TechSpot

Trojan infestation, antivirus tools not running

By grizzzzzzly
Mar 16, 2012
  1. Hi, help appreciated.
    Dell desktop (Windows XP) infected with win32.sefbov.b and other malware. Initially MSE was running, but it is now blocked and its icon has disappeared. Tried to run ComboFix, but Smart Fortress 2012 appears to be blocking it, stating the exe is infected. Tried running ComboFix in safe mode, same problem. I can minimise Smart Fortress but can't close it. Have downloaded a copy of OTLPENet.exe to see if I can get an operating system, but I am getting in beyond my depth. I have also isolated the machine from the internet. Any help gladly appreciated. Oh, and the data on the system is pretty vital too.
    regards
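The situation described above (a rogue "antivirus" blocking tools while the real AV is disabled) is normally triaged from an OTL log like the one posted next. As an added example that is not part of this thread or of OTL itself, the Python script below parses OTL-style lines and flags the indicator patterns such a log can show: an autostart executable under a Temp directory, a missing hosts file, an executable in System32 with no publisher recorded, and a burst of At*.job scheduled tasks written in the same minute. The sample lines are constructed to mirror the line formats in this thread's log; the severity labels and the burst threshold are my own choices, not OTL's.

```python
"""Triage helper for OTL-style scan logs (added example; not from the thread or from OTL)."""
import re
from collections import defaultdict

# Constructed sample input, modelled on the OTL 3.1.48 line formats used in this thread's log.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 16730 = C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msdubm.exe (nutre dogana)
Hosts file not found
[2012/03/16 12:15:19 | 000,091,136 | ---- | M] () -- C:\WINDOWS\System32\tt7htNPy.com
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/03/16 11:32:09 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/27 10:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msmpeng.exe
"""

# "[date time | size | attrs | C/M] (company) -- path"; the "(company)" part is absent for directories.
FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2} \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# O4 Run/RunOnce entries and O6 policies\Explorer\Run entries are both autostart locations.
AUTOSTART = re.compile(r"^O[46] - .*\\Run(?:Once)?:")
WIN_PATH = re.compile(r"[A-Za-z]:\\[^()]*?\.(?:exe|com|scr|bat|cmd|dll)\b", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(?:exe|com|dll|sys|scr)_?$", re.IGNORECASE)   # also matches "x.com_" renames
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)              # covers LOCALS~1\Temp (8.3 form)
AT_JOB = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)

AT_JOB_BURST = 3   # assumed threshold: this many At*.job files stamped in one minute is one event


def triage(log_text):
    """Return (severity, reason, evidence) tuples for the indicator patterns found in an OTL log."""
    findings = []
    at_jobs = defaultdict(list)          # minute stamp -> At*.job paths modified in that minute
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Hosts file not found":
            findings.append(("MEDIUM", "hosts file missing (commonly deleted or replaced by malware)", line))
            continue
        if AUTOSTART.match(line):
            m = WIN_PATH.search(line)
            if m and TEMP_DIR.search(m.group(0)):
                findings.append(("HIGH", "autostart executable lives in a temp directory", line))
            elif line.startswith("O6"):
                findings.append(("MEDIUM", "autostart via policies\\Explorer\\Run, an uncommon location", line))
            continue
        m = FILE_LINE.match(line)
        if not m:
            continue
        path, company = m.group("path"), (m.group("company") or "").strip()
        if AT_JOB.search(path):
            at_jobs[m.group("stamp")].append(path)
        elif EXEC_EXT.search(path) and not company and "\\system32\\" in path.lower():
            findings.append(("MEDIUM", "executable in System32 with no publisher recorded", line))
    for stamp, paths in sorted(at_jobs.items()):
        if len(paths) >= AT_JOB_BURST:
            findings.append(("HIGH", f"{len(paths)} At*.job tasks written within minute {stamp}",
                             ", ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {evidence}")
```

Run it against a full OTL log saved from the infected machine to get a prioritised list of lines to look at first; a clean log produces no findings.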
  2. grizzzzzzly


    OTL Log posted below

    Used OTLPE to run OTL (thanks Broni for this).

    Ran OTL on the Dell, result below - have had to split into two posts, got error message stating too many characters for one post, sorry.

    OTL log reads

    OTL logfile created on: 3/16/2012 7:42:44 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
    Paging file location(s): c:\pagefile.sys 372 744 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.50 Gb Total Space | 16.28 Gb Free Space | 21.86% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled] -- -- (ioloSystemService)
    SRV - File not found [Disabled] -- -- (ioloFileInfoList)
    SRV - File not found [Auto] -- -- (AMService)
    SRV - [2012/02/27 17:24:32 | 000,045,056 | ---- | M] (Intuit) [Auto] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
    SRV - [2012/02/27 14:37:34 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
    SRV - [2012/02/27 14:36:44 | 000,679,936 | ---- | M] (Intuit, Inc.) [On_Demand] -- C:\Program Files\Intuit\QuickBooks 2010\QBDBMgrN.exe -- (QuickBooksDB22)
    SRV - [2011/11/03 14:25:09 | 002,358,656 | ---- | M] (TeamViewer GmbH) [Auto] -- C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe -- (TeamViewer6)
    SRV - [2011/10/07 10:17:48 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
    SRV - [2011/10/07 10:17:33 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
    SRV - [2011/04/27 10:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2011/01/11 14:04:04 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
    SRV - [2010/12/07 16:18:00 | 003,979,632 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
    SRV - [2010/07/16 04:05:56 | 000,028,762 | ---- | M] (MyWebSearch.com) [Auto] -- C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE -- (MyWebSearchService)
    SRV - [2009/07/07 09:48:44 | 000,647,216 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
    SRV - [2008/06/06 09:03:22 | 000,435,488 | ---- | M] (Pervasive Software Inc.) [Auto] -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe -- (psqlWGE)
    SRV - [2004/03/18 12:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2012/03/16 12:22:25 | 000,098,992 | ---- | M] (Kaspersky Lab, GERT) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\22892082.sys -- (21103785)
    DRV - [2011/10/07 10:17:35 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2011/01/11 14:04:04 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2011/01/11 14:04:04 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
    DRV - [2010/11/26 14:02:52 | 000,014,776 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
    DRV - [2010/05/31 11:38:37 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
    DRV - [2009/07/07 09:48:44 | 000,026,672 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
    DRV - [2009/07/07 09:48:44 | 000,025,392 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
    DRV - [2007/10/08 09:38:48 | 000,174,530 | ---- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)
    DRV - [2005/03/31 08:22:16 | 000,180,096 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
    DRV - [2005/01/04 14:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\npptNT2.sys -- (NPPTNT2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=f401415a00000000000000123f883c0b&tlver=1.4.19.19&ss=1&affID=17978


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Charlie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\Charlie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
    IE - HKU\Charlie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
    IE - HKU\Charlie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C 44 43 2B 63 65 CB 01 [binary data]
    IE - HKU\Charlie_ON_C\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
    IE - HKU\Charlie_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
    IE - HKU\Charlie_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackle.com/
    IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
    IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
    IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E0 DA EA 1A 71 65 CB 01 [binary data]
    IE - HKU\Matthew_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
    IE - HKU\Matthew_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\QBDataServiceUser19_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\QBDataServiceUser22_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin: C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (MyWebSearch.com)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin [2011/09/02 03:22:16 | 000,000,000 | ---D | M]

    [2011/05/27 12:52:32 | 000,002,428 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml

    Hosts file not found
    O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
    O2 - BHO: (mwsBar BHO) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
    O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
    O2 - BHO: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
    O3 - HKLM\..\Toolbar: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
    O3 - HKLM\..\Toolbar: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
    O3 - HKU\Administrator_ON_C\..\Toolbar\WebBrowser: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
    O3 - HKU\Charlie_ON_C\..\Toolbar\WebBrowser: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
    O3 - HKU\Matthew_ON_C\..\Toolbar\WebBrowser: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
    O3 - HKU\Matthew_ON_C\..\Toolbar\WebBrowser: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
    O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (MyWebSearch.com)
    O4 - HKLM..\Run: [SmartDefrag] File not found
    O4 - HKU\Matthew_ON_C..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Limited.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk = C:\Program Files\Intuit\QuickBooks 2010\QBW32.EXE (Intuit Limited.)
    O4 - Startup: C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\AutoLogin.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 16730 = C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msdubm.exe (nutre dogana)
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Charlie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Charlie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Matthew_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\QBDataServiceUser19_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\QBDataServiceUser22_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
    O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} http://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab (cre8tiv 3Di ATL Control (Internet))
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=67633 (Office Genuine Advantage Validation Tool)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/CursorManiaInitialSetup1.0.1.1.cab (Reg Error: Key error.)
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1215789021796 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215789386906 (MUWebControl Class)
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab (Battlefield Heroes Updater)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab (Java Plug-in 1.4.1_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\intu-help-qb5 {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
    O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/07/11 07:50:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/16 12:59:03 | 004,438,270 | ---- | C] (Swearware) -- C:\Documents and Settings\Charlie\Desktop\f ddd.exe
    [2012/03/16 12:22:25 | 000,098,992 | ---- | C] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\22892082.sys
    [2012/03/16 12:14:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E
    [2012/03/16 11:45:14 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/03/16 11:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\tdsskiller
    [2012/03/16 11:43:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Local Settings
    [2012/03/16 11:36:19 | 004,438,270 | ---- | C] (Swearware) -- C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
    [2012/03/16 08:03:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\My Documents\SDO-HE-30
    [2012/03/16 08:00:53 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Charlie\IECompatCache
    [2012/03/16 07:09:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2012/03/16 06:55:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
    [2012/03/16 06:53:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2012/03/16 06:53:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2012/03/15 14:05:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\My Documents\Simple Doc Organizer FE 3.0
    [2012/03/15 14:00:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SDO
    [2012/03/15 14:00:36 | 001,224,704 | ---- | C] (Atalasoft, Inc.) -- C:\WINDOWS\System32\AtalaImaging.dll
    [2012/03/15 11:01:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\My Documents\My Pictures
    [2012/03/15 11:01:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Administrative Tools
    [2012/03/15 11:01:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\QBDataServiceUser22\IETldCache
    [2012/03/15 10:47:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\QuickBooks Letter Templates
    [2012/03/15 10:47:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Fizz UK Ltd - Images
    [2012/03/15 10:43:25 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
    [2012/03/15 10:40:15 | 000,000,000 | --SD | C] -- C:\Documents and Settings\QBDataServiceUser22\Application Data\Microsoft
    [2012/03/15 10:40:15 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\QBDataServiceUser22\Application Data
    [2012/03/15 10:40:15 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\QBDataServiceUser22\Cookies
    [2012/03/15 10:40:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\Recent
    [2012/03/15 10:40:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\PrintHood
    [2012/03/15 10:40:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\NetHood
    [2012/03/15 10:40:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\Local Settings
    [2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\My Documents
    [2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\Local Settings\Application Data\Microsoft Help
    [2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\Local Settings\Application Data\Microsoft
    [2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\Favorites
    [2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\Desktop
    [2012/03/15 10:40:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\QBDataServiceUser22\SendTo
    [2012/03/15 10:40:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Startup
    [2012/03/15 10:40:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\Start Menu
    [2012/03/15 10:40:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Accessories
    [2012/03/15 10:40:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\Templates
    [2012/03/15 10:39:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickBooks
    [2012/03/15 10:33:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nuance
    [2012/03/15 10:33:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nuance
    [2012/03/15 10:32:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11
    [2012/03/15 10:17:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\QuickBooks 2010
    [2012/03/15 10:06:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\Intuit
    [2012/03/15 09:26:43 | 238,996,824 | ---- | C] (Intuit Inc.) -- C:\Documents and Settings\Charlie\Desktop\Update220r7_1213223_en_STD.exe
    [2012/03/15 08:04:11 | 000,000,000 | ---D | C] -- C:\Program Files\Dynamic Ventures
    [2012/03/15 08:03:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Local Settings\Application Data\Downloaded Installations
    [2012/03/15 07:45:48 | 000,029,016 | ---- | C] (IObit) -- C:\WINDOWS\System32\SmartDefragBootTime.exe
    [2012/03/09 13:12:06 | 002,063,920 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Charlie\Desktop\TDSSKiller.exe
    [2012/02/27 14:44:14 | 001,721,752 | ---- | C] (Intuit Inc.) -- C:\WINDOWS\System32\InetClnt.dll
    [2012/02/27 14:31:46 | 001,694,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VBA6.DLL
    [2012/02/27 14:31:32 | 000,741,008 | ---- | C] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\SPR32D30.DLL
    [2012/02/15 23:34:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\IETldCache
    [2007/11/28 11:19:48 | 000,184,320 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.MSXML2.dll

    ========== Files - Modified Within 30 Days ==========

    [2012/03/16 14:27:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/03/16 13:21:42 | 000,013,668 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/16 13:01:18 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/03/16 13:01:04 | 000,000,238 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
    [2012/03/16 12:35:24 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
    [2012/03/16 12:35:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
    [2012/03/16 12:22:25 | 000,098,992 | ---- | M] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\22892082.sys
    [2012/03/16 12:17:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/03/16 12:15:46 | 000,001,324 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\Smart Fortress 2012.lnk
    [2012/03/16 12:15:20 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\hmDr01.dat
    [2012/03/16 12:15:19 | 000,091,136 | ---- | M] () -- C:\WINDOWS\System32\tt7htNPy.com_
    [2012/03/16 12:15:19 | 000,091,136 | ---- | M] () -- C:\WINDOWS\System32\tt7htNPy.com
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
    [2012/03/16 12:11:28 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\j07odqhh_gamer.exe
    [2012/03/16 12:03:38 | 000,002,057 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
    [2012/03/16 12:00:23 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012/03/16 11:47:22 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
    [2012/03/16 11:46:28 | 000,203,760 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-861567501-1644491937-725345543-1008-0.dat
    [2012/03/16 11:46:27 | 000,167,358 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    [2012/03/16 11:43:49 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Charlie\Desktop\TDSSKiller.exe
    [2012/03/16 11:43:03 | 002,044,822 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\tdsskiller.zip
    [2012/03/16 11:36:36 | 004,438,270 | ---- | M] (Swearware) -- C:\Documents and Settings\Charlie\Desktop\f ddd.exe
    [2012/03/16 11:36:36 | 004,438,270 | ---- | M] (Swearware) -- C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
    [2012/03/16 11:32:09 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/03/16 09:07:24 | 000,001,836 | ---- | M] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickBooks Pro 2012.lnk
    [2012/03/16 08:07:48 | 000,073,940 | ---- | M] () -- C:\WINDOWS\unins000.dat
    [2012/03/16 08:07:00 | 000,714,590 | ---- | M] () -- C:\WINDOWS\unins000.exe
    [2012/03/16 07:19:23 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
    [2012/03/16 07:02:06 | 000,204,054 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\SDO-HE-30.zip
    [2012/03/15 23:40:00 | 000,000,432 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack Kay's Outlook.job
    [2012/03/15 23:20:00 | 000,000,442 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack Kay's Files Backup.job
    [2012/03/15 23:06:43 | 000,526,486 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/03/15 23:06:43 | 000,096,342 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/03/15 23:00:00 | 000,000,454 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack FizzOffice2 Shared Files.job
    [2012/03/15 14:05:19 | 000,000,098 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\SDOFE_PATH.ini
    [2012/03/15 13:58:39 | 000,165,120 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/03/15 13:55:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/03/15 13:47:12 | 000,204,042 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\SDO-FE-30.zip
    [2012/03/15 10:43:28 | 000,001,392 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\XPS Viewer EP.lnk
    [2012/03/15 10:40:29 | 000,000,095 | ---- | M] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
    [2012/03/15 10:39:58 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    [2012/03/15 10:39:34 | 000,002,109 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    [2012/03/15 10:39:34 | 000,001,761 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
    [2012/03/15 10:39:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickBooks
    [2012/03/15 09:26:55 | 238,996,824 | ---- | M] (Intuit Inc.) -- C:\Documents and Settings\Charlie\Desktop\Update220r7_1213223_en_STD.exe
    [2012/03/15 07:45:46 | 000,000,823 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Smart Defrag 2.lnk
    [2012/03/15 07:45:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Smart Defrag 2
    [2012/03/14 12:42:17 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007 (2).lnk
    [2012/03/11 14:26:00 | 000,000,494 | ---- | M] () -- C:\hpfr5550.xml
    [2012/03/08 14:36:29 | 000,018,821 | ---- | M] () -- C:\Documents and Settings\Charlie\English
    [2012/03/08 14:36:26 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007 (2).lnk
    [2012/03/08 09:34:37 | 000,316,664 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\RetrieveAllSignInDetailsForm[2].pdf
    [2012/03/07 12:45:02 | 000,001,665 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Basic PAYE Tools.lnk
    [2012/03/02 10:16:08 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
    [2012/02/27 14:44:14 | 001,721,752 | ---- | M] (Intuit Inc.) -- C:\WINDOWS\System32\InetClnt.dll
    [2012/02/27 14:31:46 | 001,694,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\VBA6.DLL
    [2012/02/27 14:31:32 | 000,741,008 | ---- | M] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\SPR32D30.DLL
    [2012/02/21 13:13:33 | 000,404,469 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0049.jpg
    [2012/02/21 13:13:17 | 000,270,615 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0048.jpg
    [2012/02/21 13:12:51 | 000,421,542 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0046.jpg
    [2012/02/21 13:12:30 | 000,327,562 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0047.jpg
    [2012/02/21 13:12:12 | 000,397,937 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0045.jpg
    [2012/02/21 13:11:57 | 000,285,418 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0044.jpg
    [2012/02/21 13:11:37 | 000,342,977 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0043.jpg

    ========== Files Created - No Company Name ==========

    [2012/03/16 12:35:02 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\tt7htNPy.com
    [2012/03/16 12:15:46 | 000,001,324 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\Smart Fortress 2012.lnk
    [2012/03/16 12:15:09 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\j07odqhh_gamer.exe
    [2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
    [2012/03/16 12:14:56 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hmDr01.dat
    [2012/03/16 12:14:55 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\tt7htNPy.com_
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
    [2012/03/16 11:42:59 | 002,044,822 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\tdsskiller.zip
    [2012/03/16 09:07:24 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickBooks Pro 2012.lnk
    [2012/03/16 08:07:46 | 000,714,590 | ---- | C] () -- C:\WINDOWS\unins000.exe
    [2012/03/16 07:19:23 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
    [2012/03/16 06:53:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/03/16 06:42:56 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
    [2012/03/15 14:41:44 | 000,204,054 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\SDO-HE-30.zip
    [2012/03/15 14:05:19 | 000,000,098 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\SDOFE_PATH.ini
    [2012/03/15 14:00:33 | 000,073,940 | ---- | C] () -- C:\WINDOWS\unins000.dat
    [2012/03/15 13:57:57 | 000,203,760 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-861567501-1644491937-725345543-1008-0.dat
    [2012/03/15 13:57:56 | 000,167,358 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    [2012/03/15 13:47:38 | 000,204,042 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\SDO-FE-30.zip
    [2012/03/15 10:43:27 | 000,001,392 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\XPS Viewer EP.lnk
    [2012/03/15 10:40:15 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Remote Assistance.lnk
    [2012/03/15 10:40:15 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Windows Media Player.lnk
    [2012/03/15 10:39:34 | 000,002,109 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    [2012/03/15 10:39:34 | 000,001,761 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
    [2012/03/15 07:45:48 | 000,014,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
    [2012/03/15 07:45:46 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Smart Defrag 2.lnk
    [2012/03/08 09:34:37 | 000,316,664 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\RetrieveAllSignInDetailsForm[2].pdf
    [2012/02/21 13:13:33 | 000,404,469 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0049.jpg
    [2012/02/21 13:13:17 | 000,270,615 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0048.jpg
    [2012/02/21 13:12:51 | 000,421,542 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0046.jpg
    [2012/02/21 13:12:30 | 000,327,562 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0047.jpg
    [2012/02/21 13:12:12 | 000,397,937 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0045.jpg
    [2012/02/21 13:11:57 | 000,285,418 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0044.jpg
    [2012/02/21 13:11:36 | 000,342,977 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0043.jpg
    [2012/02/15 17:46:18 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/02/12 08:49:54 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator\hpothb07.tif
    [2011/02/12 08:49:54 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator\hpothb07.dat
    [2011/01/11 13:05:18 | 000,008,592 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
    [2010/12/15 13:12:52 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Matthew\jagex_runescape_preferences2.dat
    [2010/12/15 13:11:36 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Matthew\jagex_runescape_preferences.dat
    [2010/12/15 13:10:17 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Charlie\jagex_runescape_preferences2.dat
    [2010/12/15 13:09:13 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Charlie\jagex_runescape_preferences.dat
    [2010/12/01 17:21:38 | 000,000,095 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
    [2010/11/17 13:03:58 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Charlie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/10/14 12:40:46 | 000,002,154 | ---- | C] () -- C:\Documents and Settings\Matthew\English
    [2010/10/07 04:14:42 | 000,018,821 | ---- | C] () -- C:\Documents and Settings\Charlie\English
    [2010/06/24 13:56:40 | 000,026,436 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/03/22 07:11:44 | 000,019,545 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
    [2010/03/22 07:11:44 | 000,016,606 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
    [2010/03/20 09:43:32 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
    [2010/02/25 18:25:34 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
    [2010/02/25 17:43:33 | 000,200,704 | ---- | C] () -- C:\WINDOWS\sel3110.exe
    [2010/02/25 17:43:33 | 000,032,528 | ---- | C] () -- C:\WINDOWS\amcap.exe
    [2009/08/03 10:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009/08/03 10:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
    [2009/03/19 08:13:57 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\TASEIRFn.dll
    [2009/03/19 08:13:14 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\TASSGLib.dll
    [2008/09/30 14:37:30 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
    [2008/07/12 01:33:36 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
    [2008/07/11 10:34:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/07/11 08:02:29 | 000,004,633 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2008/07/11 08:00:35 | 000,165,120 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2008/07/11 07:53:24 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2008/07/11 07:45:56 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2008/06/06 09:53:26 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\BTRDRVR.SYS
    [2008/05/26 16:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
    [2008/05/26 16:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
    [2008/03/13 04:14:20 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\SgEData.dll
    [2008/03/13 04:14:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\SgELauncher.dll
    [2008/03/13 04:14:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\SgEEncrypt.dll
    [2007/09/27 05:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 05:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 05:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
    [2007/07/09 12:08:52 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\SageFolderBrowser.dll
    [2007/07/09 12:07:06 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\SGSTDREG.dll
    [2007/07/09 12:07:02 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\SGRegister.dll
    [2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 06:00:00 | 000,526,486 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 06:00:00 | 000,096,342 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/03/09 17:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
  3. grizzzzzzly

    grizzzzzzly Newcomer, in training Topic Starter

    OTL Log continues

    OTL log file continues....


    ========== LOP Check ==========

    [2008/09/30 15:58:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\iolo
    [2011/06/25 13:57:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\.minecraft
    [2011/06/06 16:04:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\BabylonToolbar
    [2010/10/07 06:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\Bullzip
    [2011/04/28 07:35:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\HMRC
    [2011/11/05 18:32:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\IObit
    [2011/11/28 10:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\TeamViewer
    [2010/10/07 04:12:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\Windows Desktop Search
    [2010/10/14 07:50:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\Windows Search
    [2010/10/07 14:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Matthew\Application Data\Windows Desktop Search
    [2010/03/21 16:29:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/12/01 17:21:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
    [2010/05/31 11:38:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2012/03/16 12:14:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E
    [2008/09/30 15:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
    [2012/03/15 20:00:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
    [2012/03/15 10:33:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
    [2009/03/19 08:14:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pervasive Software
    [2009/03/19 08:16:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage
    [2010/12/01 17:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10
    [2012/03/15 11:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11
    [2010/05/31 17:59:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/06/16 08:47:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2010/06/16 05:04:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
    [2012/03/16 12:35:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
    [2012/03/16 12:35:24 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
    [2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
    [2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
    [2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
    [2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
    [2010/03/22 08:49:44 | 000,000,324 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1269262144.job
    [2012/03/16 12:00:23 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    [2012/03/16 13:01:04 | 000,000,238 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
    [2012/03/15 23:00:00 | 000,000,454 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack FizzOffice2 Shared Files.job
    [2012/03/15 23:20:00 | 000,000,442 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack Kay's Files Backup.job
    [2012/03/15 23:40:00 | 000,000,432 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack Kay's Outlook.job

    ========== Purity Check ==========


    < End of report >
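The listing above lends itself to a quick automated triage. As an added example (not OTL's code and not from this thread), the Python below parses OTL's file-listing lines and flags three things that are visible in this log: a burst of files created in one directory within a single second, `At<n>.job` scheduled tasks, and unattributed executables in System32 with random-looking names. The sample lines are constructed from a few entries of the posted log plus one benign entry; the burst threshold, the rogue-AV name list and the random-name heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the OTL file-listing layout used by the log above:
# [date time | size | attributes | C(reated)/M(odified)] (company) -- path
# A handful of entries from the posted log plus one benign line; this is an
# added example, not the full log.
SAMPLE_OTL = r"""
[2012/03/16 12:35:02 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\tt7htNPy.com
[2012/03/16 12:15:46 | 000,001,324 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\Smart Fortress 2012.lnk
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2012/03/16 11:43:49 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Charlie\Desktop\TDSSKiller.exe
[2012/03/15 10:39:58 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2009/08/03 10:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
"""

# One OTL listing line; the "(company)" field is absent on directory entries.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

BURST_MIN = 4                      # assumed: files per directory per second
ROGUE_NAMES = ("smart fortress",)  # rogue AV named in this thread
# Heuristic: 8+ alphanumerics mixing digits, lower- and upper-case letters.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,}$")


def parse_otl(text):
    """Turn OTL listing lines into dicts; lines in another layout are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"].replace(",", ""))
        e["company"] = e["company"] or ""
        e["dir"], _, e["name"] = e["path"].rpartition("\\")
        entries.append(e)
    return entries


def triage(entries):
    """Return (rule, detail) findings for a human to review, not verdicts."""
    findings = []
    # Rule 1: many files created in the same directory in the same second
    # (the At*.job batch in this log landed within two consecutive seconds).
    bursts = defaultdict(list)
    for e in entries:
        if e["kind"] == "C" and not e["attrs"].endswith("D"):
            bursts[(e["dir"].lower(), e["ts"])].append(e["name"])
    for (directory, ts), names in bursts.items():
        if len(names) >= BURST_MIN:
            findings.append(("burst", f"{len(names)} files in {directory} at {ts}"))
    for e in entries:
        low = e["name"].lower()
        # Rule 2: a file or shortcut named after a known rogue AV product.
        if any(r in low for r in ROGUE_NAMES):
            findings.append(("rogue-av-name", e["path"]))
        # Rule 3: At<n>.job tasks in the Tasks folder (created via at.exe);
        # legitimate on some admin-managed boxes, so each one needs a look.
        if e["dir"].lower().endswith("\\tasks") and re.fullmatch(r"at\d+\.job", low):
            findings.append(("at-job", e["path"]))
        # Rule 4: executable with no company name and a random-looking stem
        # under System32.
        stem, _, ext = e["name"].rpartition(".")
        if (ext.lower() in ("com", "exe", "scr") and not e["company"]
                and "\\system32" in e["dir"].lower() and RANDOM_NAME_RE.match(stem)):
            findings.append(("random-name-exe", e["path"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_otl(SAMPLE_OTL)):
        print(f"{rule:16} {detail}")
```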
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I'm not Broni but he would not have started you out like this. You appear to be following someone else's instructions. There is also a sticky telling you not to run Combofix on your own. So perhaps you can see why we tell everyone NOT to follow instructions given to someone else.
    ================================
    Settings were changed on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder of the drive letter associated with it. (Usually C)
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.
    =======================================
    I'd like to get some basics please. If you cannot connect to the internet to download the programs, please put them on a flash drive, then run on the problem computer.
    ================================
    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ====================================
    The first scan, Malwarebytes, in our removal thread, will find and remove a great deal of the malware on the system. If you still have a problem running any of the scans, stop, and tell me what the problem is. Please do not try to work around it on your own.
    ======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
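The mechanism described in this reply (the .exe file association redirected to the infection) lives in two registry defaults. As an added example, not Bobbye's instructions and not the FixNCR.reg file itself, the Python below reads a regedit export of those keys and reports any value that no longer matches the stock Windows defaults; the hijacked sample uses a constructed placeholder path.

```python
import re

# Stock Windows defaults for the two keys that decide what runs when an
# .exe is launched: the extension maps to the "exefile" class, and that
# class's open command is the program itself with its arguments.
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# Constructed .reg text as regedit would export it on a clean machine.
CLEAN_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

# Constructed hijacked variant: the open command now starts another program
# first (placeholder path, not a value taken from this thread).
HIJACKED_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\rogue.exe\" \"%1\" %*"
"""


def unescape_reg_string(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_defaults(text):
    """Map each [key] in a .reg export to its @ (default) string value."""
    defaults = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry keys are case-insensitive
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = unescape_reg_string(line[3:-1])
    return defaults


def check_exe_association(reg_text):
    """Return (key, expected, actual) for every default that is not stock."""
    found = parse_reg_defaults(reg_text)
    problems = []
    for key, expected in EXPECTED_DEFAULTS.items():
        actual = found.get(key.lower())       # None when the key is missing
        if actual != expected:
            problems.append((key, expected, actual))
    return problems


if __name__ == "__main__":
    # regedit writes exports as UTF-16; open real files with encoding="utf-16".
    for label, text in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        print(label, check_exe_association(text) or "OK")
```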
  5. grizzzzzzly

    grizzzzzzly Newcomer, in training Topic Starter

    Thx, message received, patience required, sorry.
    Something I wasn't quite clear on was whether I should continue using the REATOGO-X-PE operating environment or reboot back to Windows. Having rebooted to Windows XP, I double clicked the FixNCR.reg file but immediately got a message stating regedit.exe was infected and couldn't run. Smart Fortress 2012 then took over most of the screen. Wasn't sure if it was ok to run FixNCR.reg under the Reatogo-X-PE environment or not, can you advise please.

    I am able to connect to the Internet, just turned it off to prevent the Trojan(s) uploading.
  6. grizzzzzzly

    grizzzzzzly Newcomer, in training Topic Starter

    Downloaded FixNCR.reg using a flash disk and followed your instructions, but it didn't work running under Windows XP. .exe files are prevented from running.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Run the following please: Read instructions carefully first.

    Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
    -------------------------------------
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one.
    (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com.
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    ==================================
    Without rebooting, see if you can now run the 3 preliminary scans.
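    The reason .exe files "are prevented from running" in this thread, and the reason FixNCR.reg and exeHelper are prescribed, is that rogue antivirus programs of this kind typically rewrite the Windows .exe file association so every program launch is routed through the rogue first. The following is an added example (not code from the thread, from TechSpot, or from any of the tools named above) that parses the text of a `reg export` of those keys (the `.reg` file format) and reports whether the association still has the Windows default of `"%1" %*`. The two sample exports are constructed for the example; the rogue path `C:\EXAMPLE-ROGUE\rogue.exe` in the second one is a placeholder, not a value from the thread.

```python
"""Check a .reg export of the .exe file association for hijacking.

Added example; not from the thread or any tool it mentions. The two key
paths below are the real Windows defaults. The sample exports are
constructed; the rogue path in HIJACKED_EXPORT is a placeholder.
"""
import re

# Windows default for the exe association: launch the file itself with its arguments.
DEFAULT_EXE_COMMAND = '"%1" %*'
DOT_EXE_KEY = r"HKEY_CLASSES_ROOT\.exe"
EXE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# Constructed export of a healthy association (what FixNCR.reg restores).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

# Constructed export of a hijacked association: every .exe launch is wrapped
# by a rogue binary (placeholder path) that decides whether to allow it.
HIJACKED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\EXAMPLE-ROGUE\\rogue.exe\" -a \"%1\" %*"
"""


def _unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    The default value is stored under the empty name "". Quoted string
    values are unescaped; other value types (dword:, hex:) keep raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = re.match(r"^\[(-?)(.+)\]$", line)
        if key_match:
            current = key_match.group(2)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        val_match = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not val_match:
            continue
        name = "" if val_match.group(1) == "@" else _unescape(val_match.group(1)[1:-1])
        value = val_match.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def check_exe_association(reg_text):
    """Return a list of findings; an empty list means the association is healthy."""
    keys = parse_reg(reg_text)
    findings = []
    dot_exe = keys.get(DOT_EXE_KEY, {}).get("")
    if dot_exe is None:
        findings.append("HKCR\\.exe default value missing from export")
    elif dot_exe.lower() != "exefile":
        findings.append(f"HKCR\\.exe points to {dot_exe!r} instead of 'exefile'")
    command = keys.get(EXE_COMMAND_KEY, {}).get("")
    if command is None:
        findings.append("exefile open command missing from export")
    elif command != DEFAULT_EXE_COMMAND:
        findings.append(f"exefile open command is not the default: {command!r}")
    return findings


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, "->", check_exe_association(export) or "OK")
```

On a live machine the input would come from `reg export HKCR\exefile exefile.reg` (an export is written as UTF-16, so decode it before passing the text in); a non-empty finding list is the condition that Rkill, exeHelper and FixNCR.reg are there to get past.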
  8. grizzzzzzly

    grizzzzzzly Newcomer, in training Topic Starter

    No success running Rkill.com, Rkill.scr or Rkill.exe in safe mode. First downloaded Rkill.com to memory stick, copied to infected pc desktop, ran and received the message "the file igfxsrvc.exe is infected. Please activate your antivirus software."

    Then Smart Fortress 2012 reappears, "Smart Fortress 2012 Warning" "Intercepting programs that may compromise your privacy and harm your system have been detected on your PC. Click here to remove immediately with Smart Fortress 2012"

    Similar for Rkill.scr and Rkill.exe. On double clicking their icons received similar messages, "rkill.exe is infected" and "rkill.scr is infected".
  9. grizzzzzzly

    grizzzzzzly Newcomer, in training Topic Starter

    Haven't been able to get anything to run using safe mode, but rkill.scr did run using another user account on the Dell. Following instructions then ran exehelper, downloaded, updated and ran malwarebytes - lots of malware found. Checked everything and deleted, then ran Gmer and dds. Logs for Malwarebytes, Gmer are below, DDS logs in the following post.

    MBam:-

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.18.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Matthew :: FIZZOFFICE2 [administrator]

    3/18/2012 20:05:16
    mbam-log-2012-03-18 (20-05-16).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 294043
    Time elapsed: 21 minute(s), 17 second(s)

    Memory Processes Detected: 1
    C:\WINDOWS\system32\tt7htNPy.com (Trojan.Agent) -> 5876 -> Delete on reboot.

    Memory Modules Detected: 3
    C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (PUP.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (PUP.FunWebProducts) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (PUP.MyWebSearch) -> Delete on reboot.

    Registry Keys Detected: 145
    HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.HTMLMenu.2 (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.HTMLMenu (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495} (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    HKCR\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearchToolBar.SettingsPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearchToolBar.SettingsPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{0F8ECF4F-3646-4C3A-8881-8E138FFCAF70} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{8CA01F0E-987C-49C3-B852-2F1AC4A7094C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{1093995A-BA37-41D2-836E-091067C4AD17} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.IECookiesManager.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.IECookiesManager (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{25560540-9571-4D7B-9389-0F166788785A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{C8CECDE3-1AE1-4C4A-AD82-6D5B00212144} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.DataControl.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.DataControl (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{3E720452-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{3E720450-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{3E720451-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.HTMLPanel.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.HTMLPanel (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3E720452-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearchToolBar.ToolbarPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearchToolBar.ToolbarPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{8E6F1830-9607-4440-8530-13BE7C4B1D14} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.PopSwatterSettingsControl.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.PopSwatterSettingsControl (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{7473D290-B7BB-4F24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.PseudoTransparentPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.PseudoTransparentPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473D294-B7BB-4F24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{84DA4FDF-A1CF-4195-8688-3E961F505983} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{8E6F1832-9607-4440-8530-13BE7C4B1D14} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.PopSwatterBarButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.PopSwatterBarButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{938AA51A-996C-4884-98CE-80DD16A5C9DA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{29D67D3C-509A-4544-903F-C8C1B8236554} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.HTMLMenu.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{9FF05104-B030-46FC-94B8-81276E4E27DF} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\ScreenSaverControl.ScreenSaverInstaller.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\ScreenSaverControl.ScreenSaverInstaller (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{A9571378-68A1-443d-B082-284F960C6D17} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.OutlookAddin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{B813095C-81C0-4E40-AA14-67520372B987} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.KillerObjManager.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.KillerObjManager (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{C9D7BE3E-141A-4C85-8CD6-32461F3DF2C7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.HistoryKillerScheduler.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.HistoryKillerScheduler (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{CFF4CE82-3AA2-451F-9B77-7165605FB835} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.HistorySwatterControlBar.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\FunWebProducts.HistorySwatterControlBar (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{D9FFFB27-D62A-4D64-8CEC-1FF006528805} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{0D26BC71-A633-4E71-AD31-EADC3A1B6A3A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{E79DFBC0-5697-4FBD-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.ChatSessionPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.ChatSessionPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E79DFBCA-5697-4FBD-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Typelib\{F42228FB-E84E-479E-B922-FBBD096E792C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.MultipleButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.MultipleButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.UrlAlertButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\MyWebSearch.UrlAlertButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\FocusInteractive (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\FunWebProducts (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{819FFE22-35C7-4925-8CDA-4E0E2DB94302} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{819FFE20-35C7-4925-8CDA-4E0E2DB94302} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{819FFE21-35C7-4925-8CDA-4E0E2DB94302} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{67FA02C4-AB30-4e77-A640-78EE8EC8673B} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{799391D3-EB86-4bac-9BD3-CBFEA58A0E15} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCR\CLSID\{D858DAFC-9573-4811-B323-7011A3AA7E61} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCR\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Detected: 11
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|My Web Search Bar Search Scope Monitor (PUP.MyWebSearch) -> Data: "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: ©Ž±#¥aI¶»
    äG\Ê -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search| (Adware.Hotbar) -> Data: http://edits.mywebsearch.com/toolba...931YYGB&a=GK.GJNRCe_goUhKIzDJhlw&n=2010071604 -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform|FunWebProducts (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|16730 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msdubm.exe -> Delete on reboot.

    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 20
    C:\Program Files\FunWebProducts (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Cache (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\chrome (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Overlay (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\setups (PUP.MyWebSearch) -> Quarantined and deleted successfully.

    Files Detected: 115
    C:\WINDOWS\system32\tt7htNPy.com_ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tt7htNPy.com (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3FFTBPR.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E\F4D5618A000BDED60126D515D151FC4E.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-861567501-1644491937-725345543-1008\Dc19.exe (Trojan.Agent.RDGen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Charlie\Local Settings\Temp\hki1248.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\prog1.exe (PUP.Dialupass) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\f3PSSavr.scr (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Local Settings\Temp\msdubm.exe (Trojan.Agent) -> Delete on reboot.
    C:\Program Files\FunWebProducts\ScreenSaver\Cache\09FD5723.jpg (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Cache\220C01CA.swf (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Cache\files.ini (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images\09FC974E.urr (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images\09FD558D.urr (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images\09FD5DDA.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images\220B021D.urr (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images\220C17B3.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\0194C94E.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\09F18041.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\21EF9DA9.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\WebfettiBtn.html (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\CHROME.MANIFEST (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\INSTALL.RDF (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3PATCH.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSUABTN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\07A68C1F (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\09E237E6 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\09E23A09.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\09E23AE4.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\09E23B61.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\09E23BCE.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\2487EE6B.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\2487F1B7.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\2487F3DA.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\2487F476.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\287F091E.bmp (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\33007DDA.bmp (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\4B32517B (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\files.ini (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History\search3 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\CM.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\MFC.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\PSS.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\WB.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Overlay\COMMON.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Trojan.BHO) -> Quarantined and deleted successfully.

    (end)

    GMER Log:-

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-03-18 20:40:17
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e HDS728080PLA380 rev.PF2OA63A
    Running: dlydt14y.exe; Driver: C:\DOCUME~1\Matthew\LOCALS~1\Temp\uxtiiaow.sys


    ---- System - GMER 1.0.15 ----

    SSDT spvq.sys ZwEnumerateKey [0xB9ECDDA4]
    SSDT spvq.sys ZwEnumerateValueKey [0xB9ECE132]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\agjl5d6o \Device\Scsi\agjl5d6o1Port2Path0Target0Lun0 89B8B1F8
    Device \Driver\agjl5d6o \Device\Scsi\agjl5d6o1 89B8B1F8
    Device \FileSystem\Ntfs \Ntfs 89E411F8
    Device \FileSystem\Fastfat \Fat 89B531F8

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
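The two logs in the post above (the Malwarebytes results and the GMER rootkit scan) are the kind of output a helper has to read many times over, so here is an added example of parsing and triaging them. This Python script is not part of the original post and is not code from GMER or Malwarebytes: it reads GMER `SSDT` and hooked `Device` lines plus Malwarebytes result lines from a constructed sample written in the same line format, assigns each hook a severity under the example's own heuristics (the `sp??.sys` pattern used to recognise the SPTD driver's hooks on the two registry-enumeration syscalls, and treating an `[unknown section]` handler as an in-memory patch, are assumptions for the analyst to confirm), and summarises detections by family and by top-level directory, listing anything the scanner did not actually remove. The `sample_unknown.sys` and `Delete on reboot` lines in the sample are invented to exercise the remaining rules.

```python
"""Parse GMER and Malwarebytes text logs and triage the rootkit-style hooks.
Added example for this thread; not code from the original post, GMER or Malwarebytes."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input, in the same line formats as the logs quoted in the thread.
# 'sample_unknown.sys' and the 'Delete on reboot' line are invented to exercise the other rules.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT spvq.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spvq.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT sample_unknown.sys ZwCreateFile [0xB9F00000]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; PUSH EAX}
Device \Driver\agjl5d6o \Device\Scsi\agjl5d6o1 89B8B1F8
Device \FileSystem\Ntfs \Ntfs 89E411F8

---- EOF - GMER 1.0.15 ----
"""

MBAM_SAMPLE = r"""
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\files.ini (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\0194C94E.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.dll (Trojan.Agent) -> Delete on reboot.
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
# Only hooked device objects carry "[addr] module[section]"; plain listings end in a bare address.
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
                       r"(?P<module>[^\[\s]+)\[(?P<section>[^\]]*)\]")
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Assumption: the SPTD driver (Daemon Tools/Alcohol) installs a randomly named sp??.sys helper that
# hooks the two registry-enumeration syscalls; GMER reports it on every scan, so rank it low, not clean.
SPTD_STYLE = re.compile(r"^sp[a-z0-9]{2}\.sys$", re.IGNORECASE)
SPTD_FUNCS = {"ZwEnumerateKey", "ZwEnumerateValueKey"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

@dataclass
class Hook:
    kind: str      # "ssdt" or "device"
    target: str    # syscall name or device object path
    module: str    # module owning the handler
    addr: str
    section: str = ""

def parse_gmer(text):
    """Return every SSDT hook and hooked device object found in a GMER log."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append(Hook("ssdt", m.group("func"), m.group("module"), m.group("addr")))
            continue
        m = DEVICE_RE.match(line)
        if m:
            hooks.append(Hook("device", m.group("device"), m.group("module"),
                              m.group("addr"), m.group("section")))
    return hooks

def triage_hooks(hooks):
    """Attach a severity and reason to each hook; the rules are this example's heuristics, not GMER's."""
    findings = []
    for h in hooks:
        if h.kind == "device" and h.section.lower() == "unknown section":
            # The dispatch routine resolves to code outside any named section of the driver image,
            # i.e. the driver was patched in memory rather than replaced on disk.
            findings.append(("high", h, f"{h.module} dispatch for {h.target} patched in memory"))
        elif h.kind == "device":
            findings.append(("medium", h, f"{h.target} handled by {h.module} [{h.section}]"))
        elif SPTD_STYLE.match(h.module) and h.target in SPTD_FUNCS:
            findings.append(("low", h, "SPTD-style hook; confirm sptd.sys is actually installed"))
        else:
            findings.append(("medium", h, f"SSDT entry {h.target} redirected to {h.module}"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])

def parse_mbam(text):
    """Return dicts with path, detection name and action for each Malwarebytes result line."""
    lines = (line.strip() for line in text.splitlines())
    return [m.groupdict() for m in map(MBAM_RE.match, lines) if m]

def summarize_mbam(detections):
    """Count detections by family and by top-level directory, and list anything not yet removed."""
    removed = "Quarantined and deleted successfully"
    return {
        "count": len(detections),
        "by_name": dict(Counter(d["name"] for d in detections)),
        "by_root": dict(Counter("\\".join(d["path"].split("\\")[:3]) for d in detections)),
        "not_removed": [d["path"] for d in detections if d["action"] != removed],
    }

if __name__ == "__main__":
    for sev, h, why in triage_hooks(parse_gmer(GMER_SAMPLE)):
        print(f"[{sev:6}] {h.kind:6} {h.target} -> {h.module} @ {h.addr}: {why}")
    print(summarize_mbam(parse_mbam(MBAM_SAMPLE)))
```

Feed the script a real log by reading the file into `parse_gmer` or `parse_mbam` instead of the embedded samples. The severity ordering is deliberately conservative: a low-ranked SPTD-style hook still appears in the output so that the analyst checks that `sptd.sys` really is installed before dismissing it, and the `not_removed` list is the item to re-check after the reboot Malwarebytes asks for.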
  10. grizzzzzzly (Topic Starter)

    DDS Logs:-
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/11/2008 15:21:21
    System Uptime: 3/18/2012 20:35:09 (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0J8885
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 74 GiB total, 16.192 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/100 VE Network Connection
    Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01AB1028&REV_01\4&5855BE9&0&40F0
    Manufacturer: Intel
    Name: Intel(R) PRO/100 VE Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01AB1028&REV_01\4&5855BE9&0&40F0
    Service: E100B
    .
    ==== System Restore Points ===================
    .
    RP1070: 1/29/2012 02:48:54 - Software Distribution Service 3.0
    RP1071: 1/29/2012 07:21:02 - Software Distribution Service 3.0
    RP1072: 1/30/2012 07:20:59 - Software Distribution Service 3.0
    RP1073: 1/31/2012 07:20:22 - Software Distribution Service 3.0
    RP1074: 2/1/2012 07:21:10 - Software Distribution Service 3.0
    RP1075: 2/2/2012 07:21:17 - Software Distribution Service 3.0
    RP1076: 2/3/2012 07:21:16 - Software Distribution Service 3.0
    RP1077: 2/4/2012 07:21:15 - Software Distribution Service 3.0
    RP1078: 2/5/2012 02:49:31 - Software Distribution Service 3.0
    RP1079: 2/5/2012 07:21:04 - Software Distribution Service 3.0
    RP1080: 2/6/2012 07:21:07 - Software Distribution Service 3.0
    RP1081: 2/7/2012 07:21:06 - Software Distribution Service 3.0
    RP1082: 2/8/2012 07:21:08 - Software Distribution Service 3.0
    RP1083: 2/9/2012 07:21:06 - Software Distribution Service 3.0
    RP1084: 2/10/2012 07:21:09 - Software Distribution Service 3.0
    RP1085: 2/11/2012 07:20:34 - Software Distribution Service 3.0
    RP1086: 2/12/2012 02:48:29 - Software Distribution Service 3.0
    RP1087: 2/12/2012 07:21:19 - Software Distribution Service 3.0
    RP1088: 2/13/2012 07:21:25 - Software Distribution Service 3.0
    RP1089: 2/14/2012 07:21:37 - Software Distribution Service 3.0
    RP1090: 2/15/2012 07:21:30 - Software Distribution Service 3.0
    RP1091: 2/16/2012 03:00:18 - Software Distribution Service 3.0
    RP1092: 2/17/2012 03:38:12 - System Checkpoint
    RP1093: 2/17/2012 03:41:05 - Software Distribution Service 3.0
    RP1094: 2/18/2012 03:40:21 - Software Distribution Service 3.0
    RP1095: 2/19/2012 02:30:38 - Software Distribution Service 3.0
    RP1096: 2/20/2012 02:42:50 - System Checkpoint
    RP1097: 2/20/2012 03:40:34 - Software Distribution Service 3.0
    RP1098: 2/21/2012 03:40:57 - Software Distribution Service 3.0
    RP1099: 2/22/2012 03:40:26 - Software Distribution Service 3.0
    RP1100: 2/23/2012 03:40:33 - Software Distribution Service 3.0
    RP1101: 2/24/2012 03:40:32 - Software Distribution Service 3.0
    RP1102: 2/25/2012 03:40:31 - Software Distribution Service 3.0
    RP1103: 2/26/2012 02:31:14 - Software Distribution Service 3.0
    RP1104: 2/27/2012 02:43:10 - System Checkpoint
    RP1105: 2/27/2012 03:40:48 - Software Distribution Service 3.0
    RP1106: 2/28/2012 03:41:02 - Software Distribution Service 3.0
    RP1107: 2/29/2012 03:41:01 - Software Distribution Service 3.0
    RP1108: 3/1/2012 03:41:06 - Software Distribution Service 3.0
    RP1109: 3/2/2012 03:00:20 - Software Distribution Service 3.0
    RP1110: 3/3/2012 03:32:00 - System Checkpoint
    RP1111: 3/4/2012 02:51:19 - Software Distribution Service 3.0
    RP1112: 3/5/2012 03:33:43 - Software Distribution Service 3.0
    RP1113: 3/6/2012 03:34:06 - Software Distribution Service 3.0
    RP1114: 3/7/2012 03:33:43 - Software Distribution Service 3.0
    RP1115: 3/8/2012 03:36:37 - System Checkpoint
    RP1116: 3/9/2012 03:33:46 - Software Distribution Service 3.0
    RP1117: 3/10/2012 03:33:47 - Software Distribution Service 3.0
    RP1118: 3/11/2012 02:51:52 - Software Distribution Service 3.0
    RP1119: 3/12/2012 03:34:03 - Software Distribution Service 3.0
    RP1120: 3/13/2012 03:34:23 - Software Distribution Service 3.0
    RP1121: 3/14/2012 03:50:42 - System Checkpoint
    RP1122: 3/14/2012 16:52:56 - Software Distribution Service 3.0
    RP1123: 3/15/2012 03:00:17 - Software Distribution Service 3.0
    RP1124: 3/15/2012 12:03:24 - Installed QBFC 7.0.
    RP1125: 3/15/2012 12:04:09 - Installed Ultimate AppendIT
    RP1126: 3/15/2012 12:47:09 - Revo Uninstaller's restore point - Ultimate AppendIT
    RP1127: 3/15/2012 12:47:21 - Removed Ultimate AppendIT
    RP1128: 3/15/2012 14:13:22 - Pre Qbooks12
    RP1129: 3/15/2012 14:41:25 - Installed XPS Essentials Pack
    RP1130: 3/15/2012 17:55:28 - Installed Windows XP KB942288-v3.
    RP1131: 3/15/2012 17:57:05 - Installed Windows XP KB958655-v2.
    RP1132: 3/15/2012 18:00:11 - Printer Driver Microsoft XPS Document Writer Installed
    RP1133: 3/15/2012 18:09:34 - Software Distribution Service 3.0
    RP1134: 3/15/2012 18:40:35 - Revo Uninstaller's restore point - Simple Doc Organizer Free Edition
    RP1135: 3/16/2012 03:00:17 - Software Distribution Service 3.0
    RP1136: 3/17/2012 03:23:57 - System Checkpoint
    RP1137: 3/18/2012 21:16:19 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.1)
    Adobe Shockwave Player 11.6
    Advanced SystemCare 3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Basic PAYE Tools
    Baxter Stationery
    Bonjour
    Bullzip PDF Printer 4.0.0.463
    Cisco Network Magic
    Compatibility Pack for the 2007 Office system
    Dell Resource CD
    Dragonica(EN)
    Ensim Outlook Autologin Configurator
    EOCP Drivers 0.9.311007
    ERUNT 1.1j
    Google Toolbar for Internet Explorer
    Google Update Helper
    GPL Ghostscript 8.63
    GPL Ghostscript Lite 8.64
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB958655-v2)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB971276-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB981793)
    hp officejet 6100 series
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp officejet 6100 series
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    IRIS Payroll Basics
    iTunes
    Java 2 Runtime Environment, SE v1.4.1_07
    Java Auto Updater
    Java Web Start
    Java(TM) 6 Update 23
    LogMeIn
    Mail Merge Toolkit
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft XML Parser
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Network Magic
    Nvu 1.0PR
    OGA Notifier 2.0.0048.0
    Paint Shop Pro 6.02 CD
    PasswordViewer 2.0
    Pervasive PSQL v10.10 Workgroup (32-bit)
    Product Key Explorer 2.4.6
    Pure Networks Platform
    QBFC 7.0
    QFolder
    QuickBooks
    QuickBooks Pro 2012
    QuickTime
    Revo Uninstaller 1.92
    Sage e-Banking Core Components
    Sage e-Banking Payment Service Banks
    SageMergeModules
    Screen Grab Pro
    SDO Framework (Beta)
    Search-Results Toolbar
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    Skype Toolbars
    Skype™ 4.2
    Smart Defrag 2
    Spelling Dictionaries Support For Adobe Reader 9
    SupportSoft Assisted Service
    swMSM
    SyncBack
    TAS Books 2 v8.0
    TeamViewer 6
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual Studio 2005 Tools for Office Second Edition Runtime
    VLC media player 1.0.5
    WebEx Support Manager for Internet Explorer
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    Wizard101
    World of Warcraft
    XPS Essentials Pack
    XPS Essentials Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/18/2012 22:08:36, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
    3/18/2012 21:58:03, error: Service Control Manager [7034] - The QuickBooksDB22 service terminated unexpectedly. It has done this 1 time(s).
    3/17/2012 11:15:21, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    3/17/2012 05:35:00, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
    3/17/2012 01:42:40, error: Print [19] - Sharing printer failed + 1722, Printer hp officejet 6100 series share name hpofficejet6.
    3/16/2012 22:25:28, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    3/16/2012 17:22:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss sptd Tcpip
    3/16/2012 17:22:23, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/16/2012 17:22:23, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    3/16/2012 17:22:23, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/16/2012 17:22:23, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/16/2012 17:21:55, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    3/16/2012 17:21:55, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/16/2012 17:21:29, error: sptd [4] - Driver detected an internal error in its data structures for .
    3/16/2012 16:35:00, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402
    3/16/2012 16:15:16, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Microsoft Antimalware Service service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    3/16/2012 16:15:01, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    3/16/2012 15:55:08, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    3/16/2012 15:51:39, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    3/16/2012 15:51:38, error: Service Control Manager [7034] - The AMService service terminated unexpectedly. It has done this 1 time(s).
    3/16/2012 15:28:10, error: Service Control Manager [7023] - The Ld51ocnucsnp service terminated with the following error: Access is denied.
    3/16/2012 11:03:58, error: Service Control Manager [7023] - The Backupexecrpcservice service terminated with the following error: Access is denied.
    3/16/2012 10:52:46, error: Print [6161] - The document Scan0053 owned by Charlie failed to print on printer PDF Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\FIZZOFFICE2. Win32 error code returned by the print processor: 259 (0x103).
    3/16/2012 10:47:57, error: Service Control Manager [7023] - The Vmnetdhcp service terminated with the following error: Access is denied.
    3/16/2012 10:46:57, error: Service Control Manager [7023] - The CrystalSysInfo service terminated with the following error: Access is denied.
    3/16/2012 10:42:58, error: Service Control Manager [7023] - The Dwmrcs service terminated with the following error: Access is denied.
    3/15/2012 14:09:10, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/15/2012 14:09:03, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 2 time(s).
    3/15/2012 14:08:55, error: Service Control Manager [7031] - The TeamViewer 6 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/15/2012 14:08:38, error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
    3/15/2012 14:08:35, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 1 time(s).
    3/13/2012 18:19:38, error: MRxSmb [8003] - The master browser has received a server announcement from the computer MATTHEW-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{605D3BAA-1F6E-45C. The master browser is stopping or an election is being forced.
    3/12/2012 03:35:20, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.121.1330.0).
    3/12/2012 03:34:38, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.121.1319.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8101.0 Error code: 0x80070643 Error description: Fatal error during installation.
    .
    ==== End Of File ===========================

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Matthew at 20:43:04 on 2012-03-18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1547 [GMT 0:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Intuit\QuickBooks 2010\QBW32.EXE
    svchost.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.blackle.com/
    mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=f401415a00000000000000123f883c0b&tlver=1.4.19.19&ss=1&affID=17978
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [<NO NAME>]
    mRun: [SmartDefrag] "c:\program files\iobit\iobit smartdefrag\IObit SmartDefrag.exe" /StartUp
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2010\QBW32.EXE
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} - hxxp://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215789021796
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215789386906
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: LMIinit - LMIinit.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-3-15 14776]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-6-8 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-7-11 47640]
    R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2008-6-6 435488]
    R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-11-24 2358656]
    R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb22 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
    S2 AMService;AMService;c:\windows\temp\ivcrrr\setup.exe run --> c:\windows\temp\ivcrrr\setup.exe run [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-14 136176]
    S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [2012-3-16 98992]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-14 136176]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
    S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== File Associations ===============
    .
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .
    =============== Created Last 30 ================
    .
    2012-03-18 22:14:35 -------- d-----w- c:\documents and settings\matthew\application data\Malwarebytes
    2012-03-18 20:49:54 -------- d-----w- c:\documents and settings\matthew\local settings\application data\Intuit
    2012-03-16 16:22:25 98992 ----a-w- c:\windows\system32\drivers\22892082.sys
    2012-03-16 16:14:53 -------- d-----w- c:\documents and settings\all users\application data\F4D5618A000BDED60126D515D151FC4E
    2012-03-16 15:56:57 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{51fa9118-c98d-413d-bb0a-86b20251afb3}\offreg.dll
    2012-03-16 15:45:59 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{51fa9118-c98d-413d-bb0a-86b20251afb3}\mpengine.dll
    2012-03-16 15:45:14 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-03-16 12:07:46 714590 ----a-w- c:\windows\unins000.exe
    2012-03-16 10:42:56 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-03-15 18:00:37 -------- d-----w- c:\program files\common files\SDO
    2012-03-15 18:00:36 3907584 ----a-w- c:\program files\common files\microsoft shared\vfp9\VFP9t.dll
    2012-03-15 18:00:36 1224704 ----a-w- c:\windows\system32\AtalaImaging.dll
    2012-03-15 18:00:36 1187840 ----a-w- c:\program files\common files\microsoft shared\vfp9\VFP9renu.dll
    2012-03-15 18:00:35 4734976 ----a-w- c:\program files\common files\microsoft shared\vfp9\VFP9r.dll
    2012-03-15 18:00:34 1645320 ----a-w- c:\program files\common files\microsoft shared\vfp9\gdiplus.dll
    2012-03-15 18:00:34 16384 ----a-w- c:\program files\common files\microsoft shared\vfp9\foxhhelpps9.dll
    2012-03-15 18:00:33 73728 ----a-w- c:\program files\common files\microsoft shared\vfp9\foxhhelp9.exe
    2012-03-15 18:00:33 348160 ----a-w- c:\program files\common files\microsoft shared\vfp9\msvcr71.dll
    2012-03-15 14:43:33 -------- d-----w- C:\$NtUninstallXPSEP$
    2012-03-15 14:43:25 14048 ------w- c:\windows\system32\spmsg2.dll
    2012-03-15 14:33:40 -------- d-----w- c:\program files\common files\Nuance
    2012-03-15 14:33:12 -------- d-----w- c:\documents and settings\all users\application data\Nuance
    2012-03-15 14:32:34 -------- d-----w- c:\documents and settings\all users\application data\SQL Anywhere 11
    2012-03-15 14:06:04 -------- d-----w- c:\windows\Intuit
    2012-03-15 12:04:11 -------- d-----w- c:\program files\Dynamic Ventures
    2012-03-15 11:45:48 29016 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2012-03-15 11:45:48 14776 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2012-02-27 18:44:14 1721752 ----a-w- c:\windows\system32\InetClnt.dll
    2012-02-27 18:31:46 1694992 ----a-w- c:\windows\system32\VBA6.DLL
    2012-02-27 18:31:32 741008 ----a-w- c:\windows\system32\SPR32D30.DLL
    .
    ==================== Find3M ====================
    .
    2012-03-16 15:54:38 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-22 07:17:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 20:44:04.73 ===============
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have been using the FunWebProducts site and their partner sites to get screensavers, cursors, wallpaper, Smilies and other 'cute' things to put on the system.

    Uninstall the My Web Search option from Add/Remove Programs

    1) Click on Start, Settings, Control Panel
    2) Double click on Add/Remove Programs
    3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

    4) Reboot your Computer.
    5) Right click on Start> Choose Explore.
    6) My Computer> Local Drive (C)> double-click on the Program Files folder
    7) Right-click and delete the folders for:

    * FunWebProducts
    * MyWebSearch

    8) If you have FunWebProducts saved as a Bookmark or Favorite, delete it

    Stay away from: Other FunWebProducts
    ============================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will be created and then the log will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  12. grizzzzzzly

    grizzzzzzly Newcomer, in training Topic Starter

    ComboFix, ESET and HijackThis logs follow:

    ComboFix 12-03-20.02 - Charlie 21/03/2012 7:25.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1540 [GMT 0:00]
    Running from: c:\documents and settings\Charlie\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Charlie\Local Settings\Temporary Internet Files\English
    C:\install.exe
    c:\windows\$NtUninstallKB24571$
    c:\windows\$NtUninstallKB24571$\3451071241
    c:\windows\$NtUninstallKB24571$\687240973\@
    c:\windows\$NtUninstallKB24571$\687240973\cfg.ini
    c:\windows\$NtUninstallKB24571$\687240973\Desktop.ini
    c:\windows\$NtUninstallKB24571$\687240973\L\tamybiac
    c:\windows\$NtUninstallKB24571$\687240973\oemid
    c:\windows\$NtUninstallKB24571$\687240973\U\00000001.@
    c:\windows\$NtUninstallKB24571$\687240973\U\00000002.@
    c:\windows\$NtUninstallKB24571$\687240973\U\00000004.@
    c:\windows\$NtUninstallKB24571$\687240973\U\80000000.@
    c:\windows\$NtUninstallKB24571$\687240973\U\80000004.@
    c:\windows\$NtUninstallKB24571$\687240973\U\80000032.@
    c:\windows\$NtUninstallKB24571$\687240973\version
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\system32\dds_trash_log.cmd
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_AMSERVICE
    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Service_AMService
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-21 to 2012-03-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-21 07:06 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B61A112C-AB3F-40FD-B4D6-78960F98508B}\mpengine.dll
    2012-03-20 15:00 . 2012-03-20 15:00 -------- d-----w- C:\My Documents
    2012-03-19 21:45 . 2002-12-29 01:14 81920 ----a-w- c:\windows\system32\Startup.cpl
    2012-03-19 09:18 . 2012-03-19 09:18 -------- d-----w- c:\documents and settings\Charlie\Application Data\Malwarebytes
    2012-03-16 16:22 . 2012-03-16 16:22 98992 ----a-w- c:\windows\system32\drivers\22892082.sys
    2012-03-16 16:14 . 2012-03-16 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E
    2012-03-16 15:45 . 2012-03-16 15:57 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-03-16 12:00 . 2012-03-16 12:00 -------- d-sh--w- c:\documents and settings\Charlie\IECompatCache
    2012-03-15 14:43 . 2012-03-15 14:43 -------- d-----w- C:\$NtUninstallXPSEP$
    2012-03-15 14:43 . 2010-10-05 13:56 14048 ------w- c:\windows\system32\spmsg2.dll
    2012-03-15 14:40 . 2012-03-15 15:01 -------- d-----w- c:\documents and settings\QBDataServiceUser22
    2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\program files\Common Files\Nuance
    2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
    2012-03-15 14:32 . 2012-03-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
    2012-03-15 14:06 . 2012-03-15 14:06 -------- d-----w- c:\windows\Intuit
    2012-03-15 12:04 . 2012-03-15 12:48 -------- d-----w- c:\program files\Dynamic Ventures
    2012-03-15 12:03 . 2012-03-15 12:03 -------- d-----w- c:\documents and settings\Charlie\Local Settings\Application Data\Downloaded Installations
    2012-03-15 11:45 . 2011-12-16 17:21 29016 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2012-03-15 11:45 . 2010-11-26 18:02 14776 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2012-02-27 18:44 . 2012-02-27 18:44 1721752 ----a-w- c:\windows\system32\InetClnt.dll
    2012-02-27 18:31 . 2012-02-27 18:31 1694992 ----a-w- c:\windows\system32\VBA6.DLL
    2012-02-27 18:31 . 2012-02-27 18:31 741008 ----a-w- c:\windows\system32\SPR32D30.DLL
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-16 15:54 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-08 06:03 . 2010-07-10 02:30 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2010-07-08 17:12 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-22 07:17 . 2011-08-18 09:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-11 19:06 . 2012-02-15 21:46 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2008-07-11 11:43 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-02-27 2215768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
    .
    c:\documents and settings\Charlie\Start Menu\Programs\Startup\
    AutoLogin.exe [2010-10-6 106496]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-2-28 1175384]
    QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2010\QBW32.EXE [2012-2-28 1178456]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-10-07 14:17 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2011-01-11 18:04 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
    "4979:UDP"= 4979:UDP:Windows Media Format SDK (ping.exe)
    "4978:UDP"= 4978:UDP:Windows Media Format SDK (ping.exe)
    .
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [15/03/2012 11:45 14776]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/05/2010 15:38 691696]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [08/06/2011 12:04 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/01/2011 18:04 12856]
    R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [06/06/2008 13:03 435488]
    R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [24/11/2011 13:37 2358656]
    R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 11:53 136176]
    S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 16:22 98992]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 11:53 136176]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
    S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
    S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2010-03-22 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p officejet 6100 series272A572217594EBCF1CEE215E352B92AD073FDE4269262144.job
    - c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
    .
    2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
    .
    2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
    .
    2012-03-21 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
    .
    2012-03-16 c:\windows\Tasks\SyncBack FizzOffice2 Shared Files.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
    .
    2012-03-16 c:\windows\Tasks\SyncBack Kay's Files Backup.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
    .
    2012-03-16 c:\windows\Tasks\SyncBack Kay's Outlook.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 158.152.1.58 158.152.1.43
    Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} - hxxp://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-SmartDefrag - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
    SafeBoot-45754051.sys
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    AddRemove-Ensim Outlook AutoLogin - c:\documents and settings\Kay\Start Menu\Programs\Startup\AutoLogin.exe
    AddRemove-Smart Fortress 2012 - c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E\F4D5618A000BDED60126D515D151FC4E.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-21 07:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
    .
    [HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
    @Denied: ) (Everyone)
    @=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(680)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'lsass.exe'(736)
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'explorer.exe'(3684)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
    c:\program files\TeamViewer\Version6\TeamViewer.exe
    c:\documents and settings\Charlie\Start Menu\Programs\Startup\AutoLogin.exe
    c:\windows\system32\SearchProtocolHost.exe
    c:\windows\system32\SearchFilterHost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-21 07:49:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-21 07:49
    .
    Pre-Run: 17,883,344,896 bytes free
    Post-Run: 20,522,291,200 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 8959FC06C88461B3AD70D50538D1DDEC


    ESET...........................................

    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\19604ed6-7829dbd7 Java/Exploit.Blacole.AN trojan
    C:\System Volume Information\_restore{2B74D659-4B42-4C04-BB54-8ED7AE2A73DA}\RP1135\A0071527.sys a variant of Win32/Rootkit.Kryptik.KD trojan
    C:\System Volume Information\_restore{2B74D659-4B42-4C04-BB54-8ED7AE2A73DA}\RP1149\A0072082.exe a variant of Win32/InstallCore.D application
    C:\System Volume Information\_restore{2B74D659-4B42-4C04-BB54-8ED7AE2A73DA}\RP1149\A0072083.exe a variant of Win32/InstallCore.D application
    C:\System Volume Information\_restore{2B74D659-4B42-4C04-BB54-8ED7AE2A73DA}\RP1149\A0072093.exe a variant of Win32/InstallCore.D application
    C:\TDSSKiller_Quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.KD trojan
    C:\TDSSKiller_Quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.KD trojan




    HijackThis.......................

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:37:35, on 21/03/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Intuit\QuickBooks 2010\QBW32.EXE
    C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\AutoLogin.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-861567501-1644491937-725345543-1011\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'QBDataServiceUser22')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: AutoLogin.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuickBooks_Standard_21.lnk = C:\Program Files\Intuit\QuickBooks 2010\QBW32.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1215789021796
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215789386906
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB22 - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
    O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe

    --
    End of file - 8247 bytes
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Questions:
    1. Why are you running both AutoLogin.exe and LogMeIn on Startup?
    2. Are you aware that when a process is set to Global Startup, it will start up no matter who logs on?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuickBooks_Standard
    3. Your start page is blackie.com. Is this intentional? Are you aware that it intentionally loads a black screen 'to save energy'?
    ======================================
    Let's try to send Smart Fortress 2012 packing: everything that follows can be caused by the malware. Please try to complete all of it in the order I've given:

    1. Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.

    2. Please log in as the user that is infected with Smart Fortress 2012.
    • Right-click on your browser> select Run As or Run as Administrator
      [o]If Windows prompts you for the Administrator password, please enter it for the browser to launch.

    3. Go to http://www.bleepingcomputer.com/download/windows/utilities/fixexec
    • On the above page> click on the Download Renamed Version and save the file to the C:\ drive
      [o]Note: If you can't log on as Administrator> put the download on a flash drive from a clean computer> hold there for now.
    • Once FixExec has been downloaded to your computer or is stored on a flash drive/CDROM, log off from the Administrator account, but stay in Safe Mode.
    • At the Safe Mode logon prompt> log on as your normal, but now infected, user.
      [o]If FixExec is on a flash drive, connect it to the infected computer and copy the file to a folder on C:\ on the infected computer

    4. Running the file
    • If Smart Fortress is running, minimize it so the desktop is visible
    • Navigate to C:\ and double click on FixExec.com to run it
      [o]Note: If you received a message that FixExec was not able to extract a file, then please move the FixExec.com file to your desktop and try again.
    • When completed, executables should run again.

    5. Reset your browser Proxy
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click OK to close the Local Area Network (LAN) Settings window.
      o Click OK to close the Internet Options window.

    6. End the processes that belong to the rogue program:
    • Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
      [o] Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
      [o]Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    =======================================
    7.Full Scan Mbam
    • Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
      [o]When the scan has finished, a completion message box appears.
      [o]Click on OK to close box and continue.
      [o]Click on the Show Results button.
      [o]Click on the Remove Selected button to remove all the listed malware.
      [o]At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ====================================
    Now reboot your computer back to normal mode.
    ===================================
    This malware is frequently found on systems that don't have their programs updated:
    Please update the following:
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
    Adobe Reader > Adobe Reader Update
    Java(TM) > Java Updates .
    Uninstall any earlier versions of both, as they are vulnerabilities for the system.
    =====================================
    See how this goes. We'll continue when above has been done
  14. grizzzzzzly

    grizzzzzzly Newcomer, in training Topic Starter

    Mbam log below, nothing found. Thank you for your help, breathing again.

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.22.05

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Charlie :: FIZZOFFICE2 [administrator]

    23/03/2012 06:26:54
    mbam-log-2012-03-23 (06-26-54).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 373042
    Time elapsed: 42 minute(s), 47 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, so is it safe to say that Smart Fortress 2012 is no longer around?
    ---------------------------------------
    Please update the following:
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
    Adobe Reader> Current is vX(10.xx)> Adobe Reader Update
    Java(TM) > Current is v6u31> Java Updates .
    Uninstall any earlier versions of both, as they are vulnerabilities for the system.
    -----------------------------------------
    The new ESET entry is in the Java cache. I have removed it with the script in ComboFix.
    ===========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\22892082.sys
    Folder::
    C:\TDSSKiller_Quarantine
    c:\documents and settings\Charlie\IECompatCache
    C:\$NtUninstallXPSEP$
    c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
    "AntiVirusDisableNotify"=-
    "AntiVirusOverride"=-
    "FirewallDisableNotify"=-
    "FirewallOverride"=-
    "UpdatesDisableNotify"=-
    
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Drag CFScript.txt onto ComboFix.exe.

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    =====================================
    Please let me know what-if any-problems remain.

    I may have you run OTL to update, as there were some entries in the original log that should be removed. Don't act on that yet.

    I am still left with the questions about registry entries running for both AutoLogon and LogmeIn.
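    The Security Center values listed in the ComboFix log earlier in the thread (AntiVirusOverride, FirewallOverride and the *DisableNotify flags set to 1) are how a rogue like Smart Fortress 2012 silences Windows' own "antivirus is off" warnings, and the CFScript above removes them using REGEDIT4's "name"=- delete syntax. The Python script below is an added example for this thread, not code from ComboFix, from TechSpot or from either poster: it parses a ComboFix log excerpt, reports those suppression values, flags services whose name or driver file is purely numeric or whose image file is missing (the 21103785 / 22892082.sys and npggsvc entries from the log), and generates the matching Registry:: stanza. The log excerpt is constructed from entries quoted in the thread, and the numeric-name and file-missing heuristics are the example's own assumptions, not a ComboFix rule.

```python
"""Triage a ComboFix log: find Security Center suppression values, flag odd
services, and emit the CFScript Registry:: stanza that deletes those values.

Added example for this thread; not part of ComboFix or of the original posts.
SAMPLE_LOG is constructed from entries quoted in the thread.
"""
import re

SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/05/2010 15:38 691696]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [24/11/2011 13:37 2358656]
S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 16:22 98992]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""

# Key prefix under which a rogue AV plants the values that mute Security Center.
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
SUPPRESSION_VALUES = frozenset({
    "AntiVirusOverride", "FirewallOverride",
    "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
})

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
SERVICE_RE = re.compile(r"^[RS][0-4] ")


def parse_registry(log_text):
    """Return {key: {value_name: int}} for every REGEDIT4-style key / dword line."""
    keys, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("val"), 16)
    return keys


def find_security_center_suppression(log_text):
    """Sorted (key, value_name) pairs where a Security Center override/notify flag is 1."""
    hits = []
    for key, values in parse_registry(log_text).items():
        if not key.lower().startswith(SECURITY_CENTER):
            continue
        hits.extend((key, n) for n, v in values.items() if n in SUPPRESSION_VALUES and v == 1)
    return sorted(hits)


def parse_services(log_text):
    """(start_type, name, image_path, file_missing) for each ComboFix R*/S* service line."""
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        if not SERVICE_RE.match(line):
            continue
        start, rest = line.split(" ", 1)
        parts = rest.split(";", 2)          # name;display name;image [date size]
        if len(parts) != 3:
            continue
        name, _display, image = parts
        missing = image.rstrip().endswith("[?]")   # ComboFix marks a missing image with [?]
        image = re.sub(r" \[.*\]$", "", image)     # drop trailing "[date size]" or "[?]"
        image = image.split(" --> ", 1)[0]         # ComboFix repeats unresolved paths after -->
        out.append((start, name, image, missing))
    return out


def find_suspicious_services(log_text):
    """Flag services whose name or image stem is all digits, or whose image file is missing.

    Heuristic assumed for this example: generated rootkit loaders often use random
    numeric service and driver names (e.g. 21103785 / 22892082.sys in the thread).
    """
    flagged = []
    for _start, name, image, missing in parse_services(log_text):
        stem = image.split("\\")[-1].split(" ")[0].rsplit(".", 1)[0]
        reasons = []
        if name.isdigit() or stem.isdigit():
            reasons.append("numeric name")
        if missing:
            reasons.append("file missing")
        if reasons:
            flagged.append((name, image, reasons))
    return flagged


def cfscript_registry_stanza(log_text):
    """Build the CFScript Registry:: stanza deleting each flagged value ("name"=- is REGEDIT4 delete)."""
    lines, last_key = ["Registry::"], None
    for key, name in find_security_center_suppression(log_text):
        if key != last_key:
            lines.append(f"[{key}]")
            last_key = key
        lines.append(f'"{name}"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for key, name in find_security_center_suppression(SAMPLE_LOG):
        print(f"suppression: [{key}] {name}")
    for name, image, reasons in find_suspicious_services(SAMPLE_LOG):
        print(f"service {name}: {image} ({', '.join(reasons)})")
    print(cfscript_registry_stanza(SAMPLE_LOG))
```

    Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents; the generated stanza should be reviewed by hand before it goes into a CFScript, since clearing the override flags only re-enables Security Center's alerts and does nothing about the loader that set them.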
  16. grizzzzzzly

    grizzzzzzly Newcomer, in training Topic Starter

    Smart Fortress 2012 is gone, big relief. Adobe reader and Java updated and earlier versions removed. Combofix with custom CF script has run and log posted below. System appears virus free, thank you.

    Autologon - script that logs the user's Outlook onto a remote mail server, not malicious. LogMeIn - think this is a leftover and not required, have removed.

    ComboFix 12-03-26.04 - Charlie 26/03/2012 23:23.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1398 Running from: c:\documents and settings\Charlie\Desktop\Utilities\AntiVirus\ComboFix.exe
    Command switches used :: c:\documents and settings\Charlie\Desktop\Utilities\AntiVirus\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    FILE ::
    "c:\windows\system32\drivers\22892082.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\$NtUninstallXPSEP$
    c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E
    c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E\F4D5618A000BDED60126D515D151FC4E
    c:\documents and settings\Charlie\IECompatCache
    c:\documents and settings\Charlie\IECompatCache\index.dat
    c:\documents and settings\Charlie\Local Settings\Temporary Internet Files\English
    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\object.ini
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\object.ini
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0000.ini
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0001.dta
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0001.ini
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0001\object.ini
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0001\svc0000\object.ini
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0001\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0001\svc0000\tsk0000.ini
    c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\object.ini
    c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\object.ini
    c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0000.ini
    c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0001.dta
    c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0001.ini
    c:\tdsskiller_quarantine\16.03.2012_15.57.12\susp0000\object.ini
    c:\tdsskiller_quarantine\16.03.2012_15.57.12\susp0000\svc0000\object.ini
    c:\tdsskiller_quarantine\16.03.2012_15.57.12\susp0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\16.03.2012_15.57.12\susp0000\svc0000\tsk0000.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-27 to 2012-03-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-27 06:49 . 2012-03-27 06:49 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8024BE1A-FC0E-471B-B4E2-DC1791D5E040}\MpKsl685d9d65.sys
    2012-03-26 15:13 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8024BE1A-FC0E-471B-B4E2-DC1791D5E040}\mpengine.dll
    2012-03-23 08:57 . 2012-03-23 08:57 -------- d-----w- c:\program files\Common Files\Java
    2012-03-23 06:20 . 2012-03-23 06:19 883616 ----a-w- C:\FixExec.scr
    2012-03-21 08:48 . 2012-03-23 09:07 -------- d-----w- C:\HijackThis
    2012-03-21 08:45 . 2012-03-21 08:45 -------- d-----w- c:\program files\ESET
    2012-03-20 15:00 . 2012-03-20 15:00 -------- d-----w- C:\My Documents
    2012-03-19 21:45 . 2002-12-29 01:14 81920 ----a-w- c:\windows\system32\Startup.cpl
    2012-03-19 09:18 . 2012-03-19 09:18 -------- d-----w- c:\documents and settings\Charlie\Application Data\Malwarebytes
    2012-03-16 16:22 . 2012-03-16 16:22 98992 ----a-w- c:\windows\system32\drivers\22892082.sys
    2012-03-15 14:43 . 2010-10-05 13:56 14048 ------w- c:\windows\system32\spmsg2.dll
    2012-03-15 14:40 . 2012-03-15 15:01 -------- d-----w- c:\documents and settings\QBDataServiceUser22
    2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\program files\Common Files\Nuance
    2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
    2012-03-15 14:32 . 2012-03-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
    2012-03-15 14:06 . 2012-03-15 14:06 -------- d-----w- c:\windows\Intuit
    2012-03-15 12:04 . 2012-03-15 12:48 -------- d-----w- c:\program files\Dynamic Ventures
    2012-03-15 12:03 . 2012-03-15 12:03 -------- d-----w- c:\documents and settings\Charlie\Local Settings\Application Data\Downloaded Installations
    2012-03-15 11:45 . 2011-12-16 17:21 29016 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2012-03-15 11:45 . 2010-11-26 18:02 14776 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2012-02-27 18:44 . 2012-02-27 18:44 1721752 ----a-w- c:\windows\system32\InetClnt.dll
    2012-02-27 18:31 . 2012-02-27 18:31 1694992 ----a-w- c:\windows\system32\VBA6.DLL
    2012-02-27 18:31 . 2012-02-27 18:31 741008 ----a-w- c:\windows\system32\SPR32D30.DLL
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-23 07:46 . 2010-12-15 17:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-03-23 07:46 . 2010-12-15 17:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-03-23 07:38 . 2011-08-18 09:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-16 15:54 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-03-14 02:15 . 2010-07-10 02:30 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2010-07-08 17:12 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-11 19:06 . 2012-02-15 21:46 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2008-07-11 11:43 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-21_07.44.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-03-26 15:03 . 2012-03-26 15:03 16384 c:\windows\Temp\Perflib_Perfdata_cc.dat
    + 2004-08-04 10:00 . 2012-03-26 15:05 96342 c:\windows\system32\perfc009.dat
    - 2004-08-04 10:00 . 2012-03-16 03:06 96342 c:\windows\system32\perfc009.dat
    + 2004-08-04 10:00 . 2012-03-26 15:05 526486 c:\windows\system32\perfh009.dat
    - 2004-08-04 10:00 . 2012-03-16 03:06 526486 c:\windows\system32\perfh009.dat
    + 2012-03-23 07:38 . 2012-03-23 07:38 250528 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
    + 2012-03-23 07:38 . 2012-03-23 07:38 335520 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.dll
    + 2012-03-23 07:47 . 2012-03-23 07:46 157472 c:\windows\system32\javaws.exe
    - 2010-12-15 17:07 . 2010-12-15 17:06 157472 c:\windows\system32\javaws.exe
    + 2012-03-23 07:47 . 2012-03-23 07:46 149280 c:\windows\system32\javaw.exe
    + 2012-03-23 07:47 . 2012-03-23 07:46 149280 c:\windows\system32\java.exe
    + 2012-03-23 07:46 . 2012-03-23 07:46 902656 c:\windows\Installer\94f20.msi
    + 2012-03-23 08:57 . 2012-03-23 08:57 203776 c:\windows\Installer\4ae95b.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
    .
    c:\documents and settings\Charlie\Start Menu\Programs\Startup\
    AutoLogin.exe [2010-10-6 106496]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-10-07 14:17 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
    "4979:UDP"= 4979:UDP:Windows Media Format SDK (ping.exe)
    "4978:UDP"= 4978:UDP:Windows Media Format SDK (ping.exe)
    .
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [15/03/2012 12:45 14776]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/05/2010 16:38 691696]
    R1 MpKsl685d9d65;MpKsl685d9d65;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8024BE1A-FC0E-471B-B4E2-DC1791D5E040}\MpKsl685d9d65.sys [27/03/2012 07:49 29904]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/01/2011 19:04 12856]
    R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [06/06/2008 14:03 435488]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 12:53 136176]
    S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 17:22 98992]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 12:53 136176]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
    S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
    S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
    S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [08/06/2011 13:04 374152]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL685D9D65
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2010-03-22 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p officejet 6100 series272A572217594EBCF1CEE215E352B92AD073FDE4269262144.job
    - c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
    .
    2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
    .
    2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
    .
    2012-03-26 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
    .
    2012-03-24 c:\windows\Tasks\SyncBack FizzOffice2 Shared Files.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
    .
    2012-03-23 c:\windows\Tasks\SyncBack Kay's Files Backup.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
    .
    2012-03-23 c:\windows\Tasks\SyncBack Kay's Outlook.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} - hxxp://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-27 08:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
    .
    [HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
    @Denied: ) (Everyone)
    @=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(676)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'lsass.exe'(732)
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2012-03-27 08:30:52
    ComboFix-quarantined-files.txt 2012-03-27 07:30
    ComboFix2.txt 2012-03-27 07:01
    ComboFix3.txt 2012-03-21 07:49
    .
    Pre-Run: 26,015,399,936 bytes free
    Post-Run: 26,018,045,952 bytes free
    .
    - - End Of File - - B3E25E17E81AEED8069ECB859052C070
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I was going through my threads and it appears I somehow missed your reply. My apology.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\19604ed6-7829dbd7
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===========================================
    Please be sure you update Java as instructed. The new entry in Eset is in the Java cache and that is usually because there is outdated Java on the system.
    =========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\22892082.sys
    c:\windows\system32\SmartDefragBootTime.exe
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=-
    Clearjavacache::
    
    DEL /A/F/O "%TASKS%\AT*.job"::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Since you have OTL on the desktop, please do a new scan with it and leave the log. I see many entries in the original scan you ran that I want to make sure are gone. The entries do not show in Combofix.
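    Added example, not code from ComboFix, OTMoveIt or anyone in this thread: a small Python triage script that reads the service and Security Center lines of a ComboFix log like the ones posted above and flags the two things the CFScript targets, a driver whose service name is a bare run of digits (the S3 21103785 / 22892082.sys entry) and a FirewallOverride value of 1. The all-digits heuristic and the sample excerpt are the example's own assumptions, and its output is a lead for a human to check, not a verdict.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix's own code).

It reads the 'Reg Loading Points' part of a ComboFix log and flags
  * services/drivers whose service name or driver file name is all digits,
    the pattern of the S3 21103785 / 22892082.sys entry in this thread,
  * a Security Center "FirewallOverride"=dword:00000001 value, the entry
    the CFScript in this thread removes with "FirewallOverride"=-.
The heuristics are assumptions of this example, not rules from the thread.
"""
from __future__ import annotations

import re

# One ComboFix service/driver line, e.g.
#   S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 17:22 98992]
#   S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> ... [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)"
    r"\s*(?:\[(?P<meta>[^\]]*)\])?\s*$"
)
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\security center]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')  # "FirewallOverride"=dword:...

# Constructed excerpt; the lines are copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/05/2010 16:38 691696]
S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 17:22 98992]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""


def image_stem(image: str) -> str:
    """File name without extension from the first token of an ImagePath."""
    tokens = image.split()
    path = tokens[0] if tokens else ""
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def driver_reasons(name: str, image: str) -> list[str]:
    """Heuristic reasons a service entry looks like a randomly named loader."""
    reasons = []
    if name.isdigit():
        reasons.append("service name is all digits")
    if image_stem(image).isdigit():
        reasons.append("driver file name is all digits")
    if reasons and name != image_stem(image):
        reasons.append("service name does not match file name")
    return reasons


def firewall_override_set(data: str) -> bool:
    """True for a REGEDIT4 dword value whose numeric value is 1."""
    if not data.lower().startswith("dword:"):
        return False
    try:
        return int(data[len("dword:"):], 16) == 1
    except ValueError:
        return False


def triage(log_text: str) -> list[dict]:
    """Scan a ComboFix log excerpt and return findings in the order they appear."""
    findings = []
    section = None  # lower-cased registry key of the current [ ... ] block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = driver_reasons(m.group("name"), m.group("image"))
            if reasons:
                findings.append({"kind": "driver", "name": m.group("name"),
                                 "image": m.group("image").split()[0],
                                 "reasons": reasons})
            continue
        m = VALUE_RE.match(line)
        if m and section and section.endswith("security center"):
            if m.group("name") == "FirewallOverride" and firewall_override_set(m.group("data")):
                findings.append({"kind": "registry", "name": "FirewallOverride",
                                 "image": None,
                                 "reasons": ["Security Center firewall status overridden"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["kind"], finding["name"], finding["image"], "; ".join(finding["reasons"]))
```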
  18. grizzzzzzly

    grizzzzzzly Newcomer, in training Topic Starter

    Followed instructions running OldTimer, then ComboFix, and then a final OldTimer scan, and have copied the logs below:


    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\19604ed6-7829dbd7 not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 20365 bytes

    User: All Users
    ->Temp folder emptied: 0 bytes

    User: Charlie
    ->Temp folder emptied: 245597362 bytes
    ->Temporary Internet Files folder emptied: 16223954 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 96905627 bytes
    ->Flash cache emptied: 3131283 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Matthew
    ->Temp folder emptied: 72470680 bytes
    ->Temporary Internet Files folder emptied: 2404370030 bytes
    ->Java cache emptied: 1020991 bytes
    ->Flash cache emptied: 7145 bytes

    User: NetworkService
    ->Temp folder emptied: 30932 bytes
    ->Temporary Internet Files folder emptied: 8044678 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 6421 bytes

    User: QBDataServiceUser19
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: QBDataServiceUser22
    ->Temp folder emptied: 774656 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 108577 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 96552187 bytes

    Total Files Cleaned = 2,809.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 04032012_175225

    Files moved on Reboot...

    Registry entries deleted on Reboot...



    ComboFix 12-04-03.02 - Charlie 03/04/2012 18:17:33.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1500 [GMT 1:00]
    Running from: c:\documents and settings\Charlie\Desktop\Utilities\AntiVirus\ComboFix.exe
    Command switches used :: c:\documents and settings\Charlie\Desktop\Utilities\AntiVirus\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    FILE ::
    "c:\windows\system32\drivers\22892082.sys"
    "c:\windows\system32\SmartDefragBootTime.exe"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-03 17:11 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{929516C1-D55B-4FCE-866B-D04473847F1C}\mpengine.dll
    2012-04-03 16:52 . 2012-04-03 16:52 -------- d-----w- C:\_OTM
    2012-03-29 14:43 . 2012-03-29 14:43 -------- d-----w- c:\windows\system32\NtmsData
    2012-03-29 10:01 . 2012-03-29 10:02 -------- d-----w- c:\documents and settings\Charlie\Local Settings\Application Data\ABBYY
    2012-03-29 09:57 . 2012-03-29 10:02 -------- d-----w- c:\program files\ABBYY FineReader 9.0 Express Edition
    2012-03-29 09:57 . 2012-03-29 09:57 -------- d-----w- c:\program files\Common Files\ABBYY
    2012-03-29 09:57 . 2012-03-29 09:57 -------- d-----w- c:\documents and settings\All Users\Application Data\ABBYY
    2012-03-29 09:54 . 2012-03-29 09:55 -------- d-----w- c:\program files\ABBYY
    2012-03-23 08:57 . 2012-03-23 08:57 -------- d-----w- c:\program files\Common Files\Java
    2012-03-23 06:20 . 2012-03-23 06:19 883616 ----a-w- C:\FixExec.scr
    2012-03-21 08:48 . 2012-03-23 09:07 -------- d-----w- C:\HijackThis
    2012-03-21 08:45 . 2012-03-21 08:45 -------- d-----w- c:\program files\ESET
    2012-03-20 15:00 . 2012-03-20 15:00 -------- d-----w- C:\My Documents
    2012-03-19 21:45 . 2002-12-29 01:14 81920 ----a-w- c:\windows\system32\Startup.cpl
    2012-03-19 09:18 . 2012-03-19 09:18 -------- d-----w- c:\documents and settings\Charlie\Application Data\Malwarebytes
    2012-03-18 22:14 . 2012-03-18 22:14 -------- d-----w- c:\documents and settings\Matthew\Application Data\Malwarebytes
    2012-03-18 20:49 . 2012-03-18 20:49 -------- d-----w- c:\documents and settings\Matthew\Local Settings\Application Data\Intuit
    2012-03-16 16:22 . 2012-03-16 16:22 98992 ----a-w- c:\windows\system32\drivers\22892082.sys
    2012-03-15 14:43 . 2010-10-05 13:56 14048 ------w- c:\windows\system32\spmsg2.dll
    2012-03-15 14:40 . 2012-03-15 15:01 -------- d-----w- c:\documents and settings\QBDataServiceUser22
    2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\program files\Common Files\Nuance
    2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
    2012-03-15 14:32 . 2012-03-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
    2012-03-15 14:06 . 2012-03-15 14:06 -------- d-----w- c:\windows\Intuit
    2012-03-15 12:04 . 2012-03-15 12:48 -------- d-----w- c:\program files\Dynamic Ventures
    2012-03-15 12:03 . 2012-03-15 12:03 -------- d-----w- c:\documents and settings\Charlie\Local Settings\Application Data\Downloaded Installations
    2012-03-15 11:45 . 2011-12-16 17:21 29016 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2012-03-15 11:45 . 2010-11-26 18:02 14776 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-23 07:46 . 2010-12-15 17:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-03-23 07:46 . 2010-12-15 17:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-03-23 07:38 . 2011-08-18 09:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-16 15:54 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-03-14 02:15 . 2010-07-10 02:30 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-02-27 18:44 . 2012-02-27 18:44 1721752 ----a-w- c:\windows\system32\InetClnt.dll
    2012-02-27 18:31 . 2012-02-27 18:31 1694992 ----a-w- c:\windows\system32\VBA6.DLL
    2012-02-27 18:31 . 2012-02-27 18:31 741008 ----a-w- c:\windows\system32\SPR32D30.DLL
    2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2010-07-08 17:12 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-11 19:06 . 2012-02-15 21:46 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2008-07-11 11:43 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-21_07.44.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-03 17:00 . 2012-04-03 17:00 16384 c:\windows\Temp\Perflib_Perfdata_7a4.dat
    + 2004-08-04 10:00 . 2012-03-26 15:05 96342 c:\windows\system32\perfc009.dat
    - 2004-08-04 10:00 . 2012-03-16 03:06 96342 c:\windows\system32\perfc009.dat
    + 2012-03-28 21:17 . 2012-03-28 21:17 22016 c:\windows\Installer\8163bd2.msi
    + 2012-03-29 10:01 . 2012-03-29 10:01 25214 c:\windows\Installer\{F9000000-0013-0000-0000-074957833700}\ICON_Sprint.exe
    + 2012-03-29 10:01 . 2012-03-29 10:01 25214 c:\windows\Installer\{F9000000-0013-0000-0000-074957833700}\ICON_Bonus.ScreenshotReader.exe
    + 2012-03-29 10:01 . 2012-03-29 10:01 25214 c:\windows\Installer\{F9000000-0013-0000-0000-074957833700}\ARPPRODUCTICON.exe
    + 2004-08-04 10:00 . 2012-03-26 15:05 526486 c:\windows\system32\perfh009.dat
    - 2004-08-04 10:00 . 2012-03-16 03:06 526486 c:\windows\system32\perfh009.dat
    + 2012-03-23 07:38 . 2012-03-23 07:38 250528 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
    + 2012-03-23 07:38 . 2012-03-23 07:38 335520 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.dll
    - 2010-12-15 17:07 . 2010-12-15 17:06 157472 c:\windows\system32\javaws.exe
    + 2012-03-23 07:47 . 2012-03-23 07:46 157472 c:\windows\system32\javaws.exe
    + 2012-03-23 07:47 . 2012-03-23 07:46 149280 c:\windows\system32\javaw.exe
    + 2012-03-23 07:47 . 2012-03-23 07:46 149280 c:\windows\system32\java.exe
    + 2012-03-23 07:46 . 2012-03-23 07:46 902656 c:\windows\Installer\94f20.msi
    + 2012-03-23 08:57 . 2012-03-23 08:57 203776 c:\windows\Installer\4ae95b.msi
    + 2012-03-29 10:01 . 2012-03-29 10:01 3994624 c:\windows\Installer\4cf95.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
    .
    c:\documents and settings\Charlie\Start Menu\Programs\Startup\
    AutoLogin.exe [2010-10-6 106496]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-10-07 14:17 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
    "4979:UDP"= 4979:UDP:Windows Media Format SDK (ping.exe)
    "4978:UDP"= 4978:UDP:Windows Media Format SDK (ping.exe)
    .
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [15/03/2012 12:45 14776]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/05/2010 16:38 691696]
    R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [13/04/2009 20:07 759072]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/01/2011 19:04 12856]
    R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [06/06/2008 14:03 435488]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 12:53 136176]
    S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 17:22 98992]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 12:53 136176]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
    S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
    S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
    S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [08/06/2011 13:04 374152]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
    .
    2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
    .
    2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1644491937-725345543-1008Core.job
    - c:\documents and settings\Charlie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-27 22:12]
    .
    2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1644491937-725345543-1008UA.job
    - c:\documents and settings\Charlie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-27 22:12]
    .
    2012-04-03 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
    .
    2012-03-31 c:\windows\Tasks\SyncBack FizzOffice2 Shared Files.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
    .
    2012-03-30 c:\windows\Tasks\SyncBack Kay's Files Backup.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
    .
    2012-03-30 c:\windows\Tasks\SyncBack Kay's Outlook.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} - hxxp://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-03 18:24
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
    .
    [HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
    @Denied: ) (Everyone)
    @=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(676)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'lsass.exe'(732)
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'explorer.exe'(3924)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
    c:\windows\system32\LMIRfsClientNP.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    .
    Completion time: 2012-04-03 18:26:36
    ComboFix-quarantined-files.txt 2012-04-03 17:26
    ComboFix2.txt 2012-03-27 07:30
    ComboFix3.txt 2012-03-27 07:01
    ComboFix4.txt 2012-03-21 07:49
    .
    Pre-Run: 26,875,838,464 bytes free
    Post-Run: 26,848,169,984 bytes free
    .
    - - End Of File - - 6826D2CF0A7A4039B5B7FFA27C701096



    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\19604ed6-7829dbd7 not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users
    ->Temp folder emptied: 0 bytes

    User: Charlie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 46190908 bytes
    ->Flash cache emptied: 730 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes

    User: Matthew
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: QBDataServiceUser19
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: QBDataServiceUser22
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 44.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 04032012_183100

    Files moved on Reboot...

    Registry entries deleted on Reboot...
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I removed a file and it came back, so you will need to submit it for identification:

    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: (you only need one)
    VirusTotal
    Jotti

    • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

      Code:
      c:\windows\system32\drivers\22892082.sys
      
      
      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.
    ====================================
    Oh my word! From OTM>>Total Files Cleaned = 2,809.00 - that is a lot of files!
    ====================================
    I think you misunderstood - I didn't want you to run OTM again after the above. You started the thread with OTL>> that's what I'd like you to repeat.
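As an added example, not part of this thread or of OldTimer's OTM/OTL tools: a small Python parser for the `[EMPTYTEMP]` section of an OTM log like the one posted above. It totals the per-user (`->` prefixed) and system-wide "emptied"/"removed" lines, reports which profile accounted for the bulk of the cleaned data, and compares the sum with the "Total Files Cleaned" figure OTM prints, which is the figure the reply above is reacting to. The sample log is a constructed fragment whose byte counts are copied from the post; the 0.5 MB tolerance for the comparison is an assumption, since OTM's own rounding is not documented on this page.

```python
import re

# Constructed sample: a fragment of the OTM [EMPTYTEMP] log posted in this thread.
# Byte counts are copied from the post above, not re-measured.
SAMPLE_OTM_LOG = """\
[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Charlie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Google Chrome cache emptied: 46190908 bytes
->Flash cache emptied: 730 bytes

User: LocalService
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temporary Internet Files folder emptied: 32835 bytes

%systemdrive% .tmp files removed: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 44.00 mb
"""

SYSTEM_SCOPE = "<system-wide>"

USER_RE = re.compile(r"^User:\s+(.+?)\s*$")
# Matches both "Temp folder emptied: 123 bytes" and "... .tmp files removed: 0 bytes"
EMPTIED_RE = re.compile(r"^(.+?)\s+(?:emptied|removed):\s+(\d+)\s+bytes$")
# OTM prints thousands separators for large totals, e.g. "2,809.00 mb"
TOTAL_RE = re.compile(r"^Total Files Cleaned\s*=\s*([\d,]+\.\d+)\s*mb$", re.IGNORECASE)


def parse_otm_emptytemp(text):
    """Return ({scope: bytes_cleaned}, reported_total_mb_or_None).

    Lines starting with '->' belong to the most recent 'User:' header;
    any other 'emptied'/'removed' line is counted as system-wide.
    """
    per_scope = {}
    reported_mb = None
    current_user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USER_RE.match(line)
        if m:
            current_user = m.group(1)
            per_scope.setdefault(current_user, 0)
            continue
        is_user_line = line.startswith("->")
        m = EMPTIED_RE.match(line[2:] if is_user_line else line)
        if m:
            scope = current_user if (is_user_line and current_user) else SYSTEM_SCOPE
            per_scope[scope] = per_scope.get(scope, 0) + int(m.group(2))
            continue
        m = TOTAL_RE.match(line)
        if m:
            reported_mb = float(m.group(1).replace(",", ""))
    return per_scope, reported_mb


def check_total(per_scope, reported_mb, tolerance_mb=0.5):
    """Sum the parsed lines and compare with OTM's own total (MiB, rounded to 2 dp)."""
    total_bytes = sum(per_scope.values())
    computed_mb = round(total_bytes / (1024 * 1024), 2)
    consistent = reported_mb is not None and abs(computed_mb - reported_mb) <= tolerance_mb
    return total_bytes, computed_mb, consistent


def largest_scope(per_scope):
    """Name of the profile (or system-wide bucket) that contributed the most bytes."""
    return max(per_scope, key=per_scope.get)


if __name__ == "__main__":
    scopes, reported = parse_otm_emptytemp(SAMPLE_OTM_LOG)
    total, mb, ok = check_total(scopes, reported)
    print(f"{total} bytes cleaned ({mb} MiB); OTM reported {reported} mb; consistent={ok}")
    print("largest contributor:", largest_scope(scopes))
```

Running this on the sample shows that almost all of the 44 MB was the Chrome cache under one profile, which is the kind of breakdown that tells a helper whether a large "Total Files Cleaned" figure is just browser cache or something worth a closer look.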

