Solved Possible worm


RLK107

While attempting to re-install the HP printer software (Officejet Pro L7590), I received a message saying that services.exe had failed with the status code 1073741819.
I was attempting to restore scan capability (worked well at one point).
Other than that, system performs normally.

From what I've observed surfing around, there seems to be a history of this malware showing up.

I've done the 8 step procedure and pasted in the four log files.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5420

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/29/2010 10:12:39 PM
mbam-log-2010-12-29 (22-12-39).txt

Scan type: Quick scan
Objects scanned: 152368
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-29 22:34:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path1Target1Lun0 ST316081 rev.4.AA
Running: dbb4kbc6.exe; Driver: C:\DOCUME~1\DICKKU~1\LOCALS~1\Temp\fwtirpob.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/9/2009 2:52:55 PM
System Uptime: 12/29/2010 9:46:27 PM (1 hours ago)

Motherboard: eMachines | | WMCP61M
Processor: AMD Athlon(tm) Processor 2650e | Socket AM2 | 1607/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 69 GiB total, 47.292 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 70 GiB total, 59.679 GiB free.
F: is Removable
G: is FIXED (NTFS) - 596 GiB total, 504.757 GiB free.
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP280: 12/21/2010 3:53:03 PM - Software Distribution Service 3.0
RP281: 12/22/2010 11:28:46 PM - System Checkpoint
RP282: 12/23/2010 12:53:37 AM - Installed QuickTime
RP283: 12/23/2010 9:13:24 AM - Software Distribution Service 3.0
RP284: 12/23/2010 10:19:46 PM - Paint.NET v3.5.6
RP285: 12/24/2010 9:48:59 AM - Software Distribution Service 3.0
RP286: 12/25/2010 6:42:41 PM - Removed MPM
RP287: 12/25/2010 6:56:09 PM - Software Distribution Service 3.0
RP288: 12/25/2010 7:09:25 PM - Printer Driver HP Officejet Pro L7500 S... fax Installed
RP289: 12/25/2010 7:10:11 PM - Printer Driver HP Officejet Pro L7500 S... fax Installed
RP290: 12/25/2010 8:42:47 PM - Revo Uninstaller's restore point - HP Customer Participation Program 7.0
RP291: 12/25/2010 8:47:22 PM - Revo Uninstaller's restore point - HP Imaging Device Functions 7.0
RP292: 12/25/2010 8:55:00 PM - Revo Uninstaller's restore point - HP Officejet Pro All-In-One Series
RP293: 12/25/2010 9:00:43 PM - Revo Uninstaller's restore point - HP Photosmart Essential
RP294: 12/25/2010 9:01:40 PM - Removed HP Photosmart Essential
RP295: 12/25/2010 9:05:16 PM - Revo Uninstaller's restore point - HP Solution Center 7.0
RP296: 12/25/2010 9:16:51 PM - Revo Uninstaller's restore point - HP Update
RP297: 12/25/2010 9:17:25 PM - Removed HP Update.
RP298: 12/25/2010 9:20:33 PM - Revo Uninstaller's restore point - HPSSupply
RP299: 12/25/2010 9:20:53 PM - Removed HPSSupply
RP300: 12/25/2010 10:01:28 PM - Installed HPSU306Stub
RP301: 12/25/2010 10:54:29 PM - Installed HP Product Detection.
RP302: 12/27/2010 9:17:49 AM - Software Distribution Service 3.0
RP303: 12/28/2010 10:36:41 AM - System Checkpoint
RP304: 12/28/2010 2:25:43 PM - Software Distribution Service 3.0
RP305: 12/28/2010 9:35:56 PM - Software Distribution Service 3.0
RP306: 12/29/2010 2:01:23 AM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
3D Text Commander 3.0.1 by Insofta Development
7-Zip 4.65
Ad-Aware
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Shockwave Player 11.5
Advanced SystemCare 3
Agere Systems PCI-SV92EX Soft Modem
Alleycode HTML Editor 2.2.1
AllMySongs Database
AM-DeadLink 3.3
AnalogX Capture
Aneesoft 3D Flash Gallery GOTD Edition
Apple Application Support
Apple Software Update
Artensoft Photo Mosaic Wizard
Ashampoo Burning Studio 2010 Advanced
Ashampoo MyAutoplay Menu 1.0.3
Ashampoo Photo Commander 7.21
Ashampoo WinOptimizer 6.60
Ask Toolbar
Autoplay Menu Designer 3.4
AVG Anti-Rootkit Free
BPD_Scan
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Celestia 1.6.0
Coupon Printer for Windows
CRON-O-METER 0.9.7
Definition update for Microsoft Office 2010 (KB982726)
Dell Driver Download Manager
Ditto
DS Clock
e-Sword
EASEUS Partition Master 4.0 Home Edition
Easy Family Tree Deluxe®
Easy Macro Recorder 3.75
ERUNT 1.1j
Everything 1.2.1.371
ExifCleaner 1.2
FastStone Image Viewer 4.2
Fax
FileZilla Client 3.3.5.1
FolderIco 1.0
FolderSizes 3.6
FontFrenzy 1.51
Foxit PDF IFilter
Foxit Reader
gBurner
GIMP 2.6.8
Glary Utilities 2.30.0.1066
GnuCash 2.2.9
Google Chrome
Google Earth
Google SketchUp 8
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Product Detection
HP Software Update
Hulu Desktop
IBM Lotus Symphony
Imagicon
Incomedia WebSite X5 Smart
Java Auto Updater
Java(TM) 6 Update 22
JGsoft EditPad Lite 5.3.0
jv16 PowerTools 2009
KeyScrambler
KLS Mail Backup 1.9.7.5
Kyodai Mahjongg
LEGO Digital Designer
LightScribe 1.4.136.1
Ma-Config.com
MailAlert
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft ActiveSync 4.0
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Calculator Plus
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Publisher 2010
Microsoft Security Essentials
Microsoft Software Update for Web Folders (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Miro
Move Media Player
Mozilla Firefox (3.6.13)
Mozilla Thunderbird (3.1.7)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Duplicate Remover 6.0
MyConnection PC Lite Edition
Nero 7 Essentials
Network
novaPDF Pro v5 (novaPDF Professional Desktop 5.5 printer)
NVIDIA Drivers
OpenDNS Updater 2.2.1
OpenOffice.org 3.2
Paint.NET v3.5.6
Panda Cloud Antivirus
Panda USB Vaccine 1.0.1.4
pdfFactory Pro
PDFZilla V1.2.7
Photo Pos Pro
PhotoWipe 1.0
PhotoWorks
Picasa 3
PowerISO
Q-Dir
QFolder
Quick PDF Tools 2.1.5.8
QuickTime
Rainlendar2 (remove only)
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Revo Uninstaller 1.90
Scan
SDFormatter
Secunia PSI (2.0.0.1003)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft Word 2010 (KB2345000)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB972260)
Seesmic Look
Serif PagePlus Essentials
Setup IsoEdit
Shape Collage
SIW version 2010.03.11
Smart Defrag
SoftMaker Office 2010
SoftOrbits Html Web Gallery Generator 1.2
Software Informer 1.0 BETA
Soluto
Sophos Windows Shortcut Exploit Protection Tool
Speccy
Spybot - Search & Destroy
Spyware Terminator
Startup Defender 1.9.5
StartupRun
Static EMail Backup 2.9
SUPERAntiSpyware Free Edition
Titan Backup
Translate.Net
TreeSize Free V2.4
TuneUp Utilities 2009
Tux Paint 0.9.21b
Tux Paint Stamps 2009-06-28
Unity Web Player (All users)
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
USB Safely Remove 4.1
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WinDirStat 1.1.2
Windows 7 Upgrade Advisor Beta
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinKey
WinPatrol 2009
WinPcap 4.0.2
WinSnap
WinUtilities 7.0
Wondershare PC Health Check 1.5.2
Wondershare Photo Collage Studio 4.2.10.7
Wondershare Streaming Audio Recorder(Build 1.0.8.52)
WordWeb
Xilisoft HD Video Converter 6
ZoneAlarm
ZoneAlarm Backup Powered by IDrive version 1.0.5 March 11, 2010
Zoner Photo Studio 12

==== Event Viewer Messages From Past Week ========

12/29/2010 9:44:55 PM, error: Service Control Manager [7031] - The Panda Cloud Antivirus Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
12/29/2010 9:44:46 PM, error: Service Control Manager [7034] - The ZoneAlarmBackup WebManager service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 9:44:46 PM, error: Service Control Manager [7034] - The ZoneAlarmBackup Service service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 9:44:46 PM, error: Service Control Manager [7034] - The USB Safely Remove Assistant service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 9:44:46 PM, error: Service Control Manager [7034] - The Spyware Terminator Realtime Shield Service service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 9:44:46 PM, error: Service Control Manager [7034] - The Soluto PCGenome Core Service service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 9:44:46 PM, error: Service Control Manager [7034] - The Secunia PSI Agent service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 9:44:46 PM, error: Service Control Manager [7034] - The NLS Service service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 9:44:46 PM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 9:44:46 PM, error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 9:44:46 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
12/28/2010 2:51:27 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NanoServiceMain service.
12/28/2010 2:50:51 PM, error: Service Control Manager [7022] - The Panda Cloud Antivirus Service service hung on starting.
12/28/2010 12:49:26 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCGenFAM
12/27/2010 11:30:49 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
12/27/2010 10:47:14 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
12/27/2010 10:43:52 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
12/26/2010 8:44:41 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/25/2010 8:08:00 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL. Reference error message: The operation completed successfully. .
12/25/2010 7:09:49 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
12/25/2010 7:09:49 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80U.DLL. Reference error message: The operation completed successfully. .
12/25/2010 7:09:49 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
12/23/2010 2:44:54 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.

==== End Of File ===========================


DDS (Ver_10-12-12.02) - NTFSx86
Run by **** Kutz at 22:49:33.79 on Wed 12/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.623 [GMT -7:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\Program Files\USB Safely Remove\USBSRService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Soluto\SolutoService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe
C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DS Clock\DSClock.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\**** Kutz\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
C:\PROGRAM FILES\MAILALERT\MAILALERT.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\**** Kutz\Desktop\TechSpot\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DS Clock] "c:\program files\ds clock\DSClock.exe"
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [Google Update] "c:\documents and settings\**** kutz\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [nwiz] nwiz.exe /install
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\dickku~1\startm~1\programs\startup\firefox.exe.lnk - c:\program files\mozilla firefox\firefox.exe
StartupFolder: c:\docume~1\dickku~1\startm~1\programs\startup\startup defender.lnk - c:\program files\zards software\startup defender\Startup Defender.exe
StartupFolder: c:\docume~1\dickku~1\startm~1\programs\startup\disabled\calend~1.lnk - e:\my data\utilities,program installs\software by design\Calendar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secunia psi tray.lnk - c:\program files\secunia\psi\psi_tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\disabled\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\disabled\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: {C800F8A8-08F8-472D-ADF8-4B12E2F782BA} = 208.67.222.222,208.67.220.220
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dickku~1\applic~1\mozilla\firefox\profiles\1s9mnumo.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\documents and settings\**** kutz\application data\mozilla\firefox\profiles\1s9mnumo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\**** kutz\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\**** kutz\application data\mozilla\firefox\profiles\1s9mnumo.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll
FF - plugin: c:\documents and settings\**** kutz\application data\mozilla\firefox\profiles\1s9mnumo.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\**** kutz\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\**** kutz\local settings\application data\huludesktop\instances\0.9.13.1\nphdplg.dll
FF - plugin: c:\progra~1\microsoft office\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\microsoft office\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - %profile%\extensions\artur.dubovoy@gmail.com
FF - Ext: Get Mail Plus: getmail@webdesigns.ms11.net - %profile%\extensions\getmail@webdesigns.ms11.net
FF - Ext: App Tabs: apptabs@frankyan.com - %profile%\extensions\apptabs@frankyan.com
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - %profile%\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
FF - Ext: Consumer Input: ConsumerInput@Compete - %profile%\extensions\ConsumerInput@Compete
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-28 64288]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-12-29 3968]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-6-17 129992]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67656]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-9-11 142592]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-11 532224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1389400]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-8-9 140608]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-7-9 65856]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-7-21 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-7-21 112456]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2010-12-21 987704]
R2 SolutoService;Soluto PCGenome Core Service;c:\program files\soluto\SolutoService.exe [2010-11-1 331296]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\usb safely remove\USBSRService.exe [2009-10-1 213776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\zonealarmbackup\ZABackupWebM.exe [2010-11-27 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\zonealarmbackup\ZABackup Service.exe [2010-11-27 149008]
R3 KeyScramblerDrv;KeyScramblerDrv;c:\windows\system32\drivers\keyscrambler.sys [2010-4-12 115312]
R3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2009-9-19 16640]
S0 PCGenFAM;PCGenFAM;c:\windows\system32\drivers\PCGenFAM.sys [2010-12-13 181704]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2010-12-21 399416]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2010-9-7 406016]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-9-14 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-9-14 3072]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-12 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-13 15264]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2010-7-19 259440]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasusb.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-12-30 05:35:05 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{19da7bcb-804c-42d9-a298-07f4dd08fbe3}\mpengine.dll
2010-12-30 04:52:01 7232 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-12-29 18:50:21 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-12-29 05:17:08 -------- d-----w- c:\windows\system32\jv16PTPortableBackup
2010-12-24 05:19:47 -------- d-----w- c:\program files\Paint.NET
2010-12-24 05:19:26 -------- d-----w- c:\docume~1\dickku~1\locals~1\applic~1\Paint.NET
2010-12-23 07:58:38 75208 ----a-w- c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
2010-12-23 07:48:47 -------- d-----w- C:\My Music
2010-12-23 07:48:03 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2010-12-23 07:47:40 -------- d-----w- c:\program files\common files\xing shared
2010-12-23 07:47:18 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-12-23 07:46:57 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-12-23 06:37:28 -------- d-----w- c:\docume~1\dickku~1\locals~1\applic~1\Secunia PSI
2010-12-23 06:36:52 -------- d-----w- c:\program files\Secunia
2010-12-13 16:54:17 181704 ----a-w- c:\windows\system32\drivers\PCGenFAM.sys
2010-12-13 16:54:10 -------- d-----w- c:\program files\Soluto
2010-12-13 16:53:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Soluto
2010-12-11 22:03:36 -------- d-----w- c:\docume~1\dickku~1\applic~1\LEGO Company
2010-12-11 22:02:46 -------- d-----w- c:\program files\LEGO Company
2010-12-11 22:02:20 -------- d-----w- c:\program files\Unity
2010-12-10 17:12:54 -------- d-----w- c:\program files\Glary Utilities

==================== Find3M ====================

2010-12-29 05:45:58 134 -c--a-w- c:\windows\system32\_WDYSZYG.sys
2010-12-23 07:46:42 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-12-23 07:46:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-12-20 21:27:42 15880 -c--a-w- c:\windows\system32\lsdelete.exe
2010-11-30 00:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-17 06:41:00 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 21:25:59 398744 -c--a-r- c:\windows\system32\cpnprt2.cid
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 -c----w- c:\windows\system32\MpSigStub.exe

============= FINISH: 22:51:56.32 ===============
 
Welcome to TechSpot! We should be able to solve this fairly easily.

It's likely that the full message you got was:
c:\windows\system32\services.exe terminated unexpectedly with status code 1073741819. The system will shut down and restart.

But first, you need to resolve the multiple antivirus programs. The system should have only 1 AV program. More actually makes the system more vulnerable, not less. You have 3:

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated*
AV: Panda Cloud Antivirus *Enabled/Updated*
AV: Microsoft Security Essentials *Enabled/Updated*


Decide which you want to keep and remove the others. Reboot the computer after completing the removals.
======================================
Regarding the printer status code: It is an indication that there may be old HP entries still on the system, possibly loading from the Registry. These would prevent the scanner from doing its job.

I note this in the Restore Points:
RP288: 12/25/2010 7:09:25 PM - Printer Driver HP Officejet Pro L7500 S... fax Installed
RP289: 12/25/2010 7:10:11 PM - Printer Driver HP Officejet Pro L7500 S... fax Installed
RP290: 12/25/2010 8:42:47 PM - Revo Uninstaller's restore point - HP Customer Participation Program 7.0
RP291: 12/25/2010 8:47:22 PM - Revo Uninstaller's restore point - HP Imaging Device Functions 7.0
RP292: 12/25/2010 8:55:00 PM - Revo Uninstaller's restore point - HP Officejet Pro All-In-One Series
RP293: 12/25/2010 9:00:43 PM - Revo Uninstaller's restore point - HP Photosmart Essential
RP294: 12/25/2010 9:01:40 PM - Removed HP Photosmart Essential
RP295: 12/25/2010 9:05:16 PM - Revo Uninstaller's restore point - HP Solution Center 7.0
RP296: 12/25/2010 9:16:51 PM - Revo Uninstaller's restore point - HP Update
RP297: 12/25/2010 9:17:25 PM - Removed HP Update.
RP298: 12/25/2010 9:20:33 PM - Revo Uninstaller's restore point - HPSSupply
RP299: 12/25/2010 9:20:53 PM - Removed HPSSupply
RP300: 12/25/2010 10:01:28 PM - Installed HPSU306Stub
RP301: 12/25/2010 10:54:29 PM - Installed HP Product Detection.


The easiest way to resolve this is to do a complete uninstall of the HP Printer> use Revo after if you want to remove any leftover entries. Then reinstall the printer.

A 'status code' isn't an indication of a Worm, but we can check that.
================================================
After you finish getting the AV programs down to one, please run the following Security Check:

Download Security Check by screen317 from HERE or HERE.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
==========================================
Follow with this:
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

You have a lot of duplication of programs for the same functions. I'll be recommending you remove some- I'll give the names later.
 
######

In regard to the AV programs:
I have removed the Panda software from my system and disabled the AV function from the Lavasoft Ad-Watch software (Ad-Watch is one of a number of spyware programs that I run).

Computer was rebooted after these actions.

I went back and did a more thorough job of eliminating the HP software from the system using both Revo and deleting the printer from Control Panel.

Printer re-install ran to completion; however, one of HP's programs that is installed along with the printer, 'HP Solution Center', gives error msg 'No HP devices have been detected. HP Solution Center will close now.' (Ctl Panel shows HP printer as being the default printer.)

The Security Check program was run and here is the checkup.txt output:

### start txt output ###

Results of screen317's Security Check version 0.99.8
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
AVG Anti-Rootkit Free
ZoneAlarm
ZoneAlarm Backup Powered by IDrive version 1.0.5 March 11, 2010
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
WinPatrol 2009
Malwarebytes' Anti-Malware
HijackThis 2.0.2
TuneUp Utilities 2009
CCleaner
ExifCleaner 1.2
Java(TM) 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Mozilla Firefox (3.6.13)
Mozilla Thunderbird (3.1.7)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
WinPatrol winpatrol.exe
Microsoft Security Essentials msseces.exe
Zards software Startup Defender Startup Defender.exe
BillP Studios WinPatrol winpatrol.exe
ZoneAlarmBackup ZABackupWebM.exe
ZoneAlarmBackup ZABackup Service.exe
Zone Labs ZoneAlarm zlclient.exe
``````````End of Log````````````

### End txt output ###

I checked the Java website, and, yes, the current version is 6.23.
I'll wait for your go-ahead before updating to 6.23.

I ran into a situation with the Eset program.
I think it was due to running with Firefox rather than IE.
This led to Eset providing an 'installer program' and this created problems as I followed the TechSpot instructions.

Step 1: Ticked YES
Step 2: Clicked START
Step 3: No Active X prompt
Step 4: Disabled MS Essentials
Step 5: Clicked START

At this point scan began running before I did the check box reversals as described in Step 6.
Of course, when it finished, it deleted the ten files it had found.
I may be wrong, but it would appear that, under Firefox, step 6 should precede step 5.
I never rec'd a Step 7 'Scan' option.

A number of the infected files contained the wording 'bagle' (perhaps an indication of the intelligence of the average hacker).
This morning when I booted up, I half expected to find the 'bagle' files back on my system.
This was not the case.
Here is the Eset output:

###Start###

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=171f7844f36ef049a8977b1c9538af0c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-31 09:46:39
# local_time=2010-12-31 02:46:39 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 21561198 21561198 0 0
# compatibility_mode=5891 16776869 100 100 0 23277355 0 0
# compatibility_mode=7937 16777213 100 100 253018 40130018 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 13517909 16365655 0 0
# scanned=384343
# found=10
# cleaned=10
# scan_time=15624
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Documents & Settings datasets\Most iles from Doc. & Settings - **** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\All Users\Start Menu\Programs\eBay.url Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

###End###

I hope the deletion of those files hasn't thrown a wrench in the gears.
 
Regarding the Eset scan Directions:
The Eset directions, in part, are:

6 Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7 Click Scan
8 Wait for the scan to finish
9 Re-enable your Antivirus software.
10 A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

You set for 'Unchecked' before you start the scan. The last line, #10, tells you where the log is. Instructions are fine as given. I prefer to remove them using a special program because it will also remove associated files.
======================================
Regarding AdWatch Live:
(Ad-Watch is one of a number of spyware programs that I run).
It's a RealTime program that alerts to attempted Registry changes. I had it for many years- it came with the paid version of AdAware. But I am now seeing the logs clearly describing AdWatch Live as an antivirus program:
AV: Lavasoft Ad-Watch Live! Anti-Virus
==================================================
Regarding HP Error message:
one of HP's programs that is installed along with the printer, 'HP Solution Center', gives error msg 'No HP devices have been detected. HP Solution Center will close now
There is probably an entry still on the Startup menu for this. Unchecking should resolve it.
This message had nothing to do with the 'problem':
(Ctl Panel shows HP printer as being the default printer.)
========================================
Regarding the Bagle worm:
The first 6 entries in the Eset log are from Spybot. The program found and quarantined (the 'zip' designation) the file that has the Bagle worm:
Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip, and goes through to #6 as in WinBankerfgv5.zip. Those entries can be removed from the Spybot quarantine folder.
=============================================
Active Entries were:
Win32/RegistryBooster was found on Drive C, which you then backed up and infected Drive G doing a full backup.

eBay.url Win32/Adware.ADON was backed up to Titan Backups\Full Backup
Win32/RegistryBooster was backed up again to Drive G.
=================================================
Now let me help you clean this up> stop the backups for now. If Drive G is for the USB, we will need to disinfect that also.

Please open Spybot Search & Destroy. Find the Quarantine folder and delete its contents.

Run the Eset scan again, taking care to make sure the box for Removal is not checked.
===========================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Recovery Console image (RcAuto1.gif): WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (image whatnext.png):
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=========================================
You have too many security-related programs. I will make suggestions for you to remove some of them.
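The reading of the Eset log given above (the `# remove_checked` setting, the Spybot quarantine entries, and the finds that were live or had been copied to the backup drive) is mechanical enough to script. The following is an added example, not part of this thread and not an ESET tool; the quarantine path fragments it looks for are assumptions, and the sample log is constructed from the format seen above with the user name replaced and paths shortened.

```python
"""Triage an ESET Online Scanner log.txt (added example for the thread above;
not part of the thread and not an ESET tool). QUARANTINE_MARKERS are assumed
quarantine stores of other tools, not a list ESET publishes."""
import re
from dataclasses import dataclass, field

# One detection line: <path> <threat> (<action>) <32 hex chars> <flag>. Paths
# contain spaces, so the split is anchored on the 'Platform/Name' threat token.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:(?:probably )?a variant of )?[A-Za-z0-9_]+/\S+(?: [a-z]+)*) "
    r"\((?P<action>[^)]+)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)
QUARANTINE_MARKERS = ("\\spybot - search & destroy\\recovery\\", "\\quarantine\\")


@dataclass
class Detection:
    path: str
    threat: str
    action: str

    @property
    def location(self) -> str:
        """Another tool's quarantine store, a backup copy, or a live location."""
        low = self.path.lower()
        if any(marker in low for marker in QUARANTINE_MARKERS):
            return "quarantine"
        return "backup" if "backup" in low else "live"


@dataclass
class ScanRun:
    settings: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    @property
    def removed_before_review(self) -> bool:
        """True when 'Remove found threats' was ticked, so nothing was left to review."""
        return self.settings.get("remove_checked") == "true"

    def by_location(self) -> dict:
        counts = {"quarantine": 0, "backup": 0, "live": 0}
        for det in self.detections:
            counts[det.location] += 1
        return counts


def parse_log(text: str) -> list:
    """Split the file into runs; every '# version=' header starts a new one."""
    runs, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("# version="):
            current = ScanRun()
            runs.append(current)
        if current is None or not line:
            continue  # downloader chatter ('all ok') before the first header
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            current.settings[key] = value
        elif (m := DETECTION_RE.match(line)):
            current.detections.append(Detection(m["path"], m["threat"], m["action"]))
    return runs


def triage(text: str) -> list:
    """One summary string per run, in the order ESET appended them."""
    report = []
    for i, run in enumerate(parse_log(text), 1):
        verdict = ("deleted findings before review" if run.removed_before_review
                   else "report-only run")
        if run.settings.get("end") != "finished":
            verdict += " (scan did not finish)"
        counts = run.by_location()
        report.append(f"run {i}: {verdict}; found={run.settings.get('found', '?')} "
                      f"quarantine={counts['quarantine']} backup={counts['backup']} "
                      f"live={counts['live']}")
    return report


# Constructed sample in the format ESET writes (user name replaced, paths shortened).
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=true
# found=3
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\user\My Documents\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Full Backup 2-21-10\C\Documents and Settings\All Users\Start Menu\Programs\eBay.url Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# end=finished
# remove_checked=false
# found=0
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Run against a real log.txt, the first line flags any run that deleted before anyone could review, and the per-location counts separate items another tool already held from the ones that were actually live.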
 
It looks like the ESET program ran with the wrong settings again. (log file below)
The other thing I noticed was one of the programs mentioning that I did not have the MS Recovery Console. I have had a Recovery Console since early '10. At that time I picked up a Firefox redirect bug and T/S facilitator Broni helped me recover. I assume the Recovery Console was installed at that time. The 2 second option to activate it has come up for every boot since that time although I've never used it.
(I did choose to have it installed again today and it loaded successfully.)

Could both the ESET execution irregularity and the program failure to recognize that I had the MS Recovery Console installed be related to the fact that I run Firefox and not IE?

#### Start ESET log ####

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=171f7844f36ef049a8977b1c9538af0c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-31 09:46:39
# local_time=2010-12-31 02:46:39 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 21561198 21561198 0 0
# compatibility_mode=5891 16776869 100 100 0 23277355 0 0
# compatibility_mode=7937 16777213 100 100 253018 40130018 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 13517909 16365655 0 0
# scanned=384343
# found=10
# cleaned=10
# scan_time=15624
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Documents & Settings datasets\Most iles from Doc. & Settings - **** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\All Users\Start Menu\Programs\eBay.url Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=171f7844f36ef049a8977b1c9538af0c
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-31 02:53:55
# local_time=2010-12-31 07:53:55 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 21595243 21595243 0 0
# compatibility_mode=5891 16776533 100 100 0 23311400 0 0
# compatibility_mode=7937 16777213 100 100 287063 40164063 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 13551954 16399700 0 0
# scanned=678
# found=0
# cleaned=0
# scan_time=16
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=171f7844f36ef049a8977b1c9538af0c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-01 08:39:22
# local_time=2011-01-01 01:39:22 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 21622623 21622623 0 0
# compatibility_mode=5891 16776869 100 100 0 23338780 0 0
# compatibility_mode=7937 16777213 100 100 314443 40191443 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 13579334 16427080 0 0
# scanned=384543
# found=0
# cleaned=0
# scan_time=36564

#### End ESET log ####

#### Begin Combofix log ####

ComboFix 11-01-01.01 - **** Kutz 01/01/2011 18:23:19.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.874 [GMT -7:00]
Running from: c:\documents and settings\**** Kutz\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\page
c:\documents and settings\All Users\Application Data\page\page.ico
c:\documents and settings\All Users\Application Data\page\page.URL
c:\documents and settings\All Users\Microsoft
c:\documents and settings\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat
c:\documents and settings\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\sqlite3.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-02 to 2011-01-02 )))))))))))))))))))))))))))))))
.

2011-01-01 15:16 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{34E81A30-9AD9-40E3-8309-2D789591799E}\mpengine.dll
2010-12-31 05:11 . 2010-12-31 05:11 -------- d-----w- c:\program files\ESET
2010-12-31 04:11 . 2010-12-31 04:11 -------- d-----w- c:\program files\Hewlett-Packard
2010-12-30 04:52 . 2011-01-02 00:44 7232 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-12-29 18:50 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-12-29 05:17 . 2010-12-29 05:17 -------- d-----w- c:\windows\system32\jv16PTPortableBackup
2010-12-24 05:19 . 2010-12-24 05:20 -------- d-----w- c:\program files\Paint.NET
2010-12-24 05:19 . 2010-12-24 05:30 -------- d-----w- c:\documents and settings\**** Kutz\Local Settings\Application Data\Paint.NET
2010-12-23 07:58 . 2010-12-23 07:57 75208 ----a-w- c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
2010-12-23 07:54 . 2010-12-23 07:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-12-23 07:48 . 2010-12-23 07:48 -------- d-----w- C:\My Music
2010-12-23 07:48 . 2010-12-23 07:48 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2010-12-23 07:47 . 2010-12-23 07:47 -------- d-----w- c:\program files\Common Files\xing shared
2010-12-23 07:47 . 2010-12-23 07:47 151776 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2010-12-23 07:46 . 2010-12-23 07:46 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-23 06:37 . 2010-12-23 06:37 -------- d-----w- c:\documents and settings\**** Kutz\Local Settings\Application Data\Secunia PSI
2010-12-23 06:36 . 2010-12-23 06:36 -------- d-----w- c:\program files\Secunia
2010-12-13 16:54 . 2010-11-02 03:50 181704 ----a-w- c:\windows\system32\drivers\PCGenFAM.sys
2010-12-13 16:54 . 2010-12-13 16:54 -------- d-----w- c:\program files\Soluto
2010-12-13 16:53 . 2010-12-13 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Soluto
2010-12-11 22:03 . 2010-12-11 22:03 -------- d-----w- c:\documents and settings\**** Kutz\Application Data\LEGO Company
2010-12-11 22:02 . 2010-12-11 22:02 -------- d-----w- c:\program files\LEGO Company
2010-12-11 22:02 . 2010-12-11 22:02 -------- d-----w- c:\program files\Unity
2010-12-10 17:12 . 2010-12-10 17:13 -------- d-----w- c:\program files\Glary Utilities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-23 07:46 . 2004-12-30 18:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-12-23 07:46 . 2003-03-19 02:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-12-21 01:09 . 2010-03-16 01:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2010-03-16 01:12 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 21:27 . 2010-06-13 07:16 15880 -c--a-w- c:\windows\system32\lsdelete.exe
2010-11-30 00:38 . 2010-11-30 00:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38 . 2010-11-30 00:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2009-09-09 20:48 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-17 06:41 . 2010-11-17 06:41 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-10 04:33 . 2009-10-22 14:53 6273872 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-05 16:27 . 2010-02-16 17:14 98392 -c--a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 21:25 . 2010-10-28 21:25 398744 -c--a-r- c:\windows\system32\cpnprt2.cid
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2009-10-21 00:03 222080 -c----w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DS Clock"="c:\program files\DS Clock\DSClock.exe" [2008-06-21 577606]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2009-09-11 1591808]
"Google Update"="c:\documents and settings\**** Kutz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-04 133104]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-12 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-16 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"nwiz"="nwiz.exe" [2008-09-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\**** Kutz\Start Menu\Programs\Startup\
Firefox.exe.lnk - c:\program files\Mozilla Firefox\firefox.exe [2010-11-2 912344]
Startup Defender.lnk - c:\program files\Zards software\Startup Defender\Startup Defender.exe [2009-1-25 1045504]

c:\documents and settings\**** Kutz\Start Menu\Programs\Startup\Disabled
Calendar 2000.lnk - e:\my data\Utilities,program installs\Software by Design\Calendar.exe [2009-1-26 274432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2010-12-21 291896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\Disabled
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-11 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^**** Kutz^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 09:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro_Downloader.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash-bin.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Soluto\\Soluto.exe"=
"c:\\Program Files\\Soluto\\SolutoService.exe"=
"c:\\Program Files\\Soluto\\SolutoConsole.exe"=
"c:\\Program Files\\Soluto\\SolutoUpdateService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/28/2010 1:35 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 67656]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9/11/2009 7:12 PM 142592]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [7/9/2010 11:40 AM 65856]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [12/21/2010 5:04 AM 987704]
R2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [11/1/2010 8:59 PM 331296]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [10/1/2009 10:57 PM 213776]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [11/27/2010 12:08 PM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [11/27/2010 12:08 PM 149008]
R3 KeyScramblerDrv;KeyScramblerDrv;c:\windows\system32\drivers\keyscrambler.sys [4/12/2010 4:30 PM 115312]
R3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [9/19/2009 11:55 AM 16640]
S0 PCGenFAM;PCGenFAM;c:\windows\system32\drivers\PCGenFAM.sys [12/13/2010 9:54 AM 181704]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [12/21/2010 5:04 AM 399416]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [9/7/2010 11:51 PM 406016]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [9/14/2009 8:46 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [9/14/2009 8:46 PM 3072]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/12/2009 12:21 PM 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 10:28 AM 1389400]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/13/2010 9:02 AM 15264]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [7/19/2010 1:59 PM 259440]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 1:22 PM 34064]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
HPService REG_MULTI_SZ HPSLPSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2011-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-11-16 22:54]

2011-01-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 21:26]

2010-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-10 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-12-10 17:47]

2011-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 19:20]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 19:20]

2011-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-573735546-839522115-1003Core.job
- c:\documents and settings\**** Kutz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-04 14:48]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-573735546-839522115-1003UA.job
- c:\documents and settings\**** Kutz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-04 14:48]

2011-01-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-573735546-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 18:33]

2011-01-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-573735546-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 18:33]

2011-01-02 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 22:50]

2010-12-20 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-08-24 00:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {C800F8A8-08F8-472D-ADF8-4B12E2F782BA} = 208.67.222.222,208.67.220.220
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\**** Kutz\Application Data\Mozilla\Firefox\Profiles\1s9mnumo.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - %profile%\extensions\artur.dubovoy@gmail.com
FF - Ext: Get Mail Plus: getmail@webdesigns.ms11.net - %profile%\extensions\getmail@webdesigns.ms11.net
FF - Ext: App Tabs: apptabs@frankyan.com - %profile%\extensions\apptabs@frankyan.com
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - %profile%\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
FF - Ext: Consumer Input: ConsumerInput@Compete - %profile%\extensions\ConsumerInput@Compete
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-01 18:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-20\Software\AppDataLow\ISWVolatile]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-329068152-573735546-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2011-01-01 18:32:00
ComboFix-quarantined-files.txt 2011-01-02 01:31
ComboFix2.txt 2010-04-20 01:58

Pre-Run: 51,522,732,032 bytes free
Post-Run: 51,652,038,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 4B7C90A69BECD70EF039808996CB1D5D
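The service and driver block of the ComboFix log above (the lines starting R0, R1, S3 and so on) is what a responder reads first: the letter gives the running state, the digit the Windows start type, and an entry written as `path --> path [?]` is one whose image file is no longer on disk, like the SynasUSB driver. Below is an added Python triage script written for this thread; it is not ComboFix's own code. Its sample lines are constructed to match the shapes in the log, and the `Updater` line is an invented, non-existent entry included only so the "image outside Windows/Program Files" check has something to flag.

```python
"""Triage the service/driver lines of a ComboFix log.

Added example for this thread, not ComboFix's code. It parses lines of the
form 'R0 Name;Display;image [m/d/yyyy h:mm AM size]' and the variant
'S3 Name;Display;image --> image [?]' that ComboFix writes when the file
is missing, and attaches the checks a responder applies to each entry.
"""
import re

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PRESENT_RE = re.compile(
    r"^(?P<image>.+?) \[(?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2} [AP]M) (?P<size>\d+)\]$")
MISSING_RE = re.compile(r"^(?P<image>.+?) --> (?P<target>.+?) \[\?\]$")

# Conventional reading of the prefix: R = running, S = stopped;
# the digit is the service's Start value in the registry.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Constructed sample shaped like the log above. The 'Updater' entry is
# invented (no such service exists on the poster's machine).
SAMPLE_LINES = [
    "R0 Lbd;Lbd;c:\\windows\\system32\\drivers\\Lbd.sys [5/28/2010 1:35 PM 64288]",
    "R1 SASDIFSV;SASDIFSV;c:\\program files\\SUPERAntiSpyware\\sasdifsv.sys [2/17/2010 10:25 AM 12872]",
    "R2 Secunia PSI Agent;Secunia PSI Agent;c:\\program files\\Secunia\\PSI\\psia.exe [12/21/2010 5:04 AM 987704]",
    "S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\\windows\\System32\\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]",
    "S3 SynasUSB;SynasUSB;c:\\windows\\system32\\drivers\\SynasUSB.sys --> c:\\windows\\system32\\drivers\\SynasUSB.sys [?]",
    "S3 epmntdrv;epmntdrv;c:\\windows\\system32\\epmntdrv.sys [9/14/2009 8:46 PM 8704]",
    "S2 Updater;Updater;c:\\documents and settings\\user\\local settings\\temp\\upd.exe [1/2/2011 9:00 AM 4096]",
]


def parse_service_line(line):
    """Return a dict for one ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    entry = {
        "name": m.group("name"),
        "display": m.group("display"),
        "running": m.group("state") == "R",
        "start": START_TYPES[m.group("start")],
        "image": None, "size": None, "missing": False, "svchost_group": None,
    }
    rest = m.group("rest")
    miss = MISSING_RE.match(rest)
    if miss:
        entry["image"] = miss.group("image")
        entry["missing"] = True          # registry entry survives, file does not
    else:
        pres = PRESENT_RE.match(rest)
        if not pres:
            return None
        entry["image"] = pres.group("image")
        entry["size"] = int(pres.group("size"))
    host = re.search(r"svchost\.exe -k (\S+)$", entry["image"], re.IGNORECASE)
    if host:
        entry["svchost_group"] = host.group(1)   # real code lives in a DLL, not here
    return entry


def flags_for(entry):
    """Responder checks; the path check is a heuristic, not a verdict."""
    flags = []
    if entry["missing"]:
        flags.append("image file missing")
    if entry["start"] in ("boot", "system"):
        flags.append("kernel-level start")
    if entry["svchost_group"]:
        flags.append("hosted in svchost group " + entry["svchost_group"])
    if not entry["image"].lower().startswith(("c:\\windows\\", "c:\\program files\\")):
        flags.append("image outside Windows/Program Files")
    return flags


def triage(lines):
    """Parse every service line and attach its flags; skip lines that are not services."""
    report = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is not None:
            entry["flags"] = flags_for(entry)
            report.append(entry)
    return report


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        state = "running" if e["running"] else "stopped"
        print(f"{e['name']:<20} {state:<8} {e['start']:<8} {e['image']}  {e['flags']}")
```

Entries with no flags still deserve a look if their name or display string is unfamiliar; the script only surfaces the mechanical signals (missing file, kernel-level start, svchost hosting, unusual location) that a human then weighs.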
 
I'd like to make a recommendation for you: remove most, if not all, of the 'system optimizer' programs. You will find that most use more resources than the overall benefit you get from them:
Advanced SystemCare 3>> Program not good, download site not recommended.
Glary Utilities>> System optimizer & Registry cleaner
FreeRAM XP Pro
MyConnection PC Lite Edition
TuneUp Utilities 2009


This program and other similar programs of the same type will bring adware. I suggest removal:
Coupon Printer for Windows

You have way too much security. I advise thinning it down to one antivirus, one firewall, and two antimalware programs:
Ad-Aware
AVG Anti-Rootkit Free
KeyScrambler Drv>> Protect against keyloggers
Microsoft Antimalware
Microsoft Security Essentials
Panda Cloud Antivirus
Secunia PSI (2.0.0.1003)
Sophos Windows Shortcut Exploit Protection Tool
Spybot - Search & Destroy
Spyware Terminator
SUPERAntiSpyware Free Edition
WinPatrol 2009
Windows Defender
ZoneAlarm


Stop all the auto-updates. These can be a vulnerability as well as use resources to access the internet numerous times each day:
Real Player
Java
Google
OpenDNS
HP Update
and any others


Remove the Askbar for the scheduled update:
2011-01-02 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 22:50]


I don't know of anyone who downloads and installs the Ask.com toolbars, media players, et al. It is called foistware because it installs without the permission or knowledge of the user.

You're carrying all of the above around when you surf and yet here you are, with malware! Take control of your system! You don't need to get programs to clean it, optimize it and run it>> you do that! Put a reasonable amount of security programs on the system.

Keep in mind: You, the user, are the first line of security. It only takes one click on the wrong thing or accessing an unsafe site!
=================================================
I'd like you to run a different online virus scan just to be sure all is removed:
Run Kaspersky Online Scanner
The scan is done with Internet Explorer (v6 or above), Firefox (version 2, 3 and older) and Opera (version 9 or above).
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Include log in next reply.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
 
Ran into a problem after attempting to run the Kaspersky scan (on IE 8).

MS-Essentials – off
Ad-Watch in Ad-Aware - off (permanently)

*** Cut from the Kaspersky display after starting the scan ***

Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.

*** End Kaspersky text

*** From Java console after above message ***

Java Plug-in 1.6.0_23
Using JRE version 1.6.0_23-b05 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\**** Kutz
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------


=> ReportApplet.ReportApplet <=
=> MainApplet.MainApplet !!!!!<=
=> ReportApplet.start <=
=> MainApplet.init <=
=> ReportApplet.init <=
=> MainApplet.start <=
Exception in thread "thread applet-com.kaspersky.kosp.MainApplet.class-2" java.lang.ExceptionInInitializerError
at com.kaspersky.kosp.MainApplet.start(MainApplet.java:94)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission user.name read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at com.kaspersky.kosp.common.Common.<clinit>(Common.java:35)
... 3 more
=> ReportApplet.stop <=
=> ReportApplet.destroy <=
=> MainApplet.MainApplet !!!!!<=
=> MainApplet.init <=
=> ReportApplet.ReportApplet <=
=> MainApplet.start <=
Exception in thread "thread applet-com.kaspersky.kosp.MainApplet.class-5" java.lang.NoClassDefFoundError: Could not initialize class com.kaspersky.kosp.common.Common
at com.kaspersky.kosp.MainApplet.start(MainApplet.java:94)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
=> ReportApplet.start <=
=> ReportApplet.init <=
 
Strange error! But it appears there may have been an interruption at a critical point:
Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.

Please go ahead and get the v6u23 Java update. Reboot the computer when finished.

Try the Kaspersky scan again. The scan is done with Internet Explorer (v6 or above), Firefox (version 2, 3 and older) and Opera (version 9 or above).
(Note: I modified the Kaspersky directions in my post to show it can be run in any of three browsers.)

If that problem persists, run the Eset scan again without checking for removals.
 
I had installed the 6.23 Java update just prior to the IE/Kaspersky run.

In making the Firefox/Kaspersky run, I thought we were home free.
Their database downloaded, but then the run erred out again.
This is a screen shot of the error.

[screenshot: Kaspersky msg.jpg]


After that, I re-ran ESET which appears to be a clean run. The cumulative log file is pasted below.

Are we finished at this point?
If so, I'd like to thank you for your help.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=171f7844f36ef049a8977b1c9538af0c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-31 09:46:39
# local_time=2010-12-31 02:46:39 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 21561198 21561198 0 0
# compatibility_mode=5891 16776869 100 100 0 23277355 0 0
# compatibility_mode=7937 16777213 100 100 253018 40130018 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 13517909 16365655 0 0
# scanned=384343
# found=10
# cleaned=10
# scan_time=15624
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Documents & Settings datasets\Most iles from Doc. & Settings - **** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\All Users\Start Menu\Programs\eBay.url Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=171f7844f36ef049a8977b1c9538af0c
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-31 02:53:55
# local_time=2010-12-31 07:53:55 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 21595243 21595243 0 0
# compatibility_mode=5891 16776533 100 100 0 23311400 0 0
# compatibility_mode=7937 16777213 100 100 287063 40164063 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 13551954 16399700 0 0
# scanned=678
# found=0
# cleaned=0
# scan_time=16
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=171f7844f36ef049a8977b1c9538af0c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-01 08:39:22
# local_time=2011-01-01 01:39:22 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 21622623 21622623 0 0
# compatibility_mode=5891 16776869 100 100 0 23338780 0 0
# compatibility_mode=7937 16777213 100 100 314443 40191443 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 13579334 16427080 0 0
# scanned=384543
# found=0
# cleaned=0
# scan_time=36564
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=171f7844f36ef049a8977b1c9538af0c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-05 01:57:10
# local_time=2011-01-05 06:57:10 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 21998836 21998836 0 0
# compatibility_mode=5891 16776869 100 100 0 23714993 0 0
# compatibility_mode=7937 16777213 100 100 690656 40567656 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 13955547 16803293 0 0
# scanned=385726
# found=0
# cleaned=0
# scan_time=25022
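The cumulative ESET export pasted above is several sessions run together, and the `# found=` count, the `remove_checked` setting and the per-file lines each tell a different part of the story (the Bagle hits, for instance, were files inside Spybot's own Recovery folder and an old backup, not live copies). Below is an added Python parser written for this thread; it is not ESET's code. It splits the export into sessions, checks the listed detections against the reported `found` count, and groups them by family, by action taken, and by whether the file was a live copy, another tool's quarantine, or a backup. The sample text is constructed to resemble the posted log, and the location classification is a heuristic keyed to this log's paths.

```python
"""Summarise a cumulative ESET Online Scanner export.

Added example written for this thread; it is not ESET's code. The format
(one '# key=value' header block per scan session followed by one
detection line per object) follows the log posted above.
"""
import re
from collections import Counter

# Detection line: <path> <threat> (<action>) <32 hex digits> <trailer>
# The path is the shortest prefix after which a threat family such as
# 'Win32/...' begins; Windows paths never contain '/', which keeps the
# split unambiguous even though both path and threat contain spaces.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?: \S+)*) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<trailer>\S+)$"
)

# Constructed sample in the shape of the posted log (two sessions).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=true
# archives_checked=false
# utc_time=2010-12-31 09:46:39
# scanned=384343
# found=3
# cleaned=3
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\My Documents\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
G:\BACKUPS\Full Backup 2-21-10\C\Documents and Settings\All Users\Start Menu\Programs\eBay.url Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# utc_time=2011-01-05 01:57:10
# scanned=385726
# found=0
# cleaned=0
"""


def parse_eset_log(text):
    """Split the export into sessions: header settings, parsed detections,
    and any line that matched neither shape (kept so nothing is lost)."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("ESETSmartInstaller", "all ok")):
            continue                              # downloader chatter, no scan data
        if line.startswith("# version="):
            current = {"settings": {}, "detections": [], "unparsed": []}
            sessions.append(current)
        if current is None:
            continue                              # text before the first header
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            current["settings"][key] = value      # repeated keys keep the last value
            continue
        m = DETECTION_RE.match(line)
        if m:
            current["detections"].append(m.groupdict())
        else:
            current["unparsed"].append(line)
    return sessions


def family_of(threat):
    """'a variant of Win32/RegistryBooster application' -> 'Win32/RegistryBooster'."""
    m = re.search(r"[A-Za-z0-9]+/\S+", threat)
    return m.group(0) if m else threat


def location_class(path):
    """Heuristic keyed to this log's paths: a hit inside another tool's
    Recovery folder or a BACKUPS tree is an archived copy, not a file
    that could have run from where it sits."""
    upper = path.upper()
    if "\\RECOVERY\\" in upper:
        return "tool quarantine"
    if "\\BACKUPS\\" in upper:
        return "backup copy"
    return "live"


def summarize(session):
    s, dets = session["settings"], session["detections"]
    found = int(s.get("found", "0"))
    return {
        "when_utc": s.get("utc_time"),
        "status": s.get("end"),
        "removal_enabled": s.get("remove_checked") == "true",
        "archives_scanned": s.get("archives_checked") == "true",
        "reported_found": found,
        "listed": len(dets),
        # The header count should equal the number of per-file lines; a
        # mismatch or an unparsed line means a truncated export or a line
        # shape the parser does not know.
        "consistent": found == len(dets) and not session["unparsed"],
        "families": dict(Counter(family_of(d["threat"]) for d in dets)),
        "actions": dict(Counter(d["action"] for d in dets)),
        "locations": dict(Counter(location_class(d["path"]) for d in dets)),
    }


if __name__ == "__main__":
    for i, session in enumerate(parse_eset_log(SAMPLE_LOG), 1):
        print("session", i, summarize(session))
```

Reading the second session's `removal_enabled: False` alongside `found: 0` is the useful check here: a clean result from a run that was not allowed to remove anything is a genuine clean result, whereas a clean run that followed a removal run only says the earlier deletions held.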
 
Others are getting the same 'license' message for Kaspersky. Every once in a while, either Eset or Kaspersky gets temperamental and we have to switch to the other!

Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    :Files  
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip 
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip 
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip 
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip 
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip 
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip 
    C:\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe 
    G:\BACKUPS\Documents & Settings datasets\Most iles from Doc. & Settings - **** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe 
    G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\All Users\Start Menu\Programs\eBay.url 
    G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================================================
Empty the Spybot quarantine folder. Then you will be clean.
===============================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
Regarding the:
================================================
*Empty the Spybot quarantine folder. Then you will be clean.*
===============================================
instruction: 'Program Files/Spybot' did not have a Quarantine folder, and I could find neither a quarantine folder nor a file relating to Spybot on my system.

*** OTC log start ***
All processes killed
========== PROCESSES ==========
========== FILES ==========
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip not found.
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip not found.
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip not found.
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip not found.
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip not found.
File/Folder C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip not found.
File/Folder C:\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe not found.
File/Folder G:\BACKUPS\Documents & Settings datasets\Most iles from Doc. & Settings - **** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe not found.
File/Folder G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\All Users\Start Menu\Programs\eBay.url not found.
File/Folder G:\BACKUPS\Titan Backups\Full Backup 2-21-10\C\Documents and Settings\**** Kutz\My Documents\Downloads\Earlier downloads\registrybooster.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: **** Kutz
->Temp folder emptied: 134233506 bytes
->Temporary Internet Files folder emptied: 680744 bytes
->Java cache emptied: 130116 bytes
->FireFox cache emptied: 101296665 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 4884 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 31790 bytes
->Temporary Internet Files folder emptied: 575588 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 7232 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 80049 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 201128376 bytes

Total Files Cleaned = 418.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 01052011_124833

Files moved on Reboot...
C:\Documents and Settings\**** Kutz\Local Settings\Temp\~DF122E.tmp moved successfully.
File C:\WINDOWS\temp\ZLT00542.TMP not found!

Registry entries deleted on Reboot...

*** OTC log end ***

*** Combofix log start ***
ComboFix 11-01-05.01 - **** Kutz 01/05/2011 13:12:14.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1176 [GMT -7:00]
Running from: c:\docume~1\DICKKU~1\Desktop\TechSpot\ComboFix.exe
Command switches used :: .Uninstall
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\**** Kutz\x.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2011-01-05 19:55 . 2011-01-05 19:55 7232 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-01-05 19:48 . 2011-01-05 19:48 -------- d-----w- C:\_OTM
2011-01-05 15:29 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C0166673-511E-4FD4-8282-706FD7543F84}\mpengine.dll
2011-01-03 19:50 . 2010-02-11 15:03 114952 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2011-01-03 19:50 . 2011-01-03 19:50 -------- d-----w- c:\program files\KeyScrambler
2010-12-31 05:11 . 2010-12-31 05:11 -------- d-----w- c:\program files\ESET
2010-12-31 04:11 . 2010-12-31 04:11 -------- d-----w- c:\program files\Hewlett-Packard
2010-12-29 05:17 . 2010-12-29 05:17 -------- d-----w- c:\windows\system32\jv16PTPortableBackup
2010-12-24 05:19 . 2010-12-24 05:20 -------- d-----w- c:\program files\Paint.NET
2010-12-24 05:19 . 2010-12-24 05:30 -------- d-----w- c:\documents and settings\**** Kutz\Local Settings\Application Data\Paint.NET
2010-12-23 07:58 . 2010-12-23 07:57 75208 ----a-w- c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
2010-12-23 07:54 . 2010-12-23 07:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-12-23 07:48 . 2010-12-23 07:48 -------- d-----w- C:\My Music
2010-12-23 07:48 . 2010-12-23 07:48 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2010-12-23 07:47 . 2010-12-23 07:47 -------- d-----w- c:\program files\Common Files\xing shared
2010-12-23 07:47 . 2010-12-23 07:47 151776 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2010-12-23 07:46 . 2010-12-23 07:46 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-23 06:37 . 2010-12-23 06:37 -------- d-----w- c:\documents and settings\**** Kutz\Local Settings\Application Data\Secunia PSI
2010-12-23 06:36 . 2010-12-23 06:36 -------- d-----w- c:\program files\Secunia
2010-12-13 16:54 . 2010-11-02 03:50 181704 ----a-w- c:\windows\system32\drivers\PCGenFAM.sys
2010-12-13 16:54 . 2010-12-13 16:54 -------- d-----w- c:\program files\Soluto
2010-12-13 16:53 . 2010-12-13 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Soluto
2010-12-11 22:03 . 2010-12-11 22:03 -------- d-----w- c:\documents and settings\**** Kutz\Application Data\LEGO Company
2010-12-11 22:02 . 2010-12-11 22:02 -------- d-----w- c:\program files\LEGO Company
2010-12-11 22:02 . 2010-12-11 22:02 -------- d-----w- c:\program files\Unity
2010-12-10 17:12 . 2010-12-10 17:13 -------- d-----w- c:\program files\Glary Utilities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-23 07:46 . 2004-12-30 18:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-12-23 07:46 . 2003-03-19 02:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-12-21 01:09 . 2010-03-16 01:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2010-03-16 01:12 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 21:27 . 2010-06-13 07:16 15880 -c--a-w- c:\windows\system32\lsdelete.exe
2010-11-30 00:38 . 2010-11-30 00:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38 . 2010-11-30 00:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2009-09-09 20:48 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-17 06:41 . 2010-11-17 06:41 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-13 01:53 . 2010-04-15 19:55 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2010-11-12 23:34 . 2010-04-15 19:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-10 04:33 . 2009-10-22 14:53 6273872 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-05 16:27 . 2010-02-16 17:14 98392 -c--a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2009-10-21 00:03 222080 -c----w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((( SnapShot@2011-01-02_01.28.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-05 19:50 . 2011-01-05 19:50 16384 c:\windows\Temp\Perflib_Perfdata_660.dat
+ 2011-01-03 08:17 . 2010-11-13 01:53 157472 c:\windows\system32\javaws.exe
+ 2011-01-03 08:17 . 2010-11-13 01:53 145184 c:\windows\system32\javaw.exe
- 2010-11-03 01:32 . 2010-09-15 10:50 145184 c:\windows\system32\javaw.exe
+ 2011-01-03 08:17 . 2010-11-13 01:53 145184 c:\windows\system32\java.exe
- 2010-11-03 01:32 . 2010-09-15 10:50 145184 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DS Clock"="c:\program files\DS Clock\DSClock.exe" [2008-06-21 577606]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2009-09-11 1591808]
"Google Update"="c:\documents and settings\**** Kutz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-04 133104]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-12 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-16 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"nwiz"="nwiz.exe" [2008-09-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\**** Kutz\Start Menu\Programs\Startup\
Firefox.exe.lnk - c:\program files\Mozilla Firefox\firefox.exe [2010-11-2 912344]
Startup Defender.lnk - c:\program files\Zards software\Startup Defender\Startup Defender.exe [2009-1-25 1045504]

c:\documents and settings\**** Kutz\Start Menu\Programs\Startup\Disabled
Calendar 2000.lnk - e:\my data\Utilities,program installs\Software by Design\Calendar.exe [2009-1-26 274432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2010-12-21 291896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\Disabled
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-11 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^**** Kutz^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 09:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro_Downloader.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash-bin.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Soluto\\Soluto.exe"=
"c:\\Program Files\\Soluto\\SolutoService.exe"=
"c:\\Program Files\\Soluto\\SolutoConsole.exe"=
"c:\\Program Files\\Soluto\\SolutoUpdateService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/28/2010 1:35 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 67656]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9/11/2009 7:12 PM 142592]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [7/9/2010 11:40 AM 65856]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [12/21/2010 5:04 AM 987704]
R2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [11/1/2010 8:59 PM 331296]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [10/1/2009 10:57 PM 213776]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [11/27/2010 12:08 PM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [11/27/2010 12:08 PM 149008]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [1/3/2011 12:50 PM 114952]
R3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [9/19/2009 11:55 AM 16640]
S0 PCGenFAM;PCGenFAM;c:\windows\system32\drivers\PCGenFAM.sys [12/13/2010 9:54 AM 181704]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [12/21/2010 5:04 AM 399416]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [9/7/2010 11:51 PM 406016]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [9/14/2009 8:46 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [9/14/2009 8:46 PM 3072]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/12/2009 12:21 PM 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 10:28 AM 1389400]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/13/2010 9:02 AM 15264]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [7/19/2010 1:59 PM 259440]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 1:22 PM 34064]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 21:26]

2011-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2011-01-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-12-10 17:47]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 19:20]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 19:20]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-573735546-839522115-1003Core.job
- c:\documents and settings\**** Kutz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-04 14:48]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-573735546-839522115-1003UA.job
- c:\documents and settings\**** Kutz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-04 14:48]

2011-01-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-573735546-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 18:33]

2011-01-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-573735546-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 18:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {C800F8A8-08F8-472D-ADF8-4B12E2F782BA} = 208.67.222.222,208.67.220.220
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\**** Kutz\Application Data\Mozilla\Firefox\Profiles\1s9mnumo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pandora.com/#/stations/create/|https://www.techspot.com/vb/topic158919.html#post986691|http://workflowy.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - %profile%\extensions\artur.dubovoy@gmail.com
FF - Ext: Get Mail Plus: getmail@webdesigns.ms11.net - %profile%\extensions\getmail@webdesigns.ms11.net
FF - Ext: App Tabs: apptabs@frankyan.com - %profile%\extensions\apptabs@frankyan.com
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - %profile%\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
FF - Ext: Consumer Input: ConsumerInput@Compete - %profile%\extensions\ConsumerInput@Compete
FF - Ext: KeyScrambler: keyscrambler@qfx.software.corporation - %profile%\extensions\keyscrambler@qfx.software.corporation
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 13:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-20\Software\AppDataLow\ISWVolatile]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-329068152-573735546-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1168)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2011-01-05 13:20:37
ComboFix-quarantined-files.txt 2011-01-05 20:20
ComboFix2.txt 2011-01-02 01:32
ComboFix3.txt 2010-04-20 01:58

Pre-Run: 51,823,017,984 bytes free
Post-Run: 51,805,577,216 bytes free

- - End Of File - - 35389361F3C78FF916101DCD1D143DD9

*** Combofix log end ***
 
*Empty the Spybot quarantine folder. Then you will be clean.*
===============================================
instruction, 'Program Files/Spybot' did not have a Quarantine folder and I could find neither a quarantine folder nor a file relating to Spybot on my system.

This is a hidden file:
Using Windows Explorer: Windows key + E> Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.

My Computer > Local Drive > Documents and Settings > All Users > Application Data > Spybot - Search & Destroy > Delete all these entries:

Recovery\WinBankerfgv3.zip Win32/Bagle.gen.zip

Reset Hidden/System Files & Folders
Exit Windows Explorer.
========================================
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I'll give this log a check and then you can follow the Removing all of the tools we used and the files and folders they created in Reply #10.
 
HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:41:10, on 1/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\USB Safely Remove\USBSRService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe
C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DS Clock\DSClock.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Documents and Settings\**** Kutz\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
C:\PROGRAM FILES\MAILALERT\MAILALERT.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\Microsoft Office\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS Clock\DSClock.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\**** Kutz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Disabled
O4 - Startup: Firefox.exe.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: Startup Defender.lnk = C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
O4 - Global Startup: Disabled
O4 - Global Startup: Secunia PSI Tray.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C800F8A8-08F8-472D-ADF8-4B12E2F782BA}: NameServer = 208.67.222.222,208.67.220.220
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Ma-Config Service (maconfservice) - Unknown owner - C:\Program Files\ma-config.com\maconfservice.exe
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: USB Safely Remove Assistant (USBSafelyRemoveService) - Unknown owner - C:\Program Files\USB Safely Remove\USBSRService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZoneAlarmBackup WebManager (ZABackupWebM) - Pro-Softnet - C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe
O23 - Service: ZoneAlarmBackup Service - Pro Softnet Corporation - C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe

--
End of file - 9401 bytes
 
Did you remove the programs we used as instructed? I'm not sure what you did here:
You ran the second Combofix from this: Combofix 2>>1/5 Command switches used :: .Uninstall instead of this: Combofix 1> 1/1/>> Running from: c:\documents and settings\**** Kutz\Desktop\ComboFix.exe

But you can do the uninstall now as instructed. The HJT log is okay- I would have you reopen it to system scan only and check these 2 entries:
O4 - Startup: Disabled
O4 - Global Startup: Disabled

Close all Windows except HJT and click Fix Checked.

Finish any removals of the cleaning tools you still have. The computer is clean.

Let me know if you have any more questions.
 
HJT ran with no problems.

Bobbye, thank you again for your help. You guys do a tremendous job.
Techspot.com is definitely one of the 'net's shining stars.
 
You're very welcome. I appreciate your patience. Stay safe>>>
Tips for added security and safer browsing:
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software(only one):Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
      [o]Replace the Hosts File
      MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar: Get the free Google toolbar to help stop pop up windows.
  3. Stay current on updates:
    [o] Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
    [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Use a Site Advisor: know what you're clicking on before you click!
The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show how the site rates for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.

If you want to link to another site from the page you're on, WOT will give you an Alert that the site is known for fraudulent entries, unreliable or other and the site won't load. Don't worry- those Alerts don't happen if you stick to the green rating.

Give it a try- it does exactly what you want: http://www.mywot.com/en/download
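The HOSTS file tip above works by mapping unwanted hostnames to the local machine; the same file is also a place an infection can tamper with, by mapping update or security-vendor hostnames to an outside address so the PC silently stops reaching them. The script below is an added example, not part of this thread or of the MVPS project: it parses a HOSTS file and separates the intended blackhole entries (addresses that are loopback or 0.0.0.0) from mappings that point a name somewhere else, which a cleanup should review by hand. The sample HOSTS content is constructed for the example; run the script with the path of a real file (on Windows, `C:\Windows\System32\drivers\etc\hosts`) to audit a machine.

```python
"""Audit a HOSTS file: tell deliberate blackhole entries apart from redirections.

Added example for this thread; not code from the thread, from MVPS or from HijackThis.
"""
import ipaddress
import sys

# Constructed sample HOSTS content (not taken from any real machine).
SAMPLE_HOSTS = """\
# Constructed sample HOSTS content for the example
127.0.0.1       localhost
::1             localhost

# Entries in the style of a blocking list such as MVPS: ad/tracker hosts
# are sent to the local machine, so the connection never leaves the PC
0.0.0.0   ads.example-adnetwork.invalid
0.0.0.0   tracker.example-analytics.invalid   # trailing comment is allowed
127.0.0.1 banners.example.invalid

# The pattern to watch for: names mapped to an outside address
203.0.113.7 www.example-antivirus.invalid update.example-antivirus.invalid

# A line a parser must not choke on
not-an-address  something.invalid
"""


def parse_hosts(text):
    """Return (entries, malformed).

    entries:   list of (ip_address object, [lowercased hostnames]) per entry line
    malformed: list of (line number, raw line) whose first field is not an IP
    Comments (from '#' to end of line) and blank lines are skipped.
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()  # any run of spaces or tabs separates fields
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        entries.append((addr, [name.lower() for name in fields[1:]]))
    return entries, malformed


def audit_hosts(text):
    """Classify every hostname mapping in a HOSTS file.

    blocked:    names sent to the local machine (127.0.0.1, ::1 or 0.0.0.0),
                which is what a blocking list does on purpose
    redirected: names mapped to any other address; these deserve a manual look,
                since this is how a hijacked HOSTS file cuts a PC off from
                update or vendor sites
    malformed:  lines the parser could not read
    """
    entries, malformed = parse_hosts(text)
    blocked, redirected = set(), {}
    for addr, names in entries:
        for name in names:
            if name == "localhost":
                continue  # the stock entries every HOSTS file carries
            if addr.is_loopback or addr.is_unspecified:
                blocked.add(name)
            else:
                redirected[name] = str(addr)
    return {"blocked": blocked, "redirected": redirected, "malformed": malformed}


if __name__ == "__main__":
    # With a path argument the real file is audited; without one, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    result = audit_hosts(text)
    print(f"{len(result['blocked'])} hostnames blackholed to the local machine")
    for name, addr in sorted(result["redirected"].items()):
        print(f"REVIEW: {name} -> {addr}")
    for lineno, raw in result["malformed"]:
        print(f"malformed line {lineno}: {raw.strip()}")
```

On the sample the three ad/tracker names are reported as blocked, the two vendor-style names mapped to 203.0.113.7 are flagged for review, and the unreadable line is listed rather than aborting the audit. A large blocked set with an empty review list is what a machine running the MVPS file should look like.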
 