Inactive Trojan infestation, antivirus tools not running

grizzzzzzly

Hi, Help appreciated.
Dell desktop (Windows XP) infected with win32.sefbov.b and other malware. Initially MSE was running, but it is now blocked and its icon has disappeared. Tried to run ComboFix, but Smart Fortress 2012 appears to be blocking it, stating the exe is infected. Tried running ComboFix in safe mode, same problem. I can minimise Smart Fortress but can't close it. Have downloaded a copy of OTLPENet.exe to see if I can get an operating system, but I'm getting in beyond my depth. I have also isolated the machine from the internet. Any help gladly appreciated. Oh, and the data on the system is pretty vital too.
regards
 
OTL Log posted below

Used OTLPE to run OTL (thanks Broni for this).

Ran OTL on the Dell; result below. I have had to split it into two posts, as I got an error message stating there were too many characters for one post, sorry.

OTL log reads

OTL logfile created on: 3/16/2012 7:42:44 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): c:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 16.28 Gb Free Space | 21.86% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (ioloSystemService)
SRV - File not found [Disabled] -- -- (ioloFileInfoList)
SRV - File not found [Auto] -- -- (AMService)
SRV - [2012/02/27 17:24:32 | 000,045,056 | ---- | M] (Intuit) [Auto] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2012/02/27 14:37:34 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2012/02/27 14:36:44 | 000,679,936 | ---- | M] (Intuit, Inc.) [On_Demand] -- C:\Program Files\Intuit\QuickBooks 2010\QBDBMgrN.exe -- (QuickBooksDB22)
SRV - [2011/11/03 14:25:09 | 002,358,656 | ---- | M] (TeamViewer GmbH) [Auto] -- C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe -- (TeamViewer6)
SRV - [2011/10/07 10:17:48 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2011/10/07 10:17:33 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2011/04/27 10:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/01/11 14:04:04 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/12/07 16:18:00 | 003,979,632 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2010/07/16 04:05:56 | 000,028,762 | ---- | M] (MyWebSearch.com) [Auto] -- C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE -- (MyWebSearchService)
SRV - [2009/07/07 09:48:44 | 000,647,216 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/06/06 09:03:22 | 000,435,488 | ---- | M] (Pervasive Software Inc.) [Auto] -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe -- (psqlWGE)
SRV - [2004/03/18 12:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2012/03/16 12:22:25 | 000,098,992 | ---- | M] (Kaspersky Lab, GERT) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\22892082.sys -- (21103785)
DRV - [2011/10/07 10:17:35 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/01/11 14:04:04 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2011/01/11 14:04:04 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/11/26 14:02:52 | 000,014,776 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2010/05/31 11:38:37 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/07/07 09:48:44 | 000,026,672 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2009/07/07 09:48:44 | 000,025,392 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2007/10/08 09:38:48 | 000,174,530 | ---- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)
DRV - [2005/03/31 08:22:16 | 000,180,096 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/01/04 14:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\npptNT2.sys -- (NPPTNT2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=f401415a00000000000000123f883c0b&tlver=1.4.19.19&ss=1&affID=17978


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Charlie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Charlie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\Charlie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\Charlie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C 44 43 2B 63 65 CB 01 [binary data]
IE - HKU\Charlie_ON_C\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
IE - HKU\Charlie_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
IE - HKU\Charlie_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackle.com/
IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E0 DA EA 1A 71 65 CB 01 [binary data]
IE - HKU\Matthew_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
IE - HKU\Matthew_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\QBDataServiceUser19_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\QBDataServiceUser22_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin: C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (MyWebSearch.com)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin [2011/09/02 03:22:16 | 000,000,000 | ---D | M]

[2011/05/27 12:52:32 | 000,002,428 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml

Hosts file not found
O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
O2 - BHO: (mwsBar BHO) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
O3 - HKLM\..\Toolbar: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O3 - HKLM\..\Toolbar: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
O3 - HKU\Administrator_ON_C\..\Toolbar\WebBrowser: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O3 - HKU\Charlie_ON_C\..\Toolbar\WebBrowser: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
O3 - HKU\Matthew_ON_C\..\Toolbar\WebBrowser: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O3 - HKU\Matthew_ON_C\..\Toolbar\WebBrowser: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (MyWebSearch.com)
O4 - HKLM..\Run: [SmartDefrag] File not found
O4 - HKU\Matthew_ON_C..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Limited.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk = C:\Program Files\Intuit\QuickBooks 2010\QBW32.EXE (Intuit Limited.)
O4 - Startup: C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\AutoLogin.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 16730 = C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msdubm.exe (nutre dogana)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Charlie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Charlie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Matthew_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\QBDataServiceUser19_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\QBDataServiceUser22_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} http://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab (cre8tiv 3Di ATL Control (Internet))
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=67633 (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/CursorManiaInitialSetup1.0.1.1.cab (Reg Error: Key error.)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1215789021796 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215789386906 (MUWebControl Class)
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab (Battlefield Heroes Updater)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab (Java Plug-in 1.4.1_07)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\intu-help-qb5 {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/11 07:50:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/16 12:59:03 | 004,438,270 | ---- | C] (Swearware) -- C:\Documents and Settings\Charlie\Desktop\f ddd.exe
[2012/03/16 12:22:25 | 000,098,992 | ---- | C] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\22892082.sys
[2012/03/16 12:14:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E
[2012/03/16 11:45:14 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/03/16 11:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\tdsskiller
[2012/03/16 11:43:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Local Settings
[2012/03/16 11:36:19 | 004,438,270 | ---- | C] (Swearware) -- C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
[2012/03/16 08:03:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\My Documents\SDO-HE-30
[2012/03/16 08:00:53 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Charlie\IECompatCache
[2012/03/16 07:09:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/03/16 06:55:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
[2012/03/16 06:53:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/03/16 06:53:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/03/15 14:05:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\My Documents\Simple Doc Organizer FE 3.0
[2012/03/15 14:00:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SDO
[2012/03/15 14:00:36 | 001,224,704 | ---- | C] (Atalasoft, Inc.) -- C:\WINDOWS\System32\AtalaImaging.dll
[2012/03/15 11:01:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\My Documents\My Pictures
[2012/03/15 11:01:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Administrative Tools
[2012/03/15 11:01:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\QBDataServiceUser22\IETldCache
[2012/03/15 10:47:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\QuickBooks Letter Templates
[2012/03/15 10:47:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Fizz UK Ltd - Images
[2012/03/15 10:43:25 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
[2012/03/15 10:40:15 | 000,000,000 | --SD | C] -- C:\Documents and Settings\QBDataServiceUser22\Application Data\Microsoft
[2012/03/15 10:40:15 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\QBDataServiceUser22\Application Data
[2012/03/15 10:40:15 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\QBDataServiceUser22\Cookies
[2012/03/15 10:40:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\Recent
[2012/03/15 10:40:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\PrintHood
[2012/03/15 10:40:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\NetHood
[2012/03/15 10:40:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\Local Settings
[2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\My Documents
[2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\Local Settings\Application Data\Microsoft Help
[2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\Local Settings\Application Data\Microsoft
[2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\Favorites
[2012/03/15 10:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QBDataServiceUser22\Desktop
[2012/03/15 10:40:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\QBDataServiceUser22\SendTo
[2012/03/15 10:40:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Startup
[2012/03/15 10:40:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\Start Menu
[2012/03/15 10:40:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Accessories
[2012/03/15 10:40:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\QBDataServiceUser22\Templates
[2012/03/15 10:39:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickBooks
[2012/03/15 10:33:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nuance
[2012/03/15 10:33:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2012/03/15 10:32:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11
[2012/03/15 10:17:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\QuickBooks 2010
[2012/03/15 10:06:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\Intuit
[2012/03/15 09:26:43 | 238,996,824 | ---- | C] (Intuit Inc.) -- C:\Documents and Settings\Charlie\Desktop\Update220r7_1213223_en_STD.exe
[2012/03/15 08:04:11 | 000,000,000 | ---D | C] -- C:\Program Files\Dynamic Ventures
[2012/03/15 08:03:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Local Settings\Application Data\Downloaded Installations
[2012/03/15 07:45:48 | 000,029,016 | ---- | C] (IObit) -- C:\WINDOWS\System32\SmartDefragBootTime.exe
[2012/03/09 13:12:06 | 002,063,920 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Charlie\Desktop\TDSSKiller.exe
[2012/02/27 14:44:14 | 001,721,752 | ---- | C] (Intuit Inc.) -- C:\WINDOWS\System32\InetClnt.dll
[2012/02/27 14:31:46 | 001,694,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VBA6.DLL
[2012/02/27 14:31:32 | 000,741,008 | ---- | C] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\SPR32D30.DLL
[2012/02/15 23:34:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\IETldCache
[2007/11/28 11:19:48 | 000,184,320 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.MSXML2.dll

========== Files - Modified Within 30 Days ==========

[2012/03/16 14:27:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/16 13:21:42 | 000,013,668 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/16 13:01:18 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/16 13:01:04 | 000,000,238 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2012/03/16 12:35:24 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2012/03/16 12:35:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2012/03/16 12:22:25 | 000,098,992 | ---- | M] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\22892082.sys
[2012/03/16 12:17:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/16 12:15:46 | 000,001,324 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\Smart Fortress 2012.lnk
[2012/03/16 12:15:20 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\hmDr01.dat
[2012/03/16 12:15:19 | 000,091,136 | ---- | M] () -- C:\WINDOWS\System32\tt7htNPy.com_
[2012/03/16 12:15:19 | 000,091,136 | ---- | M] () -- C:\WINDOWS\System32\tt7htNPy.com
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/03/16 12:11:28 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\j07odqhh_gamer.exe
[2012/03/16 12:03:38 | 000,002,057 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/03/16 12:00:23 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/03/16 11:47:22 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/03/16 11:46:28 | 000,203,760 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-861567501-1644491937-725345543-1008-0.dat
[2012/03/16 11:46:27 | 000,167,358 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/03/16 11:43:49 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Charlie\Desktop\TDSSKiller.exe
[2012/03/16 11:43:03 | 002,044,822 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\tdsskiller.zip
[2012/03/16 11:36:36 | 004,438,270 | ---- | M] (Swearware) -- C:\Documents and Settings\Charlie\Desktop\f ddd.exe
[2012/03/16 11:36:36 | 004,438,270 | ---- | M] (Swearware) -- C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
[2012/03/16 11:32:09 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/16 09:07:24 | 000,001,836 | ---- | M] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickBooks Pro 2012.lnk
[2012/03/16 08:07:48 | 000,073,940 | ---- | M] () -- C:\WINDOWS\unins000.dat
[2012/03/16 08:07:00 | 000,714,590 | ---- | M] () -- C:\WINDOWS\unins000.exe
[2012/03/16 07:19:23 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
[2012/03/16 07:02:06 | 000,204,054 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\SDO-HE-30.zip
[2012/03/15 23:40:00 | 000,000,432 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack Kay's Outlook.job
[2012/03/15 23:20:00 | 000,000,442 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack Kay's Files Backup.job
[2012/03/15 23:06:43 | 000,526,486 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/15 23:06:43 | 000,096,342 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/15 23:00:00 | 000,000,454 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack FizzOffice2 Shared Files.job
[2012/03/15 14:05:19 | 000,000,098 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\SDOFE_PATH.ini
[2012/03/15 13:58:39 | 000,165,120 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/15 13:55:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/15 13:47:12 | 000,204,042 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\SDO-FE-30.zip
[2012/03/15 10:43:28 | 000,001,392 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\XPS Viewer EP.lnk
[2012/03/15 10:40:29 | 000,000,095 | ---- | M] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2012/03/15 10:39:58 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/03/15 10:39:34 | 000,002,109 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2012/03/15 10:39:34 | 000,001,761 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
[2012/03/15 10:39:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickBooks
[2012/03/15 09:26:55 | 238,996,824 | ---- | M] (Intuit Inc.) -- C:\Documents and Settings\Charlie\Desktop\Update220r7_1213223_en_STD.exe
[2012/03/15 07:45:46 | 000,000,823 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Smart Defrag 2.lnk
[2012/03/15 07:45:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Smart Defrag 2
[2012/03/14 12:42:17 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007 (2).lnk
[2012/03/11 14:26:00 | 000,000,494 | ---- | M] () -- C:\hpfr5550.xml
[2012/03/08 14:36:29 | 000,018,821 | ---- | M] () -- C:\Documents and Settings\Charlie\English
[2012/03/08 14:36:26 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007 (2).lnk
[2012/03/08 09:34:37 | 000,316,664 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\RetrieveAllSignInDetailsForm[2].pdf
[2012/03/07 12:45:02 | 000,001,665 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Basic PAYE Tools.lnk
[2012/03/02 10:16:08 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/02/27 14:44:14 | 001,721,752 | ---- | M] (Intuit Inc.) -- C:\WINDOWS\System32\InetClnt.dll
[2012/02/27 14:31:46 | 001,694,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\VBA6.DLL
[2012/02/27 14:31:32 | 000,741,008 | ---- | M] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\SPR32D30.DLL
[2012/02/21 13:13:33 | 000,404,469 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0049.jpg
[2012/02/21 13:13:17 | 000,270,615 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0048.jpg
[2012/02/21 13:12:51 | 000,421,542 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0046.jpg
[2012/02/21 13:12:30 | 000,327,562 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0047.jpg
[2012/02/21 13:12:12 | 000,397,937 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0045.jpg
[2012/02/21 13:11:57 | 000,285,418 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0044.jpg
[2012/02/21 13:11:37 | 000,342,977 | ---- | M] () -- C:\Documents and Settings\Charlie\My Documents\Scan0043.jpg

========== Files Created - No Company Name ==========

[2012/03/16 12:35:02 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\tt7htNPy.com
[2012/03/16 12:15:46 | 000,001,324 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\Smart Fortress 2012.lnk
[2012/03/16 12:15:09 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\j07odqhh_gamer.exe
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2012/03/16 12:14:56 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hmDr01.dat
[2012/03/16 12:14:55 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\tt7htNPy.com_
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2012/03/16 11:42:59 | 002,044,822 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\tdsskiller.zip
[2012/03/16 09:07:24 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\Charlie\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickBooks Pro 2012.lnk
[2012/03/16 08:07:46 | 000,714,590 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2012/03/16 07:19:23 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
[2012/03/16 06:53:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/16 06:42:56 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/03/15 14:41:44 | 000,204,054 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\SDO-HE-30.zip
[2012/03/15 14:05:19 | 000,000,098 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\SDOFE_PATH.ini
[2012/03/15 14:00:33 | 000,073,940 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2012/03/15 13:57:57 | 000,203,760 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-861567501-1644491937-725345543-1008-0.dat
[2012/03/15 13:57:56 | 000,167,358 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/03/15 13:47:38 | 000,204,042 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\SDO-FE-30.zip
[2012/03/15 10:43:27 | 000,001,392 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\XPS Viewer EP.lnk
[2012/03/15 10:40:15 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Remote Assistance.lnk
[2012/03/15 10:40:15 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\QBDataServiceUser22\Start Menu\Programs\Windows Media Player.lnk
[2012/03/15 10:39:34 | 000,002,109 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2012/03/15 10:39:34 | 000,001,761 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
[2012/03/15 07:45:48 | 000,014,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
[2012/03/15 07:45:46 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Smart Defrag 2.lnk
[2012/03/08 09:34:37 | 000,316,664 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\RetrieveAllSignInDetailsForm[2].pdf
[2012/02/21 13:13:33 | 000,404,469 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0049.jpg
[2012/02/21 13:13:17 | 000,270,615 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0048.jpg
[2012/02/21 13:12:51 | 000,421,542 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0046.jpg
[2012/02/21 13:12:30 | 000,327,562 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0047.jpg
[2012/02/21 13:12:12 | 000,397,937 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0045.jpg
[2012/02/21 13:11:57 | 000,285,418 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0044.jpg
[2012/02/21 13:11:36 | 000,342,977 | ---- | C] () -- C:\Documents and Settings\Charlie\My Documents\Scan0043.jpg
[2012/02/15 17:46:18 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/12 08:49:54 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator\hpothb07.tif
[2011/02/12 08:49:54 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator\hpothb07.dat
[2011/01/11 13:05:18 | 000,008,592 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2010/12/15 13:12:52 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Matthew\jagex_runescape_preferences2.dat
[2010/12/15 13:11:36 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Matthew\jagex_runescape_preferences.dat
[2010/12/15 13:10:17 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Charlie\jagex_runescape_preferences2.dat
[2010/12/15 13:09:13 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Charlie\jagex_runescape_preferences.dat
[2010/12/01 17:21:38 | 000,000,095 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2010/11/17 13:03:58 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Charlie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/14 12:40:46 | 000,002,154 | ---- | C] () -- C:\Documents and Settings\Matthew\English
[2010/10/07 04:14:42 | 000,018,821 | ---- | C] () -- C:\Documents and Settings\Charlie\English
[2010/06/24 13:56:40 | 000,026,436 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/22 07:11:44 | 000,019,545 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2010/03/22 07:11:44 | 000,016,606 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2010/03/20 09:43:32 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/02/25 18:25:34 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/02/25 17:43:33 | 000,200,704 | ---- | C] () -- C:\WINDOWS\sel3110.exe
[2010/02/25 17:43:33 | 000,032,528 | ---- | C] () -- C:\WINDOWS\amcap.exe
[2009/08/03 10:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 10:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/03/19 08:13:57 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\TASEIRFn.dll
[2009/03/19 08:13:14 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\TASSGLib.dll
[2008/09/30 14:37:30 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
[2008/07/12 01:33:36 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
[2008/07/11 10:34:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/07/11 08:02:29 | 000,004,633 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/11 08:00:35 | 000,165,120 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/07/11 07:53:24 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/07/11 07:45:56 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/06/06 09:53:26 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\BTRDRVR.SYS
[2008/05/26 16:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 16:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/03/13 04:14:20 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\SgEData.dll
[2008/03/13 04:14:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\SgELauncher.dll
[2008/03/13 04:14:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\SgEEncrypt.dll
[2007/09/27 05:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 05:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 05:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/07/09 12:08:52 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\SageFolderBrowser.dll
[2007/07/09 12:07:06 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\SGSTDREG.dll
[2007/07/09 12:07:02 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\SGRegister.dll
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 06:00:00 | 000,526,486 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 06:00:00 | 000,096,342 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/03/09 17:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
 
OTL Log continues

OTL log file continues....


========== LOP Check ==========

[2008/09/30 15:58:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\iolo
[2011/06/25 13:57:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\.minecraft
[2011/06/06 16:04:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\BabylonToolbar
[2010/10/07 06:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\Bullzip
[2011/04/28 07:35:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\HMRC
[2011/11/05 18:32:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\IObit
[2011/11/28 10:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\TeamViewer
[2010/10/07 04:12:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\Windows Desktop Search
[2010/10/14 07:50:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\Windows Search
[2010/10/07 14:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Matthew\Application Data\Windows Desktop Search
[2010/03/21 16:29:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/12/01 17:21:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2010/05/31 11:38:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2012/03/16 12:14:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E
[2008/09/30 15:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2012/03/15 20:00:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2012/03/15 10:33:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2009/03/19 08:14:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pervasive Software
[2009/03/19 08:16:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage
[2010/12/01 17:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10
[2012/03/15 11:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11
[2010/05/31 17:59:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/06/16 08:47:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/06/16 05:04:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2012/03/16 12:35:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2012/03/16 12:35:24 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2012/03/16 12:14:56 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2012/03/16 12:14:55 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2010/03/22 08:49:44 | 000,000,324 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1269262144.job
[2012/03/16 12:00:23 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/03/16 13:01:04 | 000,000,238 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
[2012/03/15 23:00:00 | 000,000,454 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack FizzOffice2 Shared Files.job
[2012/03/15 23:20:00 | 000,000,442 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack Kay's Files Backup.job
[2012/03/15 23:40:00 | 000,000,432 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack Kay's Outlook.job

========== Purity Check ==========


< End of report >
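Two things in the OTL listing above stand out to a responder before any scanner runs: forty-eight At<N>.job scheduled tasks written in the same two seconds (12:14:55 to 12:14:56, the signature of a dropper calling at.exe in a loop), and unsigned executables with random stems dropped into System32 (tt7htNPy.com) and onto the Desktop (j07odqhh_gamer.exe). The following script is an added example, not part of the thread or of OTL itself: it parses OTL's `[timestamp | size | attrs | C/M] (company) -- path` lines and flags both patterns. The "random stem" heuristic (five or more word characters including a digit, no company name, executable extension, in System32 or a Desktop folder) is my own assumption and will produce false positives on some legitimate installers; the SAMPLE text is a constructed subset of the lines in the log above.

```python
"""Triage the "Files Created" / "Files Modified" listings from an OTL log.

Two patterns worth flagging automatically:
  * a burst of C:\WINDOWS\tasks\At<N>.job files written within seconds, and
  * executables with no company name and a random-looking stem dropped
    into System32 or a user's Desktop.
"""
import re
from datetime import datetime, timedelta

# One OTL file line:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (company) -- path
# Directory lines omit the "(company)" part.
OTL_LINE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
AT_JOB = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)
EXEC_EXT = {".com", ".exe", ".scr"}
# Assumed heuristic: 5+ chars of [A-Za-z0-9_] containing at least one digit.
RANDOM_STEM = re.compile(r"^(?=.*\d)[A-Za-z0-9_]{5,}$")


def parse_otl(text):
    """Return one dict per recognised file line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "kind": m["kind"],
            "company": m["company"] or "",
            "path": m["path"],
        })
    return entries


def at_job_bursts(entries, window=timedelta(seconds=5), min_count=10):
    """Cluster At<N>.job files by timestamp; return [(first_ts, count)] for
    every cluster of at least min_count jobs that fall inside `window`."""
    # Dedupe by path: the Created and Modified sections list the same file twice.
    jobs = sorted({e["path"].lower(): e["ts"] for e in entries
                   if AT_JOB.search(e["path"])}.items(), key=lambda kv: kv[1])
    bursts, i = [], 0
    while i < len(jobs):
        j = i
        while j < len(jobs) and jobs[j][1] - jobs[i][1] <= window:
            j += 1
        if j - i >= min_count:
            bursts.append((jobs[i][1], j - i))
        i = j
    return bursts


def suspicious_droppers(entries):
    """Executables with no company name and a random-looking stem located
    in System32 or under a Desktop folder."""
    hits = set()
    for e in entries:
        if e["attrs"].endswith("D") or e["company"]:   # skip dirs and signed-looking files
            continue
        folder, _, name = e["path"].rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if "." + ext.lower() not in EXEC_EXT:
            continue
        low = folder.lower()
        if (low.endswith("\\system32") or "\\desktop" in low) and RANDOM_STEM.match(stem):
            hits.add(e["path"])
    return hits


def triage(text):
    entries = parse_otl(text)
    return {"entries": len(entries),
            "at_job_bursts": at_job_bursts(entries),
            "droppers": sorted(suspicious_droppers(entries))}


# Constructed sample: a subset of the lines from the OTL log in this thread.
SAMPLE = r"""
[2012/03/16 12:35:02 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\tt7htNPy.com
[2012/03/16 12:15:46 | 000,001,324 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\Smart Fortress 2012.lnk
[2012/03/16 12:15:09 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\j07odqhh_gamer.exe
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2012/03/16 12:14:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2012/03/16 12:14:55 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2012/03/16 12:14:56 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hmDr01.dat
[2012/03/16 11:43:49 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Charlie\Desktop\TDSSKiller.exe
[2012/03/16 11:36:36 | 004,438,270 | ---- | M] (Swearware) -- C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
[2012/03/16 08:07:00 | 000,714,590 | ---- | M] () -- C:\WINDOWS\unins000.exe
[2012/03/15 10:39:58 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/03/15 09:26:55 | 238,996,824 | ---- | M] (Intuit Inc.) -- C:\Documents and Settings\Charlie\Desktop\Update220r7_1213223_en_STD.exe
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against a full OTL log by passing the file contents to `triage()`; TDSSKiller and ComboFix are skipped only because OTL reported a company name for them, so treat the "droppers" list as a starting point for hash lookups, not as a verdict.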
 
Okay, I'm not Broni but he would not have started you out like this. You appear to be following someone else's instructions. There is also a sticky telling you not to run Combofix on your own. So perhaps you can see why we tell everyone NOT to follow instructions given to someone else.
================================
Settings were changed on your computer so that when you launch an executable (a file ending in .exe), it will instead launch the infection rather than the desired program.

Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
  • Insert the removable device into the infected computer and open the folder for the drive letter associated with it (usually C).
  • Double click the FixNCR.reg file
  • You should now be able to run the .exe files.
=======================================
I'd like to get some basics please. If you cannot connect to the internet to download the programs, please put them on a flash drive, then run them on the problem computer.
================================
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
====================================
The first scan, Malwarebytes, in our removal thread, will find and remove a great deal of the malware on the system. If you still have a problem running any of the scans, stop and tell me what the problem is. Please do not try to work around it on your own.
======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
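The ".exe launches the infection instead" behaviour the helper describes is a hijack of the exefile/comfile shell handlers (and, typically, a per-user copy of them under HKCU\Software\Classes that shadows HKCR). The script below is an added example, not the FixNCR.reg linked above and not code from anyone in this thread: it audits those keys against the stock Windows XP values (`"%1" %*`, which means "run the file that was clicked and pass its arguments through") and writes a .reg file that restores them. It reads the live registry only on Windows, so on an infected box it has to run from a session where programs still start (the poster later gets tools running from a second user account); the hijacked values in the demo are constructed, and the `/START` command layout is an assumption about how such rogues wire themselves in, not something taken from the log.

```python
"""Detect the .exe / .com file-association hijack used by rogue "antivirus"
products and generate a .reg file that restores the stock Windows XP handlers."""
import sys

# Stock Windows XP (Default) values for the keys the hijack touches.
EXPECTED = {
    r"HKCR\.exe": "exefile",
    r"HKCR\.com": "comfile",
    r"HKCR\exefile\shell\open\command": '"%1" %*',
    r"HKCR\comfile\shell\open\command": '"%1" %*',
}
# Per-user class overrides: absent on a clean machine, and popular with rogues
# because they shadow HKCR without needing administrator rights.
MUST_BE_ABSENT = [
    r"HKCU\Software\Classes\.exe",
    r"HKCU\Software\Classes\.com",
    r"HKCU\Software\Classes\exefile\shell\open\command",
]
# Keys the restore file deletes outright (parents of the overrides above).
DELETE_KEYS = [
    r"HKEY_CURRENT_USER\Software\Classes\.exe",
    r"HKEY_CURRENT_USER\Software\Classes\.com",
    r"HKEY_CURRENT_USER\Software\Classes\exefile",
    r"HKEY_CURRENT_USER\Software\Classes\comfile",
]


def audit(values):
    """values: {key: (Default) string, or None when the key is absent}.
    Returns a list of human-readable findings; an empty list means clean."""
    findings = []
    for key, want in EXPECTED.items():
        got = values.get(key)
        if got is None:
            findings.append(f"{key}: missing, expected {want!r}")
        elif got.strip().lower() != want.lower():
            findings.append(f"{key}: {got!r}, expected {want!r}")
    for key in MUST_BE_ABSENT:
        if values.get(key) is not None:
            findings.append(f"{key}: present ({values[key]!r}); per-user override of the handler")
    return findings


def restore_reg():
    """Text of a .reg file that removes the per-user overrides and rewrites the
    HKCR handlers.  Same idea as the FixNCR.reg the helper links, written here
    independently; "%1" %* has to be escaped as \\"%1\\" %* in .reg syntax."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in DELETE_KEYS:
        lines += ["[-" + key + "]", ""]
    for key, want in EXPECTED.items():
        lines += ["[" + key.replace("HKCR", "HKEY_CLASSES_ROOT", 1) + "]",
                  '@="' + want.replace('"', '\\"') + '"', ""]
    return "\r\n".join(lines)


def read_live_values():
    """Read the audited keys from the live registry (Windows only).  A key that
    exists but has no (Default) value is reported as None, i.e. absent."""
    import winreg
    roots = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKCU": winreg.HKEY_CURRENT_USER}
    values = {}
    for key in list(EXPECTED) + MUST_BE_ABSENT:
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as h:
                values[key] = winreg.QueryValueEx(h, "")[0]
        except OSError:
            values[key] = None
    return values


if __name__ == "__main__":
    if sys.platform == "win32":
        live = read_live_values()
    else:
        # Constructed sample of a hijacked machine (assumed command layout).
        live = dict(EXPECTED)
        live[r"HKCR\exefile\shell\open\command"] = r'"C:\WINDOWS\System32\tt7htNPy.com" /START "%1" %*'
        live[r"HKCU\Software\Classes\.exe"] = "badfile"
    findings = audit(live)
    for f in findings or ["clean: exe/com handlers are stock"]:
        print(f)
    if findings:
        print(restore_reg())
```

Save the printed .reg text to removable media and merge it the way the helper describes; note that merging itself needs regedit.exe to start, which this hijack may also block (the poster reports exactly that in a later reply), in which case the same values have to be fixed from a second account or an offline boot environment.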
 
Thx, message received, patience required, sorry.
Something I wasn't quite clear on was whether I should continue using the REATOGO-X-PE operating environment or reboot back to Windows. Having rebooted to Windows XP, I double clicked the FixNCR.reg file but immediately got a message stating regedit.exe was infected and couldn't run. Smart Fortress 2012 then took over most of the screen. Wasn't sure if it was ok to run FixNCR.reg under the Reatogo-X-PE environment or not, can you advise please.

I am able to connect to the Internet, just turned it off to prevent the Trojan(s) uploading.
 
Downloaded FixNCR.reg using a flash disk and followed your instructions, but it didn't work running under Windows XP. .exe files are prevented from running.
 
Run the following please: Read instructions carefully first.

Boot into Safe Mode with Networking
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
-------------------------------------
Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 3 different versions. If one of them won't run then download and try to run the other one.
(Vista and Win7 users need to right click Rkill and choose Run as Administrator)

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following>>>>.

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan)
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
==================================
Without rebooting, see if you can now run the 3 preliminary scans.
 
No success running Rkill.com, Rkill.scr or Rkill.exe in safe mode. First downloaded Rkill.com to memory stick, copied to infected pc desktop, ran and received the message "the file igfxsrvc.exe is infected. Please activate your antivirus software."

Then Smart Fortress 2012 reappears, "Smart Fortress 2012 Warning" "Intercepting programs that may compromise your privacy and harm your system have been detected on your PC. Click here to remove immediately with Smart Fortress 2012"

Similar for Rkill.scr and Rkill.exe. On double clicking their icons received similar messages, "rkill.exe is infected" and "rkill.scr is infected".
 
Haven't been able to get anything to run using safe mode, but rkill.scr did run using another user account on the Dell. Following instructions then ran exehelper, downloaded, updated and ran malwarebytes - lots of malware found. Checked everything and deleted, then ran Gmer and dds. Logs for Malwarebytes, Gmer are below, DDS logs in the following post.

MBam:-

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Matthew :: FIZZOFFICE2 [administrator]

3/18/2012 20:05:16
mbam-log-2012-03-18 (20-05-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 294043
Time elapsed: 21 minute(s), 17 second(s)

Memory Processes Detected: 1
C:\WINDOWS\system32\tt7htNPy.com (Trojan.Agent) -> 5876 -> Delete on reboot.

Memory Modules Detected: 3
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (PUP.FunWebProducts) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (PUP.MyWebSearch) -> Delete on reboot.

Registry Keys Detected: 145
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (PUP.FunWebProducts) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.HTMLMenu.2 (PUP.FunWebProducts) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.HTMLMenu (PUP.FunWebProducts) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (PUP.FunWebProducts) -> Quarantined and deleted successfully.
HKCR\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} (PUP.FunWebProducts) -> Quarantined and deleted successfully.
HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495} (PUP.FunWebProducts) -> Quarantined and deleted successfully.
HKCR\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearchToolBar.SettingsPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearchToolBar.SettingsPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{0F8ECF4F-3646-4C3A-8881-8E138FFCAF70} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{8CA01F0E-987C-49C3-B852-2F1AC4A7094C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{1093995A-BA37-41D2-836E-091067C4AD17} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.IECookiesManager.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.IECookiesManager (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{25560540-9571-4D7B-9389-0F166788785A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{C8CECDE3-1AE1-4C4A-AD82-6D5B00212144} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.DataControl.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.DataControl (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{3E720452-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{3E720450-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{3E720451-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.HTMLPanel.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.HTMLPanel (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3E720452-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearchToolBar.ToolbarPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearchToolBar.ToolbarPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{8E6F1830-9607-4440-8530-13BE7C4B1D14} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.PopSwatterSettingsControl.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.PopSwatterSettingsControl (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{7473D290-B7BB-4F24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.PseudoTransparentPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.PseudoTransparentPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473D294-B7BB-4F24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{84DA4FDF-A1CF-4195-8688-3E961F505983} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{8E6F1832-9607-4440-8530-13BE7C4B1D14} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.PopSwatterBarButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.PopSwatterBarButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{938AA51A-996C-4884-98CE-80DD16A5C9DA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{29D67D3C-509A-4544-903F-C8C1B8236554} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.HTMLMenu.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{9FF05104-B030-46FC-94B8-81276E4E27DF} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\ScreenSaverControl.ScreenSaverInstaller.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\ScreenSaverControl.ScreenSaverInstaller (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{A9571378-68A1-443d-B082-284F960C6D17} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.OutlookAddin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{B813095C-81C0-4E40-AA14-67520372B987} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.KillerObjManager.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.KillerObjManager (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{C9D7BE3E-141A-4C85-8CD6-32461F3DF2C7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.HistoryKillerScheduler.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.HistoryKillerScheduler (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{CFF4CE82-3AA2-451F-9B77-7165605FB835} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.HistorySwatterControlBar.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProducts.HistorySwatterControlBar (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{D9FFFB27-D62A-4D64-8CEC-1FF006528805} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{0D26BC71-A633-4E71-AD31-EADC3A1B6A3A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{E79DFBC0-5697-4FBD-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.ChatSessionPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.ChatSessionPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E79DFBCA-5697-4FBD-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Typelib\{F42228FB-E84E-479E-B922-FBBD096E792C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.MultipleButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.MultipleButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.UrlAlertButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.UrlAlertButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\FocusInteractive (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\FunWebProducts (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{819FFE22-35C7-4925-8CDA-4E0E2DB94302} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{819FFE20-35C7-4925-8CDA-4E0E2DB94302} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{819FFE21-35C7-4925-8CDA-4E0E2DB94302} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{67FA02C4-AB30-4e77-A640-78EE8EC8673B} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{799391D3-EB86-4bac-9BD3-CBFEA58A0E15} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{D858DAFC-9573-4811-B323-7011A3AA7E61} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Trojan.BHO) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Detected: 11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|My Web Search Bar Search Scope Monitor (PUP.MyWebSearch) -> Data: "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: ©Ž±#¥aI¶» äG\Ê -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search| (Adware.Hotbar) -> Data: http://edits.mywebsearch.com/toolba...931YYGB&a=GK.GJNRCe_goUhKIzDJhlw&n=2010071604 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform|FunWebProducts (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|16730 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msdubm.exe -> Delete on reboot.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 20
C:\Program Files\FunWebProducts (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Cache (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\chrome (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Overlay (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\setups (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Files Detected: 115
C:\WINDOWS\system32\tt7htNPy.com_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tt7htNPy.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3FFTBPR.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E\F4D5618A000BDED60126D515D151FC4E.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-861567501-1644491937-725345543-1008\Dc19.exe (Trojan.Agent.RDGen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\Documents and Settings\Charlie\Local Settings\Temp\hki1248.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\prog1.exe (PUP.Dialupass) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f3PSSavr.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Local Settings\Temp\msdubm.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\FunWebProducts\ScreenSaver\Cache\09FD5723.jpg (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Cache\220C01CA.swf (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Cache\files.ini (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\09FC974E.urr (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\09FD558D.urr (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\09FD5DDA.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\220B021D.urr (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\220C17B3.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\0194C94E.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\09F18041.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\21EF9DA9.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\WebfettiBtn.html (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\CHROME.MANIFEST (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\INSTALL.RDF (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3PATCH.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSUABTN.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\07A68C1F (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\09E237E6 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\09E23A09.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\09E23AE4.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\09E23B61.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\09E23BCE.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\2487EE6B.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\2487F1B7.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\2487F3DA.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\2487F476.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\287F091E.bmp (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\33007DDA.bmp (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\4B32517B (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\files.ini (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search3 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\CM.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\WB.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Overlay\COMMON.F3S (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Trojan.BHO) -> Quarantined and deleted successfully.

(end)

GMER Log:-

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-03-18 20:40:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e HDS728080PLA380 rev.PF2OA63A
Running: dlydt14y.exe; Driver: C:\DOCUME~1\Matthew\LOCALS~1\Temp\uxtiiaow.sys


---- System - GMER 1.0.15 ----

SSDT spvq.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spvq.sys ZwEnumerateValueKey [0xB9ECE132]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\agjl5d6o \Device\Scsi\agjl5d6o1Port2Path0Target0Lun0 89B8B1F8
Device \Driver\agjl5d6o \Device\Scsi\agjl5d6o1 89B8B1F8
Device \FileSystem\Ntfs \Ntfs 89E411F8
Device \FileSystem\Fastfat \Fat 89B531F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

DDS Logs:-
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/11/2008 15:21:21
System Uptime: 3/18/2012 20:35:09 (0 hours ago)
.
Motherboard: Dell Inc. | | 0J8885
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 16.192 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01AB1028&REV_01\4&5855BE9&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01AB1028&REV_01\4&5855BE9&0&40F0
Service: E100B
.
==== System Restore Points ===================
.
RP1070: 1/29/2012 02:48:54 - Software Distribution Service 3.0
RP1071: 1/29/2012 07:21:02 - Software Distribution Service 3.0
RP1072: 1/30/2012 07:20:59 - Software Distribution Service 3.0
RP1073: 1/31/2012 07:20:22 - Software Distribution Service 3.0
RP1074: 2/1/2012 07:21:10 - Software Distribution Service 3.0
RP1075: 2/2/2012 07:21:17 - Software Distribution Service 3.0
RP1076: 2/3/2012 07:21:16 - Software Distribution Service 3.0
RP1077: 2/4/2012 07:21:15 - Software Distribution Service 3.0
RP1078: 2/5/2012 02:49:31 - Software Distribution Service 3.0
RP1079: 2/5/2012 07:21:04 - Software Distribution Service 3.0
RP1080: 2/6/2012 07:21:07 - Software Distribution Service 3.0
RP1081: 2/7/2012 07:21:06 - Software Distribution Service 3.0
RP1082: 2/8/2012 07:21:08 - Software Distribution Service 3.0
RP1083: 2/9/2012 07:21:06 - Software Distribution Service 3.0
RP1084: 2/10/2012 07:21:09 - Software Distribution Service 3.0
RP1085: 2/11/2012 07:20:34 - Software Distribution Service 3.0
RP1086: 2/12/2012 02:48:29 - Software Distribution Service 3.0
RP1087: 2/12/2012 07:21:19 - Software Distribution Service 3.0
RP1088: 2/13/2012 07:21:25 - Software Distribution Service 3.0
RP1089: 2/14/2012 07:21:37 - Software Distribution Service 3.0
RP1090: 2/15/2012 07:21:30 - Software Distribution Service 3.0
RP1091: 2/16/2012 03:00:18 - Software Distribution Service 3.0
RP1092: 2/17/2012 03:38:12 - System Checkpoint
RP1093: 2/17/2012 03:41:05 - Software Distribution Service 3.0
RP1094: 2/18/2012 03:40:21 - Software Distribution Service 3.0
RP1095: 2/19/2012 02:30:38 - Software Distribution Service 3.0
RP1096: 2/20/2012 02:42:50 - System Checkpoint
RP1097: 2/20/2012 03:40:34 - Software Distribution Service 3.0
RP1098: 2/21/2012 03:40:57 - Software Distribution Service 3.0
RP1099: 2/22/2012 03:40:26 - Software Distribution Service 3.0
RP1100: 2/23/2012 03:40:33 - Software Distribution Service 3.0
RP1101: 2/24/2012 03:40:32 - Software Distribution Service 3.0
RP1102: 2/25/2012 03:40:31 - Software Distribution Service 3.0
RP1103: 2/26/2012 02:31:14 - Software Distribution Service 3.0
RP1104: 2/27/2012 02:43:10 - System Checkpoint
RP1105: 2/27/2012 03:40:48 - Software Distribution Service 3.0
RP1106: 2/28/2012 03:41:02 - Software Distribution Service 3.0
RP1107: 2/29/2012 03:41:01 - Software Distribution Service 3.0
RP1108: 3/1/2012 03:41:06 - Software Distribution Service 3.0
RP1109: 3/2/2012 03:00:20 - Software Distribution Service 3.0
RP1110: 3/3/2012 03:32:00 - System Checkpoint
RP1111: 3/4/2012 02:51:19 - Software Distribution Service 3.0
RP1112: 3/5/2012 03:33:43 - Software Distribution Service 3.0
RP1113: 3/6/2012 03:34:06 - Software Distribution Service 3.0
RP1114: 3/7/2012 03:33:43 - Software Distribution Service 3.0
RP1115: 3/8/2012 03:36:37 - System Checkpoint
RP1116: 3/9/2012 03:33:46 - Software Distribution Service 3.0
RP1117: 3/10/2012 03:33:47 - Software Distribution Service 3.0
RP1118: 3/11/2012 02:51:52 - Software Distribution Service 3.0
RP1119: 3/12/2012 03:34:03 - Software Distribution Service 3.0
RP1120: 3/13/2012 03:34:23 - Software Distribution Service 3.0
RP1121: 3/14/2012 03:50:42 - System Checkpoint
RP1122: 3/14/2012 16:52:56 - Software Distribution Service 3.0
RP1123: 3/15/2012 03:00:17 - Software Distribution Service 3.0
RP1124: 3/15/2012 12:03:24 - Installed QBFC 7.0.
RP1125: 3/15/2012 12:04:09 - Installed Ultimate AppendIT
RP1126: 3/15/2012 12:47:09 - Revo Uninstaller's restore point - Ultimate AppendIT
RP1127: 3/15/2012 12:47:21 - Removed Ultimate AppendIT
RP1128: 3/15/2012 14:13:22 - Pre Qbooks12
RP1129: 3/15/2012 14:41:25 - Installed XPS Essentials Pack
RP1130: 3/15/2012 17:55:28 - Installed Windows XP KB942288-v3.
RP1131: 3/15/2012 17:57:05 - Installed Windows XP KB958655-v2.
RP1132: 3/15/2012 18:00:11 - Printer Driver Microsoft XPS Document Writer Installed
RP1133: 3/15/2012 18:09:34 - Software Distribution Service 3.0
RP1134: 3/15/2012 18:40:35 - Revo Uninstaller's restore point - Simple Doc Organizer Free Edition
RP1135: 3/16/2012 03:00:17 - Software Distribution Service 3.0
RP1136: 3/17/2012 03:23:57 - System Checkpoint
RP1137: 3/18/2012 21:16:19 - System Checkpoint
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.6
Advanced SystemCare 3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Basic PAYE Tools
Baxter Stationery
Bonjour
Bullzip PDF Printer 4.0.0.463
Cisco Network Magic
Compatibility Pack for the 2007 Office system
Dell Resource CD
Dragonica(EN)
Ensim Outlook Autologin Configurator
EOCP Drivers 0.9.311007
ERUNT 1.1j
Google Toolbar for Internet Explorer
Google Update Helper
GPL Ghostscript 8.63
GPL Ghostscript Lite 8.64
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 6100 series
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
IRIS Payroll Basics
iTunes
Java 2 Runtime Environment, SE v1.4.1_07
Java Auto Updater
Java Web Start
Java(TM) 6 Update 23
LogMeIn
Mail Merge Toolkit
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft XML Parser
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Network Magic
Nvu 1.0PR
OGA Notifier 2.0.0048.0
Paint Shop Pro 6.02 CD
PasswordViewer 2.0
Pervasive PSQL v10.10 Workgroup (32-bit)
Product Key Explorer 2.4.6
Pure Networks Platform
QBFC 7.0
QFolder
QuickBooks
QuickBooks Pro 2012
QuickTime
Revo Uninstaller 1.92
Sage e-Banking Core Components
Sage e-Banking Payment Service Banks
SageMergeModules
Screen Grab Pro
SDO Framework (Beta)
Search-Results Toolbar
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Skype Toolbars
Skype™ 4.2
Smart Defrag 2
Spelling Dictionaries Support For Adobe Reader 9
SupportSoft Assisted Service
swMSM
SyncBack
TAS Books 2 v8.0
TeamViewer 6
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual Studio 2005 Tools for Office Second Edition Runtime
VLC media player 1.0.5
WebEx Support Manager for Internet Explorer
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
Wizard101
World of Warcraft
XPS Essentials Pack
XPS Essentials Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
3/18/2012 22:08:36, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
3/18/2012 21:58:03, error: Service Control Manager [7034] - The QuickBooksDB22 service terminated unexpectedly. It has done this 1 time(s).
3/17/2012 11:15:21, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/17/2012 05:35:00, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
3/17/2012 01:42:40, error: Print [19] - Sharing printer failed + 1722, Printer hp officejet 6100 series share name hpofficejet6.
3/16/2012 22:25:28, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/16/2012 17:22:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss sptd Tcpip
3/16/2012 17:22:23, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/16/2012 17:22:23, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/16/2012 17:22:23, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/16/2012 17:22:23, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/16/2012 17:21:55, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/16/2012 17:21:55, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/16/2012 17:21:29, error: sptd [4] - Driver detected an internal error in its data structures for .
3/16/2012 16:35:00, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402
3/16/2012 16:15:16, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Microsoft Antimalware Service service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/16/2012 16:15:01, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
3/16/2012 15:55:08, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/16/2012 15:51:39, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
3/16/2012 15:51:38, error: Service Control Manager [7034] - The AMService service terminated unexpectedly. It has done this 1 time(s).
3/16/2012 15:28:10, error: Service Control Manager [7023] - The Ld51ocnucsnp service terminated with the following error: Access is denied.
3/16/2012 11:03:58, error: Service Control Manager [7023] - The Backupexecrpcservice service terminated with the following error: Access is denied.
3/16/2012 10:52:46, error: Print [6161] - The document Scan0053 owned by Charlie failed to print on printer PDF Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\FIZZOFFICE2. Win32 error code returned by the print processor: 259 (0x103).
3/16/2012 10:47:57, error: Service Control Manager [7023] - The Vmnetdhcp service terminated with the following error: Access is denied.
3/16/2012 10:46:57, error: Service Control Manager [7023] - The CrystalSysInfo service terminated with the following error: Access is denied.
3/16/2012 10:42:58, error: Service Control Manager [7023] - The Dwmrcs service terminated with the following error: Access is denied.
3/15/2012 14:09:10, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/15/2012 14:09:03, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 2 time(s).
3/15/2012 14:08:55, error: Service Control Manager [7031] - The TeamViewer 6 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/15/2012 14:08:38, error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
3/15/2012 14:08:35, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 1 time(s).
3/13/2012 18:19:38, error: MRxSmb [8003] - The master browser has received a server announcement from the computer MATTHEW-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{605D3BAA-1F6E-45C. The master browser is stopping or an election is being forced.
3/12/2012 03:35:20, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.121.1330.0).
3/12/2012 03:34:38, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.121.1319.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8101.0 Error code: 0x80070643 Error description: Fatal error during installation.
.
==== End Of File ===========================

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Matthew at 20:43:04 on 2012-03-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1547 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2010\QBW32.EXE
svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.blackle.com/
mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=f401415a00000000000000123f883c0b&tlver=1.4.19.19&ss=1&affID=17978
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [<NO NAME>]
mRun: [SmartDefrag] "c:\program files\iobit\iobit smartdefrag\IObit SmartDefrag.exe" /StartUp
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2010\QBW32.EXE
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} - hxxp://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215789021796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215789386906
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-3-15 14776]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-6-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-7-11 47640]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2008-6-6 435488]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-11-24 2358656]
R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb22 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
S2 AMService;AMService;c:\windows\temp\ivcrrr\setup.exe run --> c:\windows\temp\ivcrrr\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-14 136176]
S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [2012-3-16 98992]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-14 136176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2012-03-18 22:14:35 -------- d-----w- c:\documents and settings\matthew\application data\Malwarebytes
2012-03-18 20:49:54 -------- d-----w- c:\documents and settings\matthew\local settings\application data\Intuit
2012-03-16 16:22:25 98992 ----a-w- c:\windows\system32\drivers\22892082.sys
2012-03-16 16:14:53 -------- d-----w- c:\documents and settings\all users\application data\F4D5618A000BDED60126D515D151FC4E
2012-03-16 15:56:57 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{51fa9118-c98d-413d-bb0a-86b20251afb3}\offreg.dll
2012-03-16 15:45:59 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{51fa9118-c98d-413d-bb0a-86b20251afb3}\mpengine.dll
2012-03-16 15:45:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-16 12:07:46 714590 ----a-w- c:\windows\unins000.exe
2012-03-16 10:42:56 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-15 18:00:37 -------- d-----w- c:\program files\common files\SDO
2012-03-15 18:00:36 3907584 ----a-w- c:\program files\common files\microsoft shared\vfp9\VFP9t.dll
2012-03-15 18:00:36 1224704 ----a-w- c:\windows\system32\AtalaImaging.dll
2012-03-15 18:00:36 1187840 ----a-w- c:\program files\common files\microsoft shared\vfp9\VFP9renu.dll
2012-03-15 18:00:35 4734976 ----a-w- c:\program files\common files\microsoft shared\vfp9\VFP9r.dll
2012-03-15 18:00:34 1645320 ----a-w- c:\program files\common files\microsoft shared\vfp9\gdiplus.dll
2012-03-15 18:00:34 16384 ----a-w- c:\program files\common files\microsoft shared\vfp9\foxhhelpps9.dll
2012-03-15 18:00:33 73728 ----a-w- c:\program files\common files\microsoft shared\vfp9\foxhhelp9.exe
2012-03-15 18:00:33 348160 ----a-w- c:\program files\common files\microsoft shared\vfp9\msvcr71.dll
2012-03-15 14:43:33 -------- d-----w- C:\$NtUninstallXPSEP$
2012-03-15 14:43:25 14048 ------w- c:\windows\system32\spmsg2.dll
2012-03-15 14:33:40 -------- d-----w- c:\program files\common files\Nuance
2012-03-15 14:33:12 -------- d-----w- c:\documents and settings\all users\application data\Nuance
2012-03-15 14:32:34 -------- d-----w- c:\documents and settings\all users\application data\SQL Anywhere 11
2012-03-15 14:06:04 -------- d-----w- c:\windows\Intuit
2012-03-15 12:04:11 -------- d-----w- c:\program files\Dynamic Ventures
2012-03-15 11:45:48 29016 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2012-03-15 11:45:48 14776 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2012-02-27 18:44:14 1721752 ----a-w- c:\windows\system32\InetClnt.dll
2012-02-27 18:31:46 1694992 ----a-w- c:\windows\system32\VBA6.DLL
2012-02-27 18:31:32 741008 ----a-w- c:\windows\system32\SPR32D30.DLL
.
==================== Find3M ====================
.
2012-03-16 15:54:38 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-22 07:17:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 20:44:04.73 ===============
 
You have been using FunWebProducts site and their partner sites to get screensavers, cursors, wallpaper, Smilies and other 'cute' things to put on the system.

Uninstall the My Web Search option from Add/Remove Programs

1) Click on Start, Settings, Control Panel
2) Double click on Add/Remove Programs
3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

FunWebProducts
My Web Search (Smiley Central or FWP product as applicable)
My Way Speedbar (Smiley Central or other FWP as applicable)
My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Way

4) Reboot your Computer.
5) Right click on Start> Choose Explore.
6) My Computer> Local Drive (C)> double-click on the Program Files folder
7) Right-click and delete the folders for:

* FunWebProducts
* MyWebSearch

8) If you have FunWebProducts saved as a Bookmark or Favorite, delete it

Stay away from: Other FunWebProducts
Smiley Central
Cursor Mania
FunBuddyIcons
My Mail Stationery
My Mail Signature
My Mail Stamps
Popular Screensavers
Webfetti
============================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HERE http://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=======================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================================
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
ComboFix, Eset and HijackThis logs follow:

ComboFix 12-03-20.02 - Charlie 21/03/2012 7:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1540 [GMT 0:00]
Running from: c:\documents and settings\Charlie\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Charlie\Local Settings\Temporary Internet Files\English
C:\install.exe
c:\windows\$NtUninstallKB24571$
c:\windows\$NtUninstallKB24571$\3451071241
c:\windows\$NtUninstallKB24571$\687240973\@
c:\windows\$NtUninstallKB24571$\687240973\cfg.ini
c:\windows\$NtUninstallKB24571$\687240973\Desktop.ini
c:\windows\$NtUninstallKB24571$\687240973\L\tamybiac
c:\windows\$NtUninstallKB24571$\687240973\oemid
c:\windows\$NtUninstallKB24571$\687240973\U\00000001.@
c:\windows\$NtUninstallKB24571$\687240973\U\00000002.@
c:\windows\$NtUninstallKB24571$\687240973\U\00000004.@
c:\windows\$NtUninstallKB24571$\687240973\U\80000000.@
c:\windows\$NtUninstallKB24571$\687240973\U\80000004.@
c:\windows\$NtUninstallKB24571$\687240973\U\80000032.@
c:\windows\$NtUninstallKB24571$\687240973\version
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSERVICE
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_AMService
.
.
((((((((((((((((((((((((( Files Created from 2012-02-21 to 2012-03-21 )))))))))))))))))))))))))))))))
.
.
2012-03-21 07:06 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B61A112C-AB3F-40FD-B4D6-78960F98508B}\mpengine.dll
2012-03-20 15:00 . 2012-03-20 15:00 -------- d-----w- C:\My Documents
2012-03-19 21:45 . 2002-12-29 01:14 81920 ----a-w- c:\windows\system32\Startup.cpl
2012-03-19 09:18 . 2012-03-19 09:18 -------- d-----w- c:\documents and settings\Charlie\Application Data\Malwarebytes
2012-03-16 16:22 . 2012-03-16 16:22 98992 ----a-w- c:\windows\system32\drivers\22892082.sys
2012-03-16 16:14 . 2012-03-16 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E
2012-03-16 15:45 . 2012-03-16 15:57 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-16 12:00 . 2012-03-16 12:00 -------- d-sh--w- c:\documents and settings\Charlie\IECompatCache
2012-03-15 14:43 . 2012-03-15 14:43 -------- d-----w- C:\$NtUninstallXPSEP$
2012-03-15 14:43 . 2010-10-05 13:56 14048 ------w- c:\windows\system32\spmsg2.dll
2012-03-15 14:40 . 2012-03-15 15:01 -------- d-----w- c:\documents and settings\QBDataServiceUser22
2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\program files\Common Files\Nuance
2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2012-03-15 14:32 . 2012-03-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2012-03-15 14:06 . 2012-03-15 14:06 -------- d-----w- c:\windows\Intuit
2012-03-15 12:04 . 2012-03-15 12:48 -------- d-----w- c:\program files\Dynamic Ventures
2012-03-15 12:03 . 2012-03-15 12:03 -------- d-----w- c:\documents and settings\Charlie\Local Settings\Application Data\Downloaded Installations
2012-03-15 11:45 . 2011-12-16 17:21 29016 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2012-03-15 11:45 . 2010-11-26 18:02 14776 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2012-02-27 18:44 . 2012-02-27 18:44 1721752 ----a-w- c:\windows\system32\InetClnt.dll
2012-02-27 18:31 . 2012-02-27 18:31 1694992 ----a-w- c:\windows\system32\VBA6.DLL
2012-02-27 18:31 . 2012-02-27 18:31 741008 ----a-w- c:\windows\system32\SPR32D30.DLL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-16 15:54 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-08 06:03 . 2010-07-10 02:30 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-07-08 17:12 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-22 07:17 . 2011-08-18 09:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-11 19:06 . 2012-02-15 21:46 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-07-11 11:43 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-02-27 2215768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\Charlie\Start Menu\Programs\Startup\
AutoLogin.exe [2010-10-6 106496]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-2-28 1175384]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2010\QBW32.EXE [2012-2-28 1178456]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-07 14:17 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2011-01-11 18:04 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"4979:UDP"= 4979:UDP:Windows Media Format SDK (ping.exe)
"4978:UDP"= 4978:UDP:Windows Media Format SDK (ping.exe)
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [15/03/2012 11:45 14776]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/05/2010 15:38 691696]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [08/06/2011 12:04 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/01/2011 18:04 12856]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [06/06/2008 13:03 435488]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [24/11/2011 13:37 2358656]
R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 11:53 136176]
S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 16:22 98992]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 11:53 136176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-03-22 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p officejet 6100 series272A572217594EBCF1CEE215E352B92AD073FDE4269262144.job
- c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.
2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
.
2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
.
2012-03-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2012-03-16 c:\windows\Tasks\SyncBack FizzOffice2 Shared Files.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
.
2012-03-16 c:\windows\Tasks\SyncBack Kay's Files Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
.
2012-03-16 c:\windows\Tasks\SyncBack Kay's Outlook.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 158.152.1.58 158.152.1.43
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} - hxxp://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SmartDefrag - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
SafeBoot-45754051.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Ensim Outlook AutoLogin - c:\documents and settings\Kay\Start Menu\Programs\Startup\AutoLogin.exe
AddRemove-Smart Fortress 2012 - c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E\F4D5618A000BDED60126D515D151FC4E.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-21 07:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
.
[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3684)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\documents and settings\Charlie\Start Menu\Programs\Startup\AutoLogin.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-03-21 07:49:27 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-21 07:49
.
Pre-Run: 17,883,344,896 bytes free
Post-Run: 20,522,291,200 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 8959FC06C88461B3AD70D50538D1DDEC


ESET...........................................

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\19604ed6-7829dbd7 Java/Exploit.Blacole.AN trojan
C:\System Volume Information\_restore{2B74D659-4B42-4C04-BB54-8ED7AE2A73DA}\RP1135\A0071527.sys a variant of Win32/Rootkit.Kryptik.KD trojan
C:\System Volume Information\_restore{2B74D659-4B42-4C04-BB54-8ED7AE2A73DA}\RP1149\A0072082.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\_restore{2B74D659-4B42-4C04-BB54-8ED7AE2A73DA}\RP1149\A0072083.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\_restore{2B74D659-4B42-4C04-BB54-8ED7AE2A73DA}\RP1149\A0072093.exe a variant of Win32/InstallCore.D application
C:\TDSSKiller_Quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.KD trojan
C:\TDSSKiller_Quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.KD trojan




HijackThis.......................

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:37:35, on 21/03/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2010\QBW32.EXE
C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\AutoLogin.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-861567501-1644491937-725345543-1011\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'QBDataServiceUser22')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: AutoLogin.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks_Standard_21.lnk = C:\Program Files\Intuit\QuickBooks 2010\QBW32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1215789021796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215789386906
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB22 - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe

--
End of file - 8247 bytes
 
Questions:
1. Why are you running both AutoLogin.exe and LogMeIn on Startup?
2. Are you aware that when a process is set to Global Startup that it will start up no matter who logs on?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks_Standard
3. Your start page is blackie.com. Is this intentional? Are you aware that it intentionally loads a black screen 'to save energy'?
======================================
Let's try to send Smart Fortress 2012 packing: Everything following can be caused by the malware. Please try to complete all in the order I've given:

1. Boot into Safe Mode with Networking
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.

2. Please login as the user that is infected with Smart Fortress 2012.
  • Right-click on your browser> select Run As or Run as Administrator
    [o]If Windows prompts you for the Administrator password, please enter it for the browser to launch.

3. Go to http://www.bleepingcomputer.com/download/windows/utilities/fixexec
  • On above page> click on the Download Renamed Version and save file to C:\ drive
    [o]Note: If you can't log on as Administrator> put the download on a flash drive from a clean computer> hold there for now.
  • Once FixExec has been downloaded to your computer or is stored on a flash drive/CDROM, log off from the Administrator account, but stay in Safe Mode.
  • At the Safe Mode logon prompt> logon as your normal, but now infected, user.
    [o]If FixExec is on a flash drive, connect to infected computer and copy to C:\folder on infected computer

4. Running the file
  • If Smart Fortress is running, minimize it so the desktop is visible
  • Navigate to C:\ and double click on FixExec.com to run
    [o]Note: If you received a message that FixExec was not able to extract a file, then please move the FixExec.com file to your desktop and try again.
  • When completed, executables should run again.

5. Reset your browser Proxy
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click OK to close the Local Area Network (LAN) Settings window.
    o Click OK to close the Internet Options window.

6. End the processes that belong to the rogue program:
  • Please click on RKill
  • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
  • Double click on the iExplore.exe icon
    [o] Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
[o]Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
=======================================
7. Full Scan Mbam
  • Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    [o]When scan has finished, you will see this image:
    scan-finished.jpg

    [o]Click on OK to close box and continue.
    [o]Click on the Show Results button.
    [o]Click on the Remove Selected button to remove all the listed malware.
    [o]At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
====================================
Now reboot your computer back to normal mode.
===================================
This malware is frequently found on systems that don't have programs updated:
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader > Adobe Reader Update
Java(TM) > Java Updates .
Uninstall any earlier versions of both, as they are vulnerabilities for the system.
=====================================
See how this goes. We'll continue when above has been done
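The questions asked above about the HijackThis log (Global Startup entries that run for every user, a service whose image is missing, and the rogue's own autostart) can be checked mechanically rather than by eye. The following is an added example for this thread, not code from the original posts or from HijackThis itself: a small triage pass over HijackThis 2.x log lines. The sample lines are a constructed subset modelled on the log posted above, plus one HKCU Run entry built from the Smart Fortress path shown in the ComboFix AddRemove line; the severity labels and the hex-named-folder heuristic are this example's own assumptions.

```python
"""Triage HijackThis 2.x log lines for the autostart/ActiveX/service
entries a helper usually asks about. Added example for this thread;
not part of the original posts or of HijackThis."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O16/O23 lines from the log above,
# plus an HKCU Run entry assembled from the Smart Fortress AddRemove path
# (the real log no longer contained it because the rogue had been removed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: AutoLogin.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - HKCU\..\Run: [F4D5618A000BDED60126D515D151FC4E] c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E\F4D5618A000BDED60126D515D151FC4E.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""


@dataclass
class Finding:
    severity: str   # "high" or "review" (assumed labels for this example)
    entry: str      # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


# Rogue AV families commonly drop into a 32-hex-character folder under
# profile/Application Data; that is the heuristic used for "high".
HEX_DIR = re.compile(r"\\[0-9A-F]{32}\\", re.I)
USER_DATA = re.compile(r"documents and settings|application data", re.I)
SYSTEM_HIVE = re.compile(r"HKUS\\S-1-5-18\\", re.I)


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    tag = line.split(" - ", 1)[0].strip()
    if tag == "O4":
        if HEX_DIR.search(line) and USER_DATA.search(line):
            return Finding("high", tag, "autostart from a hex-named folder under profile data", line)
        if "Global Startup:" in line:
            return Finding("review", tag, "Global Startup entry runs for every user who logs on", line)
        if SYSTEM_HIVE.search(line):
            return Finding("review", tag, "Run value under the SYSTEM hive (S-1-5-18)", line)
    elif tag == "O16":
        # Format is "O16 - DPF: {CLSID} (name) - URL"; a bare trailing '-' means no source URL
        if line.rstrip().endswith(" -"):
            return Finding("review", tag, "ActiveX (DPF) entry with no download URL", line)
    elif tag == "O23":
        if "(file missing)" in line or "Unknown owner" in line:
            return Finding("review", tag, "service with unknown owner or missing image", line)
    return None


def triage(log_text: str):
    """Run triage_line over every non-empty line and collect the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            found = triage_line(line)
            if found:
                findings.append(found)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'review': 4}."""
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("high", "review")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The rules deliberately stay narrow: the Global Startup and SYSTEM-hive hits are "review" because both are normal for QuickBooks and ctfmon.exe, and only the hex-named profile folder is treated as a strong indicator on its own.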
 
Mbam log below, nothing found. Thank you for your help, breathing again.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.22.05

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Charlie :: FIZZOFFICE2 [administrator]

23/03/2012 06:26:54
mbam-log-2012-03-23 (06-26-54).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 373042
Time elapsed: 42 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Okay, so is it safe to say that Smart Fortress 2012 is no longer around?
---------------------------------------
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader> Current is vX(10.xx)> Adobe Reader Update
Java(TM) > Current is v6u31> Java Updates .
Uninstall any earlier versions of both, as they are vulnerabilities for the system.
-----------------------------------------
The new Eset entry is in the Java cache. I have removed it with the script in Combofix
===========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\22892082.sys
Folder::
C:\TDSSKiller_Quarantine
c:\documents and settings\Charlie\IECompatCache
C:\$NtUninstallXPSEP$
c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=-
"AntiVirusOverride"=-
"FirewallDisableNotify"=-
"FirewallOverride"=-
"UpdatesDisableNotify"=-

Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
=====================================
Please let me know what-if any-problems remain.

I may have you run OTL to update as there were some entries in the original log that should be removed. Don't act on that yet.

I am still left with the questions about registry entries running for both AutoLogon and LogmeIn.
 
Smart Fortress 2012 is gone, big relief. Adobe reader and Java updated and earlier versions removed. Combofix with custom CF script has run and log posted below. System appears virus free, thank you.

Autologon - script logging the user's Outlook onto a remote mail server, not malicious. Logmein - think this is a leftover and not required, have removed.

ComboFix 12-03-26.04 - Charlie 26/03/2012 23:23.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1398 Running from: c:\documents and settings\Charlie\Desktop\Utilities\AntiVirus\ComboFix.exe
Command switches used :: c:\documents and settings\Charlie\Desktop\Utilities\AntiVirus\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\22892082.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\$NtUninstallXPSEP$
c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E
c:\documents and settings\All Users\Application Data\F4D5618A000BDED60126D515D151FC4E\F4D5618A000BDED60126D515D151FC4E
c:\documents and settings\Charlie\IECompatCache
c:\documents and settings\Charlie\IECompatCache\index.dat
c:\documents and settings\Charlie\Local Settings\Temporary Internet Files\English
C:\TDSSKiller_Quarantine
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\object.ini
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\object.ini
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0000.ini
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0001.dta
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0000\svc0000\tsk0001.ini
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0001\object.ini
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0001\svc0000\object.ini
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0001\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\16.03.2012_15.44.30\susp0001\svc0000\tsk0000.ini
c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\object.ini
c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\object.ini
c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0000.ini
c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0001.dta
c:\tdsskiller_quarantine\16.03.2012_15.53.22\rtkt0000\svc0000\tsk0001.ini
c:\tdsskiller_quarantine\16.03.2012_15.57.12\susp0000\object.ini
c:\tdsskiller_quarantine\16.03.2012_15.57.12\susp0000\svc0000\object.ini
c:\tdsskiller_quarantine\16.03.2012_15.57.12\susp0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\16.03.2012_15.57.12\susp0000\svc0000\tsk0000.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-02-27 to 2012-03-27 )))))))))))))))))))))))))))))))
.
.
2012-03-27 06:49 . 2012-03-27 06:49 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8024BE1A-FC0E-471B-B4E2-DC1791D5E040}\MpKsl685d9d65.sys
2012-03-26 15:13 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8024BE1A-FC0E-471B-B4E2-DC1791D5E040}\mpengine.dll
2012-03-23 08:57 . 2012-03-23 08:57 -------- d-----w- c:\program files\Common Files\Java
2012-03-23 06:20 . 2012-03-23 06:19 883616 ----a-w- C:\FixExec.scr
2012-03-21 08:48 . 2012-03-23 09:07 -------- d-----w- C:\HijackThis
2012-03-21 08:45 . 2012-03-21 08:45 -------- d-----w- c:\program files\ESET
2012-03-20 15:00 . 2012-03-20 15:00 -------- d-----w- C:\My Documents
2012-03-19 21:45 . 2002-12-29 01:14 81920 ----a-w- c:\windows\system32\Startup.cpl
2012-03-19 09:18 . 2012-03-19 09:18 -------- d-----w- c:\documents and settings\Charlie\Application Data\Malwarebytes
2012-03-16 16:22 . 2012-03-16 16:22 98992 ----a-w- c:\windows\system32\drivers\22892082.sys
2012-03-15 14:43 . 2010-10-05 13:56 14048 ------w- c:\windows\system32\spmsg2.dll
2012-03-15 14:40 . 2012-03-15 15:01 -------- d-----w- c:\documents and settings\QBDataServiceUser22
2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\program files\Common Files\Nuance
2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2012-03-15 14:32 . 2012-03-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2012-03-15 14:06 . 2012-03-15 14:06 -------- d-----w- c:\windows\Intuit
2012-03-15 12:04 . 2012-03-15 12:48 -------- d-----w- c:\program files\Dynamic Ventures
2012-03-15 12:03 . 2012-03-15 12:03 -------- d-----w- c:\documents and settings\Charlie\Local Settings\Application Data\Downloaded Installations
2012-03-15 11:45 . 2011-12-16 17:21 29016 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2012-03-15 11:45 . 2010-11-26 18:02 14776 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2012-02-27 18:44 . 2012-02-27 18:44 1721752 ----a-w- c:\windows\system32\InetClnt.dll
2012-02-27 18:31 . 2012-02-27 18:31 1694992 ----a-w- c:\windows\system32\VBA6.DLL
2012-02-27 18:31 . 2012-02-27 18:31 741008 ----a-w- c:\windows\system32\SPR32D30.DLL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-23 07:46 . 2010-12-15 17:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-23 07:46 . 2010-12-15 17:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-23 07:38 . 2011-08-18 09:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-16 15:54 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-14 02:15 . 2010-07-10 02:30 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-07-08 17:12 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06 . 2012-02-15 21:46 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-07-11 11:43 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-21_07.44.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-26 15:03 . 2012-03-26 15:03 16384 c:\windows\Temp\Perflib_Perfdata_cc.dat
+ 2004-08-04 10:00 . 2012-03-26 15:05 96342 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2012-03-16 03:06 96342 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2012-03-26 15:05 526486 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2012-03-16 03:06 526486 c:\windows\system32\perfh009.dat
+ 2012-03-23 07:38 . 2012-03-23 07:38 250528 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
+ 2012-03-23 07:38 . 2012-03-23 07:38 335520 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.dll
+ 2012-03-23 07:47 . 2012-03-23 07:46 157472 c:\windows\system32\javaws.exe
- 2010-12-15 17:07 . 2010-12-15 17:06 157472 c:\windows\system32\javaws.exe
+ 2012-03-23 07:47 . 2012-03-23 07:46 149280 c:\windows\system32\javaw.exe
+ 2012-03-23 07:47 . 2012-03-23 07:46 149280 c:\windows\system32\java.exe
+ 2012-03-23 07:46 . 2012-03-23 07:46 902656 c:\windows\Installer\94f20.msi
+ 2012-03-23 08:57 . 2012-03-23 08:57 203776 c:\windows\Installer\4ae95b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\Charlie\Start Menu\Programs\Startup\
AutoLogin.exe [2010-10-6 106496]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-07 14:17 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"4979:UDP"= 4979:UDP:Windows Media Format SDK (ping.exe)
"4978:UDP"= 4978:UDP:Windows Media Format SDK (ping.exe)
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [15/03/2012 12:45 14776]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/05/2010 16:38 691696]
R1 MpKsl685d9d65;MpKsl685d9d65;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8024BE1A-FC0E-471B-B4E2-DC1791D5E040}\MpKsl685d9d65.sys [27/03/2012 07:49 29904]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/01/2011 19:04 12856]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [06/06/2008 14:03 435488]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 12:53 136176]
S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 17:22 98992]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 12:53 136176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [08/06/2011 13:04 374152]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL685D9D65
.
Contents of the 'Scheduled Tasks' folder
.
2010-03-22 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p officejet 6100 series272A572217594EBCF1CEE215E352B92AD073FDE4269262144.job
- c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
.
2012-03-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2012-03-24 c:\windows\Tasks\SyncBack FizzOffice2 Shared Files.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
.
2012-03-23 c:\windows\Tasks\SyncBack Kay's Files Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
.
2012-03-23 c:\windows\Tasks\SyncBack Kay's Outlook.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} - hxxp://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-27 08:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
.
[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-03-27 08:30:52
ComboFix-quarantined-files.txt 2012-03-27 07:30
ComboFix2.txt 2012-03-27 07:01
ComboFix3.txt 2012-03-21 07:49
.
Pre-Run: 26,015,399,936 bytes free
Post-Run: 26,018,045,952 bytes free
.
- - End Of File - - B3E25E17E81AEED8069ECB859052C070
 
I was going through my threads and it appears I somehow missed your reply. My apology.

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\19604ed6-7829dbd7
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================================
Please be sure you update Java as instructed. The new entry in Eset is in the Java cache and that is usually because there is outdated Java on the system.
=========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\22892082.sys
c:\windows\system32\SmartDefragBootTime.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
Clearjavacache::

DEL /A/F/O "%TASKS%\AT*.job"::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
Since you have OTL on the desktop, please do a new scan with it and leave the log. I see many entries in the original scan you ran that I want to make sure are gone. The entries do not show in Combofix.
 
Followed instructions, running OldTimer, then ComboFix, and then a final OldTimer scan, and have copied the logs below:


All processes killed
========== FILES ==========
File/Folder C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\19604ed6-7829dbd7 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 20365 bytes

User: All Users
->Temp folder emptied: 0 bytes

User: Charlie
->Temp folder emptied: 245597362 bytes
->Temporary Internet Files folder emptied: 16223954 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 96905627 bytes
->Flash cache emptied: 3131283 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Matthew
->Temp folder emptied: 72470680 bytes
->Temporary Internet Files folder emptied: 2404370030 bytes
->Java cache emptied: 1020991 bytes
->Flash cache emptied: 7145 bytes

User: NetworkService
->Temp folder emptied: 30932 bytes
->Temporary Internet Files folder emptied: 8044678 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 6421 bytes

User: QBDataServiceUser19
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: QBDataServiceUser22
->Temp folder emptied: 774656 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 108577 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 96552187 bytes

Total Files Cleaned = 2,809.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 04032012_175225

Files moved on Reboot...

Registry entries deleted on Reboot...



ComboFix 12-04-03.02 - Charlie 03/04/2012 18:17:33.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1500 [GMT 1:00]
Running from: c:\documents and settings\Charlie\Desktop\Utilities\AntiVirus\ComboFix.exe
Command switches used :: c:\documents and settings\Charlie\Desktop\Utilities\AntiVirus\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\22892082.sys"
"c:\windows\system32\SmartDefragBootTime.exe"
.
.
((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
.
.
2012-04-03 17:11 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{929516C1-D55B-4FCE-866B-D04473847F1C}\mpengine.dll
2012-04-03 16:52 . 2012-04-03 16:52 -------- d-----w- C:\_OTM
2012-03-29 14:43 . 2012-03-29 14:43 -------- d-----w- c:\windows\system32\NtmsData
2012-03-29 10:01 . 2012-03-29 10:02 -------- d-----w- c:\documents and settings\Charlie\Local Settings\Application Data\ABBYY
2012-03-29 09:57 . 2012-03-29 10:02 -------- d-----w- c:\program files\ABBYY FineReader 9.0 Express Edition
2012-03-29 09:57 . 2012-03-29 09:57 -------- d-----w- c:\program files\Common Files\ABBYY
2012-03-29 09:57 . 2012-03-29 09:57 -------- d-----w- c:\documents and settings\All Users\Application Data\ABBYY
2012-03-29 09:54 . 2012-03-29 09:55 -------- d-----w- c:\program files\ABBYY
2012-03-23 08:57 . 2012-03-23 08:57 -------- d-----w- c:\program files\Common Files\Java
2012-03-23 06:20 . 2012-03-23 06:19 883616 ----a-w- C:\FixExec.scr
2012-03-21 08:48 . 2012-03-23 09:07 -------- d-----w- C:\HijackThis
2012-03-21 08:45 . 2012-03-21 08:45 -------- d-----w- c:\program files\ESET
2012-03-20 15:00 . 2012-03-20 15:00 -------- d-----w- C:\My Documents
2012-03-19 21:45 . 2002-12-29 01:14 81920 ----a-w- c:\windows\system32\Startup.cpl
2012-03-19 09:18 . 2012-03-19 09:18 -------- d-----w- c:\documents and settings\Charlie\Application Data\Malwarebytes
2012-03-18 22:14 . 2012-03-18 22:14 -------- d-----w- c:\documents and settings\Matthew\Application Data\Malwarebytes
2012-03-18 20:49 . 2012-03-18 20:49 -------- d-----w- c:\documents and settings\Matthew\Local Settings\Application Data\Intuit
2012-03-16 16:22 . 2012-03-16 16:22 98992 ----a-w- c:\windows\system32\drivers\22892082.sys
2012-03-15 14:43 . 2010-10-05 13:56 14048 ------w- c:\windows\system32\spmsg2.dll
2012-03-15 14:40 . 2012-03-15 15:01 -------- d-----w- c:\documents and settings\QBDataServiceUser22
2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\program files\Common Files\Nuance
2012-03-15 14:33 . 2012-03-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2012-03-15 14:32 . 2012-03-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2012-03-15 14:06 . 2012-03-15 14:06 -------- d-----w- c:\windows\Intuit
2012-03-15 12:04 . 2012-03-15 12:48 -------- d-----w- c:\program files\Dynamic Ventures
2012-03-15 12:03 . 2012-03-15 12:03 -------- d-----w- c:\documents and settings\Charlie\Local Settings\Application Data\Downloaded Installations
2012-03-15 11:45 . 2011-12-16 17:21 29016 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2012-03-15 11:45 . 2010-11-26 18:02 14776 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-23 07:46 . 2010-12-15 17:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-23 07:46 . 2010-12-15 17:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-23 07:38 . 2011-08-18 09:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-16 15:54 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-14 02:15 . 2010-07-10 02:30 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-27 18:44 . 2012-02-27 18:44 1721752 ----a-w- c:\windows\system32\InetClnt.dll
2012-02-27 18:31 . 2012-02-27 18:31 1694992 ----a-w- c:\windows\system32\VBA6.DLL
2012-02-27 18:31 . 2012-02-27 18:31 741008 ----a-w- c:\windows\system32\SPR32D30.DLL
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-07-08 17:12 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06 . 2012-02-15 21:46 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-07-11 11:43 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-21_07.44.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-03 17:00 . 2012-04-03 17:00 16384 c:\windows\Temp\Perflib_Perfdata_7a4.dat
+ 2004-08-04 10:00 . 2012-03-26 15:05 96342 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2012-03-16 03:06 96342 c:\windows\system32\perfc009.dat
+ 2012-03-28 21:17 . 2012-03-28 21:17 22016 c:\windows\Installer\8163bd2.msi
+ 2012-03-29 10:01 . 2012-03-29 10:01 25214 c:\windows\Installer\{F9000000-0013-0000-0000-074957833700}\ICON_Sprint.exe
+ 2012-03-29 10:01 . 2012-03-29 10:01 25214 c:\windows\Installer\{F9000000-0013-0000-0000-074957833700}\ICON_Bonus.ScreenshotReader.exe
+ 2012-03-29 10:01 . 2012-03-29 10:01 25214 c:\windows\Installer\{F9000000-0013-0000-0000-074957833700}\ARPPRODUCTICON.exe
+ 2004-08-04 10:00 . 2012-03-26 15:05 526486 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2012-03-16 03:06 526486 c:\windows\system32\perfh009.dat
+ 2012-03-23 07:38 . 2012-03-23 07:38 250528 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
+ 2012-03-23 07:38 . 2012-03-23 07:38 335520 c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.dll
- 2010-12-15 17:07 . 2010-12-15 17:06 157472 c:\windows\system32\javaws.exe
+ 2012-03-23 07:47 . 2012-03-23 07:46 157472 c:\windows\system32\javaws.exe
+ 2012-03-23 07:47 . 2012-03-23 07:46 149280 c:\windows\system32\javaw.exe
+ 2012-03-23 07:47 . 2012-03-23 07:46 149280 c:\windows\system32\java.exe
+ 2012-03-23 07:46 . 2012-03-23 07:46 902656 c:\windows\Installer\94f20.msi
+ 2012-03-23 08:57 . 2012-03-23 08:57 203776 c:\windows\Installer\4ae95b.msi
+ 2012-03-29 10:01 . 2012-03-29 10:01 3994624 c:\windows\Installer\4cf95.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\Charlie\Start Menu\Programs\Startup\
AutoLogin.exe [2010-10-6 106496]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-07 14:17 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"4979:UDP"= 4979:UDP:Windows Media Format SDK (ping.exe)
"4978:UDP"= 4978:UDP:Windows Media Format SDK (ping.exe)
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [15/03/2012 12:45 14776]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/05/2010 16:38 691696]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [13/04/2009 20:07 759072]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/01/2011 19:04 12856]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [06/06/2008 14:03 435488]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 12:53 136176]
S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 17:22 98992]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2011 12:53 136176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [08/06/2011 13:04 374152]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 11:53]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1644491937-725345543-1008Core.job
- c:\documents and settings\Charlie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-27 22:12]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1644491937-725345543-1008UA.job
- c:\documents and settings\Charlie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-27 22:12]
.
2012-04-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2012-03-31 c:\windows\Tasks\SyncBack FizzOffice2 Shared Files.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
.
2012-03-30 c:\windows\Tasks\SyncBack Kay's Files Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
.
2012-03-30 c:\windows\Tasks\SyncBack Kay's Outlook.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-22 15:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} - hxxp://download.cre8tiv.com/cre8tiv3dix/cre8tiv3dix.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-03 18:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,64,72,65,97,01,04,46,95,b5,2a,\
.
[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3924)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2012-04-03 18:26:36
ComboFix-quarantined-files.txt 2012-04-03 17:26
ComboFix2.txt 2012-03-27 07:30
ComboFix3.txt 2012-03-27 07:01
ComboFix4.txt 2012-03-21 07:49
.
Pre-Run: 26,875,838,464 bytes free
Post-Run: 26,848,169,984 bytes free
.
- - End Of File - - 6826D2CF0A7A4039B5B7FFA27C701096



All processes killed
========== FILES ==========
File/Folder C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\19604ed6-7829dbd7 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users
->Temp folder emptied: 0 bytes

User: Charlie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 46190908 bytes
->Flash cache emptied: 730 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: Matthew
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: QBDataServiceUser19
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: QBDataServiceUser22
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 44.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 04032012_183100

Files moved on Reboot...

Registry entries deleted on Reboot...
 
Okay, I removed a file and it came back, so you will need to submit it for identification:

Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following: ( you only need one)
VirusTotal
Jotti

  • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

    Code:
    c:\windows\system32\drivers\22892082.sys
    [2]. At the upload site, click once inside the window next to Browse.
    [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    [6]. Paste the contents of the Clipboard in your next reply.
====================================
Oh my word! From OTM>>Total Files Cleaned = 2,809.00 - that is a lot of files!
====================================
I think you misunderstood. I didn't want you to run OTM again, after the above. You started the thread with OTL>> that's what I'd like you to repeat.
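As an added example (not code from this thread, nor from ComboFix or OTM), a small Python parser that reads the R0/R2/S3/S4 service entries from the ComboFix log above and flags the ones a reviewer would look at first: entries whose service or file name is only digits, entries ComboFix marked "[?]" (image not found on disk), and drivers created on or after a cutoff date. The heuristics and the cutoff date are this example's own assumptions, not rules stated in the thread.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Service lines copied from the ComboFix log posted above (constructed sample input).
SAMPLE_SERVICES = r"""
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [15/03/2012 12:45 14776]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/05/2010 16:38 691696]
S3 21103785;21103785;c:\windows\system32\drivers\22892082.sys [16/03/2012 17:22 98992]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [08/06/2011 13:04 374152]
"""

# "<state> <name>;<display name>;<image path> [dd/mm/yyyy hh:mm size]"  or
# "<state> <name>;<display name>;<image path> --> <image path> [?]"  when the file was not found.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STAMP_RE = re.compile(r"^(?P<image>.+?) \[(?P<d>\d{2})/(?P<m>\d{2})/(?P<y>\d{4}) \d{2}:\d{2} (?P<size>\d+)\]$")


@dataclass
class Service:
    state: str
    name: str
    display: str
    image: str
    present: bool                      # False when ComboFix printed "[?]"
    created: Optional[date] = None     # file timestamp ComboFix recorded
    size: Optional[int] = None


def parse_services(text: str) -> List[Service]:
    """Parse ComboFix service lines; lines that do not match are ignored."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        if rest.endswith("[?]"):
            image = rest.split(" --> ")[0].strip()
            services.append(Service(m["state"], m["name"], m["display"], image, False))
            continue
        s = STAMP_RE.match(rest)
        if not s:
            continue
        created = date(int(s["y"]), int(s["m"]), int(s["d"]))
        services.append(Service(m["state"], m["name"], m["display"],
                                s["image"], True, created, int(s["size"])))
    return services


def triage(text: str, since: date) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for entries worth a second look.

    Heuristics are this example's own; 'since' is the assumed start of the incident.
    """
    findings: Dict[str, List[str]] = {}
    for svc in parse_services(text):
        reasons = []
        # basename without service arguments (e.g. "-service") and without extension
        stem = svc.image.split("\\")[-1].split(" ")[0].rsplit(".", 1)[0]
        if svc.name.isdigit():
            reasons.append("service name is only digits")
        if stem.isdigit():
            reasons.append("image file name is only digits")
        if not svc.present:
            reasons.append("image not found on disk ([?])")
        if svc.present and svc.created >= since and svc.image.lower().endswith(".sys"):
            reasons.append(f"driver created on {svc.created} (within incident window)")
        if reasons:
            findings[svc.name] = reasons
    return findings


if __name__ == "__main__":
    # Cutoff taken from the date the user first reported the infection (assumption).
    for name, why in triage(SAMPLE_SERVICES, since=date(2012, 3, 16)).items():
        print(name, "->", "; ".join(why))
```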
 