3rd November 2009
#1
Member
Profile:
Join Date: Nov 2009
Posts: 14
Computer Experience: inter
[Resolved] Rogue.installer, Adware.popcap
DDS (Ver_09-10-26.01) - NTFSx86
Run by Bonnie at 23:13:52.36 on Mon 11/02/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1966 [GMT -5:00]
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k yksvcs
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\LAlarm\LAlarmService.exe
C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
C:\Windows\system32\rpcnet.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\LAlarm\LAlarmSub.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Mediafour\XPlay 3\XPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\AOL\1243376702\ee\aolsoftware.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrospect.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Users\Bonnie\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ask.com?o=13739&l=dir
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Mediafour XPlay Explorer notifications: {4907c0ad-874d-44d9-b13e-7b0a4d8b9d3e} - c:\program files\mediafour\xplay 3\XPBHO.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SansaDispatch] c:\users\bonnie\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiafa.exe /fu "c:\windows\temp\E_S561F.tmp" /EF "HKCU"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LAlarmSubProgram] c:\program files\lalarm\LAlarmSub.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [TheLaptopLock] c:\program files\the laptoplock\LaptopLock.exe /startup
mRun: [{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}] "c:\program files\mediafour\xplay 3\XPlay.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.5\RetroExpress.exe /h
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HostManager] c:\program files\common files\aol\1243376702\ee\AOLSoftware.exe
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking10\Ereg.ini
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
Trusted Zone: netlibrary.com\www
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd
================= FIREFOX ===================
FF - ProfilePath - c:\users\bonnie\appdata\roaming\mozilla\firefox\profiles\tv9nvaeb.default\
FF - prefs.js : browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js : browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js : keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\bonnie\appdata\roaming\mozilla\firefox\profiles\tv9nvaeb.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\users\bonnie\appdata\roaming\mozilla\firefox\profiles\tv9nvaeb.default\extensions\oberongamehost@oberongames.com\platform\winnt_x86-msvc\plugins\npOberonGameHost.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js : network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2009-4-30 284416]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-2 28552]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2009-8-25 136744]
R2 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [2009-6-25 100728]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-3-23 7424]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
=============== Created Last 30 ================
2009-11-02 22:32:32 397623805 ----a-w- c:\windows\MEMORY.DMP
2009-11-02 20:11:38 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-02 20:07:08 0 d-----w- c:\program files\Panda Security
2009-11-02 17:27:57 0 d-----w- c:\users\bonnie\appdata\roaming\Malwarebytes
2009-11-02 17:27:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 17:27:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 17:27:51 0 d-----w- c:\programdata\Malwarebytes
2009-11-02 17:27:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 17:36:41 0 d-----w- c:\program files\Marvell
2009-10-30 10:33:11 10249 ----a-w- c:\windows\system32\Config.MPF
2009-10-30 10:31:34 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-30 10:31:34 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-30 10:31:34 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-30 10:31:33 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-30 10:31:14 0 d-----w- c:\program files\common files\McAfee
2009-10-30 10:31:14 0 d-----w- C:\mcafee_mcpr
2009-10-30 10:31:13 0 d-----w- c:\program files\McAfee.com
2009-10-30 10:31:11 0 d-----w- c:\program files\McAfee
2009-10-30 10:22:05 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-29 13:02:14 0 d-sh--w- C:\found.001
2009-10-28 21:13:23 0 d-sh--w- C:\found.000
2009-10-27 14:59:08 0 d-----w- C:\b85bf47ce69ba1949e
2009-10-18 09:52:39 3601 ----a-w- c:\users\bonnie\Husband9781415947753.odm
2009-10-16 10:22:10 332883009 ----a-w- c:\users\bonnie\The_Prince_of_Tides_Uabr.wma
2009-10-16 09:51:33 0 d-----w- c:\program files\Microsoft
2009-10-16 09:51:17 0 d-----w- c:\program files\Windows Live SkyDrive
2009-10-16 09:50:59 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-16 09:50:48 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-16 09:10:15 465778 ----a-w- c:\users\bonnie\gp.xpi
2009-10-16 08:42:02 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 08:41:59 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 08:41:58 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 08:41:17 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 08:41:16 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 08:41:14 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 13:03:02 3550592 ----a-w- c:\users\bonnie\procexp.exe
2009-10-12 16:51:48 0 d-----w- c:\program files\LAlarm
2009-10-12 16:51:11 945323 ----a-w- c:\users\bonnie\LAlarm34.exe
2009-10-12 16:39:20 0 ----a-w- c:\windows\system32\null
2009-10-11 15:21:50 0 d-----w- c:\windows\New Folder
2009-10-11 11:50:45 0 d-----w- c:\program files\Retrospect
2009-10-11 11:27:26 0 d-----w- c:\windows\pss
2009-10-09 16:18:35 0 d-----w- c:\program files\MozyHome
2009-10-09 16:18:22 0 d-----w- c:\programdata\RetroExp
2009-10-09 13:32:03 0 d-----w- c:\programdata\WindowsSearch
2009-10-07 22:45:43 670477 ----a-w- C:\Drive_C.xml
2009-10-07 22:45:43 512 ----a-w- C:\Drive_C.dat
2009-10-07 22:23:55 0 d-----w- c:\program files\Runtime Software
2009-10-07 20:21:03 0 d-----w- c:\program files\common files\Software Update Utility
2009-10-07 20:20:29 0 d-----w- c:\programdata\AIM
2009-10-07 11:06:07 0 d-----w- c:\program files\Ask.com
2009-10-07 01:57:18 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-07 01:57:01 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-07 01:56:55 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-07 01:56:54 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-06 09:10:13 0 d-----w- c:\program files\JRE
2009-10-04 11:51:27 0 d-----w- c:\program files\Zone Labs
2009-10-04 11:50:42 293528 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2009-10-04 11:49:45 0 d-----w- c:\programdata\CheckPoint
2009-10-04 11:49:39 0 d-----w- c:\windows\Internet Logs
==================== Find3M ====================
2009-11-03 04:08:59 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-11-03 04:08:59 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-11-03 04:08:46 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-10-30 18:34:19 27934 ----a-w- c:\programdata\nvModes.dat
2009-10-30 17:59:06 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-30 17:59:06 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-30 17:59:02 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-01 14:29:14 195440 ----a-w- c:\windows\system32\MpSigStub.exe
2009-09-23 10:27:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 15:43:14 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-09-11 15:34:26 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-09 23:34:08 49152 ----a-w- c:\windows\system32\instw32.exe
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-03-26 23:55:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-25 00:21:33 76 --sh--r- c:\windows\CT4CET.bin
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 23:17:48.16 ===============
DDS (Ver_09-10-26.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 3/24/2009 12:47:10 AM
System Uptime: 11/3/2009 12:08:26 AM (-1 hours ago)
Motherboard: Dell Inc. | | 0D500F
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 2001/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 230 GiB total, 165.259 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP334: 10/15/2009 5:11:41 AM - Windows Update
RP335: 10/16/2009 4:48:09 AM - Windows Update
RP336: 10/16/2009 5:06:11 AM - Windows Update
RP337: 10/16/2009 5:22:57 AM - Windows Update
RP338: 10/16/2009 5:25:49 AM - Installed Adobe Reader 9.2.
RP339: 10/16/2009 5:42:17 AM - Windows Update
RP340: 10/17/2009 6:24:14 AM - Windows Update
RP341: 10/19/2009 7:34:04 AM - Windows Update
RP342: 10/20/2009 8:01:50 AM - Windows Update
RP343: 10/20/2009 10:46:48 AM - Windows Update
RP344: 10/21/2009 8:42:32 AM - Windows Update
RP345: 10/22/2009 10:28:10 AM - Windows Update
RP346: 10/23/2009 9:35:48 AM - Windows Update
RP347: 10/24/2009 10:09:55 AM - Windows Update
RP348: 10/25/2009 9:34:37 AM - Windows Update
RP349: 10/26/2009 10:32:35 AM - Windows Update
RP350: 10/27/2009 10:58:36 AM - Windows Update
RP351: 10/28/2009 6:03:54 PM - Windows Update
RP354: 10/29/2009 12:12:30 PM - Windows Update
RP355: 10/30/2009 1:30:02 PM - Removed Marvell Miniport Driver
RP356: 10/30/2009 1:37:03 PM - Device Driver Package Install: Marvell Network adapters
RP357: 10/30/2009 1:52:04 PM - Device Driver Package Install: Intel System devices
RP358: 10/30/2009 1:58:54 PM - Device Driver Package Install: Intel System devices
==== Installed Programs ======================
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Advanced Audio FX Engine
Advanced Video FX Engine
AOL Uninstaller (Choose which Products to Remove)
Apple Application Support
Apple Software Update
ArcSoft MediaConverter 2.5
Ask Toolbar
CCleaner (remove only)
CDDRV_Installer
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Coupon Printer for Windows
Cypherix LE
Dell Driver Download Manager
Dell Resource CD
Dell Support Center (Support Software)
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card
Download Updater (AOL LLC)
Dragon NaturallySpeaking 10
Driver Detective
EPSON Printer Software
EPSON Scan
Family Tree Maker 2008
Fingerprint Reader Suite 5.6
Garmin Communicator Plugin
Garmin USB Drivers
Google Earth
Google Update Helper
Google Updater
GoToAssist 8.0.0.514
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Imikimi Plugin
Intel® Matrix Storage Manager
Java(TM) 6 Update 16
KhalInstallWrapper
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Logitech SetPoint
Malwarebytes' Anti-Malware
ManyCam 2.4 (remove only)
Marvell Miniport Driver
McAfee SecurityCenter
MedalFolders 2.0.0.500
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft IntelliPoint 6.3
Microsoft Primary Interoperability Assemblies 2005
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft WSE 3.0
Mozilla Firefox (3.5.4)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
OpenOffice.org 3.1
OverDrive Media Console
Panda ActiveScan 2.0
QuickBooks Product Listing Service
QuickBooks Simple Start Edition
Quicken 2007
QuickSet
QuickTime
RapidTyping
RegistryFix v8.0
Retrospect Express HD 2.5
Rhapsody
Rhapsody Player Engine
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.06
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
SA52xx Device Manager
Sansa Updater
Secunia PSI
SigmaTel Audio
SupportSoft Assisted Service
The LaptopLock 0.94
TouchChip USB Driver 2.16
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
Viewpoint Media Player
Visual C++ Runtime for Dragon NaturallySpeaking
Weather Watcher Live
WIDCOMM Bluetooth Software 6.0.1.3100
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
XPlay 3
==== End Of File ===========================
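A triage parser for the "Pseudo HJT Report" section of the DDS log above, added here as an example; it is not part of DDS, HijackThis or anything the analyst asked for. It assumes the u/m prefix means HKCU/HKLM and the hxxp:// defanging that DDS uses; the sample lines are copied from the log, and the watchlist (the Ask Toolbar CLSID and the Ask.com start page, both visible in the log) is constructed for this thread, not a vendor signature set.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a subset of the "Pseudo HJT Report" lines from the DDS log above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.ask.com?o=13739&l=dir
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
Trusted Zone: real.com\rhap-app-4-0
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
"""

# DDS prefixes user-hive (HKCU) entries with "u" and machine-hive (HKLM) entries with "m".
HIVE = {"u": "HKCU", "m": "HKLM"}

# Review watchlist constructed from this thread's own log (not a vendor signature set).
WATCH_CLSIDS = {
    "{d4027c7f-154a-4066-a1ad-4243d8127440}": "Ask Toolbar, loaded as both a BHO and a toolbar (TB)",
}
WATCH_START_HOSTS = {
    "www.ask.com": "IE start page points at Ask.com, set alongside the Ask Toolbar",
}

@dataclass
class Entry:
    kind: str    # StartPage, Run, BHO, TB, DPF or TrustedZone
    hive: str    # HKCU / HKLM for u*/m* lines, "" where DDS gives no hive
    name: str    # value name or display name, "" where the line has none
    clsid: str   # lowercase GUID, "" where the line has none
    target: str  # path, URL or literal value
    raw: str

LINE_RE = {
    "StartPage": re.compile(r"^([um])Start Page = (.*)$"),
    "Run": re.compile(r"^([um])Run: \[([^\]]*)\] (.*)$"),
    "BHO": re.compile(r"^BHO: (.*?): (\{[0-9a-f-]+\}) - (.*)$", re.I),
    "TB": re.compile(r"^TB: (.*?): (\{[0-9a-f-]+\}) - (.*)$", re.I),
    "DPF": re.compile(r"^DPF: (\{[0-9a-f-]+\}) - (.*)$", re.I),
    "TrustedZone": re.compile(r"^Trusted Zone: (.*)$"),
}

def refang(url: str) -> str:
    """DDS writes URLs as hxxp:// so they are not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)

def parse_line(line: str) -> Optional[Entry]:
    """Parse one report line; None for line types this parser does not handle."""
    for kind, rx in LINE_RE.items():
        m = rx.match(line)
        if not m:
            continue
        if kind == "StartPage":
            return Entry(kind, HIVE[m.group(1)], "Start Page", "", m.group(2), line)
        if kind == "Run":
            return Entry(kind, HIVE[m.group(1)], m.group(2), "", m.group(3), line)
        if kind in ("BHO", "TB"):
            return Entry(kind, "", m.group(1), m.group(2).lower(), m.group(3), line)
        if kind == "DPF":
            return Entry(kind, "", "", m.group(1).lower(), m.group(2), line)
        return Entry(kind, "", "", "", m.group(1), line)  # TrustedZone
    return None

def parse_report(report: str) -> List[Entry]:
    entries = [parse_line(line.strip()) for line in report.splitlines()]
    return [e for e in entries if e is not None]

def summarize(report: str) -> Dict[str, int]:
    """Count parsed entries per kind (how many Run keys, BHOs, DPF downloads, ...)."""
    return dict(Counter(e.kind for e in parse_report(report)))

def triage(report: str) -> List[Tuple[str, Entry]]:
    """Return (reason, entry) pairs for watchlisted CLSIDs and a watchlisted start page host."""
    findings = []
    for e in parse_report(report):
        if e.clsid and e.clsid in WATCH_CLSIDS:
            findings.append((WATCH_CLSIDS[e.clsid], e))
        if e.kind == "StartPage":
            host = (urlparse(refang(e.target)).hostname or "").lower()
            if host in WATCH_START_HOSTS:
                findings.append((WATCH_START_HOSTS[host], e))
    return findings

if __name__ == "__main__":
    print("entries by kind:", summarize(SAMPLE_REPORT))
    for reason, e in triage(SAMPLE_REPORT):
        print(f"[{e.hive or '-'}] {e.kind}: {reason}\n    {e.raw}")
```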
4th November 2009
#2
Malware Analyst
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 6,809
Computer Experience: intermediate
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe
***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***
STEP 1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html .)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart the computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.
* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on the Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
When the scan is completed, click the Save button and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
RESTART COMPUTER
STEP 4. Download HijackThis:
http://www.trendsecure.com/portal/en...kthis/download
by clicking on Download HijackThis Installer
Install, and run it.
Post HijackThis log.
NOTE. If you're using Vista, right-click on HijackThis, and click Run as Administrator.
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
4th November 2009
#3
Member
Profile:
Join Date: Nov 2009
Posts: 14
Computer Experience: inter
2 of 4 scans run
Below are results for the SuperAnti Virus scan and the Malwarebytes scan.
I was totally unsuccessful in getting the GMER file to run. I attempted to run it as stated, then renamed it several times, tried to run in safe mode, and tried with all start ups removed by way of msconfig. I also tried the GMER file through majorgeeks as above to no avail. The third link gave me a notice of 404 page not found. The results of the above attempts were abrupt shut downs with black screens, blue screen shut downs, and even notices that the renamed GMER file was corrupt. Please inform.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/03/2009 at 11:26 PM
Application Version : 4.29.1004
Core Rules Database Version : 4227
Trace Rules Database Version: 2127
Scan type : Complete Scan
Total Scan Time : 01:19:29
Memory items scanned : 323
Memory threats detected : 0
Registry items scanned : 7528
Registry threats detected : 0
File items scanned : 146703
File threats detected : 0
Malwarebytes' Anti-Malware 1.41
Database version: 3098
Windows 6.0.6002 Service Pack 2
11/4/2009 9:35:52 AM
mbam-log-2009-11-04 (09-35-52).txt
Scan type: Full Scan (C:\|)
Objects scanned: 239329
Time elapsed: 1 hour(s), 17 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
4th November 2009
#4
Malware Analyst
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 6,809
Computer Experience: intermediate
Skip GMER for now.
4th November 2009
#5
Member
Profile:
Join Date: Nov 2009
Posts: 14
Computer Experience: inter
Logfile of Trend Micro HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:37 PM, on 11/4/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\HUGHES~3\HDM.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Mediafour XPlay Explorer notifications - {4907C0AD-874D-44D9-B13E-7B0A4D8B9D3E} - C:\Program Files\Mediafour\XPlay 3\XPBHO.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: HDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\HughesNet Download Manager\iefdm2.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download all with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dllink.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: www.netlibrary.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Windows\
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9c5d01e9960f5) (gupdate1c9c5d01e9960f5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: LAlarm Service (LAlarmService) - LAlarm Systems - C:\Program Files\LAlarm\LAlarmService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: M4iPodWPDService - Mediafour Corporation - C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
--
End of file - 7829 bytes
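The log above is read section by section: R0/R1 lines for hijacked start and search pages, O1 for hosts-file redirects, O2/O3 for browser helper objects and toolbars, O15 for sites added to the Trusted Zone, O16 for downloaded ActiveX controls, O20 for Winlogon Notify DLLs, and O23 for services whose vendor string is missing. The triage pass below is an added example and is not HijackThis itself, nor the analyst's own procedure. The sample entries are excerpted from the log posted above; the rules and the small PUP watchlist (keyed on the Ask Toolbar CLSID that appears in the log) are assumptions that encode the usual reading of those sections, and the O4 check for autoruns in user-writable paths goes beyond what this particular log contains.

```python
"""Triage a HijackThis (HJT) log: flag the entries an analyst reads first."""
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O15 - Trusted Zone: www.netlibrary.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Windows\
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
"""

# Constructed watchlist (assumption): CLSIDs of bundled adware/PUP toolbars.
# The Ask entry is the one in the log above; real triage would load a maintained list.
PUP_CLSIDS = {
    "{D4027C7F-154A-4066-A1AD-4243D8127440}": "Ask Toolbar (bundled adware toolbar)",
}
IE_DEFAULT_HOSTS = ("go.microsoft.com",)  # IE's own fwlink start/search targets
TRUSTED_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows")  # not user-writable by default
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def _path_of(body):
    """Last ' - '-separated field of an entry, which HJT uses for the file path or URL."""
    return body.rsplit(" - ", 1)[-1].strip()


def parse_service(body):
    """Split an O23 body 'name (svc) - owner - path'. An empty owner collapses to
    '- -' once the forum squeezes whitespace, so widen it back before splitting."""
    text = body.removeprefix("Service: ").replace(" - - ", " -  - ")
    parts = text.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    return tuple(p.strip() for p in parts)


def triage_entry(code, body):
    """Return a reason string when the entry merits analyst attention, else None."""
    if code in ("R0", "R1"):
        url = body.partition(" = ")[2].strip()
        if url and not any(h in url for h in IE_DEFAULT_HOSTS):
            return f"start/search page redirected to {url}"
    elif code == "O1":
        fields = body.removeprefix("Hosts: ").split()
        if len(fields) >= 2 and fields[1].lower() != "localhost":
            return f"hosts file redirects {fields[1]} to {fields[0]}"
    elif code in ("O2", "O3"):
        m = CLSID_RE.search(body)
        if m and m.group(0).upper() in PUP_CLSIDS:
            return PUP_CLSIDS[m.group(0).upper()]
        if not _path_of(body).lower().startswith(TRUSTED_DIRS):
            return f"browser extension loaded from user-writable path {_path_of(body)}"
    elif code == "O4":
        target = body.partition("] ")[2].lower()
        if "appdata" in target or "\\temp\\" in target:
            return f"autorun from a user-writable location: {target}"
    elif code == "O15":
        return f"site added to IE Trusted Zone: {body.removeprefix('Trusted Zone: ')}"
    elif code == "O16":
        return f"ActiveX control downloaded from {_path_of(body)}"
    elif code == "O20":
        path = _path_of(body)
        if not path.lower().endswith(".dll"):
            return f"Winlogon Notify registration without a DLL ({path!r})"
    elif code == "O23":
        svc = parse_service(body)
        if svc and svc[1] in ("", "Unknown owner"):
            return f"service {svc[0]} has no vendor string; verify {svc[2]}"
    return None


def triage(log_text):
    """Walk every HJT entry line and collect the ones worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, the process list, "End of file" and blank lines
        code, body = m.groups()
        reason = triage_entry(code, body)
        if reason:
            findings.append({"code": code, "reason": reason, "entry": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:>4}  {f['reason']}")
```

On the excerpt this yields eight findings: the Ask start page, the Ask BHO and toolbar, the Trusted Zone entry, the getPlus ActiveX download, the GoToAssist Winlogon Notify entry that points at a directory rather than a DLL, and the two services with no vendor string (one of which, the Dell WLAN tray service, is almost certainly benign; the rule is a prompt to verify the binary, not a verdict). Everything signed by a known vendor or loaded from Program Files stays quiet.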
4th November 2009
#6
Malware Analyst
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 6,809
Computer Experience: intermediate
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop** Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE: If Combofix asks you to install Recovery Console, please allow it. Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
4th November 2009
#7
Member
Profile:
Join Date: Nov 2009
Posts: 14
Computer Experience: inter
Requested reports 1
Requested reports will be in multiple postings due to length.
I disabled McAfee Security Suite (all sections), so I am confused as to why the report says that resident AV is active. I received a message that the computer was not protected, and I had to reopen everything on McAfee when I restarted. McAfee, however, jumped up and quarantined a file during the process.
I received an error message multiple times during the process that stated a file was corrupt and I needed to run the disk utility.
ComboFix 09-11-04.02 - Bonnie 11/04/2009 14:11.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1663 [GMT -5:00]
Running from: c:\users\Public\Pictures\Sample Pictures\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
C:\install.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\system32\oem17.inf
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.
2009-11-04 17:54 . 2009-11-04 17:54 -------- d-----w- c:\program files\Trend Micro
2009-11-04 02:50 . 2009-11-04 02:50 117760 ----a-w- c:\users\Bonnie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-04 02:47 . 2009-11-04 02:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-04 02:46 . 2009-11-04 02:46 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-11-04 02:46 . 2009-11-04 02:46 -------- d-----w- c:\users\Bonnie\AppData\Roaming\SUPERAntiSpyware.com
2009-11-04 02:44 . 2009-11-04 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-03 23:50 . 2009-11-04 19:19 4096 d-----w- c:\users\Bonnie\AppData\Roaming\HughesNet Download Manager
2009-11-03 23:49 . 2009-11-03 23:49 8192 d-----w- c:\program files\HughesNet Download Manager
2009-11-03 23:38 . 2009-11-04 00:27 -------- d-----w- c:\users\Bonnie\AppData\Roaming\Motive
2009-11-03 23:35 . 2009-11-03 23:33 38208 ----a-w- c:\users\Bonnie\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-11-03 23:35 . 2009-11-03 23:33 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-11-03 23:35 . 2009-11-03 23:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-03 23:35 . 2009-11-03 23:35 -------- d-----w- c:\program files\HughesNetStatusMeter
2009-11-03 23:30 . 2009-11-03 23:30 -------- d-----w- c:\program files\HughesNetTools
2009-11-03 23:30 . 2007-12-10 15:12 85 ----a-w- c:\windows\system32\h53unin.bat
2009-11-03 23:30 . 2007-12-04 19:17 528384 ----a-w- c:\windows\system32\McciExecute.exe
2009-11-03 23:30 . 2009-11-04 14:55 -------- d-----w- c:\programdata\Motive
2009-11-03 23:30 . 2009-11-03 23:30 8192 d-----w- c:\program files\Common Files\Motive
2009-11-02 20:11 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-02 20:07 . 2009-11-02 20:07 -------- d-----w- c:\program files\Panda Security
2009-11-02 17:27 . 2009-11-02 17:27 -------- d-----w- c:\users\Bonnie\AppData\Roaming\Malwarebytes
2009-11-02 17:27 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 17:27 . 2009-11-02 17:27 -------- d-----w- c:\programdata\Malwarebytes
2009-11-02 17:27 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 17:27 . 2009-11-02 19:08 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 17:49 . 2009-10-30 17:49 2517528 ----a-w- c:\programdata\PC Drivers HeadQuarters\Driver Detective\Downloads\INF_allOS_9.0.0.1011_PV.exe
2009-10-30 17:36 . 2009-10-30 17:36 -------- d-----w- c:\program files\Marvell
2009-10-30 10:31 . 2009-09-16 14:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-30 10:31 . 2009-09-16 14:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-30 10:31 . 2009-09-16 14:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-30 10:31 . 2009-07-16 16:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-30 10:31 . 2009-10-30 10:31 4096 d-----w- c:\program files\Common Files\McAfee
2009-10-30 10:31 . 2009-10-30 10:31 -------- d-----w- C:\mcafee_mcpr
2009-10-30 10:31 . 2009-10-30 10:31 -------- d-----w- c:\program files\McAfee.com
2009-10-30 10:31 . 2009-10-31 11:53 4096 d-----w- c:\program files\McAfee
2009-10-30 10:22 . 2009-09-16 14:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-29 13:02 . 2009-10-31 14:57 4096 d-----w- C:\found.001
2009-10-28 21:13 . 2009-10-28 23:01 -------- d-----w- C:\found.000
2009-10-27 14:59 . 2009-10-27 14:59 4096 d-----w- C:\b85bf47ce69ba1949e
2009-10-16 09:51 . 2009-10-16 09:51 -------- d-----w- c:\program files\Microsoft
2009-10-16 09:51 . 2009-10-16 09:51 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-16 09:51 . 2009-10-16 09:51 4096 d-----w- c:\program files\Windows Live
2009-10-16 09:50 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-16 09:50 . 2009-10-16 09:50 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-16 09:26 . 2009-10-16 09:27 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-16 08:42 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 08:41 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 08:41 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 08:41 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 08:41 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 08:41 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 13:03 . 2009-10-14 13:03 3550592 ----a-w- c:\users\Bonnie\procexp.exe
2009-10-12 16:51 . 2009-10-12 16:51 8192 d-----w- c:\program files\LAlarm
2009-10-12 16:51 . 2009-10-12 16:51 945323 ----a-w- c:\users\Bonnie\LAlarm34.exe
2009-10-11 15:21 . 2009-10-11 15:21 -------- d-----w- c:\windows\New Folder
2009-10-11 11:50 . 2009-10-11 11:50 -------- d-----w- c:\program files\Retrospect
2009-10-09 16:18 . 2009-10-11 00:44 4096 d-----w- c:\program files\MozyHome
2009-10-09 16:18 . 2009-11-04 16:27 4096 d-----w- c:\programdata\RetroExp
2009-10-09 13:32 . 2009-10-09 13:32 -------- d-----w- c:\programdata\WindowsSearch
2009-10-07 22:45 . 2009-10-07 22:45 512 ----a-w- C:\Drive_C.dat
2009-10-07 22:23 . 2009-10-09 16:07 -------- d-----w- c:\program files\Runtime Software
2009-10-07 21:18 . 2009-10-07 21:18 4096 d-----w- c:\users\Bonnie\AppData\Local\MigWiz
2009-10-07 20:21 . 2009-10-07 20:21 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-10-07 20:20 . 2009-10-07 20:21 -------- d-----w- c:\users\Bonnie\AppData\Roaming\acccore
2009-10-07 20:20 . 2009-10-07 20:20 -------- d-----w- c:\users\Bonnie\AppData\Local\AIM
2009-10-07 20:20 . 2009-10-07 20:20 -------- d-----w- c:\programdata\AIM
2009-10-07 11:06 . 2009-10-07 11:09 4096 d-----w- c:\program files\Ask.com
2009-10-07 01:57 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-07 01:57 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-07 01:57 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-07 01:57 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-07 01:57 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-07 01:57 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-07 01:57 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-07 01:56 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-07 01:56 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-06 09:10 . 2009-10-06 09:10 -------- d-----w- c:\program files\JRE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 16:28 . 2009-03-24 04:40 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-11-04 16:28 . 2009-03-25 12:11 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-11-04 16:27 . 2009-03-24 04:44 12 ----a-w- c:\windows\bthservsdp.dat
2009-11-04 04:31 . 2009-03-24 04:42 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-11-03 19:26 . 2009-04-25 17:58 4096 d-----w- c:\programdata\Google Updater
2009-11-02 14:33 . 2009-03-25 22:04 3507 ----a-w- c:\programdata\Intuit\QuickBooks 2007\qbbackup.sys
2009-10-31 13:47 . 2009-04-09 13:01 1 ----a-w- c:\users\Bonnie\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-30 18:34 . 2009-03-25 01:41 27934 ----a-w- c:\programdata\nvModes.dat
2009-10-30 18:12 . 2009-05-31 13:57 2096392 ----a-w- c:\programdata\PC Drivers HeadQuarters\Driver Detective\Downloads\R166187.exe
2009-10-30 10:33 . 2009-03-24 13:08 4096 d-----w- c:\programdata\McAfee
2009-10-29 17:24 . 2009-05-31 12:22 46149072 ----a-w- c:\programdata\PC Drivers HeadQuarters\Driver Detective\Downloads\R140135.exe
2009-10-29 14:15 . 2009-09-25 12:17 4096 d-----w- c:\program files\MedalFolders
2009-10-16 09:17 . 2009-03-25 10:21 4096 d-----w- c:\programdata\NOS
2009-10-16 08:54 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-09 13:35 . 2009-03-26 19:13 4096 d-----w- c:\program files\RegistryFix7
2009-10-08 19:20 . 2009-03-25 17:38 4096 d-----w- c:\program files\Common Files\AOL
2009-10-07 20:20 . 2009-03-25 17:38 -------- d-----w- c:\programdata\AOL
2009-10-06 15:48 . 2009-03-24 04:58 59544 ----a-w- c:\users\Bonnie\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-06 09:10 . 2009-04-09 12:59 4096 d-----w- c:\program files\OpenOffice.org 3
2009-10-04 11:54 . 2009-07-27 14:02 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-04 11:51 . 2009-10-04 11:51 -------- d-----w- c:\program files\Zone Labs
2009-10-04 11:49 . 2009-10-04 11:49 -------- d-----w- c:\programdata\CheckPoint
2009-10-04 10:39 . 2009-07-27 14:02 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-02 21:04 . 2009-04-11 22:31 816392 ----a-w- c:\programdata\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2009-10-01 14:29 . 2009-10-02 16:02 195440 ----a-w- c:\windows\system32\MpSigStub.exe
2009-09-25 14:28 . 2009-03-25 22:28 -------- d-----w- c:\users\Bonnie\AppData\Roaming\U3
2009-09-23 10:27 . 2009-04-09 22:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-23 10:27 . 2009-09-23 10:27 -------- d-----w- c:\program files\Java
2009-09-22 15:05 . 2009-06-21 22:22 4096 d-----w- c:\program files\OverDrive Media Console
2009-09-22 14:33 . 2009-04-30 09:39 4096 d-----w- c:\program files\BookSmart
2009-09-22 11:29 . 2009-09-22 11:29 4096 d-----w- c:\program files\QuickTime
2009-09-22 11:29 . 2009-09-22 11:29 -------- d-----w- c:\programdata\Apple Computer
2009-09-22 11:26 . 2009-09-22 11:26 -------- d-----w- c:\program files\Common Files\Apple
2009-09-22 11:26 . 2009-09-22 11:26 4096 d-----w- c:\program files\Apple Software Update
2009-09-22 11:26 . 2009-09-22 11:26 -------- d-----w- c:\programdata\Apple
2009-09-22 11:18 . 2009-09-22 11:18 -------- d-----w- c:\program files\NOS
2009-09-22 11:09 . 2009-09-22 11:09 -------- d-----w- c:\program files\Secunia
2009-09-16 14:22 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 16:06 . 2009-04-21 17:15 548792 ----a-w- c:\users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaUpdater.exe
2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-09-11 15:44 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-09-11 15:43 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-09-11 02:05 . 2009-09-11 02:02 1925024 ----a-w- c:\programdata\NOS\Adobe_Downloads\install_flash_player.exe
2009-09-09 23:34 . 2008-01-22 01:43 49152 ----a-w- c:\windows\system32\instw32.exe
2009-09-09 01:36 . 2009-04-23 00:05 4096 d-----w- c:\program files\Microsoft Silverlight
2009-09-03 15:53 . 2009-09-22 11:50 22848 ----a-w- c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-09-03 15:53 . 2009-09-22 11:50 30912 ----a-w- c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-09-03 15:53 . 2009-09-22 11:50 19792 ----a-w- c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-08-29 00:27 . 2009-09-02 20:43 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 20:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-16 09:22 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-16 09:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-16 09:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-16 09:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 16:27 . 2009-09-08 20:51 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-08 20:51 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-08 20:51 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-08 20:51 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-08 20:51 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-08 20:51 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-08 20:51 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-08 20:51 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-08 20:51 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-08 20:51 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-08 20:51 105984 ----a-w- c:\windows\system32\netiohlp.dll
2006-06-16 03:33 . 2009-03-25 00:21 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-26 01:43 . 2009-03-25 00:21 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 21:41 . 2009-03-25 00:21 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 20:10 . 2009-03-25 00:21 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 19:19 . 2009-03-25 00:21 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-11 01:35 . 2009-03-25 00:21 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 18:10 . 2009-03-25 00:21 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 18:42 . 2009-03-25 00:21 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 18:22 . 2009-03-25 00:21 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 18:21 . 2009-03-25 00:21 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2009-03-25 00:21 . 2009-03-25 00:21 76 --sh--r- c:\windows\CT4CET.bin
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 21:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 06:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 06:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 06:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Bonnie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HughesNetStatusMeter.lnk]
path=c:\users\Bonnie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HughesNetStatusMeter.lnk
backup=c:\windows\pss\HughesNetStatusMeter.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Bonnie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MedalFolders.lnk]
backup=c:\windows\pss\MedalFolders.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Bonnie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b5,9b,26,4a,f7,32,ca,01
R0 MDFSYSNT;MacDrive file system driver;c:\windows\System32\drivers\MDFSYSNT.SYS [4/30/2009 4:18 PM 284416]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/2/2009 3:11 PM 28552]
R1 CbFs;CbFs;c:\windows\System32\drivers\cbfs.sys [8/25/2009 5:29 AM 136744]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 cyphxdrv;cyphxdrv;c:\windows\System32\drivers\cyphxdrv.sys [6/25/2009 1:39 PM 100728]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\System32\drivers\ManyCam.sys [1/14/2008 5:06 AM 21632]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [10/10/2007 4:03 PM 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [3/23/2009 10:16 PM 7424]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S3 PSI;PSI;c:\windows\System32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
S3 VtcDrv;VTC Driver V4.00;c:\windows\System32\drivers\vtcdrv_x86.sys [5/13/2009 10:12 AM 18944]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - kwryrkow
*Deregistered* - mbr
*Deregistered* - PROCEXP113
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
yksvcs REG_MULTI_SZ yksvc
.
Contents of the 'Scheduled Tasks' folder
2009-11-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 17:58]
2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 18:02]
2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 18:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=13739&l=dir
IE: Download all with HughesNet Download Manager - file://c:\program files\HughesNet Download Manager\dlall.htm
IE: Download selected with HughesNet Download Manager - file://c:\program files\HughesNet Download Manager\dlselected.htm
IE: Download video with HughesNet Download Manager - file://c:\program files\HughesNet Download Manager\dlfvideo.htm
IE: Download with HughesNet Download Manager - file://c:\program files\HughesNet Download Manager\dllink.htm
Trusted Zone: netlibrary.com\www
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\
FF - prefs.js : browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js : browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US fficial
FF - prefs.js : keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\program files\HughesNet Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js : network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
ShellIconOverlayIdentifiers-MacDrive Volume Icons - (no file)
Notify-GoToAssist - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 14:21
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
4th November 2009
#8
Member
Requested reports 2
There are pages and pages of these temp files that seem to be duplicates. If you need all of them, please let me know and I will send them; otherwise, the final posting will be the HijackThis report.
scanning hidden files ...
4th November 2009
#9
Member
Requested reports 3 HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:08 PM, on 11/4/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wbem\unsecapp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\HUGHES~3\HDM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Mediafour XPlay Explorer notifications - {4907C0AD-874D-44D9-B13E-7B0A4D8B9D3E} - C:\Program Files\Mediafour\XPlay 3\XPBHO.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: HDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\HughesNet Download Manager\iefdm2.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O8 - Extra context menu item: Download all with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dllink.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O15 - Trusted Zone: www.netlibrary.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9c5d01e9960f5) (gupdate1c9c5d01e9960f5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: LAlarm Service (LAlarmService) - LAlarm Systems - C:\Program Files\LAlarm\LAlarmService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: M4iPodWPDService - Mediafour Corporation - C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
--
End of file - 7249 bytes
4th November 2009
#10
Malware Analyst
Join Date: Aug 2002
Location: Daly City, CA
Posts: 6,809
Computer Experience: intermediate
Verify your Java version here: http://www.java.com/en/download/installed.jsp
Update, if necessary.
Uninstall all previous Java versions, through Add\Remove.
===============================================================
Uninstall Ask.com through Programs & Features. It may be listed as Ask Toolbar.
=================================================================
Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.
==============================================================
Print this post out, since you won't have access to it at some point.
1. Open HijackThis.
2. Close all windows, except for HijackThis.
3. Put checkmarks next to the following HijackThis entries:
- O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
- O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):
- O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
5. Click on the Fix checked button.
6. Restart computer.
7. Post new HijackThis log.
4th November 2009
#11
Member
hijackthis report
Ask toolbar would not uninstall!
I kept getting "cannot find script file C:\users\Bonnie\Appdata\local\temp\Del_AskHPRFF.VBS"
and
error 1316 a network error occurred while attempting to read from C:\windows\installer\asktoolbar.msi
The O2 and O3 Ask Toolbar items to be checked in HijackThis were also not listed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:24 PM, on 11/4/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Mediafour\XPlay 3\XPlay.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\LAlarm\LAlarmSub.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HughesNetTools\1\McciTrayApp_SSR.exe
C:\Program Files\Common Files\AOL\1243376702\ee\aolsoftware.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HughesNet Download Manager\HDM.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Mediafour XPlay Explorer notifications - {4907C0AD-874D-44D9-B13E-7B0A4D8B9D3E} - C:\Program Files\Mediafour\XPlay 3\XPBHO.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: HDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\HughesNet Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}] "C:\Program Files\Mediafour\XPlay 3\XPlay.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TheLaptopLock] C:\Program Files\The LaptopLock\LaptopLock.exe /startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.5\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [LAlarmSubProgram] C:\Program Files\LAlarm\LAlarmSub.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HughesNetTools_McciTrayApp] C:\Program Files\HughesNetTools\1\McciTrayApp_SSR.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1243376702\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking10\Ereg.ini
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SansaDispatch] C:\Users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [HughesNet Download Manager] "C:\Program Files\HughesNet Download Manager\HDM.exe" -autorun
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\Windows\TEMP\E_S561F.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: HughesNetStatusMeter.lnk = C:\Program Files\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe
O8 - Extra context menu item: Download all with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dllink.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O15 - Trusted Zone: www.netlibrary.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9c5d01e9960f5) (gupdate1c9c5d01e9960f5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: LAlarm Service (LAlarmService) - LAlarm Systems - C:\Program Files\LAlarm\LAlarmService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: M4iPodWPDService - Mediafour Corporation - C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
--
End of file - 11759 bytes
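Added example, not part of this thread and not code from HijackThis or DDS: a small Python triage helper that parses the O4, O15, O16 and O23 line formats seen in the log above and marks the entries a helper would look at first (services with no vendor string or "Unknown owner", autostart commands that reference AppData or a Temp folder, Trusted Zone sites, ActiveX downloads). The line formats are inferred from the posted log, and the review rules are this example's own heuristics; legitimate software trips them too (the Epson and SanDisk entries here are examples), so a hit means "check the file's publisher", not "malware". The sample lines are copied from the log in this thread.

```python
"""Triage helper for HijackThis-style log lines (O4, O15, O16, O23).

Added example for this thread; not part of HijackThis, DDS or the forum.
Line formats are inferred from the posted log; the "needs review" rules are
this example's own defender-side heuristics, not a verdict on the machine.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# O23 - Service: <display name> (<short name>) - <company> - <path>
# HijackThis prints a missing company as "name - - path", so the company
# part is optional and the path is anchored on a drive letter instead.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?:(?P<company>.*?) )?- (?P<path>[A-Za-z]:\\.+)$"
)
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<command>.+)$"
)
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$"
)
# Autostart commands that live in or reference per-user / temp folders.
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section the line came from (O4, O15, ...)
    item: str      # value name, service short name, host or CLSID
    reason: str    # why a helper would look at it


def parse_service(line: str) -> Optional[dict]:
    """Split an O23 line into name/short/company/path; None if not an O23 line."""
    m = O23_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["company"] = (fields["company"] or "").strip()
    return fields


def triage(lines: List[str]) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if svc := parse_service(line):
            if svc["company"] in ("", "Unknown owner"):
                findings.append(Finding(
                    "O23", svc["short"] or svc["name"],
                    f"no vendor recorded for {svc['path']}; check the file's digital signature"))
            continue
        if m := O4_RE.match(line):
            if USER_WRITABLE.search(m["command"]):
                findings.append(Finding(
                    "O4", m["value"],
                    "autostart references a user-writable or temp folder: " + m["command"]))
            continue
        if m := O15_RE.match(line):
            findings.append(Finding(
                "O15", m["host"],
                "site in the IE Trusted Zone runs with relaxed settings; confirm it was added on purpose"))
            continue
        if m := O16_RE.match(line):
            findings.append(Finding(
                "O16", m["clsid"],
                f"ActiveX control downloaded from {m['url']}; confirm the publisher"))
    return findings


# Lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\Windows\TEMP\E_S561F.tmp" /EF "HKCU"
O15 - Trusted Zone: www.netlibrary.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}: {f.reason}")
```

Running it against the sample lines lists six entries: the two O4 commands that touch AppData or TEMP, the Trusted Zone host, the ActiveX CLSID, and the two services whose vendor field is empty or "Unknown owner". Everything else in the sample parses cleanly and is left alone.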
5th November 2009
#12
Malware Analyst
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 6,809
Computer Experience: intermediate
Very good
Your computer is clean
1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.
2. Turn off System Restore:
- Windows XP :
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista :
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side.
4. Click on Continue on the "User Account Control" window that pops up.
5. Under the System Protection tab, find Available Disks.
6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK.
3. Restart computer.
4. Turn System Restore on.
5. Make sure Windows Updates are current.
6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!
7. Download and install WOT (Web Of Trust): http://www.mywot.com/ . It'll warn you (in most cases) about dangerous web sites.
8. Run defrag at your convenience.
9. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html
10. Please let me know how your computer is doing.
5th November 2009
#13
Member
Profile:
Join Date: Nov 2009
Posts: 14
Computer Experience: inter
Good and bad news
Good news:
Computer is starting up much faster and seems to be operating well.
MS updates are now installing.
Bad news:
Operations that still fail are the scandisk utility and defrag.
I tell scandisk to run on restart and it does not.
Defrag analyzes and tells me that I need to defrag, but when I click on "defrag now" it returns to "your file system can be improved by defragging" after only a second of attempting to defrag.
The temporary file cleaner program ran for hours and seemed to delete the files, because it stated the number that were deleted; however, there was an error notice on top of the notice to reboot: "C:\windows\temp is corrupt and unreadable. Run chkdsk utility."
Ask.com/dictionary.com is still listed in my programs and services list and will not delete. I get "error 1316: A network error occurred while attempting to read C:\windows\installer\ask toolbar.msi" and "cannot find script file c:\users\bonnie\appdata\local\temp\del_askHPRFF.VBS".
WMI provider host has stopped working and was closed error message is still appearing.
5th November 2009
#14
Malware Analyst
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 6,809
Computer Experience: intermediate
Quote:
Ask.com/dictionary.com is still listed in my program and services list and will not delete.
It's not running anymore, so it's most likely just registry leftover.
Download and run Add/Remove program cleaner (works with Vista): http://www.intelliadmin.com/blog/addremovecleaner.exe and remove the entry.
For all other non-malware related issues, you'll need to start a new topic in the Windows section.