
Solved Mebroot and torpig removal...

Discussion in 'Malware and Virus Removal Archive' started by Hill, 2010/03/03.

  1. 2010/03/03
    Hill (Thread Starter)

    [Resolved] Mebroot and torpig removal...

    Hi all,

    My ISP is sending me a security notice that my IP address is harboring a bot.

    My desktop computer specs are Win XP Home SP3. Automatic updates enabled.
    Trend Micro Security Suite 2010 updated and run daily. Updated.

    Laptop is Vista Home Premium. Updated and auto updates enabled.
    Trend Micro Security Suite 2010. Updated and run daily.

    Desktop I have scanned with TM, Spybot and Malwarebytes. TM did find Trojan.dropper and a few tracking cookies. All taken care of. Spybot found 3 cookies. Removed.

    Laptop I have only scanned with TM. Cookies found. Removed.

    We do have other devices that connect to our home network. But, I don't think they can harbor a bot? PlayStation 3 and an iPod touch.

    Here is the DDS log for the desktop. Kids going crazy, will post laptop DDS log when requested.
    Thanks

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Heath Hill at 18:53:02.25 on Wed 03/03/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1162 [GMT -7:00]

    AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
    C:\Documents and Settings\Heath Hill\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
    mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
    mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
    mRun: [SaiVolume] c:\program files\saitek\sd6\software\SaiVolume.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
    dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tisspwiz.lnk - c:\program files\trend micro\internet security\tisspwiz.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Authentication Packages = msv1_0 relog_ap

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\heathh~1\applic~1\mozilla\firefox\profiles\xwvkbvvu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/
    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-1-21 36368]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-15 24652]
    R3 SaiH0728;SaiH0728;c:\windows\system32\drivers\SaiH0728.sys [2009-2-14 136448]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-1-21 339984]
    R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-1-21 50704]
    R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-1-21 497008]
    R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-1-21 689416]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-10-6 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-10-6 8320]
    S3 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-10-5 91392]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-11-30 23936]

    =============== Created Last 30 ================

    2010-03-04 01:02:32 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-04 01:02:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-02-27 21:10:17 0 d-----w- c:\program files\Go Diego Go
    2010-02-18 01:50:00 75536 ------w- c:\windows\system32\PICCLP32.OCX
    2010-02-18 01:50:00 50896 ------w- c:\windows\system32\TEGODS.OCX
    2010-02-18 01:50:00 253 ----a-w- c:\windows\Creator.INI
    2010-02-18 01:49:55 92208 ------w- c:\windows\system32\WING.DLL
    2010-02-18 01:49:55 6736 ------w- c:\windows\system32\WINGDIB.DRV
    2010-02-18 01:49:55 5195 ------w- c:\windows\system32\DVA.386
    2010-02-18 01:49:55 5024 ------w- c:\windows\system32\WINGPAL.WND
    2010-02-18 01:49:55 36864 ------w- c:\windows\system32\SCLVideo.ax
    2010-02-18 01:49:55 28672 ------w- c:\windows\system32\SCLAudio.ax
    2010-02-18 01:49:55 188960 ------w- c:\windows\system32\WINGDE.DLL
    2010-02-18 01:49:53 0 d-----w- c:\program files\LEGO Media
    2010-02-10 16:37:13 0 d-----w- c:\windows\system32\AGEIA
    2010-02-10 16:36:58 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-02-10 16:35:18 0 d-----w- c:\windows\Logs
    2010-02-10 16:12:34 0 d-----w- c:\program files\Mass Effect 2
    2010-02-10 16:12:33 0 d-----w- c:\program files\common files\BioWare

    ==================== Find3M ====================

    2010-03-01 02:49:51 21664 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-01-21 16:08:32 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
    2010-01-21 16:08:32 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2010-01-21 16:08:32 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2010-01-21 16:08:32 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
    2010-01-21 16:08:32 339984 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
    2010-01-21 16:08:32 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
    2010-01-21 16:08:32 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-01-21 16:08:32 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
    2010-01-16 21:25:49 29783 ----a-w- c:\windows\War3Unin.dat
    2010-01-07 23:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 23:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-16 18:43:27 343040 ------w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08:23 33280 ------w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

    ============= FINISH: 18:53:31.50 ===============

    Attach log

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/4/2009 3:25:14 AM
    System Uptime: 3/3/2010 5:42:14 PM (1 hours ago)

    Motherboard: ASUSTeK Computer INC. | | M3A78-EM
    Processor: AMD Athlon(tm) 7750 Dual-Core Processor | AM2 | 2711/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 220 GiB total, 128.412 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 246 GiB total, 207.232 GiB free.
    H: is FIXED (NTFS) - 466 GiB total, 131.661 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP142: 12/2/2009 10:13:49 PM - System Checkpoint
    RP143: 12/4/2009 7:09:22 AM - System Checkpoint
    RP144: 12/5/2009 7:41:13 AM - System Checkpoint
    RP145: 12/6/2009 11:06:53 AM - System Checkpoint
    RP146: 12/7/2009 11:45:52 AM - System Checkpoint
    RP147: 12/8/2009 2:05:42 PM - System Checkpoint
    RP148: 12/9/2009 3:00:14 AM - Software Distribution Service 3.0
    RP149: 12/10/2009 7:07:41 AM - System Checkpoint
    RP150: 12/11/2009 7:20:44 AM - System Checkpoint
    RP151: 12/12/2009 10:57:52 AM - System Checkpoint
    RP152: 12/13/2009 11:37:02 AM - System Checkpoint
    RP153: 12/14/2009 8:13:15 PM - System Checkpoint
    RP154: 12/16/2009 6:19:16 AM - System Checkpoint
    RP155: 12/17/2009 7:09:20 AM - System Checkpoint
    RP156: 12/18/2009 9:33:55 AM - System Checkpoint
    RP157: 12/19/2009 9:50:36 AM - System Checkpoint
    RP158: 12/20/2009 11:15:10 AM - System Checkpoint
    RP159: 12/21/2009 11:40:44 AM - System Checkpoint
    RP160: 12/22/2009 11:59:06 AM - System Checkpoint
    RP161: 12/23/2009 12:28:36 PM - System Checkpoint
    RP162: 12/24/2009 1:25:04 PM - System Checkpoint
    RP163: 12/26/2009 4:50:03 PM - System Checkpoint
    RP164: 12/26/2009 5:13:17 PM - Installed DirectX
    RP165: 12/28/2009 7:12:12 AM - System Checkpoint
    RP166: 12/29/2009 7:52:20 AM - System Checkpoint
    RP167: 12/30/2009 12:27:44 PM - System Checkpoint
    RP168: 12/31/2009 12:55:36 PM - System Checkpoint
    RP169: 1/1/2010 1:04:45 PM - System Checkpoint
    RP170: 1/2/2010 3:15:25 PM - System Checkpoint
    RP171: 1/3/2010 9:19:06 PM - System Checkpoint
    RP172: 1/4/2010 10:33:26 PM - System Checkpoint
    RP173: 1/6/2010 6:12:29 PM - System Checkpoint
    RP174: 1/8/2010 5:54:07 AM - System Checkpoint
    RP175: 1/9/2010 8:18:27 AM - System Checkpoint
    RP176: 1/10/2010 12:30:06 PM - System Checkpoint
    RP177: 1/11/2010 8:03:08 PM - System Checkpoint
    RP178: 1/12/2010 6:08:25 PM - Software Distribution Service 3.0
    RP179: 1/13/2010 7:54:40 PM - System Checkpoint
    RP180: 1/15/2010 7:46:15 PM - System Checkpoint
    RP181: 1/15/2010 9:42:40 PM - Installed DSW Piano
    RP182: 1/17/2010 1:22:31 AM - System Checkpoint
    RP183: 1/18/2010 1:56:05 AM - System Checkpoint
    RP184: 1/19/2010 7:01:54 AM - System Checkpoint
    RP185: 1/20/2010 7:24:36 AM - System Checkpoint
    RP186: 1/21/2010 8:12:37 AM - System Checkpoint
    RP187: 1/21/2010 9:11:43 AM - Installed Trend Micro Internet Security
    RP188: 1/22/2010 8:04:14 AM - Software Distribution Service 3.0
    RP189: 1/23/2010 8:27:31 AM - System Checkpoint
    RP190: 1/24/2010 10:57:39 AM - System Checkpoint
    RP191: 1/25/2010 12:32:40 PM - System Checkpoint
    RP192: 1/26/2010 4:32:39 PM - System Checkpoint
    RP193: 1/27/2010 7:36:38 PM - System Checkpoint
    RP194: 1/28/2010 9:32:19 PM - System Checkpoint
    RP195: 1/29/2010 11:16:23 PM - System Checkpoint
    RP196: 1/30/2010 11:54:41 PM - System Checkpoint
    RP197: 2/1/2010 12:54:41 AM - System Checkpoint
    RP198: 2/2/2010 7:00:35 AM - System Checkpoint
    RP199: 2/3/2010 7:08:55 AM - System Checkpoint
    RP200: 2/4/2010 7:45:55 AM - System Checkpoint
    RP201: 2/5/2010 7:50:59 AM - System Checkpoint
    RP202: 2/6/2010 12:03:51 PM - System Checkpoint
    RP203: 2/7/2010 8:18:49 PM - System Checkpoint
    RP204: 2/9/2010 6:24:12 AM - System Checkpoint
    RP205: 2/9/2010 10:41:32 PM - Software Distribution Service 3.0
    RP206: 2/10/2010 9:35:28 AM - Installed DirectX
    RP207: 2/11/2010 10:34:07 AM - System Checkpoint
    RP208: 2/12/2010 6:21:30 PM - System Checkpoint
    RP209: 2/13/2010 6:48:28 PM - System Checkpoint
    RP210: 2/14/2010 7:14:34 PM - System Checkpoint
    RP211: 2/15/2010 7:31:30 PM - System Checkpoint
    RP212: 2/16/2010 7:37:19 PM - System Checkpoint
    RP213: 2/17/2010 9:37:00 PM - System Checkpoint
    RP214: 2/18/2010 10:30:20 PM - System Checkpoint
    RP215: 2/19/2010 10:42:30 PM - System Checkpoint
    RP216: 2/20/2010 11:12:37 PM - System Checkpoint
    RP217: 2/22/2010 6:32:02 PM - System Checkpoint
    RP218: 2/23/2010 5:25:35 PM - Installed MotoConnect
    RP219: 2/23/2010 5:59:19 PM - Software Distribution Service 3.0
    RP220: 2/24/2010 7:40:15 PM - System Checkpoint
    RP221: 2/26/2010 6:31:40 AM - System Checkpoint
    RP222: 2/27/2010 7:17:31 AM - System Checkpoint
    RP223: 2/27/2010 2:10:16 PM - Installed Go Diego Go.
    RP224: 2/28/2010 5:05:26 PM - System Checkpoint
    RP225: 3/1/2010 6:37:08 PM - System Checkpoint
    RP226: 3/2/2010 10:00:01 PM - System Checkpoint

    ==== Installed Programs ======================

    Acrobat.com
    Acronis True Image Home
    Adobe Acrobat 5.0
    Adobe AIR
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Creative Suite 2
    Adobe Flash Player 10 Plugin
    Adobe Help Center 1.0
    Adobe Illustrator CS2
    Adobe InDesign CS2
    Adobe Photoshop 7.0
    Adobe Photoshop CS2
    Adobe Reader 9.3.1
    Adobe Shockwave Player 11.5
    Adobe Stock Photos 1.0
    Adobe SVG Viewer 3.0
    Adobe Version Cue CS2
    AIM 6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI AVIVO Codecs
    ATI Catalyst Control Center
    ATI Catalyst Install Manager
    ATI Display Driver
    ATI HYDRAVISION
    ATI Parental Control & Encoder
    ATI Problem Report Wizard
    Audacity 1.2.6
    Battlefield 2142
    Bella Sara
    Bonjour
    Call of Duty(R) 4 - Modern Warfare(TM)
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Disney Princess Royal Horse Show
    Dora the Explorer: Animal Adventures
    Dora World Adventure
    DSW Piano
    DVD Decrypter (Remove Only)
    Fable - The Lost Chapters
    FEAR
    FEAR Extraction Point
    Free FLV to iPhone Converter
    FTP Explorer
    Garry's Mod
    Go Diego Go
    Google Earth
    Half-Life 2
    Half-Life 2: Episode One
    Half-Life 2: Episode Two
    Handbrake 0.9.4
    HD Tune Pro 3.50
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    ISO Recorder
    iTunes
    Java(TM) 6 Update 15
    JSWPFCom
    JSWPFGradeK
    JumpStart 3D Ages 4-6
    JumpStart Advanced Language Club
    JumpStart Advanced Preschool
    JumpStart Advanced School Time
    JumpStart Art for Fun
    JumpStart Arts and Crafts
    Kid Keys 2
    LEGO Creator
    Magic 3D Coloring Book Amazing Animals
    Malwarebytes' Anti-Malware
    Mass Effect 2
    Meet Blue's Baby Brother
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office 2000 Professional
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 Redistributable
    MotoConnect
    Motorola Driver Installation 4.2.0
    Mozilla Firefox (3.6)
    Mozilla Thunderbird (2.0.0.23)
    MSN
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB925673)
    NaturalMotion endorphin 2.7.1
    NVIDIA PhysX
    Pajama Sam Life is Rough When You Lose Your Stuff
    PBS KIDS PLAY!
    Portal
    QuickTime
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    Safari
    Saitek SD6 Programming Software 6.0.12.2
    Samsung ML-2510 Series
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    Steam
    Subsea Relic
    Suite Specific
    Team Fortress 2
    Trend Micro Internet Security
    TuxGuitar 1.0
    Unity Web Player
    Unreal Tournament 3
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    V CAST Music with Rhapsody
    Viewpoint Media Player
    ViewSonic Monitor Drivers
    VitalSource Bookshelf
    WAV to MP3 Encoder
    WebFldrs XP
    Windows 7 Upgrade Advisor
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip 14.0
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    3/3/2010 5:43:07 PM, error: Dhcp [1002] - The IP address lease 192.168.2.14 for the Network Card with network address 00248C7A3226 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    3/2/2010 7:27:55 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    3/1/2010 8:01:46 PM, error: Service Control Manager [7034] - The Imapi Helper service terminated unexpectedly. It has done this 1 time(s).
    3/1/2010 8:01:45 PM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
    3/1/2010 6:40:10 AM, error: Service Control Manager [7023] - The Terminal Services service terminated with the following error: %1 is not a valid Win32 application.
    3/1/2010 6:40:10 AM, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: %1 is not a valid Win32 application.
    3/1/2010 4:45:15 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
    2/27/2010 9:15:18 AM, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.

    ==== End Of File ===========================
     
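The autostart entries in the Pseudo HJT Report above lend themselves to a quick triage pass before any cleaning tool is run. The Python below is an added example written for this page; it is not part of DDS, ComboFix or the thread. It copies a handful of the posted lines as constructed sample input and raises two flags a reviewer looks for: an executable referenced by bare name, which Windows resolves through the search path at logon (a file of the same name planted earlier in that path would run instead), and a full path outside the directory roots assumed trusted here (that root list is an assumption; adjust it per host). A flag marks an entry for confirmation on disk, not as malware: RTHDCPL.EXE and ALCMTR.EXE are normally Realtek audio components and Narrator.exe is the Windows accessibility tool, but a reviewer still checks which file actually satisfies the name.

```python
"""Triage the autostart lines of a DDS 'Pseudo HJT Report'.

Added example for this page, not DDS or thread code. Sample lines are copied
from the log posted above; a flag means 'confirm on disk', not 'malicious'.
"""
import re

# Constructed sample: a subset of the Pseudo HJT lines from the posted log.
SAMPLE = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe "
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tisspwiz.lnk - c:\program files\trend micro\internet security\tisspwiz.exe
"""

# Roots an autostart target is expected to live under on this host.
# Assumption for the example; tune for the machine being examined.
TRUSTED_ROOTS = (
    r"c:\windows", r"%systemroot%", r"c:\program files",
    r"c:\docume~1", r"c:\documents and settings",
)

RUN_RE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.*?) - (?P<path>.*)$")


def executable_of(cmd):
    """Program part of a Run value: the quoted string if present, otherwise
    the first whitespace-delimited token (arguments are dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    return cmd.split()[0] if cmd else ""


def classify(exe):
    """Flags for one executable reference (empty set means nothing to note)."""
    flags = set()
    low = exe.lower()
    qualified = "\\" in low or re.match(r"^[a-z]:", low) is not None
    if not qualified:
        # Bare name: resolved through the search path at logon, so a same-named
        # file earlier in that path would be what actually runs.
        flags.add("unqualified")
    elif not low.startswith(TRUSTED_ROOTS):
        flags.add("outside")
    return flags


def analyze(report):
    """Parse Pseudo-HJT lines into (kind, name, exe, flags) tuples."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            findings.append((m["kind"], m["name"], exe, sorted(classify(exe))))
            continue
        m = BHO_RE.match(line)
        if m:
            path = m["path"].strip()
            findings.append(("BHO", m["clsid"].lower(), path, sorted(classify(path))))
            continue
        m = STARTUP_RE.match(line)
        if m:
            path = m["path"].strip()
            findings.append(("StartupFolder", m["lnk"], path, sorted(classify(path))))
    return findings


def flagged(report):
    """Only the entries that carry at least one flag."""
    return [f for f in analyze(report) if f[3]]


if __name__ == "__main__":
    for kind, name, exe, flags in analyze(SAMPLE):
        print(f"{kind:14} {name:40} {exe:60} {','.join(flags) or '-'}")
```

Run against the posted sample, the three bare-name entries (RTHDCPL.EXE, ALCMTR.EXE, Narrator.exe) are the only ones flagged; every other target sits under a trusted root. Paste a full Pseudo HJT section into `analyze()` to triage a different log.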
  2. 2010/03/03
    broni (Moderator, Malware Analyst)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     

  4. 2010/03/04
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    The computer took a turn for the worse!
    Soon after I posted, TM stopped loading. I am getting a Microsoft C++ error when TM loads and the TM firewall won't load. Once that happened I disconnected the desktop from the internet. I cannot access the TM console. I have tried removing TM from startup and "end process" of TM in task manager. Although it isn't showing in the tray, ComboFix says it's still running. I have even tried uninstalling it and repairing it. It gives me a generic critical OS error.
    This ComboFix log is with TM active.
    Thanks a ton

    ComboFix 10-03-03.04 - Heath Hill 03/03/2010 23:00:39.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1531 [GMT -7:00]
    Running from: c:\documents and settings\Heath Hill\Desktop\ComboFix.exe
    AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\MSIMRT.DLL
    c:\windows\system32\MSIMRT32.DLL
    c:\windows\system32\MSIMUSIC.DLL
    c:\windows\system32\service
    c:\windows\system32\service\03092009_TIS17_SfFniAU.log
    c:\windows\system32\service\07042009_TIS17_SfFniAU.log
    c:\windows\system32\service\08032009_TIS17_SfFniAU.log
    c:\windows\system32\service\10052009_TIS17_SfFniAU.log
    c:\windows\system32\service\17092009_TIS17_SfFniAU.log
    c:\windows\system32\service\22082009_TIS17_SfFniAU.log
    c:\windows\system32\service\28042009_TIS17_SfFniAU.log

    .
    original MBR restored successfully !
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
    .

    2010-03-04 04:23 . 2010-03-04 04:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-03-04 03:51 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2010-03-04 03:51 . 2008-04-14 01:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
    2010-03-04 03:51 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
    2010-03-04 03:51 . 2001-08-18 05:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
    2010-03-04 03:51 . 2001-08-18 05:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
    2010-03-04 03:51 . 2001-08-18 05:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
    2010-03-04 03:51 . 2001-08-17 19:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
    2010-03-04 03:51 . 2004-08-04 05:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
    2010-03-04 03:51 . 2004-08-04 05:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
    2010-03-04 03:51 . 2008-04-14 01:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
    2010-03-04 03:49 . 2001-08-17 20:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
    2010-03-04 03:48 . 2001-08-18 05:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
    2010-03-04 03:47 . 2001-08-17 19:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
    2010-03-04 03:46 . 2001-08-18 05:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
    2010-03-04 03:45 . 2001-08-18 05:36 28160 -c--a-w- c:\windows\system32\dllcache\sm91w.dll
    2010-03-04 03:44 . 2001-08-17 20:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
    2010-03-04 03:43 . 2008-04-13 19:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
    2010-03-04 03:42 . 2001-08-17 20:53 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
    2010-03-04 03:41 . 2001-08-17 21:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
    2010-03-04 03:40 . 2001-08-17 21:56 91488 -c--a-w- c:\windows\system32\dllcache\n9i3disp.dll
    2010-03-04 03:39 . 2001-08-17 20:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
    2010-03-04 03:38 . 2001-08-17 19:12 19016 -c--a-w- c:\windows\system32\dllcache\ktc111.sys
    2010-03-04 03:37 . 2001-08-18 05:36 45056 -c--a-w- c:\windows\system32\dllcache\icam5com.dll
    2010-03-04 03:36 . 2001-08-18 05:36 19456 -c--a-w- c:\windows\system32\dllcache\hr1w.dll
    2010-03-04 03:35 . 2001-08-17 19:15 455680 -c--a-w- c:\windows\system32\dllcache\fus2base.sys
    2010-03-04 03:34 . 2001-08-17 19:10 25159 -c--a-w- c:\windows\system32\dllcache\elnk3.sys
    2010-03-04 03:33 . 2001-08-18 05:36 24064 -c--a-w- c:\windows\system32\dllcache\devldr32.exe
    2010-03-04 03:32 . 2001-08-17 19:13 164923 -c--a-w- c:\windows\system32\dllcache\diapi2.sys
    2010-03-04 03:31 . 2001-08-17 21:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
    2010-03-04 03:30 . 2001-08-17 21:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
    2010-03-04 03:25 . 2010-03-04 03:25 -------- d-----w- c:\documents and settings\HelpAssistant\log
    2010-03-04 03:16 . 2010-03-04 03:16 -------- d-----w- c:\documents and settings\Heath Hill\log
    2010-03-04 01:02 . 2010-03-04 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-04 01:02 . 2010-03-04 01:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-02 02:58 . 2010-03-02 02:58 3638 ----a-r- c:\documents and settings\Heath Hill\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
    2010-03-02 00:40 . 2010-01-21 16:08 574728 ----a-w- c:\documents and settings\All Users\Application Data\Trend Micro\OE\tmaseng.dll
    2010-03-02 00:20 . 2010-03-02 00:20 -------- d-----w- c:\documents and settings\Heath Hill\Local Settings\Application Data\WinZip
    2010-03-01 13:45 . 2010-03-01 13:45 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
    2010-03-01 13:43 . 2010-03-01 13:43 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
    2010-03-01 12:57 . 2010-03-01 12:57 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
    2010-03-01 12:57 . 2010-03-01 12:57 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
    2010-03-01 12:57 . 2010-03-01 12:57 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
    2010-02-27 21:10 . 2010-02-27 21:10 -------- d-----w- c:\program files\Go Diego Go
    2010-02-18 01:49 . 1994-09-21 07:00 92208 ------w- c:\windows\system32\WING.DLL
    2010-02-18 01:49 . 1994-09-21 07:00 6736 ------w- c:\windows\system32\WINGDIB.DRV
    2010-02-18 01:49 . 1994-08-24 07:00 188960 ------w- c:\windows\system32\WINGDE.DLL
    2010-02-18 01:49 . 2010-02-18 01:49 -------- d-----w- c:\program files\LEGO Media
    2010-02-18 01:48 . 2010-02-18 01:48 -------- d-----w- c:\documents and settings\Annabella Hill\WINDOWS
    2010-02-11 00:40 . 2010-01-06 19:08 545280 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
    2010-02-11 00:40 . 2010-01-06 19:08 4726272 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
    2010-02-11 00:40 . 2010-01-06 19:08 4725760 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
    2010-02-11 00:40 . 2010-01-06 19:08 103424 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
    2010-02-11 00:40 . 2010-01-06 19:08 57856 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    2010-02-11 00:40 . 2010-01-06 19:08 344064 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
    2010-02-11 00:40 . 2010-01-06 19:08 153600 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    2010-02-10 16:37 . 2010-02-10 16:37 -------- d-----w- c:\program files\AGEIA Technologies
    2010-02-10 16:37 . 2010-02-10 16:37 -------- d-----w- c:\windows\system32\AGEIA
    2010-02-10 16:35 . 2010-02-10 16:35 -------- d-----w- c:\windows\Logs
    2010-02-10 16:12 . 2010-02-10 16:22 -------- d-----w- c:\program files\Mass Effect 2
    2010-02-10 16:12 . 2010-02-10 16:35 -------- d-----w- c:\program files\Common Files\BioWare

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-04 05:24 . 2008-12-06 23:49 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-03-02 19:31 . 2008-12-15 17:30 -------- d-----w- c:\program files\Steam
    2010-03-02 13:53 . 2009-01-17 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-02 13:52 . 2009-01-17 01:19 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-03-02 13:49 . 2009-03-13 16:02 -------- d-----w- c:\program files\project dogwaffle
    2010-03-02 00:40 . 2010-01-21 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
    2010-03-01 02:49 . 2009-09-09 23:57 21664 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-22 21:17 . 2008-12-07 21:05 24112 ----a-w- c:\documents and settings\Alexander Robles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-19 01:43 . 2009-01-15 13:46 24112 ----a-w- c:\documents and settings\Julie Hill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-19 01:01 . 2008-12-06 22:24 24112 ----a-w- c:\documents and settings\Heath Hill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-15 17:35 . 2008-12-26 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure
    2010-02-15 17:32 . 2008-12-14 17:12 -------- d-----w- c:\program files\JumpStart
    2010-02-10 16:36 . 2010-02-10 16:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-28 18:51 . 2009-01-17 01:15 -------- d-----w- c:\documents and settings\Heath Hill\Application Data\U3
    2010-01-24 19:42 . 2010-01-24 19:41 -------- d-----w- c:\documents and settings\Alexander Robles\Application Data\HandBrake
    2010-01-24 19:23 . 2009-02-06 13:51 -------- d-----w- c:\program files\HandBrake
    2010-01-24 17:29 . 2010-01-24 17:29 -------- d-----w- c:\documents and settings\Annabella Hill\Application Data\InstallShield Installation Information
    2010-01-24 17:28 . 2010-01-24 17:28 45056 ----a-r- c:\documents and settings\Annabella Hill\Application Data\Microsoft\Installer\{56C632F1-E684-4033-8390-1C39A1719B01}\NewShortcut5_56C632F1E684403383901C39A1719B01.exe
    2010-01-24 17:28 . 2010-01-24 17:28 2238 ----a-r- c:\documents and settings\Annabella Hill\Application Data\Microsoft\Installer\{56C632F1-E684-4033-8390-1C39A1719B01}\NewShortcut1_56C632F1E684403383901C39A1719B01.exe
    2010-01-24 17:28 . 2010-01-24 17:28 2238 ----a-r- c:\documents and settings\Annabella Hill\Application Data\Microsoft\Installer\{56C632F1-E684-4033-8390-1C39A1719B01}\ARPPRODUCTICON.exe
    2010-01-24 17:26 . 2008-12-26 16:36 -------- d-----w- c:\program files\Atari
    2010-01-24 17:26 . 2009-12-27 00:05 -------- d-----w- c:\documents and settings\Annabella Hill\Application Data\InstallShield
    2010-01-21 16:14 . 2008-12-06 23:41 -------- d-----w- c:\program files\Trend Micro
    2010-01-21 16:08 . 2010-01-21 16:14 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2010-01-21 16:08 . 2010-01-21 16:14 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2010-01-21 16:08 . 2010-01-21 16:14 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-01-21 16:08 . 2010-01-21 16:08 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
    2010-01-21 16:08 . 2010-01-21 16:08 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
    2010-01-21 16:08 . 2010-01-21 16:08 339984 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
    2010-01-21 16:08 . 2010-01-21 16:08 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
    2010-01-21 16:08 . 2010-01-21 16:08 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
    2010-01-17 16:39 . 2008-12-06 22:43 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-17 00:11 . 2010-01-17 00:11 -------- d-----w- c:\program files\Activision Value
    2010-01-16 23:59 . 2010-01-16 23:59 -------- d-----w- c:\program files\Knowledge Adventure
    2010-01-16 21:26 . 2008-12-07 20:43 -------- d-----w- c:\program files\Warcraft III
    2010-01-16 21:25 . 2008-12-07 20:47 29783 ----a-w- c:\windows\War3Unin.dat
    2010-01-16 15:42 . 2008-12-14 17:12 -------- d-----w- c:\program files\Common Files\Knowledge Adventure
    2010-01-16 15:42 . 2010-01-16 15:42 -------- d-----w- c:\documents and settings\Julie Hill\Application Data\InstallShield
    2010-01-16 04:42 . 2010-01-16 04:42 -------- d-----w- c:\program files\DemonicSoftware
    2010-01-07 23:07 . 2009-01-17 01:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 23:07 . 2009-01-17 01:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-04 02:08 . 2010-01-04 02:07 -------- d-----w- c:\program files\iTunes
    2010-01-04 02:07 . 2010-01-04 02:07 -------- d-----w- c:\program files\iPod
    2010-01-04 02:07 . 2008-12-12 03:19 -------- d-----w- c:\program files\Common Files\Apple
    2010-01-04 02:03 . 2009-08-07 01:07 -------- d-----w- c:\program files\QuickTime
    2010-01-04 01:43 . 2010-01-04 01:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-26 22:02 . 2009-08-15 20:52 23720 ----a-w- c:\documents and settings\Annabella Hill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-19 00:34 . 2009-01-19 01:17 1324 ------w- c:\windows\system32\d3d9caps.dat
    2009-12-16 18:43 . 2008-12-06 22:14 343040 ------w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2004-08-04 12:00 33280 ------w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
    "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
    "ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2007-10-29 233472]
    "SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2007-10-29 131072]
    "SaiVolume"="c:\program files\Saitek\SD6\Software\SaiVolume.exe" [2007-10-29 126976]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-29 61440]
    "RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^tisspwiz.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\tisspwiz.lnk
    backup=c:\windows\pss\tisspwiz.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-12-11 22:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-05 01:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 23:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
    2010-01-21 16:08 492808 ----a-w- c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 06:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-07-25 11:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
    2010-01-21 16:08 1020248 ----a-w- c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
    "c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
    "c:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
    "c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:Warcraft III
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop

    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [1/21/2010 9:08 AM 36368]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/15/2008 2:37 PM 24652]
    R3 SaiH0728;SaiH0728;c:\windows\system32\drivers\SaiH0728.sys [2/14/2009 6:36 PM 136448]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [1/21/2010 9:08 AM 339984]
    R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [1/21/2010 9:14 AM 689416]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [10/6/2009 2:53 PM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [10/6/2009 2:53 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [11/30/2009 6:12 PM 23936]
    S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/21/2010 9:14 AM 50704]
    S3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [1/21/2010 9:14 AM 497008]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/
    FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-03 23:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\pluginreg.dat.bak 10623 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x897C9D30]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
    \Driver\ACPI -> 0x897c9d30
    \Driver\atapi -> atapi.sys @ 0xb9f37852
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x898f0330
    PacketIndicateHandler -> NDIS.sys @ 0xb9e3da21
    SendHandler -> NDIS.sys @ 0xb9e1b87b
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x03A384C41
    malicious code @ sector 0x03A384C44 !
    PE file found in sector at 0x03A384C5A !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1220)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(1276)
    c:\windows\system32\relog_ap.dll
    .
    Completion time: 2010-03-03 23:05:01
    ComboFix-quarantined-files.txt 2010-03-04 06:04

    Pre-Run: 137,361,346,560 bytes free
    Post-Run: 138,222,678,016 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

    - - End Of File - - 05F69DB8C46DAA756274CCE57D58BB22


    HijackThis with TM active.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:08:43 PM, on 3/3/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Heath Hill\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
    O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6851 bytes
     
    Hill,
    #3
  5. 2010/03/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It may happen with seriously infected computers. You have to be patient, and please do nothing other than what is advised.
    Wait for my next reply.
     
  6. 2010/03/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download and save HelpAsst_mebroot_fix.exe
    Then double click HelpAsst_mebroot_fix.exe to run it.

    ================================================================

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::
    
    File::
    c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\pluginreg.dat.bak
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    MBR::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  7. 2010/03/04
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    Here are the logs.
    Are you able to tell if any other baddies were downloaded when I was infected by Mebroot? Like keyloggers or anything else? Or how it got past my anti-virus?
    Thanks. Awaiting your instructions:

    ComboFix 10-03-03.04 - Heath Hill 03/04/2010 8:25.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1577 [GMT -7:00]
    Running from: c:\documents and settings\Heath Hill\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Heath Hill\Desktop\CFScript.txt
    AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

    FILE ::
    "c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\pluginreg.dat.bak "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\pluginreg.dat.bak
    c:\windows\system32\sdra64.exe

    .
    original MBR restored successfully !
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
    .

    2010-03-04 04:23 . 2010-03-04 04:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-03-04 03:51 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2010-03-04 03:51 . 2008-04-14 01:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
    2010-03-04 03:51 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
    2010-03-04 03:51 . 2001-08-18 05:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
    2010-03-04 03:51 . 2001-08-18 05:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
    2010-03-04 03:51 . 2001-08-18 05:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
    2010-03-04 03:51 . 2001-08-17 19:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
    2010-03-04 03:51 . 2004-08-04 05:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
    2010-03-04 03:51 . 2004-08-04 05:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
    2010-03-04 03:51 . 2008-04-14 01:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
    2010-03-04 03:49 . 2001-08-17 20:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
    2010-03-04 03:48 . 2001-08-18 05:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
    2010-03-04 03:47 . 2001-08-17 19:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
    2010-03-04 03:46 . 2001-08-18 05:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
    2010-03-04 03:45 . 2001-08-18 05:36 28160 -c--a-w- c:\windows\system32\dllcache\sm91w.dll
    2010-03-04 03:44 . 2001-08-17 20:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
    2010-03-04 03:43 . 2008-04-13 19:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
    2010-03-04 03:42 . 2001-08-17 20:53 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
    2010-03-04 03:41 . 2001-08-17 21:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
    2010-03-04 03:40 . 2001-08-17 21:56 91488 -c--a-w- c:\windows\system32\dllcache\n9i3disp.dll
    2010-03-04 03:39 . 2001-08-17 20:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
    2010-03-04 03:38 . 2001-08-17 19:12 19016 -c--a-w- c:\windows\system32\dllcache\ktc111.sys
    2010-03-04 03:37 . 2001-08-18 05:36 45056 -c--a-w- c:\windows\system32\dllcache\icam5com.dll
    2010-03-04 03:36 . 2001-08-18 05:36 19456 -c--a-w- c:\windows\system32\dllcache\hr1w.dll
    2010-03-04 03:35 . 2001-08-17 19:15 455680 -c--a-w- c:\windows\system32\dllcache\fus2base.sys
    2010-03-04 03:34 . 2001-08-17 19:10 25159 -c--a-w- c:\windows\system32\dllcache\elnk3.sys
    2010-03-04 03:33 . 2001-08-18 05:36 24064 -c--a-w- c:\windows\system32\dllcache\devldr32.exe
    2010-03-04 03:32 . 2001-08-17 19:13 164923 -c--a-w- c:\windows\system32\dllcache\diapi2.sys
    2010-03-04 03:31 . 2001-08-17 21:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
    2010-03-04 03:30 . 2001-08-17 21:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
    2010-03-04 03:16 . 2010-03-04 03:16 -------- d-----w- c:\documents and settings\Heath Hill\log
    2010-03-04 01:02 . 2010-03-04 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-04 01:02 . 2010-03-04 01:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-02 02:58 . 2010-03-02 02:58 3638 ----a-r- c:\documents and settings\Heath Hill\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
    2010-03-02 00:40 . 2010-01-21 16:08 574728 ----a-w- c:\documents and settings\All Users\Application Data\Trend Micro\OE\tmaseng.dll
    2010-03-02 00:20 . 2010-03-02 00:20 -------- d-----w- c:\documents and settings\Heath Hill\Local Settings\Application Data\WinZip
    2010-02-27 21:10 . 2010-02-27 21:10 -------- d-----w- c:\program files\Go Diego Go
    2010-02-18 01:49 . 1994-09-21 07:00 92208 ------w- c:\windows\system32\WING.DLL
    2010-02-18 01:49 . 1994-09-21 07:00 6736 ------w- c:\windows\system32\WINGDIB.DRV
    2010-02-18 01:49 . 1994-08-24 07:00 188960 ------w- c:\windows\system32\WINGDE.DLL
    2010-02-18 01:49 . 2010-02-18 01:49 -------- d-----w- c:\program files\LEGO Media
    2010-02-18 01:48 . 2010-02-18 01:48 -------- d-----w- c:\documents and settings\Annabella Hill\WINDOWS
    2010-02-11 00:40 . 2010-01-06 19:08 545280 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
    2010-02-11 00:40 . 2010-01-06 19:08 4726272 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
    2010-02-11 00:40 . 2010-01-06 19:08 4725760 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
    2010-02-11 00:40 . 2010-01-06 19:08 103424 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
    2010-02-11 00:40 . 2010-01-06 19:08 57856 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    2010-02-11 00:40 . 2010-01-06 19:08 344064 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
    2010-02-11 00:40 . 2010-01-06 19:08 153600 ----a-w- c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    2010-02-10 16:37 . 2010-02-10 16:37 -------- d-----w- c:\program files\AGEIA Technologies
    2010-02-10 16:37 . 2010-02-10 16:37 -------- d-----w- c:\windows\system32\AGEIA
    2010-02-10 16:35 . 2010-02-10 16:35 -------- d-----w- c:\windows\Logs
    2010-02-10 16:12 . 2010-02-10 16:22 -------- d-----w- c:\program files\Mass Effect 2
    2010-02-10 16:12 . 2010-02-10 16:35 -------- d-----w- c:\program files\Common Files\BioWare

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-04 05:24 . 2008-12-06 23:49 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-03-02 19:31 . 2008-12-15 17:30 -------- d-----w- c:\program files\Steam
    2010-03-02 13:53 . 2009-01-17 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-02 13:52 . 2009-01-17 01:19 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-03-02 13:49 . 2009-03-13 16:02 -------- d-----w- c:\program files\project dogwaffle
    2010-03-02 00:40 . 2010-01-21 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
    2010-03-01 02:49 . 2009-09-09 23:57 21664 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-22 21:17 . 2008-12-07 21:05 24112 ----a-w- c:\documents and settings\Alexander Robles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-19 01:43 . 2009-01-15 13:46 24112 ----a-w- c:\documents and settings\Julie Hill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-19 01:01 . 2008-12-06 22:24 24112 ----a-w- c:\documents and settings\Heath Hill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-15 17:35 . 2008-12-26 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure
    2010-02-15 17:32 . 2008-12-14 17:12 -------- d-----w- c:\program files\JumpStart
    2010-02-10 16:36 . 2010-02-10 16:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-28 18:51 . 2009-01-17 01:15 -------- d-----w- c:\documents and settings\Heath Hill\Application Data\U3
    2010-01-24 19:42 . 2010-01-24 19:41 -------- d-----w- c:\documents and settings\Alexander Robles\Application Data\HandBrake
    2010-01-24 19:23 . 2009-02-06 13:51 -------- d-----w- c:\program files\HandBrake
    2010-01-24 17:29 . 2010-01-24 17:29 -------- d-----w- c:\documents and settings\Annabella Hill\Application Data\InstallShield Installation Information
    2010-01-24 17:28 . 2010-01-24 17:28 45056 ----a-r- c:\documents and settings\Annabella Hill\Application Data\Microsoft\Installer\{56C632F1-E684-4033-8390-1C39A1719B01}\NewShortcut5_56C632F1E684403383901C39A1719B01.exe
    2010-01-24 17:28 . 2010-01-24 17:28 2238 ----a-r- c:\documents and settings\Annabella Hill\Application Data\Microsoft\Installer\{56C632F1-E684-4033-8390-1C39A1719B01}\NewShortcut1_56C632F1E684403383901C39A1719B01.exe
    2010-01-24 17:28 . 2010-01-24 17:28 2238 ----a-r- c:\documents and settings\Annabella Hill\Application Data\Microsoft\Installer\{56C632F1-E684-4033-8390-1C39A1719B01}\ARPPRODUCTICON.exe
    2010-01-24 17:26 . 2008-12-26 16:36 -------- d-----w- c:\program files\Atari
    2010-01-24 17:26 . 2009-12-27 00:05 -------- d-----w- c:\documents and settings\Annabella Hill\Application Data\InstallShield
    2010-01-21 16:14 . 2008-12-06 23:41 -------- d-----w- c:\program files\Trend Micro
    2010-01-21 16:08 . 2010-01-21 16:14 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2010-01-21 16:08 . 2010-01-21 16:14 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2010-01-21 16:08 . 2010-01-21 16:14 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-01-21 16:08 . 2010-01-21 16:08 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
    2010-01-21 16:08 . 2010-01-21 16:08 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
    2010-01-21 16:08 . 2010-01-21 16:08 339984 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
    2010-01-21 16:08 . 2010-01-21 16:08 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
    2010-01-21 16:08 . 2010-01-21 16:08 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
    2010-01-17 16:39 . 2008-12-06 22:43 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-17 00:11 . 2010-01-17 00:11 -------- d-----w- c:\program files\Activision Value
    2010-01-16 23:59 . 2010-01-16 23:59 -------- d-----w- c:\program files\Knowledge Adventure
    2010-01-16 21:26 . 2008-12-07 20:43 -------- d-----w- c:\program files\Warcraft III
    2010-01-16 21:25 . 2008-12-07 20:47 29783 ----a-w- c:\windows\War3Unin.dat
    2010-01-16 15:42 . 2008-12-14 17:12 -------- d-----w- c:\program files\Common Files\Knowledge Adventure
    2010-01-16 15:42 . 2010-01-16 15:42 -------- d-----w- c:\documents and settings\Julie Hill\Application Data\InstallShield
    2010-01-16 04:42 . 2010-01-16 04:42 -------- d-----w- c:\program files\DemonicSoftware
    2010-01-07 23:07 . 2009-01-17 01:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 23:07 . 2009-01-17 01:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-04 02:08 . 2010-01-04 02:07 -------- d-----w- c:\program files\iTunes
    2010-01-04 02:07 . 2010-01-04 02:07 -------- d-----w- c:\program files\iPod
    2010-01-04 02:07 . 2008-12-12 03:19 -------- d-----w- c:\program files\Common Files\Apple
    2010-01-04 02:03 . 2009-08-07 01:07 -------- d-----w- c:\program files\QuickTime
    2010-01-04 01:43 . 2010-01-04 01:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-26 22:02 . 2009-08-15 20:52 23720 ----a-w- c:\documents and settings\Annabella Hill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-19 00:34 . 2009-01-19 01:17 1324 ------w- c:\windows\system32\d3d9caps.dat
    2009-12-16 18:43 . 2008-12-06 22:14 343040 ------w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2004-08-04 12:00 33280 ------w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-03-04_06.04.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-04 15:32 . 2010-03-04 15:32 16384 c:\windows\temp\Perflib_Perfdata_1b4.dat
    + 2010-03-04 15:32 . 2010-03-04 15:32 16384 c:\windows\temp\Perflib_Perfdata_178.dat
    + 2004-08-04 12:00 . 2010-03-04 15:26 60936 c:\windows\system32\perfc009.dat
    - 2004-08-04 12:00 . 2010-03-04 05:49 60936 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2010-03-04 15:26 411252 c:\windows\system32\perfh009.dat
    - 2004-08-04 12:00 . 2010-03-04 05:49 411252 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TrueImageMonitor.exe "= "c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
    "AcronisTimounterMonitor "= "c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
    "Acronis Scheduler2 Service "= "c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
    "Samsung PanelMgr "= "c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
    "ProfilerU "= "c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2007-10-29 233472]
    "SaiMfd "= "c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2007-10-29 131072]
    "SaiVolume "= "c:\program files\Saitek\SD6\Software\SaiVolume.exe" [2007-10-29 126976]
    "StartCCC "= "c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-29 61440]
    "RTHDCPL "= "RTHDCPL.EXE" [2008-11-17 17676288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^tisspwiz.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\tisspwiz.lnk
    backup=c:\windows\pss\tisspwiz.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-12-11 22:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-05 01:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 23:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
    2010-01-21 16:08 492808 ----a-w- c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 06:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-07-25 11:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
    2010-01-21 16:08 1020248 ----a-w- c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=
    "c:\\Program Files\\Sierra\\FEAR\\FEAR.exe "=
    "c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe "=
    "c:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe "=
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe "=
    "c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP "= 6112:TCP:Warcraft III
    "65533:TCP "= 65533:TCP:Services
    "52344:TCP "= 52344:TCP:Services
    "3246:TCP "= 3246:TCP:Services
    "2479:TCP "= 2479:TCP:Services
    "3389:TCP "= 3389:TCP:Remote Desktop
    "4461:TCP "= 4461:TCP:Services

    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [1/21/2010 9:08 AM 36368]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/15/2008 2:37 PM 24652]
    R3 SaiH0728;SaiH0728;c:\windows\system32\drivers\SaiH0728.sys [2/14/2009 6:36 PM 136448]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [1/21/2010 9:08 AM 339984]
    R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [1/21/2010 9:14 AM 689416]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [10/6/2009 2:53 PM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [10/6/2009 2:53 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [11/30/2009 6:12 PM 23936]
    S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/21/2010 9:14 AM 50704]
    S3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [1/21/2010 9:14 AM 497008]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Heath Hill\Application Data\Mozilla\Firefox\Profiles\xwvkbvvu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-04 08:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1188)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(1248)
    c:\windows\system32\relog_ap.dll

    - - - - - - - > 'explorer.exe'(3312)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\FTP Explorer\ftpxext.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
    c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    c:\windows\RTHDCPL.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-03-04 08:36:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-04 15:36
    ComboFix2.txt 2010-03-04 06:05

    Pre-Run: 138,294,255,616 bytes free
    Post-Run: 138,968,911,872 bytes free

    - - End Of File - - E2D5A9565F748A16826655CEB31E1351

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:39:25 AM, on 3/4/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Documents and Settings\Heath Hill\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
    O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6867 bytes
     
    Hill,
    #6
  8. 2010/03/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Impossible to say :(
    A bullet-proof security program doesn't exist and never will. At the end of this thread I'll give you some pointers on how to be safer while using the internet. You personally, and your surfing habits, are the number one security. All security programs are only the second line.

    Combofix log looks good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. 2010/03/04
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    Here are the latest logs.
    There are still some issues with Trend Micro not being able to load, and I am unable to uninstall it. Also, I can't get online with browsers. I guess we can deal with that after we are done.
    Thanks a bunch. Once the desktop is confirmed clean, do you want me to start a new thread for the laptop or use the same thread? I am not getting any weird symptoms but would appreciate it if you can take a look.
    Thanks

    Malwarebytes' Anti-Malware 1.44
    Database version: 3825
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/4/2010 5:52:12 PM
    mbam-log-2010-03-04 (17-52-12).txt

    Scan type: Quick Scan
    Objects scanned: 151621
    Time elapsed: 5 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:55:26 PM, on 3/4/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Documents and Settings\Heath Hill\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
    O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe "
    O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Global Startup: tisspwiz.lnk = C:\Program Files\Trend Micro\Internet Security\tisspwiz.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6907 bytes
     
    Hill,
    #8
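    The HijackThis logs in this thread are read by eye. As an added example (not code from the thread, from Trend Micro, or from HijackThis itself), here is a small Python parser for the R0/R1, O2, O4 and O23 entry lines, fed with entry lines copied from the logs posted above as its constructed sample input. It flags the entries a reviewer would verify first: a service with no publisher string ("Unknown owner"), an autorun that names a bare executable instead of an absolute path, any target outside the Windows and Program Files trees, and a configured proxy server. The environment-variable expansion table and the list of trusted roots are assumptions of the example, and a flag means "verify", not "malicious": RTHDCPL.EXE, for instance, is flagged only because the registry value gives no path, while the process list above shows it running from C:\WINDOWS\RTHDCPL.EXE.

```python
"""Parse HijackThis v2 entry lines and flag the ones a reviewer should verify first.

Added example for this thread; not HijackThis code. Sample lines are copied from the
logs posted above; the expansion table and trusted roots below are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a header line plus entry lines taken from the logs in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - Global Startup: tisspwiz.lnk = C:\Program Files\Trend Micro\Internet Security\tisspwiz.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumed expansions for the environment variables HijackThis leaves unexpanded.
ENV = {"%systemroot%": r"C:\WINDOWS", "%programfiles%": r"C:\Program Files"}
# Assumed "expected" install roots on a single-drive XP box; anything else gets a flag.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1")

O4_REG_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<where>.+? Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^(?P<kind>R[0-3]) - (?P<key>.+?) = (?P<value>.*)$")
# First token ending in a program extension; handles unquoted paths that contain spaces.
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|cpl|scr|com|bat|cmd))(?=\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # HijackThis section: R0/R1, O2, O4, O23
    name: str            # display name, autorun value name, or registry key
    target: str          # executable/DLL path (or the registry value for R entries)
    detail: str = ""     # hive\key for O4, CLSID for O2, publisher string for O23
    flags: list = field(default_factory=list)


def exe_from_command(cmd: str) -> str:
    """Pull the program path out of an autorun command line and expand known variables."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end != -1 else cmd[1:]
    else:
        m = EXE_RE.match(cmd)
        exe = m.group(1) if m else (cmd.split()[0] if cmd else "")
    exe = exe.strip()  # HijackThis sometimes keeps a stray space inside the quotes
    low = exe.lower()
    for var, value in ENV.items():
        if low.startswith(var):
            exe = value + exe[len(var):]
            break
    return exe


def parse_hjt(text: str) -> list:
    """Turn the entry lines of a HijackThis log into Entry objects; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_REG_RE.match(line):
            entries.append(Entry("O4", m["name"], exe_from_command(m["cmd"]), m["hive"] + "\\" + m["key"]))
        elif m := O4_STARTUP_RE.match(line):
            entries.append(Entry("O4", m["name"], exe_from_command(m["cmd"]), m["where"]))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"].strip(), m["clsid"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["path"].strip(), m["owner"]))
        elif m := R_RE.match(line):
            entries.append(Entry(m["kind"], m["key"], m["value"].strip()))
    return entries


def flags_for(e: Entry) -> list:
    """Reasons to look at an entry more closely; a flag means 'verify', not 'malicious'."""
    flags = []
    if e.kind == "O23" and e.detail.lower() == "unknown owner":
        flags.append("no-publisher")            # no company string in the service binary
    if e.kind in ("O2", "O4", "O23"):
        if not re.match(r"^[A-Za-z]:\\", e.target):
            flags.append("relative-path")       # resolved via PATH search; locate the real file
        elif not e.target.lower().startswith(TRUSTED_ROOTS):
            flags.append("unusual-location")    # e.g. user profile, temp, removable drive
    if e.kind.startswith("R") and e.name.endswith("ProxyServer"):
        flags.append("proxy-configured")        # browser traffic is being sent through a proxy
    return flags


def suspicious(entries: list) -> list:
    """Attach flags to every entry and return only those that have at least one."""
    for e in entries:
        e.flags = flags_for(e)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_hjt(SAMPLE_LOG)):
        print(f"{e.kind:<3} {e.name:<22} {e.target:<45} {', '.join(e.flags)}")
```

    Run against a full log, the flagged list is short enough to check by hand, which is the point: it narrows the dozens of O4 and O23 lines in each log above to the handful whose origin is not obvious from the line itself.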
  10. 2010/03/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  11. 2010/03/04
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    my laptop:D

    checking out link.....
     
  12. 2010/03/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I assume you ran MBAM not updated, then?

    When you're done with Trend, run this on bad computer:

    1. Click Start>Run (Start> "Start search" in Vista).

    2. Type in (or copy and paste):

    cmd /c ping google.com>%temp%\$.$&notepad %temp%\$.$

    and press Enter.

    3. Notepad will open.

    4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.
     
  13. 2010/03/04
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    That's the weird thing, MBAM was able to update. But, when I open a browser it goes nowhere.

    Pinging google.com [74.125.67.106] with 32 bytes of data:

    Reply from 74.125.67.106: bytes=32 time=236ms TTL=54
    Reply from 74.125.67.106: bytes=32 time=254ms TTL=54
    Reply from 74.125.67.106: bytes=32 time=189ms TTL=54
    Reply from 74.125.67.106: bytes=32 time=270ms TTL=54

    Ping statistics for 74.125.67.106:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 189ms, Maximum = 270ms, Average = 237ms

    That's weird.

    I think it may have to do with TM firewall freaking out. I just uninstalled the firewall and haven't received any of the error popups. Ok so now I can get online with the TM firewall uninstalled. Reinstalling firewall now....ok that cleared up the TM firewall error popups!!

    Can we deem the desktop clean?
    Do I need to worry about my external HD I use for back ups?
    About the laptop? Can you take a look at what ever log you want/need?
    Thanks so much!!
     
  14. 2010/03/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news so far :)

    Not yet.

    Surely. In the next scan, make sure the external hard drive is selected.

    You'll have to start a new topic on it when we're done with your desktop.

    ===============================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  15. 2010/03/05
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    Good Morning,
    So I got another notice from my ISP saying that the Torpig bot is still coming from my IP address. At least the Mebroot isn't showing up.

    So I wasn't able to finish DL the Kaspersky online scanner.

    What should I do now?
    Thanks
     
  16. 2010/03/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


    Post fresh HijackThis log as well.
     
  17. 2010/03/05
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    Took forever. I wish I had read your post closer and selected "yes to all" the first time it popped up:(
    Let me know if you need anything else.
    Thanks



    free-flv-to-iphone-converter.exe/data002\{app}\dll\SplitEncoder.dll;C:\Documents and Settings\Alexander XXXXX\My Documents\Downloads\free-flv-to-iphone-converter.exe/data002;Trojan.DownLoad.44484;;
    data002;C:\Documents and Settings\Alexander XXXX\My Documents\Downloads;Archive contains infected objects;;
    free-flv-to-iphone-converter.exe;C:\Documents and Settings\Alexander XXXXX\My Documents\Downloads;Container contains infected objects;Moved.;
    spellcheck.X32;C:\Program Files\Disney Interactive\Disney Princess Royal Horse Show\Xtras\Win\Disney Interactive;Trojan.MulDrop.origin;Incurable.Moved.;
    SplitEncoder.dll;C:\Program Files\Topsevenreviews\Free FLV to iPhone Converter\dll;Trojan.DownLoad.44484;Incurable.Moved.;
    A0070060.reg;C:\System Volume Information\_restore{FB4EAA52-6C5D-4E5E-804A-2876160D993A}\RP228;Trojan.StartPage.1505;Deleted.;
    A0072410.dll;C:\System Volume Information\_restore{FB4EAA52-6C5D-4E5E-804A-2876160D993A}\RP229;Trojan.DownLoad.44484;Incurable.Moved.;
    MBM505.EXE\data024;E:\Julie\My Downloads\Current Downloads\MBM505.EXE;Probably BACKDOOR.Trojan;;
    MBM505.EXE;E:\Julie\My Downloads\Current Downloads;Archive contains infected objects;Moved.;
    A0072411.EXE\data024;E:\System Volume Information\_restore{FB4EAA52-6C5D-4E5E-804A-2876160D993A}\RP229\A0072411.EXE;Probably BACKDOOR.Trojan;;
    A0072411.EXE;E:\System Volume Information\_restore{FB4EAA52-6C5D-4E5E-804A-2876160D993A}\RP229;Archive contains infected objects;Moved.;




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:13:54 PM, on 3/5/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Documents and Settings\Heath Hill\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
    O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe "
    O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Global Startup: tisspwiz.lnk = C:\Program Files\Trend Micro\Internet Security\tisspwiz.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7151 bytes
     
    Last edited: 2010/03/05
  18. 2010/03/05
    broni Moderator Malware Analyst
    Download and install AVP Tool.
    After installation, leave all settings as they are, and simply click on the Scan button.
    When the scan is done and any objects are found, click on the Neutralize all button.
    Next, click the Reports... button, then Save to file....
    Save the file to a known location as report.txt.
    Open report.txt in Notepad, copy all content, and post it in your next reply.

    Post a fresh HJT log as well.
     
  19. 2010/03/05
    Hill Inactive Thread Starter
    Ok, that's done.
    I can't figure out how to save the report. But all it said was it started and then completed.
    Here is the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:44:29 PM, on 3/5/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Heath Hill\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
    O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe "
    O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Startup: setup_9.0.0.722_06.03.2010_02-12.lnk = C:\Documents and Settings\Heath Hill\Desktop\Virus Removal Tool\setup_9.0.0.722_06.03.2010_02-12\startup.exe
    O4 - Global Startup: tisspwiz.lnk = C:\Program Files\Trend Micro\Internet Security\tisspwiz.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7281 bytes
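The two HijackThis logs posted above differ by a single entry: the O4 Startup shortcut for the Virus Removal Tool installed in the previous step. Spotting that by eye across two 7 KB logs is error-prone, so here is an added example (not code from the thread, from HijackThis, or from the moderator) that parses the HJT log format, diffs the R/F/N/O entries between two scans, and flags two things an analyst looks for in such a log: O4 autoruns whose target lives inside a user profile rather than Program Files or Windows, and O23 services HJT reports as "Unknown owner". The two log excerpts embedded below are constructed from the logs above and trimmed to a few lines; the helper names and the user-profile heuristic are my own, not HijackThis conventions.

```python
"""Parse two HijackThis logs and report what changed between scans.

Added example for this thread; not HijackThis code and not anything the
moderator posted. LOG_BEFORE / LOG_AFTER are constructed excerpts of the
two logs shown above, trimmed to a handful of lines.
"""
import re
from typing import Dict, List, Tuple

# HJT entry lines look like "O4 - HKLM\..\Run: [name] path" or "R0 - ...".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# Heuristic (mine, not HJT's): autorun targets inside a user profile instead of
# Program Files / Windows deserve a second look, since droppers often land there.
USER_PROFILE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Desktop|Local Settings|Application Data|My Documents)\\",
    re.IGNORECASE,
)

LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:54 PM, on 3/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: tisspwiz.lnk = C:\Program Files\Trend Micro\Internet Security\tisspwiz.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe

--
End of file - 7151 bytes
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:29 PM, on 3/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Documents and Settings\Heath Hill\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: setup_9.0.0.722_06.03.2010_02-12.lnk = C:\Documents and Settings\Heath Hill\Desktop\Virus Removal Tool\setup_9.0.0.722_06.03.2010_02-12\startup.exe
O4 - Global Startup: tisspwiz.lnk = C:\Program Files\Trend Micro\Internet Security\tisspwiz.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe

--
End of file - 7281 bytes
"""


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split an HJT log into the running-process list and the R/F/N/O entry lines."""
    processes: List[str] = []
    entries: List[str] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def diff_entries(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) entry lines, in log order, between two scans."""
    old = parse_hjt(before)["entries"]
    new = parse_hjt(after)["entries"]
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


def user_profile_autoruns(entries: List[str]) -> List[str]:
    """O4 autorun entries whose target path sits inside a user profile."""
    return [e for e in entries if e.startswith("O4 ") and USER_PROFILE_RE.search(e)]


def unknown_owner_services(entries: List[str]) -> List[str]:
    """O23 services that HJT could not attribute to a vendor ('Unknown owner')."""
    return [e for e in entries if e.startswith("O23 ") and " - Unknown owner - " in e]


if __name__ == "__main__":
    added, removed = diff_entries(LOG_BEFORE, LOG_AFTER)
    after_entries = parse_hjt(LOG_AFTER)["entries"]
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("autoruns in a user profile:", *user_profile_autoruns(after_entries), sep="\n  ")
    print("services with unknown owner:", *unknown_owner_services(after_entries), sep="\n  ")
```

Run as-is it reports one added entry and nothing removed, which matches the full logs above. Both flags are leads to verify rather than verdicts: in this thread the flagged O4 Startup entry is the scanner the moderator asked for in the previous step, and the "Unknown owner" services in the full logs belong to the installed ATI and Acronis software. Paste two real logs into LOG_BEFORE and LOG_AFTER to reuse it on another case.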
     
  20. 2010/03/05
    broni Moderator Malware Analyst
    I really wish I could see that report.

    Let's try one more scan (I simply want to make sure your ISP won't bother you anymore).

    Please run a free online scan with the ESET Online Scanner.

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  21. 2010/03/10
    Hill Inactive Thread Starter
    ISP went down for a day :(
    So here is the ESET log.
    Let me know if there is anything else to do.
    Thanks


    C:\Documents and Settings\Alexander XXXXX\Local Settings\Application Data\Mozilla\Firefox\Profiles\8dj2fq0u.default\Cache\01465605d01 JS/Exploit.Pdfka.NUI trojan cleaned by deleting - quarantined
     
