21 00:55	---------	d-----w	c:\documents and settings\NetworkService\Application Data\VMware
2008-10-16 20:13	202,776	----a-w	c:\windows\system32\wuweb.dll
2008-10-16 20:13	1,809,944	----a-w	c:\windows\system32\wuaueng.dll
2008-10-16 20:12	561,688	----a-w	c:\windows\system32\wuapi.dll
2008-10-16 20:12	323,608	----a-w	c:\windows\system32\wucltui.dll
2008-10-16 20:09	92,696	----a-w	c:\windows\system32\cdm.dll
2008-10-16 20:09	51,224	----a-w	c:\windows\system32\wuauclt.exe
2008-10-16 20:09	43,544	----a-w	c:\windows\system32\wups2.dll
2008-10-16 20:08	34,328	----a-w	c:\windows\system32\wups.dll
2008-10-16 20:06	268,648	----a-w	c:\windows\system32\mucltui.dll
2008-10-16 20:06	208,744	----a-w	c:\windows\system32\muweb.dll
2008-09-17 03:12	222,488	----a-w	c:\windows\system32\snapapi.dll
2008-09-15 12:12	1,846,400	----a-w	c:\windows\system32\win32k.sys
2008-09-10 01:14	1,307,648	----a-w	c:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((( snapshot_2008-12-04_17.26.58.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-05 22:22:35	10,134	----a-r	c:\windows\Installer\{32343DB6-9A52-40C9-87E4-5E7C79791C87}\ARPPRODUCTICON.exe
- 2008-08-30 23:38:48	10,134	----a-r	c:\windows\Installer\{3F5B6210-0903-4DC6-8034-8F488AA3A782}\ARPPRODUCTICON.exe
+ 2008-12-05 22:22:17	10,134	----a-r	c:\windows\Installer\{3F5B6210-0903-4DC6-8034-8F488AA3A782}\ARPPRODUCTICON.exe
+ 2008-12-05 20:50:48	27,136	----a-r	c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
- 2008-10-27 00:26:06	16,384	-c--a-w	c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-05 22:39:07	16,384	-c--a-w	c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-10-27 00:26:06	32,768	-c--a-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-05 22:39:07	32,768	-c--a-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-27 00:26:06	32,768	-c--a-w	c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 22:39:07	32,768	-c--a-w	c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-04-18 22:46:22	1,233,920	----a-w	c:\windows\system32\msxml4.dll
+ 2003-04-18 22:29:26	82,432	----a-w	c:\windows\system32\msxml4r.dll
- 2008-08-09 19:42:00	15,208	----a-w	c:\windows\system32\SsiEfr.exe
+ 2008-11-12 22:02:12	16,240	----a-w	c:\windows\system32\SsiEfr.exe
- 2008-08-09 19:42:08	31,080	----a-w	c:\windows\system32\wrLZMA.dll
+ 2008-11-12 22:02:20	31,088	----a-w	c:\windows\system32\wrLZMA.dll
+ 2008-12-05 22:39:24	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_544.dat
+ 2008-12-05 22:22:33	1,233,920	----a-w	c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2008-12-05 22:22:33	82,432	----a-w	c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\3.bin\A2SRCHAS.DLL" [2008-12-05 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-12-05 16:21	66912	--a------	c:\program files\AskSBar\SrchAstt\3.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2007-12-14 26112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-11-13 6273400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-02-18 19:12 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCPCOM(135)
"1723:TCP"= 1723:TCPxpsp2res.dll,-22015
"1701:UDP"= 1701:UDPxpsp2res.dll,-22016
"500:UDP"= 500:UDPxpsp2res.dll,-22017

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-07-31 103304]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [2008-07-31 353672]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe" [2008-12-05 1086840]
R3 SbieDrv;SbieDrv;\??\c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-17 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-07-08 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- a:\","c:\","d:\","e:\" []

2008-12-06 c:\windows\Tasks\{5563F6B8-2FFA-4310-AE81-CC11EEAE72CC}_HOME-YWXI839F5J_Owner.job
- c:\windows\system32\mobsync.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

.
------- Supplementary Scan -------
.
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\a0fs5u5p.default\
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npagent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 18:44:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\wdfproc.dll
.
Completion time: 2008-12-05 20:16:54
ComboFix-quarantined-files.txt 2008-12-06 02:16:50
ComboFix2.txt 2008-12-05 00:17:01
ComboFix3.txt 2008-11-27 14:45:34
ComboFix4.txt 2008-11-26 02:59:04

Pre-Run: 22,058,692,608 bytes free
Post-Run: 22,118,891,520 bytes free

217	--- E O F ---	2008-12-05 18:39:24
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:23, on 12/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\CF22125.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\3.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\3.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 7689 bytes


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
Folder::
c:\program files\AskSBar

DirLook::
C:\Binaries

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-
[-HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## parman (Mar 9, 2007)

ComboFix 08-12-04.04 - Owner 2008-12-06 15:31:26.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.605 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSBar
c:\program files\AskSBar\bar\3.bin\A2FFXTBR.JAR
c:\program files\AskSBar\bar\3.bin\A2FFXTBR.MANIFEST
c:\program files\AskSBar\bar\3.bin\A2HIGHIN.EXE
c:\program files\AskSBar\bar\3.bin\A2NTSTBR.JAR
c:\program files\AskSBar\bar\3.bin\A2NTSTBR.MANIFEST
c:\program files\AskSBar\bar\3.bin\A2PLUGIN.DLL
c:\program files\AskSBar\bar\3.bin\ASKSBAR.DLL
c:\program files\AskSBar\bar\3.bin\NPASKSBR.DLL
c:\program files\AskSBar\bar\Cache\00060235
c:\program files\AskSBar\bar\Cache\00060CA5
c:\program files\AskSBar\bar\Cache\00061177.bin
c:\program files\AskSBar\bar\Cache\000614B3.bin
c:\program files\AskSBar\bar\Cache\00DC327B.bin
c:\program files\AskSBar\bar\Cache\00DC3942.bin
c:\program files\AskSBar\bar\Cache\00DC3B74.bin
c:\program files\AskSBar\bar\Cache\00DC3D78.bin
c:\program files\AskSBar\bar\Cache\00DC3FE9.bin
c:\program files\AskSBar\bar\Cache\00DC40E3.bin
c:\program files\AskSBar\bar\Cache\00DC41DD.bin
c:\program files\AskSBar\bar\Cache\files.ini
c:\program files\AskSBar\bar\History\search2
c:\program files\AskSBar\bar\Settings\prevcfg2.htm
c:\program files\AskSBar\SrchAstt\3.bin\A2SRCHAS.DLL

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 12:27 . 2008-12-06 12:27 d--------	c:\program files\MSXML 4.0
2008-12-06 11:13 . 2008-12-06 11:13 d--------	c:\documents and settings\Owner\Application Data\Apple Computer
2008-12-05 16:22 . 2008-12-05 16:22 d--------	C:\Binaries
2008-12-05 14:51 . 2008-12-05 14:52 d--------	c:\program files\QuickTime
2008-12-05 14:51 . 2008-12-05 14:51 d--------	c:\program files\Common Files\Apple
2008-12-05 14:51 . 2008-12-05 14:51 d--------	c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-05 14:50 . 2008-12-05 14:50 d--------	c:\program files\Apple Software Update
2008-12-05 14:50 . 2008-12-05 14:50 d--------	c:\documents and settings\All Users\Application Data\Apple
2008-12-02 18:54 . 2008-10-16 14:07	23,576	--a------	c:\windows\system32\wuapi.dll.mui
2008-12-01 05:36 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 14:37 . 2008-12-05 15:08 d--------	c:\documents and settings\Owner\.SunDownloadManager
2008-11-27 17:12 . 2008-11-27 17:12 d--------	c:\windows\.jagex_cache_32
2008-11-27 17:12 . 2008-11-27 17:13	31	--a------	c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-11-22 08:48 . 2008-11-23 20:12	2,104	--a------	c:\windows\system32\tmp.reg
2008-11-22 08:46 . 2008-11-22 08:49 d--------	c:\documents and settings\Owner\SmitfraudFix
2008-11-22 08:46 . 2007-09-05 23:22	289,144	--a------	c:\windows\system32\VCCLSID.exe
2008-11-22 08:46 . 2006-04-27 16:49	288,417	--a------	c:\windows\system32\SrchSTS.exe
2008-11-22 08:46 . 2008-10-01 14:51	87,552	--a------	c:\windows\system32\VACFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\o4Patch.exe
2008-11-22 08:46 . 2008-05-18 20:40	82,944	--a------	c:\windows\system32\IEDFix.exe
2008-11-22 08:46 . 2008-10-10 07:58	82,944	--a------	c:\windows\system32\IEDFix.C.exe
2008-11-22 08:46 . 2008-08-18 11:19	82,432	--a------	c:\windows\system32\404Fix.exe
2008-11-22 08:46 . 2003-06-05 20:13	53,248	--a------	c:\windows\system32\Process.exe
2008-11-22 08:46 . 2004-07-31 17:50	51,200	--a------	c:\windows\system32\dumphive.exe
2008-11-22 08:46 . 2007-10-03 23:36	25,600	--a------	c:\windows\system32\WS2Fix.exe
2008-11-18 20:58 . 2008-11-21 18:13 d--------	c:\program files\D-Link(2)
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\program files\Security Task Manager
2008-11-16 18:30 . 2008-11-21 18:13 d--------	c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-16 16:26 . 2008-11-21 18:13 d--------	c:\program files\ACW
2008-11-14 08:37 . 2008-10-24 05:21	455,296	-----c---	c:\windows\system32\dllcache\mrxsmb.sys
2008-11-14 08:36 . 2008-09-04 11:15	1,106,944	-----c---	c:\windows\system32\dllcache\msxml3.dll
2008-11-06 18:55 . 2008-11-06 18:55 d--------	c:\documents and settings\Owner\Application Data\Acronis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 18:49	---------	d-----w	c:\documents and settings\LocalService\Application Data\VMware
2008-12-06 18:49	---------	d-----w	c:\documents and settings\All Users\Application Data\VMware
2008-12-05 22:27	---------	d-----w	c:\documents and settings\All Users\Application Data\Webroot
2008-12-05 22:20	164	----a-w	C:\install.dat
2008-12-01 11:36	---------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2008-11-29 16:02	---------	d-----w	c:\program files\Common Files\Adobe
2008-11-27 14:59	---------	d-----w	c:\program files\Windows Defender
2008-11-24 02:12	---------	d-----w	c:\program files\Google
2008-11-22 00:13	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-11-13 23:11	1,553,272	----a-w	c:\windows\WRSetup.dll
2008-11-12 22:02	29,808	----a-w	c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 22:02	23,152	----a-w	c:\windows\system32\drivers\sshrmd.sys
2008-11-12 22:02	170,608	----a-w	c:\windows\system32\drivers\ssidrv.sys
2008-11-06 12:33	---------	d-----w	c:\documents and settings\All Users\Application Data\Acronis
2008-11-06 01:30	971,232	----a-w	c:\windows\system32\drivers\tdrpm147.sys
2008-11-06 01:30	540,000	----a-w	c:\windows\system32\drivers\timntr.sys
2008-11-06 01:30	44,704	----a-w	c:\windows\system32\drivers\tifsfilt.sys
2008-11-06 01:30	134,272	----a-w	c:\windows\system32\drivers\snman380.sys
2008-11-06 01:29	---------	d-----w	c:\program files\Common Files\Acronis
2008-11-06 01:28	---------	d-----w	c:\program files\Acronis
2008-10-27 23:55	7,756	----a-w	C:\BG DAILY NEWS October 26.zip
2008-10-26 13:36	94	----a-w	C:\reset.cmd.cmd
2008-10-25 18:06	---------	d-----w	c:\program files\Windows Resource Kits
2008-10-24 11:21	455,296	----a-w	c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 01:24	---------	d-----w	c:\documents and settings\Owner\Application Data\VMware
2008-10-22 22:10	15,504	----a-w	c:\windows\system32\drivers\mbam.sys
2008-10-21 00:55	---------	d-----w	c:\documents and settings\NetworkService\Application Data\VMware
2008-10-16 20:13	202,776	----a-w	c:\windows\system32\wuweb.dll
2008-10-16 20:13	1,809,944	----a-w	c:\windows\system32\wuaueng.dll
2008-10-16 20:12	561,688	----a-w	c:\windows\system32\wuapi.dll
2008-10-16 20:12	323,608	----a-w	c:\windows\system32\wucltui.dll
2008-10-16 20:09	92,696	----a-w	c:\windows\system32\cdm.dll
2008-10-16 20:09	51,224	----a-w	c:\windows\system32\wuauclt.exe
2008-10-16 20:09	43,544	----a-w	c:\windows\system32\wups2.dll
2008-10-16 20:08	34,328	----a-w	c:\windows\system32\wups.dll
2008-10-16 20:06	268,648	----a-w	c:\windows\system32\mucltui.dll
2008-10-16 20:06	208,744	----a-w	c:\windows\system32\muweb.dll
2008-09-30 22:43	1,286,152	----a-w	c:\windows\system32\msxml4.dll
2008-09-17 03:12	222,488	----a-w	c:\windows\system32\snapapi.dll
2008-09-15 12:12	1,846,400	----a-w	c:\windows\system32\win32k.sys
2008-09-10 01:14	1,307,648	----a-w	c:\windows\system32\msxml6.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Binaries ----

2002-06-27 13:22	75	--a------	c:\binaries\SOAPVDIR.CMD 
2002-06-27 13:22	11729	--a------	c:\binaries\_svdir.VBS

((((((((((((((((((((((((((((( snapshot_2008-12-04_17.26.58.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-05 22:22:35	10,134	----a-r	c:\windows\Installer\{32343DB6-9A52-40C9-87E4-5E7C79791C87}\ARPPRODUCTICON.exe
- 2008-08-30 23:38:48	10,134	----a-r	c:\windows\Installer\{3F5B6210-0903-4DC6-8034-8F488AA3A782}\ARPPRODUCTICON.exe
+ 2008-12-05 22:22:17	10,134	----a-r	c:\windows\Installer\{3F5B6210-0903-4DC6-8034-8F488AA3A782}\ARPPRODUCTICON.exe
+ 2008-12-05 20:50:48	27,136	----a-r	c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2008-12-06 18:27:11	32,768	----a-r	c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-10-27 00:26:06	16,384	-c--a-w	c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-06 18:49:22	16,384	-c--a-w	c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-10-27 00:26:06	32,768	-c--a-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-06 18:49:22	32,768	-c--a-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-27 00:26:06	32,768	-c--a-w	c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-06 18:49:22	32,768	-c--a-w	c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-04-18 22:29:26	82,432	----a-w	c:\windows\system32\msxml4r.dll
- 2008-08-09 19:42:00	15,208	----a-w	c:\windows\system32\SsiEfr.exe
+ 2008-11-12 22:02:12	16,240	----a-w	c:\windows\system32\SsiEfr.exe
- 2008-08-09 19:42:08	31,080	----a-w	c:\windows\system32\wrLZMA.dll
+ 2008-11-12 22:02:20	31,088	----a-w	c:\windows\system32\wrLZMA.dll
+ 2008-12-06 18:49:27	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_4d4.dat
+ 2008-12-05 22:22:33	1,233,920	----a-w	c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2008-09-30 22:42:08	1,286,152	----a-w	c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-12-05 22:22:33	82,432	----a-w	c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
+ 2008-09-30 22:45:12	91,656	----a-w	c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2007-12-14 26112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-11-13 6273400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-02-18 19:12 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCPCOM(135)
"1723:TCP"= 1723:TCPxpsp2res.dll,-22015
"1701:UDP"= 1701:UDPxpsp2res.dll,-22016
"500:UDP"= 500:UDPxpsp2res.dll,-22017

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-07-31 103304]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [2008-07-31 353672]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe" [2008-12-05 1086840]
R3 SbieDrv;SbieDrv;\??\c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-17 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-07-08 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-08-30 c:\windows\Tasks\wrSpySweeperFullSweep.job
- a:\","c:\","d:\","e:\" []

2008-12-06 c:\windows\Tasks\{5563F6B8-2FFA-4310-AE81-CC11EEAE72CC}_HOME-YWXI839F5J_Owner.job
- c:\windows\system32\mobsync.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

.
------- Supplementary Scan -------
.
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\a0fs5u5p.default\
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npagent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 15:39:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\TMP00000041B42E999632999A14 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\wdfproc.dll
.
Completion time: 2008-12-06 18:45:51
ComboFix-quarantined-files.txt 2008-12-07 00:45:47
ComboFix2.txt 2008-12-06 02:16:56
ComboFix3.txt 2008-12-05 00:17:01
ComboFix4.txt 2008-11-27 14:45:34
ComboFix5.txt 2008-12-06 21:30:04

Pre-Run: 22,082,727,936 bytes free
Post-Run: 22,108,913,664 bytes free

248	--- E O F ---	2008-12-06 18:27:12

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:48:15, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\CF6170.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 7459 bytes


----------



## Cookiegal (Aug 27, 2003)

Delete the following folder:

c:\windows\TEMP\*TMP00000041B42E999632999A14*

Do you have the SOAP Toolkit?

Do you recognize this as something you downloaded intentionally?

*C:\BG DAILY NEWS October 26.zip*

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL (file missing)*

*O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL (file missing)*

Reboot and post a new HijackThis log please.
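
The two entries picked out above are dangling registrations: the Ask Toolbar has been removed from disk, but its BHO and toolbar CLSIDs are still registered, which is why HijackThis appends "(file missing)". As an added example (not part of this thread and not HijackThis's own code), the following Python triage script parses the O2/O3/O4 lines of a HijackThis log, flags every entry whose module no longer exists, and counts the Run-key autostarts that bear on a slow startup. The names `Entry`, `parse_hjt`, `dangling_entries` and `autostart_count` are this example's own; the six sample lines are excerpted from the log posted above and embedded as constructed input so it runs offline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: six lines excerpted from the HijackThis log above
# (O2 = Browser Helper Object, O3 = IE toolbar, O4 = Run-key autostart).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
"""


@dataclass
class Entry:
    """One parsed HijackThis line (example type, not a HijackThis structure)."""
    section: str               # "O2", "O3" or "O4"
    name: str                  # BHO/toolbar display name, or "<hive>:<Run value name>"
    path: str                  # DLL or executable path as logged
    clsid: Optional[str] = None
    args: str = ""
    file_missing: bool = False  # True when HijackThis appended "(file missing)"


# O2/O3: "<sec> - <kind>: <name> - {CLSID} - <path>[ (file missing)]"
_COM_RE = re.compile(
    r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*?)( \(file missing\))?$"
)
# O4: "O4 - <hive>\..\Run: [<value name>] <command line>"
_RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def _split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run-key command line into (path, args); the path may be quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_hjt(text: str) -> List[Entry]:
    """Parse O2, O3 and O4 lines; other HijackThis sections are ignored."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        m = _COM_RE.match(line)
        if m:
            sec, name, clsid, path, missing = m.groups()
            entries.append(Entry(sec, name, path, clsid=clsid,
                                 file_missing=missing is not None))
            continue
        m = _RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            path, args = _split_command(cmd)
            entries.append(Entry("O4", f"{hive}:{name}", path, args=args))
    return entries


def dangling_entries(entries: List[Entry]) -> List[Entry]:
    """COM registrations whose module is gone: leftovers of an uninstalled add-on.

    These load nothing, but they are exactly the "fix checked" candidates, since
    a registered CLSID with no file behind it can be re-pointed by a later install.
    """
    return [e for e in entries if e.file_missing]


def autostart_count(entries: List[Entry]) -> int:
    """Number of Run-key autostarts; each one adds to the boot-time workload."""
    return sum(1 for e in entries if e.section == "O4")


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(f"{len(parsed)} entries, {autostart_count(parsed)} Run-key autostarts")
    for e in dangling_entries(parsed):
        print(f"dangling {e.section} {e.clsid} {e.name!r} -> {e.path}")
```

Run against the full log rather than the sample, the dangling list is the set of O2/O3 lines whose file is gone, so a helper can check each against the uninstall list before deciding which ones to remove.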


----------



## parman (Mar 9, 2007)

I did not find the folder, nor do I know what the Soap Toolkit is! The BG Daily News is our local paper, but I don't remember downloading anything from them.


----------



## parman (Mar 9, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:23:55, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 7082 bytes


----------



## parman (Mar 9, 2007)

Forgive me, but I responded about the daily news file before I looked it up. Yes, I did download a file from the paper, but at the time it would not open. Now it does!


----------



## Cookiegal (Aug 27, 2003)

Apparently the SoapBox Toolkit comes with Microsoft Visual Basic Express 2005.

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## parman (Mar 9, 2007)

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
Apple Software Update
Ask Toolbar
Broadcom 440x 10/100 Integrated Controller
Conexant D850 56K V.9x DFVc Modem
Creative EAX Console
Creative MediaSource
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
Dell Inkjet Printer J740
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Foxit Reader
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.3)
MSN Toolbar
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6.0 Parser (KB933579)
Paint Shop Pro 7
PE Builder 3.1.10a
QuickTime
Sandboxie 3.30
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster Audigy
SoundMAX
Spy Sweeper Core
Startup Delayer v2.3 (build 130)
The Weather Channel Desktop 6
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Viewpoint Media Player
VMware Workstation
Webroot AntiVirus with AntiSpyware
Webroot Desktop Firewall
Windows Defender
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
Yahoo! Toolbar for Internet Explorer


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*Ask Toolbar
Viewpoint Media Player*

How are things now?


----------



## parman (Mar 9, 2007)

I was able to remove Viewpoint Media Player but not Ask Toolbar. It gave me a RUNDLL error. 
Error Loading C:\Progra~1\asksbar\bar\3.bin\askbar.dll
The specified module could not be found.


----------



## Cookiegal (Aug 27, 2003)

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and double click on the file to run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and Paste the following in the search box:

*Ask*


----------



## parman (Mar 9, 2007)

; RegSrch.vbs © Bill James

; Registry search results for string "ask" 12/13/2008 9:16:28 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\ActiveX]
"QTTask"="C:\\Program Files\\QuickTime\\QTTask.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\ActiveX]
"QTTaskRunFlags"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]
"Dir"="C:\\Program Files\\AskSBar\\bar\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]
"PluginPath"="C:\\Program Files\\AskSBar\\bar\\3.bin\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]
"UninstallString"="\"C:\\Program Files\\AskSBar\\bar\\3.bin\\a2highin.exe\" asksbar.dll,O"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]
"CacheDir"="C:\\Program Files\\AskSBar\\bar\\Cache\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]
"HistoryDir"="C:\\Program Files\\AskSBar\\bar\\History\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]
"SettingsDir"="C:\\Program Files\\AskSBar\\bar\\Settings\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]
"ConfigRevisionURL"="http://ccbar.ask.com/cfg/askbarcfg.jsp?s=as&p=WR"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\SearchAssistant]

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\SearchAssistant]
"Dir"="C:\\Program Files\\AskSBar\\SrchAstt\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\SearchAssistant]
"ABS"="http://ask.askredir.com/search/cfg_redir3.jhtml?id=WR&psa=5F104904-98A0-40A0-A025-3B9637B9CBF2&url=http://www.ask.com/web&l=dis&o=1251&ind=2008120517&q="

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\SearchAssistant]
"DES"="http://ask.askredir.com/search/cfg_redir3.jhtml?id=WR&psa=5F104904-98A0-40A0-A025-3B9637B9CBF2&url=http://www.ask.com/web&l=dis&o=1249&gc=1&gct=dns&ind=2008120517&q="

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\MSNTask.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{371EFECE-BC65-4ECB-AAF5-6BF0B17EDC0A}]
@="MSNTask"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSched.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSched.1]
@="ASUTaskScheduler Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSched.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul]
@="ASUTaskScheduler Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul\CurVer]
@="AppleSoftwareUpdateAdmin.ASUTaskSched.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\explorer.exe]
"TaskbarGroupIcon"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,45,78,70,6c,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail\IconPath]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail\NewExeName]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin]
@="Ask Toolbar Settings Plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin\CurVer]
@="AskSBar.SettingsPlugin.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin.1]
@="Ask Toolbar Settings Plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin]
@="Ask Toolbar Plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin\CurVer]
@="AskSBar.ToolbarPlugin.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1]
@="Ask Toolbar Plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0010668C-0801-4DA6-A4A4-826522B6D28F}\Containers\{16100D66-8570-4BB9-B92D-FDA4B23ECE67}\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00da2f99-f2a6-40c2-b770-a920f8e44abc}\MergedFolder]
"AttributeMask"="0xffffffff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}\Containers\{22383CF1-ED17-4E2E-AF17-D85B8F6B30D0}\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}\Containers\{BB5ACC38-F216-4CEC-A6C5-5F6E739763A9}\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03012959-F4F6-44D7-9D09-DAA087A9DB57}\Containers\{537396C6-2D8A-4BB6-9BF8-2F0A8E2A3ADF}\0]
"Mask"=hex:ff,ff,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05BDC38E-5493-487a-A7FF-8CF2246ABC13}]
@="IE Background Task Scheduler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}]
@="TaskScheduler.TaskSchedulerApi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32]
"Class"="TaskScheduler.TaskSchedulerApi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32\4.3.15.3]
"Class"="TaskScheduler.TaskSchedulerApi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32\4.3.15.3]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32\4.3.15.3]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\ProgId]
@="TaskScheduler.TaskSchedulerApi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}]
@="Taskbar and Start Menu"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}]
@="Scheduling Agent Task Object Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\WINDOWS\\System32\\mstask.dll,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\WINDOWS\\System32\\mstask.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\WINDOWS\\System32\\mstask.dll,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\WINDOWS\\System32\\mstask.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C1EDB47-CE22-4bbb-B608-77B48F83C823}]
@="IE Fade Task"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2183DACA-D0BF-4a31-97F7-B87618A81955}]
@="IE Shared Task Scheduler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}]
@="TaskScheduler.OnLogonTrigger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32]
"Class"="TaskScheduler.OnLogonTrigger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32\4.3.15.3]
"Class"="TaskScheduler.OnLogonTrigger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32\4.3.15.3]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32\4.3.15.3]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\ProgId]
@="TaskScheduler.OnLogonTrigger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3697790B-223B-484E-9925-C4869218F17A}\Containers\{537396C6-2D8A-4BB6-9BF8-2F0A8E2A3ADF}\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{381DDA3C-9CE9-4834-A23E-1F98F8FC52BE}\Patterns\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{381DDA3C-9CE9-4834-A23E-1F98F8FC52BE}\Patterns\1]
"Mask"=hex:ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{389EA17B-5078-4CDE-B6EF-25C15175C751}\Patterns\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{395BF287-6477-495f-8427-2C09A23C3248}]
@="WMPlayer TaskCntr Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A04D93B-1EDD-4f3f-A375-A03EC19572C4}]
@="MaskFilter"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A04D93B-1EDD-4f3f-A375-A03EC19572C4}\ProgID]
@="DXImageTransform.Microsoft.MaskFilter.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A04D93B-1EDD-4f3f-A375-A03EC19572C4}\VersionIndependentProgID]
@="DXImageTransform.Microsoft.MaskFilter"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3D112E22-62B2-11D1-9FEF-00600832DB4A}]
@="MMCTask class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3D112E22-62B2-11D1-9FEF-00600832DB4A}\ProgID]
@="MMCTask.MMCTask.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3D112E22-62B2-11D1-9FEF-00600832DB4A}\VersionIndependentProgID]
@="MMCTask.MMCTask"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43324B33-A78F-480F-9111-9638AACCC832}\Containers\{19E4A5AA-5662-4FC5-A0C0-1758028E1057}\0]
"Mask"=hex:ff,ff,00,00,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44F9A03B-A3EC-4F3B-9364-08E0007F21DF}]
@="TaskSymbol Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44F9A03B-A3EC-4F3B-9364-08E0007F21DF}\ProgID]
@="Control.TaskSymbol.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44F9A03B-A3EC-4F3B-9364-08E0007F21DF}\VersionIndependentProgID]
@="Control.TaskSymbol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}]
@="TaskScheduler.TaskCollection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32]
"Class"="TaskScheduler.TaskCollection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32\4.3.15.3]
"Class"="TaskScheduler.TaskCollection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32\4.3.15.3]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32\4.3.15.3]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\ProgId]
@="TaskScheduler.TaskCollection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B59AFCC-B8C3-408A-B670-89E5FAB6FDA7}\Containers\{1B7CFAF4-713F-473C-BBCD-6137425FAEAF}\0]
"Mask"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C6F940C-3CFE-11D2-9EE7-00C04F797396}]
@="SpTaskManager Class"


----------
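
Added example, not code from the thread or from Bill James's RegSrch.vbs: a Python script that parses output in the RegSrch format posted above, separates the genuine Ask toolbar keys from the many incidental Task/Mask substring hits, builds a deletion-only .reg file for them (the kind of fix a helper hand-builds from such a search; what Fixparman.zip actually contained is not shown in the thread), and diffs two searches to show which keys survived a fix. The sample outputs are constructed excerpts of the two searches in this thread, and the SearchScopes entry is invented to illustrate a value-only hit.

```python
import re

# Constructed excerpts modelled on the two RegSrch.vbs outputs in the thread
# (12/13/2008 before the .reg fix, 12/18/2008 after), with the blank lines
# dropped; the SearchScopes entry is invented to show a value-only match.
BEFORE = r'''
; Registry search results for string "ask" 12/13/2008 9:16:28 PM
[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\ActiveX]
"QTTask"="C:\\Program Files\\QuickTime\\QTTask.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar]
[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]
"PluginPath"="C:\\Program Files\\AskSBar\\bar\\3.bin\\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1]
@="Ask Toolbar Plugin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1\CLSID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0010668C-0801-4DA6-A4A4-826522B6D28F}\Containers\{16100D66-8570-4BB9-B92D-FDA4B23ECE67}\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}]
@="Scheduling Agent Task Object Class"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{constructed-guid}]
"URL"="http://www.ask.com/web?q={searchTerms}"
'''
AFTER = r'''
; Registry search results for string "ask" 12/18/2008 6:36:59 AM
[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\ActiveX]
"QTTask"="C:\\Program Files\\QuickTime\\QTTask.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1]
@="Ask Toolbar Plugin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1\CLSID]
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# "ask" counts only at the start of a word (AskSBar, ask.com, "Ask Toolbar"),
# which rules out the Task/Mask/Taskbar/QTTask hits a substring search returns.
ASK_WORD = re.compile(r'(?<![A-Za-z])ask', re.IGNORECASE)


def parse(text):
    """Map each key in RegSrch output to its (name, data) values; RegSrch
    repeats the [key] header per value, and a bare header is a key-name hit."""
    hits, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            hits.setdefault(key, [])
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:  # hex continuation lines carry no '=' and are skipped
                hits[key].append((m.group(1).strip('"'), m.group(2)))
    return hits


def classify(hits):
    """Split hits into (remnant, value_only, incidental) key lists: remnant
    keys name Ask in their path (the subtree is the toolbar's); value_only
    keys only mention Ask in a value (inspect, never delete the key);
    incidental keys are Task/Mask-style noise."""
    remnant, value_only, incidental = [], [], []
    for key, values in hits.items():
        if ASK_WORD.search(key):
            remnant.append(key)
        elif any(ASK_WORD.search(n) or ASK_WORD.search(d) for n, d in values):
            value_only.append(key)
        else:
            incidental.append(key)
    return remnant, value_only, incidental


def deletion_reg(keys):
    """Return (.reg text, top-level keys) that deletes the remnant keys.
    A [-KEY] line removes the whole subtree, so keys under a parent that is
    already listed are collapsed into it."""
    tops = []
    for key in sorted(set(keys), key=str.lower):
        if not any(key.lower().startswith(t.lower() + '\\') for t in tops):
            tops.append(key)
    lines = ['Windows Registry Editor Version 5.00', '']
    for key in tops:
        lines += [f'[-{key}]', '']
    return '\n'.join(lines), tops


def still_present(before_text, after_text):
    """Return (survived, removed) remnant keys between two searches: the
    check to run when the uninstall list 'looks the same' after a fix."""
    before = set(classify(parse(before_text))[0])
    after = set(classify(parse(after_text))[0])
    return (sorted(before & after, key=str.lower),
            sorted(before - after, key=str.lower))
```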



## parman (Mar 9, 2007)

Happy Birthday "Karen" Cookiegal!


----------



## Cookiegal (Aug 27, 2003)

parman said:


> Happy Birthday "Karen" Cookiegal!


Thank you.


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a Fixparman.zip file to this post. Save it to your desktop. Unzip it and double-click the Fixparman.reg file and allow it to enter into the registry.

Reboot and post a new HijackThis uninstall list please.


----------



## parman (Mar 9, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:52, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 7208 bytes


----------



## Cookiegal (Aug 27, 2003)

Please post a new uninstall list log like you did in post no. 43.


----------



## parman (Mar 9, 2007)

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
Apple Software Update
Ask Toolbar
Broadcom 440x 10/100 Integrated Controller
Conexant D850 56K V.9x DFVc Modem
Creative EAX Console
Creative MediaSource
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
Dell Inkjet Printer J740
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Foxit Reader
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.3)
MSN Toolbar
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6.0 Parser (KB933579)
Paint Shop Pro 7
PE Builder 3.1.10a
QuickTime
Sandboxie 3.32
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster Audigy
SoundMAX
Spy Sweeper Core
Startup Delayer v2.3 (build 130)
The Weather Channel Desktop 6
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VMware Workstation
Webroot AntiVirus with AntiSpyware
Webroot Desktop Firewall
Windows Defender
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
Yahoo! Toolbar for Internet Explorer


----------



## Cookiegal (Aug 27, 2003)

It's probably SpySweeper blocking the changes, so please disable its real-time protection and then run the regfix again. After doing that, reboot and post a new uninstall list please:

Open it, click >Options over to the left, then >Program Options, and uncheck "load at Windows startup".
Over to the left, click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".


----------



## parman (Mar 9, 2007)

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
Apple Software Update
Ask Toolbar
Broadcom 440x 10/100 Integrated Controller
Conexant D850 56K V.9x DFVc Modem
Creative EAX Console
Creative MediaSource
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
Dell Inkjet Printer J740
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Foxit Reader
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.3)
MSN Toolbar
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6.0 Parser (KB933579)
Paint Shop Pro 7
PE Builder 3.1.10a
QuickTime
Sandboxie 3.32
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster Audigy
SoundMAX
Spy Sweeper Core
Startup Delayer v2.3 (build 130)
The Weather Channel Desktop 6
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VMware Workstation
Webroot AntiVirus with AntiSpyware
Webroot Desktop Firewall
Windows Defender
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
Yahoo! Toolbar for Internet Explorer


----------



## parman (Mar 9, 2007)

Cookiegal, I disabled the real-time protection of Spy Sweeper, unchecked the home page shield and unchecked "load at Windows startup". Ran the regfix, rebooted, and this is the uninstall list, above!
It looks the same to me.


----------



## Cookiegal (Aug 27, 2003)

Please do another search for Ask like you did before and post the results.


----------



## parman (Mar 9, 2007)

; RegSrch.vbs © Bill James

; Registry search results for string "ask" 12/18/2008 6:36:59 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\ActiveX]
"QTTask"="C:\\Program Files\\QuickTime\\QTTask.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\ActiveX]
"QTTaskRunFlags"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\MSNTask.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{371EFECE-BC65-4ECB-AAF5-6BF0B17EDC0A}]
@="MSNTask"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSched.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSched.1]
@="ASUTaskScheduler Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSched.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul]
@="ASUTaskScheduler Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppleSoftwareUpdateAdmin.ASUTaskSchedul\CurVer]
@="AppleSoftwareUpdateAdmin.ASUTaskSched.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\explorer.exe]
"TaskbarGroupIcon"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,45,78,70,6c,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail\IconPath]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail\NewExeName]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin.1]
@="Ask Toolbar Settings Plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.SettingsPlugin.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1]
@="Ask Toolbar Plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AskSBar.ToolbarPlugin.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0010668C-0801-4DA6-A4A4-826522B6D28F}\Containers\{16100D66-8570-4BB9-B92D-FDA4B23ECE67}\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00da2f99-f2a6-40c2-b770-a920f8e44abc}\MergedFolder]
"AttributeMask"="0xffffffff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}\Containers\{22383CF1-ED17-4E2E-AF17-D85B8F6B30D0}\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}\Containers\{BB5ACC38-F216-4CEC-A6C5-5F6E739763A9}\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03012959-F4F6-44D7-9D09-DAA087A9DB57}\Containers\{537396C6-2D8A-4BB6-9BF8-2F0A8E2A3ADF}\0]
"Mask"=hex:ff,ff,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05BDC38E-5493-487a-A7FF-8CF2246ABC13}]
@="IE Background Task Scheduler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}]
@="TaskScheduler.TaskSchedulerApi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32]
"Class"="TaskScheduler.TaskSchedulerApi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32\4.3.15.3]
"Class"="TaskScheduler.TaskSchedulerApi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32\4.3.15.3]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\InprocServer32\4.3.15.3]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{065B50B0-FD55-4713-A5DD-52F3DBF795E6}\ProgId]
@="TaskScheduler.TaskSchedulerApi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}]
@="Taskbar and Start Menu"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}]
@="Scheduling Agent Task Object Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\WINDOWS\\System32\\mstask.dll,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\WINDOWS\\System32\\mstask.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\WINDOWS\\System32\\mstask.dll,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\WINDOWS\\System32\\mstask.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C1EDB47-CE22-4bbb-B608-77B48F83C823}]
@="IE Fade Task"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2183DACA-D0BF-4a31-97F7-B87618A81955}]
@="IE Shared Task Scheduler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}]
@="TaskScheduler.OnLogonTrigger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32]
"Class"="TaskScheduler.OnLogonTrigger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32\4.3.15.3]
"Class"="TaskScheduler.OnLogonTrigger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32\4.3.15.3]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\InprocServer32\4.3.15.3]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24F999AD-C0E2-3136-BB1C-DDB8CAB7C7A1}\ProgId]
@="TaskScheduler.OnLogonTrigger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3697790B-223B-484E-9925-C4869218F17A}\Containers\{537396C6-2D8A-4BB6-9BF8-2F0A8E2A3ADF}\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{381DDA3C-9CE9-4834-A23E-1F98F8FC52BE}\Patterns\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{381DDA3C-9CE9-4834-A23E-1F98F8FC52BE}\Patterns\1]
"Mask"=hex:ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{389EA17B-5078-4CDE-B6EF-25C15175C751}\Patterns\0]
"Mask"=hex:ff,ff,ff,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{395BF287-6477-495f-8427-2C09A23C3248}]
@="WMPlayer TaskCntr Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A04D93B-1EDD-4f3f-A375-A03EC19572C4}]
@="MaskFilter"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A04D93B-1EDD-4f3f-A375-A03EC19572C4}\ProgID]
@="DXImageTransform.Microsoft.MaskFilter.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A04D93B-1EDD-4f3f-A375-A03EC19572C4}\VersionIndependentProgID]
@="DXImageTransform.Microsoft.MaskFilter"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3D112E22-62B2-11D1-9FEF-00600832DB4A}]
@="MMCTask class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3D112E22-62B2-11D1-9FEF-00600832DB4A}\ProgID]
@="MMCTask.MMCTask.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3D112E22-62B2-11D1-9FEF-00600832DB4A}\VersionIndependentProgID]
@="MMCTask.MMCTask"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43324B33-A78F-480F-9111-9638AACCC832}\Containers\{19E4A5AA-5662-4FC5-A0C0-1758028E1057}\0]
"Mask"=hex:ff,ff,00,00,ff,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44F9A03B-A3EC-4F3B-9364-08E0007F21DF}]
@="TaskSymbol Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44F9A03B-A3EC-4F3B-9364-08E0007F21DF}\ProgID]
@="Control.TaskSymbol.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44F9A03B-A3EC-4F3B-9364-08E0007F21DF}\VersionIndependentProgID]
@="Control.TaskSymbol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}]
@="TaskScheduler.TaskCollection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32]
"Class"="TaskScheduler.TaskCollection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32\4.3.15.3]
"Class"="TaskScheduler.TaskCollection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32\4.3.15.3]
"Assembly"="TaskScheduler, Version=4.3.15.3, Culture=neutral, PublicKeyToken=9b8afe2c706a1860"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\InprocServer32\4.3.15.3]
"CodeBase"="file:///C:/Program Files/Webroot/Spy Sweeper/Backup/TaskScheduler.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{495BD770-7D54-386E-B50E-8A51E37218A1}\ProgId]
@="TaskScheduler.TaskCollection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B59AFCC-B8C3-408A-B670-89E5FAB6FDA7}\Containers\{1B7CFAF4-713F-473C-BBCD-6137425FAEAF}\0]
"Mask"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C6F940C-3CFE-11D2-9EE7-00C04F797396}]
@="SpTaskManager Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4CB26C03-FF93-11d0-817E-0000F87557DB}]
@="DXTaskManager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50D42F09-ECD1-4B41-B65D-DA1FDAA75663}\Containers\{537396C6-2D8A-4BB6-9BF8-2F0A8E2A3ADF}\0]
"Mask"=hex:ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50D42F09-ECD1-4B41-B65D-DA1FDAA75663}\Containers\{537396C6-2D8A-4BB6-9BF8-2F0A8E2A3ADF}\1]
"Mask"=hex:ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53510d24-57eb-4713-9afb-e6e60530b87e}]
@="IE RSS Feeds Tasks"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55b70dec-4b3b-4e26-ae9c-9e8d131843a1}]
@="Microsoft Feeds Background Task Scheduling"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
@="Task Bar Communication"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3800-BD81-11d0-A3A5-00C04FD706EC}]
@="Background Task Scheduler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}]
@="Shared Task Scheduler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{679E132F-561B-42F8-846C-A70DBDC62999}]
@="WMT Screen Capture Filter Task Page"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B462062-7CBF-400D-9FDB-813DD10F2778}\Patterns\0]
"Mask"=hex:ff,ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BA70EAF-D5FF-4687-829A-A646EEC622F8}]
"LocalizedString"="@C:\\Program Files\\MSN\\Toolbar\\3.0.0311.0\\msntask.exe,-103"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BA70EAF-D5FF-4687-829A-A646EEC622F8}]
@="MSNTaskManager Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BA70EAF-D5FF-4687-829A-A646EEC622F8}\LocalServer32]
@="\"C:\\Program Files\\MSN\\Toolbar\\3.0.0311.0\\msntask.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BA70EAF-D5FF-4687-829A-A646EEC622F8}\LocalServer32]
"ServerExecutable"="C:\\Program Files\\MSN\\Toolbar\\3.0.0311.0\\msntask.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BA70EAF-D5FF-4687-829A-A646EEC622F8}\ProgId]
@="MSNTask.MSNTaskManager.1"


----------



## Cookiegal (Aug 27, 2003)

Open Firefox and click on Tools - Add-ons and delete the Ask Toolbar add-on there.

Then reboot and post a new HijackThis uninstall log please.


----------



## parman (Mar 9, 2007)

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
Apple Software Update
Ask Toolbar
Broadcom 440x 10/100 Integrated Controller
Conexant D850 56K V.9x DFVc Modem
Creative EAX Console
Creative MediaSource
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
Dell Inkjet Printer J740
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Foxit Reader
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.3)
MSN Toolbar
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6.0 Parser (KB933579)
OpenOffice.org 3.0
Paint Shop Pro 7
PE Builder 3.1.10a
QuickTime
Sandboxie 3.32
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster Audigy
SoundMAX
Spy Sweeper Core
Startup Delayer v2.3 (build 130)
The Weather Channel Desktop 6
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VMware Workstation
Webroot AntiVirus with AntiSpyware
Webroot Desktop Firewall
Windows Defender
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
Yahoo! Toolbar for Internet Explorer


----------



## Cookiegal (Aug 27, 2003)

There must be one in IE as well. Go to Tools - Manage add-ons and see if there is and if so delete it there as well.


----------



## parman (Mar 9, 2007)

I disabled the Ask toolbar in IE. What is the Ask toolbar for and why is it giving me problems? Is it something I don't need or won't ever need?
Also, Cookiegal, my system clock is still not right. I've gone into the BIOS and changed the time about every other boot. It's either showing 13:20 or 01:20.


----------



## Cookiegal (Aug 27, 2003)

You should change the time in the Regional settings in the Control Panel.

The Ask Toolbar is considered adware. Did you install it intentionally? It often gets bundled with other programs.


----------



## parman (Mar 9, 2007)

Thanks Cookiegal! I set my time in Regional & Language Options. I should have remembered that in class. As far as did I intentionally install the Ask Toolbar, I think I did. But that was probably a year ago.
Since you are saying that the Ask Toolbar is adware, why would anyone install it?


----------



## parman (Mar 9, 2007)

I checked in add or remove programs and I tried to uninstall the Ask toolbar but got a run dll error loading message. I did disable it in IE.


----------



## parman (Mar 9, 2007)

Here's a new Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:44 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193184979609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193186437843
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O24 - Desktop Component 0: (no name) - http://stc.msn.com/br/hp/en-us/css/51/i/bg_b.gif
O24 - Desktop Component 1: YouTube - Broadcast Yourself. - http://www.youtube.com/
O24 - Desktop Component 3: Full Scoring for the PGA, LPGA, Champions, Nationwide, European & Canadian Tour - Golf Channel - http://www.thegolfchannel.com/core.aspx?page=10100&select=10212&x=12&y=4

--
End of file - 7384 bytes


----------



## Cookiegal (Aug 27, 2003)

People install it because they don't realize it's adware. It actually comes bundled with some valid programs like Zone Alarm.

How are things now?


----------



## parman (Mar 9, 2007)

Ask Toolbar has been disabled in both Mozilla Firefox and IE. I can't uninstall in Add or Remove Programs because of a run dll error. Since the program is disabled in both browsers, do I need to uninstall?
As far as marked improvement at startup, maybe a little. My desktop comes up pretty quick but it is about 2 min. before I can open anything. After I'm on the web I can open multiple applications quick. It's about the same day or night.


----------



## Cookiegal (Aug 27, 2003)

You have too many applications running at startup that aren't necessary.

You should trim those down (these show as the O4 entries in your HijackThis log). You can research them at these sites and if they aren't required at start-up then you can uncheck them in msconfig via Start - Run, type msconfig, click OK and then click on the Startup tab.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php

Also, do you have any hardware connected (other than a printer) such as scanner that is not really needed when booting up as it can be connected when required?
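Working through the O4 entries by hand is tedious, so here is an added example (not from the thread, and not part of HijackThis or msconfig) that parses the O4 lines of a HijackThis log into the same location/name/command fields msconfig's Startup tab shows and lists everything not on a keep-list as a candidate to uncheck. The sample lines are copied from the log posted above; the keep-list of security tools is an assumption for the example, the real one comes from checking each entry at the startup databases linked.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample: O4 lines copied from the HijackThis log above, plus one
# O2 line to show that non-O4 lines are ignored.
SAMPLE_LOG = r'''
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
'''

# Assumed keep-list for this example: the firewall, the anti-spyware tray
# program and the input-language loader stay enabled; everything else is
# reviewed against the startup databases before being unchecked.
KEEP: Set[str] = {"Webroot Desktop Firewall", "SpySweeper", "ctfmon.exe"}

# Registry autostart: "O4 - HKLM\..\Run: [Name] command"
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<subkey>Run\w*): '
                    r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Startup-folder shortcut: "O4 - Startup: name.lnk = path"
O4_FOLDER = re.compile(r'^O4 - (?P<folder>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# Unquoted command: path up to the executable extension, then optional args.
EXE_SPLIT = re.compile(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$', re.IGNORECASE)


@dataclass
class StartupEntry:
    location: str   # HKLM\..\Run, HKCU\..\Run, Startup folder, as msconfig lists it
    name: str
    exe: str
    args: str


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable path from its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_SPLIT.match(cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return cmd, ""


def parse_o4(log: str) -> List[StartupEntry]:
    """Extract every O4 (autostart) line from a HijackThis log."""
    entries: List[StartupEntry] = []
    for line in log.splitlines():
        m = O4_RUN.match(line)
        if m:
            exe, args = split_command(m["cmd"])
            entries.append(StartupEntry(f"{m['hive']}\\..\\{m['subkey']}", m["name"], exe, args))
            continue
        m = O4_FOLDER.match(line)
        if m:
            exe, args = split_command(m["cmd"])
            entries.append(StartupEntry(m["folder"], m["name"], exe, args))
    return entries


def trim_candidates(entries: List[StartupEntry], keep: Set[str]) -> List[StartupEntry]:
    """Everything not on the keep-list is a candidate to uncheck in msconfig."""
    return [e for e in entries if e.name not in keep]


if __name__ == "__main__":
    for e in trim_candidates(parse_o4(SAMPLE_LOG), KEEP):
        print(f"{e.location:<14} {e.name:<28} {e.exe} {e.args}".rstrip())
```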


----------



## parman (Mar 9, 2007)

Only a printer. I'll check my startup tab.


----------



## parman (Mar 9, 2007)

I've trimmed my startup applications in half. What did take 2.5 min. to open now is about 45 sec. I'm pleased with that.
Cookiegal, are there any applications in startup that would prevent a web browser from opening? I unchecked some things at startup and when I restarted and tried to open a web browser it would not open. Two or three times that happened!


----------



## Cookiegal (Aug 27, 2003)

There shouldn't be. Which browser are you referring to?


----------



## parman (Mar 9, 2007)

Both Mozilla Firefox & IE!


----------



## Cookiegal (Aug 27, 2003)

You mean just since unchecking things in msconfig they don't work?


----------



## parman (Mar 9, 2007)

I could redo what I unchecked last night again and see what happens. That would take a little while to do. I think the Adobe Reader launcher was one that I unchecked and I restarted; tried opening both Mozilla Firefox & IE. Neither opened. I sort of went down the list and unchecked, then restarted; tried opening a web browser to see how long it took.
I finally got both browsers to open and in about 45 sec. That was last night. Tonight, same result. No problem!
I just wondered why I could not open a web browser last night when all I did was uncheck some of the startup applications.


----------



## Cookiegal (Aug 27, 2003)

So they are opening now though?


----------



## parman (Mar 9, 2007)

Yes!


----------



## parman (Mar 9, 2007)

Merry Christmas Cookiegal! My computer seems to be working much better! 
Aca Candy sent me a message saying that my request for information on being a malware removal trainee was turned over to you.
Will be looking forward to hear from you!


----------



## Cookiegal (Aug 27, 2003)

Sorry. I replied about the malware training but by mistake my reply only went to Candy. 

I just resent it to you.

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

Click *START* then *RUN*
Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------

