
Active loud fan, slow computer

Discussion in 'Malware and Virus Removal Archive' started by RAMickelsen, 2009/12/02.

  1. 2009/12/02
    RAMickelsen

    RAMickelsen Inactive Thread Starter

    [Active] loud fan, slow computer

    I am not sure if this is the right place for this post because I don't know what the problem is. I am running a Dell Inspiron 9400 Laptop with Windows XP and have all the latest service packs installed. I have a gig of RAM and about a 200G HD. I run Spyware Doctor, Avast, Regpro, and Wise Registry Cleaner as well as a couple of other attack dogs I cannot think of just now. My computer is about three years old. I have had no major problems with it besides the usual Dell power supply failures.

    About four days ago I noticed the fan began to hum loudly and the computer slowed way down to a fraction of its normal speed and stayed that way until I reset. Upon resetting, the fan shuts off and speed returns to normal for a few minutes... then the fan comes back on and the computer slows down again. I have researched online for possible solutions. I have tried the following:

    I ran every spyware, anti-virus, and registry cleaner I have. They ran very slowly, but did seem to work. This made very little difference.

    I ran msconfig.exe and disabled every application under "services" and "startup" that I could, leaving only my wireless adapter, the Microsoft services, and the Avast entries. This helped a little. The processor usage dropped from 100% to around 60% when the fan is on.

    I did a CHKDSK on reboot and a defrag. No errors and no difference.

    I took the computer apart and cleaned out the fan and intake for the cooling device that is attached to the heat sink for the processor. I found a significant dust bunny there, but no place else. When I started up again, the computer ran faster than it has run in a year. But the next day the problem re-appeared worse than before. I took the computer apart again and found no further problems inside.

    Following another suggestion for dealing with a similar problem, I went to the event manager and cleared the logs for the first three entries... this made no noticeable difference.

    I have noticed these things while watching the task manager:

    Services.exe seems to be related to the problem. Before the fan comes on, it shows little CPU usage. After it comes on, it jumps around erratically from 10% to 30%. Listed under Services are ten instances of svchost.exe. Of these, one consistently bounces around from 0% to 15% in a predictable rhythm. When I temporarily disable this application, Windows Explorer will not run. When I re-enable it, Explorer will run. I also notice that spoolsv.exe bounces around from 0% to 20%, even though there are no print jobs queued. I do not think this is the virus version since it is identified in Task Manager as a SYSTEM application.

    There do not appear to be any other processes that can account for this behavior.

    I am completely stumped. I am also out of ideas. The computer fan comes on now about two minutes after reboot with no applications at all running. Before I tried all of these "fixes" the problem would not arise until I was watching videos for 10 minutes or doing something else that required processing power. It seems I have succeeded only in making the problem worse. Any ideas you might have would be greatly appreciated.

    Thanks in advance.

    Robert Mickelsen
     
  2. 2009/12/02
    PeteC

    PeteC SuperGeek Staff

    Welcome to WindowsBBS :)

    Strong possibility of malware - thread moved to the Malware & Virus Removal forum .....

    Please read this as indicated at the head of the forum and post the logs requested in this thread.

    BTW - steer well clear of Registry cleaners - they do no good and yield no performance gain. They can render a computer unbootable in the wrong hands and are not a general panacea for all ills or for regular use.
     


  4. 2009/12/02
    RAMickelsen

    RAMickelsen Inactive Thread Starter

    win32:malware-gen

    OK... I am in the process of getting the logs requested. That computer is extremely sick and it is slow going. Typing this from another computer.

    Ran a boot-time virus scan and it returned three errors:

    C:\System volume Information\_restore{202550A8-7A334BCA-956-051D24DDBF8F}RP864\A0282294.exe is infected by win32:malware-gen
    Repair:Error 42060 {file not repaired}

    then the same thing but A0282295.exe and A0282296.exe

    Naturally, this points to a directory that I cannot find or cannot see so I cannot get to this file to delete it. You said malware... so... how do I get rid of this?

    - RAM
     
  5. 2009/12/02
    RAMickelsen

    RAMickelsen Inactive Thread Starter

    Logs from DDS

    Here are the logs from DDS as instructed.


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Robert Mickelsen at 16:02:01.31 on Wed 12/02/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_01
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.377 [GMT -5:00]

    AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    AV: avast! antivirus 4.8.1368 [VPS 091202-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
    C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\ATT-SST\McciTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Online Backup\OnlineBackup.exe
    C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Tablet.exe
    C:\Documents and Settings\Robert Mickelsen\Application Data\U3\0000D18001502B06\LaunchPad.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Documents and Settings\Robert Mickelsen\My Documents\Downloads\ProcessExplorer\procexp.exe
    C:\Program Files\ATT-SST\McciBrowser.exe
    C:\Documents and Settings\Robert Mickelsen\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.att.net
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070125
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=Og0l62XfLXwJadixFJPp5TS9D_U
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB0.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
    BHO: {00A6FAF1-072E-44cf-8957-5838F569A31D} - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ClickCatcher MSIE handler: {16664845-0e00-11d2-8059-000000000000} - c:\program files\common files\reget shared\Catcher.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB0.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: ReGet Bar: {17939a30-18e2-471e-9d3a-56dd725f1215} - c:\program files\regetdx\iebar.dll
    TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB0.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
    TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [@BackupScheduler] c:\program files\online backup\OnlineBackup.exe
    uRun: [Uniblue SpeedUpMyPC] c:\program files\uniblue\speedupmypc 3\SpeedUpMyPC.exe -s
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
    uRun: [Pando] "c:\program files\pando networks\pando\Pando.exe" /Minimized
    uRun: [Google Update] "c:\documents and settings\robert mickelsen\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe "
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [RDFNSListener] c:\program files\regdefense\RDFNSListener.exe
    mRun: [RDFNSAgent] c:\program files\regdefense\RDFNSAgent.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\1.bin\M3PLUGIN.DLL,UPF
    mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
    mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    IE: Do&wnload by ReGet Deluxe - c:\program files\common files\reget shared\CC_Link.htm
    IE: Download A&ll by ReGet Deluxe - c:\program files\common files\reget shared\CC_All.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - hxxp://www.parallelgraphics.com/bin/cortvrml.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\q0p7dfyc.default\
    FF - prefs.js: browser.startup.homepage - hxxp://robertmickelsen.com/
    FF - component: c:\documents and settings\robert mickelsen\application data\mozilla\firefox\profiles\q0p7dfyc.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayAccessComponent.dll
    FF - component: c:\documents and settings\robert mickelsen\application data\mozilla\firefox\profiles\q0p7dfyc.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayShortcutMaker.dll
    FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\robert mickelsen\application data\mozilla\firefox\profiles\q0p7dfyc.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
    FF - plugin: c:\documents and settings\robert mickelsen\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\dassault systemes\3d xml player\intel_a\code\bin\NP3DXMLPlugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-29 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-29 20560]

    =============== Created Last 30 ================

    2009-12-02 19:38:11 7430144 ---ha-w- c:\documents and settings\robert mickelsen\ntuser.tmp
    2009-11-19 14:24:05 0 d-----w- c:\program files\common files\Config
    2009-11-11 02:05:29 0 d-----w- c:\docume~1\robert~1\applic~1\AT&T
    2009-11-11 02:05:26 0 d-----w- c:\program files\AT&T
    2009-11-11 02:05:26 0 d-----w- c:\docume~1\alluse~1\applic~1\AT&T
    2009-11-11 02:05:14 0 d-----w- c:\docume~1\alluse~1\applic~1\ATTToolbar
    2009-11-11 02:05:12 0 d-----w- c:\program files\ATTToolbar
    2009-11-11 02:05:11 0 d-----w- c:\docume~1\robert~1\applic~1\ATTToolbar
    2009-11-11 02:02:32 0 d-----w- c:\program files\ATT-SST
    2009-11-11 01:33:08 0 d-----w- c:\program files\ATT-HSI
    2009-11-10 15:06:46 13696 ----a-w- c:\windows\system32\drivers\wpsnuio.sys
    2009-11-10 15:06:45 0 d-----w- c:\program files\Skyhook Wireless
    2009-11-10 15:06:38 0 d-----w- c:\program files\Boingo
    2009-11-10 15:06:37 0 d-----w- c:\docume~1\alluse~1\applic~1\GoBoingo

    ==================== Find3M ====================

    2009-12-02 20:56:10 12950 ----a-w- c:\windows\system32\tablet.dat
    2009-11-26 15:02:15 178700 ----a-w- c:\windows\hpwins20.dat
    2009-10-29 15:33:46 49152 ------w- c:\documents and settings\robert mickelsen\PNPrint3.exe
    2009-10-26 19:05:56 76984 ----a-w- c:\docume~1\robert~1\applic~1\GDIPFONTCACHEV1.DAT
    2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2008-12-18 03:33:10 162248 ----a-w- c:\program files\lsm_1_7_11.zip

    ============= FINISH: 16:08:15.79 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/29/2007 12:52:40 PM
    System Uptime: 12/2/2009 3:54:36 PM (1 hours ago)

    Motherboard: Dell Inc. | | 0YD479
    Processor: Genuine Intel(R) CPU T2250 @ 1.73GHz | Microprocessor | 795/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 144 GiB total, 59.476 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is CDROM (CDFS)
    G: is Removable

    ==== Disabled Device Manager Items =============

    ==== Installed Programs ======================

    µTorrent
    32 Bit HP CIO Components Installer
    3D XML Player
    3DVIA player 5.0
    4660_4680_Help
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop 7.0
    Adobe Photoshop CS
    Adobe Reader 8.1.3
    AnswerWorks 5.0 English Runtime
    AOLIcon
    Apple Mobile Device Support
    Apple Software Update
    AT&T Internet Security Wizard 1.5.11
    AT&T Self Support Tool
    AT&T Toolbar
    ATI Catalyst Control Center
    ATI Display Driver
    avast! Antivirus
    Boingo Wi-Fi
    Bonjour
    BookSmart™ 1.9.9 1.9.9
    Bookworm® Deluxe
    BPD_HPSU
    bpd_scan
    BPDSoftware
    BPDSoftware_Ini
    Broadcom Management Programs
    Bryce(R) 5
    Cartes du Ciel
    Chaoscope 0.3.1
    Chess Assistant 7 Light
    Conexant HDA D110 MDC V.92 Modem
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    Critical Update for Windows Media Player 11 (KB959772)
    Dassault Systemes Software Prerequisites x86
    Dell Support 3.2.1
    Dell System Restore
    Dell Wireless WLAN Card
    DeviceFunctionQFolder
    Digital Content Portal
    Digital Line Detect
    dj_sf_software
    DocMgr
    DocProc
    DocProcQFolder
    dvdSanta 4.50
    Eudora
    ffdshow (remove only)
    FileZilla Client 3.0.3
    Flip Words
    Free Video to Flash Converter version 4.1
    Garmin Communicator Plugin
    Garmin USB Drivers
    Google Chrome
    Google Desktop
    Google Earth
    Google Toolbar for Firefox
    Google Toolbar for Internet Explorer
    Google Updater
    HepYek 1.0
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    HP Document Manager 1.0
    HP Officejet All-In-One Series
    HP Smart Web Printing
    HP Update
    HPSSupply
    iMesh
    IsoBuster 2.3
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J4680
    Java(TM) SE Runtime Environment 6 Update 1
    Learn To Speak Spanish Deluxe 10
    Learn2 Player (Uninstall Only)
    LightWave 7 Full Install
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Macromedia Fireworks 8
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    MarketResearch
    MediaDirect
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 2003 Primary Interop Assemblies
    Microsoft Office Outlook 2003 with Business Contact Manager Update
    Microsoft Office Small Business Edition 2003
    Microsoft Office XP Professional with FrontPage
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Silverlight
    Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C Runtime
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft Works
    Modem Helper
    Moffsoft FreeCalc
    Moray For Windows V3.5
    Mozilla Firefox (3.5.5)
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    My Web Search (My Web Face)
    myBabylon_English Toolbar
    Need4 Software Launcher 5.8
    Need4 Video Converter 5.9
    neroxml
    NetDeviceManager
    NetWaiting
    NoAdware v5.0
    OCR Software by I.R.I.S. 10.0
    Online Backup
    OutlookAddinSetup
    Pando
    pdc Calendar V2
    Photosynth 2.0.1403.5
    PictoWords
    Play65
    Play89
    PokerStars
    Poser 7
    POV-Ray for Windows v3.6.1c
    Prism Video Converter
    ProductContext
    Punch! Ultimate Deck and Landscape
    QuickBooks
    QuickBooks Pro 2010
    QuickBooks Product Listing Service
    Quicken 2010
    QuickSet
    QuickTime
    RealPlayer
    ReGet Deluxe 4.2
    Safari
    Scan
    SearchAssist
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Shop for HP Supplies
    Skyhook Wireless Wi-Fi Service
    SmartWebPrintingOC
    Sonic DLA
    Sonic MyDVD LE
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Spyware Doctor 6.0
    SupportSoft Assisted Service
    Switch Sound File Converter
    Synaptics Pointing Device Driver
    Tablet
    Toolbox
    U.S. Robotics 56K Faxmodem USB
    Uniblue SpeedUpMyPC 3
    Uniblue System Tweaker
    Uninstall 1.0.0.0
    Unload
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    URL Assistant
    VideoLAN VLC media player 0.8.6d
    Viewpoint Media Player
    WebFldrs XP
    WebReg
    Whats Up
    Wheel of Fortune
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3
    WinImage
    WinMorph™ 3.01
    Word Connect
    Word Slinger
    Word Wars
    Yahoo! Pin High Country Club Golf
    Yahoo! Toolbar
    ZoneAlarm Pro

    ==== End Of File ===========================
     
  6. 2009/12/02
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    One of our trained malware removal experts will respond shortly.
     
  7. 2009/12/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    First of all, you're running TWO antivirus programs:
    Spyware Doctor with AntiVirus
    avast! antivirus

    One of them has to go. I suggest, you leave Avast.

    Then, there are Norton's leftovers.
    Download and run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    When done....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!



    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  8. 2009/12/02
    RAMickelsen

    RAMickelsen Inactive Thread Starter

    Joined:
    2009/12/02
    Messages:
    29
    Likes Received:
    0
    I tried to download the Norton removal tool, but get an error stating that my internet connection is not working... even though it is working fine.

    I tried to download Combofix and avast is identifying it as containing a virus. I already have Combofix downloaded today from another source. I will identify it as a false positive.

    I was able to download HijackThis.
     
  9. 2009/12/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Turn off Avast (as instructions say) and run Combofix.
     
  10. 2009/12/03
    RAMickelsen

    RAMickelsen Inactive Thread Starter

    Joined:
    2009/12/02
    Messages:
    29
    Likes Received:
    0
    I think that may have worked

    I really appreciate what you guys do. Here is the Combofix log:

    ComboFix 09-12-02.05 - Robert Mickelsen 12/03/2009 0:50.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.553 [GMT -5:00]
    Running from: c:\documents and settings\Robert Mickelsen\Desktop\ComboFix.exe
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    ADS - system32: deleted 426 bytes in 3 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\FunWebProducts
    c:\program files\MyWebSearch
    c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
    c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
    c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
    c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
    c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
    c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
    c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
    c:\program files\MyWebSearch\bar\1.bin\F3REGHK.DLL
    c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
    c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
    c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
    c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
    c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
    c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
    c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
    c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
    c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
    c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
    c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
    c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
    c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
    c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
    c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
    c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
    c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
    c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
    c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
    c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
    c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
    c:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
    c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
    c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
    c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
    c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
    c:\program files\MyWebSearch\bar\Game\CHESS.F3S
    c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
    c:\program files\MyWebSearch\bar\icons\CM.ICO
    c:\program files\MyWebSearch\bar\icons\MFC.ICO
    c:\program files\MyWebSearch\bar\icons\PSS.ICO
    c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
    c:\program files\MyWebSearch\bar\icons\WB.ICO
    c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
    c:\program files\MyWebSearch\bar\Message\COMMON.F3S
    c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
    c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
    c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
    c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
    c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
    c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
    c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
    c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
    c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
    c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
    c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
    c:\program files\MyWebSearch\bar\Settings\s_pid.dat
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\f3PSSavr.scr
    .
    ---- Previous Run -------
    .
    c:\documents and settings\Robert Mickelsen\x.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Service_MyWebSearchService


    ((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
    .

    2009-12-03 04:08 . 2009-12-03 04:08 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\Malwarebytes
    2009-12-03 04:07 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-03 04:07 . 2009-12-03 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-03 04:07 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-03 04:07 . 2009-12-03 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-19 14:24 . 2009-11-19 14:24 -------- d-----w- c:\program files\Common Files\Config
    2009-11-19 14:23 . 2009-11-19 14:23 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
    2009-11-11 02:05 . 2009-11-11 02:05 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\AT&T
    2009-11-11 02:05 . 2009-11-11 02:05 -------- d-----w- c:\program files\AT&T
    2009-11-11 02:05 . 2009-11-11 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
    2009-11-11 02:05 . 2009-11-17 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
    2009-11-11 02:05 . 2009-11-11 02:05 -------- d-----w- c:\program files\ATTToolbar
    2009-11-11 02:05 . 2009-11-17 03:15 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\ATTToolbar
    2009-11-11 02:02 . 2009-11-11 02:03 -------- d-----w- c:\program files\ATT-SST
    2009-11-11 01:33 . 2009-11-11 01:33 -------- d-----w- c:\program files\ATT-HSI
    2009-11-10 15:06 . 2009-11-10 15:06 13696 ----a-w- c:\windows\system32\drivers\wpsnuio.sys
    2009-11-10 15:06 . 2009-11-10 15:06 -------- d-----w- c:\program files\Skyhook Wireless
    2009-11-10 15:06 . 2009-11-10 15:06 -------- d-----w- c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Skyhook Wireless
    2009-11-10 15:06 . 2009-11-10 15:06 -------- d-----w- c:\program files\Boingo
    2009-11-10 15:06 . 2009-11-10 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\GoBoingo
    2009-11-10 02:35 . 2009-12-01 17:24 219304 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-11-09 13:19 . 2009-11-09 13:19 975648 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
    2009-11-09 13:19 . 2009-11-09 13:19 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
    2009-11-09 13:19 . 2009-11-09 13:19 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-03 06:37 . 2008-12-04 16:57 12950 ----a-w- c:\windows\system32\tablet.dat
    2009-12-03 05:22 . 2009-05-23 14:42 -------- d-----w- c:\program files\Common Files\PC Tools
    2009-12-03 05:22 . 2009-05-23 14:42 -------- d-----w- c:\program files\Spyware Doctor
    2009-12-03 05:19 . 2008-11-14 01:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-12-03 02:09 . 2007-01-29 19:14 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\U3
    2009-12-02 23:10 . 2007-01-30 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-12-02 02:47 . 2007-03-09 03:05 -------- d-----w- c:\program files\PokerStars
    2009-12-02 01:53 . 2009-10-26 14:57 -------- d-----w- c:\program files\RegDefense
    2009-12-01 13:37 . 2009-10-28 14:39 2827 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
    2009-11-26 15:02 . 2009-02-21 02:12 178700 ----a-w- c:\windows\hpwins20.dat
    2009-11-26 01:27 . 2007-06-04 02:45 -------- d-----w- c:\program files\Play89
    2009-11-25 13:19 . 2009-10-28 14:45 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
    2009-11-25 13:19 . 2009-10-28 14:45 1087752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
    2009-11-25 13:19 . 2009-10-28 14:45 2168112 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
    2009-11-25 13:19 . 2009-10-28 14:45 852784 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\dblgen11.dll
    2009-11-19 14:23 . 2007-11-01 17:00 -------- d-----w- c:\program files\Quicken
    2009-11-19 14:22 . 2009-10-14 17:06 241000 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
    2009-11-17 23:49 . 2008-02-25 20:07 -------- d-----w- c:\program files\Common Files\Motive
    2009-11-11 02:04 . 2008-02-25 20:07 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\Motive
    2009-11-08 13:24 . 2009-10-28 14:45 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblib10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
    2009-11-08 13:24 . 2009-10-28 14:45 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
    2009-10-29 15:33 . 2009-10-29 15:33 49152 ------w- c:\documents and settings\Robert Mickelsen\PNPrint3.exe
    2009-10-28 14:45 . 2009-10-28 14:45 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
    2009-10-28 14:45 . 2009-10-28 14:45 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
    2009-10-28 14:39 . 2009-10-28 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
    2009-10-28 14:29 . 2007-08-30 21:32 -------- d-----w- c:\program files\Common Files\Intuit
    2009-10-28 14:26 . 2009-10-28 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
    2009-10-28 14:26 . 2007-08-30 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
    2009-10-28 14:26 . 2007-08-30 21:32 -------- d-----w- c:\program files\Intuit
    2009-10-27 17:47 . 2009-10-27 15:01 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\Move Networks
    2009-10-26 14:21 . 2009-10-29 12:39 50176 ----a-w- c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
    2009-10-26 14:21 . 2009-10-29 12:39 94208 ----a-w- c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
    2009-10-23 00:42 . 2009-10-23 00:42 -------- d-----w- c:\program files\Blender
    2009-10-23 00:39 . 2009-10-23 00:38 -------- d-----w- c:\program files\Archimedes - The Open CAD
    2009-10-18 19:09 . 2007-01-29 17:53 76984 ----a-w- c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-18 02:35 . 2009-10-18 02:35 -------- d-----w- c:\program files\MSBuild
    2009-10-18 02:34 . 2009-10-18 02:34 -------- d-----w- c:\program files\Reference Assemblies
    2009-10-14 17:08 . 2009-10-14 17:08 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
    2009-10-14 17:05 . 2009-10-14 17:05 223584 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
    2009-10-14 17:05 . 2009-10-14 17:05 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
    2009-10-10 03:46 . 2007-01-26 02:11 -------- d-----w- c:\program files\Common Files\Real
    2009-10-10 03:46 . 2009-10-10 03:46 -------- d-----w- c:\program files\Common Files\xing shared
    2009-10-10 03:46 . 2009-10-10 03:46 -------- d-----w- c:\program files\real
    2009-10-05 23:16 . 2007-01-26 02:17 -------- d-----w- c:\program files\Common Files\Adobe
    2009-09-30 22:19 . 2009-10-14 17:05 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Hab\Custom\billmind.exe
    2009-09-30 22:19 . 2009-10-14 17:05 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Deluxe\Custom\billmind.exe
    2009-09-30 22:19 . 2009-10-14 17:05 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\RPM\Custom\billmind.exe
    2009-09-30 22:19 . 2009-10-14 17:05 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Premier\Custom\billmind.exe
    2009-09-30 22:18 . 2009-09-30 22:18 91 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\Pnf\Pas\reg.bat
    2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll
    2008-12-18 03:33 . 2008-12-18 03:33 162248 ----a-w- c:\program files\lsm_1_7_11.zip
    2008-08-09 16:32 . 2007-01-30 14:11 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2009-07-19 2215960]

    [HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
    2009-07-19 21:56 2215960 ----a-w- c:\program files\myBabylon_English\tbmyB0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2009-07-19 2215960]

    [HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2009-07-19 2215960]

    [HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@BackupScheduler"= "c:\program files\Online Backup\OnlineBackup.exe" [2007-09-04 611768]
    "Uniblue SpeedUpMyPC"= "c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-05-23 8631840]
    "swg"= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 68856]
    "Pando"= "c:\program files\Pando Networks\Pando\Pando.exe" [2008-06-02 6210888]
    "Google Update"= "c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-12 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Intuit SyncManager"= "c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup" [X]
    "Broadcom Wireless Manager UI"= "c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "TkBellExe"= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-10 198160]
    "QuickTime Task"= "c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "ISW.exe"= "c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
    "HP Software Update"= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "Google Desktop Search"= "c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-09 29744]
    "ATT-SST_McciTrayApp"= "c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
    "Adobe Reader Speed Launcher"= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Malwarebytes Anti-Malware (reboot)"= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
    backup=c:\windows\pss\Service Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
    backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\att-nap\\McciBrowser.exe"=
    "c:\\Program Files\\Yahoo! Games\\Yahoo! Pin High Country Club Golf\\Course1.exe"=
    "c:\\LightWave_3D_7.0\\Programs\\hub.exe"=
    "c:\\LightWave_3D_7.0\\Programs\\Lightwav.exe"=
    "c:\\LightWave_3D_7.0\\Programs\\Modeler.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Safari\\Safari.exe"=
    "c:\\Program Files\\Shockwave.com\\Wheel of Fortune\\product\\Wheel of Fortune.exe"=
    "c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "51532:TCP"= 51532:TCP:limewire
    "51532:UDP"= 51532:UDP:limewire

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2007 8:02 AM 639224]
    S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/25/2007 9:16 PM 29744]
    S3 Idnydsg;Idnydsg; [x]
    S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
    S3 Winacusb;Winacusb;c:\windows\system32\drivers\winacusb.sys [9/28/2007 10:46 PM 902860]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-30 04:08]

    2009-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-402912332-3275947696-2339302964-1007Core.job
    - c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-12 18:30]

    2009-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-402912332-3275947696-2339302964-1007UA.job
    - c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-12 18:30]

    2009-08-19 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
    - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-06-03 18:03]

    2009-11-29 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
    - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-06-03 18:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=Og0l62XfLXwJadixFJPp5TS9D_U
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Do&wnload by ReGet Deluxe - c:\program files\Common Files\ReGet Shared\CC_Link.htm
    IE: Download A&ll by ReGet Deluxe - c:\program files\Common Files\ReGet Shared\CC_All.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    FF - ProfilePath - c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\
    FF - prefs.js: browser.startup.homepage - hxxp://robertmickelsen.com/
    FF - component: c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
    FF - component: c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
    FF - plugin: c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
    FF - plugin: c:\program files\Dassault Systemes\3D XML Player\intel_a\code\bin\NP3DXMLPlugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-RDFNSListener - c:\program files\RegDefense\RDFNSListener.exe
    HKLM-Run-RDFNSAgent - c:\program files\RegDefense\RDFNSAgent.exe
    HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
    HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
    AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
    AddRemove-iMesh - c:\program files\iMesh Applications\iMesh\UninstallSurvey.exe c:\program files\iMesh Applications\iMesh\UnwiseLauncher.exe
    AddRemove-Online Backup - c:\program files\Online Backup\OnlineBackup.exe UNINSTALL
    AddRemove-RealPlayer 12.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-03 01:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\Àõspctlsp.log 142 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x871817AC]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf76aaf28
    \Driver\ACPI -> ACPI.sys @ 0xf744ecb8
    \Driver\atapi -> atapi.sys @ 0xf7409b40
    IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72fcbb0
    PacketIndicateHandler -> NDIS.sys @ 0xf72eba0d
    SendHandler -> NDIS.sys @ 0xf72ffb40
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(928)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'lsass.exe'(984)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

    - - - - - - - > 'explorer.exe'(2672)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\system32\Tablet.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-03 01:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-03 06:56

    Pre-Run: 68,792,823,808 bytes free
    Post-Run: 68,873,330,688 bytes free

    Current=2 Default=2 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - 299768432A33A4156D400C6988A604A3
     
  11. 2009/12/03 RAMickelsen (Inactive, Thread Starter)
    second log

    ...and here is the hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:54:39 AM, on 12/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\ATT-SST\McciTrayApp.exe
    C:\Program Files\Online Backup\OnlineBackup.exe
    C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Robert Mickelsen\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070125
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=Og0l62XfLXwJadixFJPp5TS9D_U
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
    O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [@BackupScheduler] C:\Program Files\Online Backup\OnlineBackup.exe
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - http://u3.sandisk.com/download/apps/LPInstaller.CAB
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
    O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 11249 bytes
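A small triage helper for a HijackThis log like the one above. This is an added example, not part of the original post and not HijackThis's own code. It parses the R/O entry lines, reports entries whose target is gone (the "(no file)" and "(file missing)" markers HijackThis itself prints), lists O23 services whose owner HijackThis could not identify, and flags a CLSID that is registered under more than one hook type at once (URLSearchHook, BHO and Toolbar, as the myBabylon entry is). The sample input is a handful of lines copied from the log above; the function and field names are my own.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the HijackThis log above (header lines
# and a process-list line included to show they are skipped).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(file missing)", "(no file)")   # HijackThis's own wording
# Hook types where one CLSID showing up several times is worth a look (my choice).
HOOK_CODES = {"R3", "O2", "O3"}


def parse_hjt(text):
    """Return one dict per HijackThis entry line (R0/R1/.../O23); other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0).lower() if clsid else None,
        })
    return entries


def triage(text):
    """Summarise the entries a reviewer would look at first."""
    entries = parse_hjt(text)
    missing = []
    unknown_owner = []
    hooks_by_clsid = defaultdict(set)
    for e in entries:
        if any(marker in e["body"] for marker in MISSING_MARKERS):
            missing.append(f'{e["code"]} - {e["body"]}')
        if e["clsid"] and e["code"] in HOOK_CODES:
            hooks_by_clsid[e["clsid"]].add(e["code"])
        if e["code"] == "O23" and " - Unknown owner - " in e["body"]:
            # body looks like "Service: <name> - <owner> - <path>"
            unknown_owner.append(e["body"].split(" - ")[0][len("Service: "):])
    return {
        "missing_file": missing,
        "multi_hook_clsid": {c: sorted(v) for c, v in hooks_by_clsid.items() if len(v) > 1},
        "unknown_owner_service": unknown_owner,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

Run it over a full saved HijackThis log by reading the file into `triage()`; the three buckets are a starting point for what to research, not a verdict, since a dead entry can be a leftover of a normal uninstall and an unknown owner only means the binary carried no vendor string.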
     
  12. 2009/12/03 RAMickelsen (Inactive, Thread Starter)
    post deleted
     
    Last edited: 2009/12/03
  13. 2009/12/03 RAMickelsen (Inactive, Thread Starter)
    I just posted the logs.. waiting to get the all-clear.

    I was not able to disable avast so I uninstalled it before running Combofix. I also turned off windows firewall and uninstalled spyware doctor. Combofix ran all night and I awoke to a quiet and very fast computer. :)

    There are a number of new logs ending in lps on my desktop. Are these important?

    I am waiting to hear from you before re-installing avast. I should also have a spyware program. Which do you recommend? I have already turned the firewall back on. My computer is now off and I am writing from another one to make sure nothing happens before you declare me clean.

    Thanks again for all your help. You guys rock!

    - RAM
     
  14. 2009/12/03 RAMickelsen (Inactive, Thread Starter)
    I am sad to report that the fix seems to have been temporary and that the problem has returned as if I had done nothing. Now what?

    - RAM
     
  15. 2009/12/03 broni (Moderator, Malware Analyst)
    We have only started the cleaning process, so you have to be patient.
    Make sure the firewall is up. That's the most important thing.
    We'll reinstall Avast after completing the next step.
    Antimalware programs will also come along with the next steps.


    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::
    
    File::
    c:\windows\system32\DRIVERS\tclondrv.sys
    c:\windows\system32\drivers\TfFsMon.sys
    c:\windows\system32\drivers\TfSysMon.sys
    c:\windows\system32\drivers\TfNetMon.sys 
    
    
    Folder::
    c:\program files\Common Files\PC Tools
    c:\program files\Spyware Doctor
    
    
    Driver::
    tclondrv
    TfFsMon
    TfSysMon
    Idnydsg
    pctplsg
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    
    
    RegLockDel::
    
    mbr::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    (animation: dragging CFScript.txt onto ComboFix.exe)


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
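To check that ComboFix actually acted on a script like the one above, here is a parser for the CFScript section format (KillAll::, File::, Folder::, Driver::, Registry::, RegLockDel::, mbr::) that lints the entries and then cross-checks them against the FILE :: and Drivers/Services sections of the ComboFix.txt posted in the following reply. This is an added example, not part of the original post and not ComboFix's own code. The two sample inputs are copied from the script and log in this thread; the rules in lint_cfscript are my own assumptions about what a reviewer would want to double-check before running a script, and the function names are mine.

```python
import re

# Sample input 1: the CFScript from the post above.
CFSCRIPT = r"""
KillAll::

File::
c:\windows\system32\DRIVERS\tclondrv.sys
c:\windows\system32\drivers\TfFsMon.sys
c:\windows\system32\drivers\TfSysMon.sys
c:\windows\system32\drivers\TfNetMon.sys

Folder::
c:\program files\Common Files\PC Tools
c:\program files\Spyware Doctor

Driver::
tclondrv
TfFsMon
TfSysMon
Idnydsg
pctplsg

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

RegLockDel::

mbr::
"""

# Sample input 2: the FILE :: and Drivers/Services sections of the ComboFix.txt
# that the poster got back after running the script.
COMBOFIX_LOG = r"""
FILE ::
"c:\windows\system32\DRIVERS\tclondrv.sys"
"c:\windows\system32\drivers\TfFsMon.sys"
"c:\windows\system32\drivers\TfNetMon.sys"
"c:\windows\system32\drivers\TfSysMon.sys"
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PCTPLSG
-------\Legacy_TFFSMON
-------\Legacy_TFSYSMON
-------\Service_Idnydsg
-------\Service_pctplsg
-------\Service_tclondrv
-------\Service_TfFsMon
-------\Service_TfSysMon
"""

SECTION_RE = re.compile(r"^(\w+)::$")
REMOVED_RE = re.compile(r"^-------\\(?:Service|Legacy)_(\S+)$", re.M)
FILE_RE = re.compile(r'^"([^"]+)"$', re.M)


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; a 'Name::' line opens a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def lint_cfscript(sections):
    """Warnings for entries worth a second look before the script is run (my own rules)."""
    warnings = []
    for p in sections.get("File", []):
        if not re.match(r"^[a-z]:\\", p, re.I):
            warnings.append(f"File:: entry is not an absolute path: {p}")
    for p in sections.get("Folder", []):
        # A path like "c:\program files" would remove far more than one product.
        if p.count("\\") < 2:
            warnings.append(f"Folder:: entry is very broad: {p}")
    for k in sections.get("Registry", []):
        if not (k.startswith("[-") and k.endswith("]")):
            warnings.append(f"Registry:: entry is not a [-KEY] delete, check it is intended: {k}")
    for d in sections.get("Driver", []):
        if not re.fullmatch(r"[A-Za-z0-9_]+", d):
            warnings.append(f"Driver:: entry is not a bare service name: {d}")
    return warnings


def verify_against_log(sections, log):
    """Did the ComboFix.txt report every Driver:: and File:: entry as handled?"""
    removed = {m.group(1).lower() for m in REMOVED_RE.finditer(log)}
    files = {m.group(1).lower() for m in FILE_RE.finditer(log)}
    drivers = sections.get("Driver", [])
    return {
        "drivers_removed": [d for d in drivers if d.lower() in removed],
        "drivers_not_removed": [d for d in drivers if d.lower() not in removed],
        "files_not_listed": [f for f in sections.get("File", []) if f.lower() not in files],
    }


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    print("sections:", sorted(parsed))
    print("warnings:", lint_cfscript(parsed))
    print("verification:", verify_against_log(parsed, COMBOFIX_LOG))
```

For this script the lint comes back empty and every Driver:: name appears in the log under a Service_ or Legacy_ prefix, which is the confirmation the helper would look for before moving on to the next step; a name left in drivers_not_removed would mean the service was already gone, or that something is protecting it.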
     
  16. 2009/12/03 RAMickelsen (Inactive, Thread Starter)
    Combofix.txt

    ComboFix 09-12-02.08 - Robert Mickelsen 12/03/2009 19:50.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.687 [GMT -5:00]
    Running from: c:\documents and settings\Robert Mickelsen\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Robert Mickelsen\Desktop\CFScript.txt
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\windows\system32\DRIVERS\tclondrv.sys"
    "c:\windows\system32\drivers\TfFsMon.sys"
    "c:\windows\system32\drivers\TfNetMon.sys"
    "c:\windows\system32\drivers\TfSysMon.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Spyware Doctor
    c:\program files\Spyware Doctor\&pctlsp.log
    c:\program files\Spyware Doctor\data\ER_SD_en.dat
    c:\program files\Spyware Doctor\data\ER_SD_uk.dat
    c:\program files\Spyware Doctor\data\ER_SDA_en.dat
    c:\program files\Spyware Doctor\data\ER_SDA_uk.dat
    c:\program files\Spyware Doctor\data\FU_SD_en.dat
    c:\program files\Spyware Doctor\data\FU_SD_uk.dat
    c:\program files\Spyware Doctor\data\FU_SDA_en.dat
    c:\program files\Spyware Doctor\data\FU_SDA_uk.dat
    c:\program files\Spyware Doctor\data\TB_SD_en.dat
    c:\program files\Spyware Doctor\data\TB_SD_uk.dat
    c:\program files\Spyware Doctor\data\TB_SDA_en.dat
    c:\program files\Spyware Doctor\data\TB_SDA_uk.dat
    c:\program files\Spyware Doctor\pctlsp.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_PCTPLSG
    -------\Legacy_TFFSMON
    -------\Legacy_TFSYSMON
    -------\Service_Idnydsg
    -------\Service_pctplsg
    -------\Service_tclondrv
    -------\Service_TfFsMon
    -------\Service_TfSysMon


    ((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
    .

    2009-12-03 17:33 . 2009-12-03 17:33 -------- d-----w- c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\PCHealth
    2009-12-03 04:08 . 2009-12-03 04:08 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\Malwarebytes
    2009-12-03 04:07 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-03 04:07 . 2009-12-03 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-03 04:07 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-03 04:07 . 2009-12-03 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-19 14:24 . 2009-11-19 14:24 -------- d-----w- c:\program files\Common Files\Config
    2009-11-19 14:23 . 2009-11-19 14:23 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
    2009-11-11 02:05 . 2009-11-11 02:05 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\AT&T
    2009-11-11 02:05 . 2009-11-11 02:05 -------- d-----w- c:\program files\AT&T
    2009-11-11 02:05 . 2009-11-11 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
    2009-11-11 02:05 . 2009-11-17 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
    2009-11-11 02:05 . 2009-11-11 02:05 -------- d-----w- c:\program files\ATTToolbar
    2009-11-11 02:05 . 2009-11-17 03:15 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\ATTToolbar
    2009-11-11 02:02 . 2009-11-11 02:03 -------- d-----w- c:\program files\ATT-SST
    2009-11-11 01:33 . 2009-11-11 01:33 -------- d-----w- c:\program files\ATT-HSI
    2009-11-10 15:06 . 2009-11-10 15:06 13696 ----a-w- c:\windows\system32\drivers\wpsnuio.sys
    2009-11-10 15:06 . 2009-11-10 15:06 -------- d-----w- c:\program files\Skyhook Wireless
    2009-11-10 15:06 . 2009-11-10 15:06 -------- d-----w- c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Skyhook Wireless
    2009-11-10 15:06 . 2009-11-10 15:06 -------- d-----w- c:\program files\Boingo
    2009-11-10 15:06 . 2009-11-10 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\GoBoingo
    2009-11-10 02:35 . 2009-12-01 17:24 219304 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-11-09 13:19 . 2009-11-09 13:19 975648 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
    2009-11-09 13:19 . 2009-11-09 13:19 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
    2009-11-09 13:19 . 2009-11-09 13:19 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-04 01:25 . 2008-12-04 16:57 12950 ----a-w- c:\windows\system32\tablet.dat
    2009-12-04 00:40 . 2007-01-30 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-12-03 17:38 . 2008-12-28 00:39 -------- d-----w- c:\program files\Shockwave.com
    2009-12-03 17:27 . 2008-11-14 01:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-12-03 16:49 . 2009-10-28 14:39 2827 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
    2009-12-03 13:59 . 2007-06-03 21:18 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\Uniblue
    2009-12-03 13:54 . 2007-01-29 19:14 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\U3
    2009-12-02 02:47 . 2007-03-09 03:05 -------- d-----w- c:\program files\PokerStars
    2009-12-02 01:53 . 2009-10-26 14:57 -------- d-----w- c:\program files\RegDefense
    2009-11-26 15:02 . 2009-02-21 02:12 178700 ----a-w- c:\windows\hpwins20.dat
    2009-11-26 01:27 . 2007-06-04 02:45 -------- d-----w- c:\program files\Play89
    2009-11-25 13:19 . 2009-10-28 14:45 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
    2009-11-25 13:19 . 2009-10-28 14:45 1087752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
    2009-11-25 13:19 . 2009-10-28 14:45 2168112 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
    2009-11-25 13:19 . 2009-10-28 14:45 852784 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\dblgen11.dll
    2009-11-19 14:23 . 2007-11-01 17:00 -------- d-----w- c:\program files\Quicken
    2009-11-19 14:22 . 2009-10-14 17:06 241000 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
    2009-11-17 23:49 . 2008-02-25 20:07 -------- d-----w- c:\program files\Common Files\Motive
    2009-11-11 02:04 . 2008-02-25 20:07 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\Motive
    2009-11-08 13:24 . 2009-10-28 14:45 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblib10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
    2009-11-08 13:24 . 2009-10-28 14:45 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
    2009-11-08 13:24 . 2009-10-28 14:45 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
    2009-10-29 15:33 . 2009-10-29 15:33 49152 ------w- c:\documents and settings\Robert Mickelsen\PNPrint3.exe
    2009-10-28 14:45 . 2009-10-28 14:45 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
    2009-10-28 14:45 . 2009-10-28 14:45 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
    2009-10-28 14:39 . 2009-10-28 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
    2009-10-28 14:29 . 2007-08-30 21:32 -------- d-----w- c:\program files\Common Files\Intuit
    2009-10-28 14:26 . 2009-10-28 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
    2009-10-28 14:26 . 2007-08-30 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
    2009-10-28 14:26 . 2007-08-30 21:32 -------- d-----w- c:\program files\Intuit
    2009-10-27 17:47 . 2009-10-27 15:01 -------- d-----w- c:\documents and settings\Robert Mickelsen\Application Data\Move Networks
    2009-10-26 14:21 . 2009-10-29 12:39 50176 ----a-w- c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
    2009-10-26 14:21 . 2009-10-29 12:39 94208 ----a-w- c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
    2009-10-23 00:42 . 2009-10-23 00:42 -------- d-----w- c:\program files\Blender
    2009-10-23 00:39 . 2009-10-23 00:38 -------- d-----w- c:\program files\Archimedes - The Open CAD
    2009-10-18 19:09 . 2007-01-29 17:53 76984 ----a-w- c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-18 02:35 . 2009-10-18 02:35 -------- d-----w- c:\program files\MSBuild
    2009-10-18 02:34 . 2009-10-18 02:34 -------- d-----w- c:\program files\Reference Assemblies
    2009-10-14 17:08 . 2009-10-14 17:08 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
    2009-10-14 17:05 . 2009-10-14 17:05 223584 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
    2009-10-14 17:05 . 2009-10-14 17:05 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
    2009-10-10 03:46 . 2007-01-26 02:11 -------- d-----w- c:\program files\Common Files\Real
    2009-10-10 03:46 . 2009-10-10 03:46 -------- d-----w- c:\program files\Common Files\xing shared
    2009-10-10 03:46 . 2009-10-10 03:46 -------- d-----w- c:\program files\real
    2009-10-05 23:16 . 2007-01-26 02:17 -------- d-----w- c:\program files\Common Files\Adobe
    2009-09-30 22:19 . 2009-10-14 17:05 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Hab\Custom\billmind.exe
    2009-09-30 22:19 . 2009-10-14 17:05 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Deluxe\Custom\billmind.exe
    2009-09-30 22:19 . 2009-10-14 17:05 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\RPM\Custom\billmind.exe
    2009-09-30 22:19 . 2009-10-14 17:05 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Premier\Custom\billmind.exe
    2009-09-30 22:18 . 2009-09-30 22:18 91 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\Pnf\Pas\reg.bat
    2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2008-12-18 03:33 . 2008-12-18 03:33 162248 ----a-w- c:\program files\lsm_1_7_11.zip
    2008-08-09 16:32 . 2007-01-30 14:11 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-12-03_06.37.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-04 01:25 . 2009-12-04 01:25 16384 c:\windows\Temp\Perflib_Perfdata_214.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB1.dll" [2009-12-03 2166296]

    [HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
    2009-12-03 13:32 2166296 ----a-w- c:\program files\myBabylon_English\tbmyB1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} "= "c:\program files\myBabylon_English\tbmyB1.dll" [2009-12-03 2166296]

    [HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7} "= "c:\program files\myBabylon_English\tbmyB1.dll" [2009-12-03 2166296]

    [HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@BackupScheduler "= "c:\program files\Online Backup\OnlineBackup.exe" [2007-09-04 611768]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 68856]
    "Pando "= "c:\program files\Pando Networks\Pando\Pando.exe" [2008-06-02 6210888]
    "Google Update "= "c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-12 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Intuit SyncManager "= "c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup" [X]
    "Broadcom Wireless Manager UI "= "c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-10 198160]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "ISW.exe "= "c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "Google Desktop Search "= "c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-09 29744]
    "ATT-SST_McciTrayApp "= "c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Malwarebytes Anti-Malware (reboot) "= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
    backup=c:\windows\pss\Service Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
    backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe "=
    "c:\\Program Files\\uTorrent\\utorrent.exe "=
    "c:\\Program Files\\Pando Networks\\Pando\\pando.exe "=
    "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\att-nap\\McciBrowser.exe "=
    "c:\\Program Files\\Yahoo! Games\\Yahoo! Pin High Country Club Golf\\Course1.exe "=
    "c:\\LightWave_3D_7.0\\Programs\\hub.exe "=
    "c:\\LightWave_3D_7.0\\Programs\\Lightwav.exe "=
    "c:\\LightWave_3D_7.0\\Programs\\Modeler.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\e frontier\\Poser 7\\Poser.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Safari\\Safari.exe "=
    "c:\\Program Files\\Shockwave.com\\Wheel of Fortune\\product\\Wheel of Fortune.exe "=
    "c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe "=
    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe "=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe "=
    "c:\\StubInstaller.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "51532:TCP "= 51532:TCP:*:Disabled:limewire
    "51532:UDP "= 51532:UDP:*:Disabled:limewire

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2007 8:02 AM 639224]
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/25/2007 9:16 PM 29744]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
    S3 Winacusb;Winacusb;c:\windows\system32\drivers\winacusb.sys [9/28/2007 10:46 PM 902860]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-04 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-30 04:08]

    2009-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-402912332-3275947696-2339302964-1007Core.job
    - c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-12 18:30]

    2009-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-402912332-3275947696-2339302964-1007UA.job
    - c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-12 18:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=Og0l62XfLXwJadixFJPp5TS9D_U
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Do&wnload by ReGet Deluxe - c:\program files\Common Files\ReGet Shared\CC_Link.htm
    IE: Download A&ll by ReGet Deluxe - c:\program files\Common Files\ReGet Shared\CC_All.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    FF - ProfilePath - c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\
    FF - prefs.js: browser.startup.homepage - hxxp://robertmickelsen.com/
    FF - component: c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
    FF - component: c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\Robert Mickelsen\Application Data\Mozilla\Firefox\Profiles\q0p7dfyc.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
    FF - plugin: c:\documents and settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-03 20:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x871817AC]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf76adf28
    \Driver\ACPI -> ACPI.sys @ 0xf7451cb8
    \Driver\atapi -> atapi.sys @ 0xf740cb40
    IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72ffbb0
    PacketIndicateHandler -> NDIS.sys @ 0xf72eea0d
    SendHandler -> NDIS.sys @ 0xf7302b40
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(924)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(1576)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\system32\Tablet.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-03 20:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-04 01:42
    ComboFix2.txt 2009-12-03 20:36
    ComboFix3.txt 2009-12-03 06:57

    Pre-Run: 68,825,874,432 bytes free
    Post-Run: 68,784,431,104 bytes free

    Current=2 Default=2 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - 0A9A298DCBE3ADF9E0A5A28E947900B1
     
  17. 2009/12/03
    RAMickelsen

    RAMickelsen Inactive Thread Starter

    hijackthis.txt

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:44:16 PM, on 12/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\ATT-SST\McciTrayApp.exe
    C:\Program Files\Online Backup\OnlineBackup.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Robert Mickelsen\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070125
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=Og0l62XfLXwJadixFJPp5TS9D_U
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
    O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [@BackupScheduler] C:\Program Files\Online Backup\OnlineBackup.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Robert Mickelsen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - http://u3.sandisk.com/download/apps/LPInstaller.CAB
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
    O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 11109 bytes
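The HijackThis log above is the kind an analyst reads by eye. As an added example (not part of this thread and not HijackThis code), the Python script below parses that "Oxx - Kind: Name - {CLSID} - Path" line format and performs two cross-checks a reviewer does with such a log: it groups entries by CLSID so that one DLL registered under several sections stands out (here tbmyB1.dll appears as an R3 URLSearchHook, an O2 BHO and an O3 Toolbar), and it flags entries whose target is missing, whose service has no readable publisher, or whose ActiveX control is downloaded from the web. The sample lines are a ten-line excerpt of the posted log.

```python
"""Triage helper for a HijackThis 2.0 log (added example; not thread or HijackThis code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the HijackThis log posted in the thread (ten lines, not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB1.dll
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - http://www.parallelgraphics.com/bin/cortvrml.cab
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""

# Every HijackThis entry starts "Oxx - Kind: body" (R0/R1 registry lines differ and are skipped).
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<kind>[^:]+): (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<target>.*)")   # O4 "[Name] command" shape
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    code: str                 # section code, e.g. "O2"
    kind: str                 # what the section registers, e.g. "BHO", "Service"
    name: str                 # display name; "" for O16 lines, which have none
    clsid: Optional[str]      # CLSID in lower case so case differences collapse
    target: str               # path, URL or "(no file)" the entry points at
    publisher: str = ""       # O23 only: company name HijackThis resolved, or "Unknown owner"
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one log line, or None for headers and other shapes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, kind, body = m.group("code", "kind", "body")
    run = RUN_RE.match(body) if kind.endswith("Run") else None
    if run:                                   # O4: "[Name] C:\path\prog.exe args"
        return Entry(code, kind, run.group("name"), None, run.group("target"))
    parts = [p.strip() for p in body.split(" - ")]
    found = CLSID_RE.search(body)
    clsid = found.group(0).lower() if found else None
    name = "" if CLSID_RE.fullmatch(parts[0]) else parts[0]
    publisher = parts[1] if kind == "Service" and len(parts) >= 3 else ""
    return Entry(code, kind, name, clsid, parts[-1], publisher)


def flag_entry(e: Entry) -> List[str]:
    """Tag the conditions an analyst checks first when reading the log."""
    flags = []
    if any(mark in e.target for mark in MISSING_MARKERS):
        flags.append("missing file")      # registration left behind, or target hidden/removed
    if e.kind == "Service" and e.publisher == "Unknown owner":
        flags.append("unknown owner")     # HijackThis could not read a company name from the binary
    if e.kind == "DPF" and e.target.lower().startswith("http"):
        flags.append("remote download")   # ActiveX fetched from the web; verify the host is expected
    return flags


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            e.flags = flag_entry(e)
            entries.append(e)
    return entries


def shared_clsids(entries: List[Entry]) -> dict:
    """CLSIDs registered under more than one section -> sorted list of those codes.
    One DLL hooking URL searches (R3), loading as a BHO (O2) and as a toolbar (O3)
    is the pattern the posted log shows for tbmyB1.dll."""
    seen = defaultdict(set)
    for e in entries:
        if e.clsid:
            seen[e.clsid].add(e.code)
    return {c: sorted(codes) for c, codes in seen.items() if len(codes) > 1}


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        if e.flags:
            print(f"{e.code:<4}{e.name or '(unnamed)':<28}{', '.join(e.flags)}")
    for clsid, codes in shared_clsids(found).items():
        print(f"{clsid} registered under {'/'.join(codes)}")
```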
     
  18. 2009/12/03
    broni

    broni Moderator Malware Analyst

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right-click on HijackThis and click Run as Administrator.
    Do NOT attempt to "fix" anything!

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.) until it's officially declared clean!!!
     
  19. 2009/12/04
    RAMickelsen

    RAMickelsen Inactive Thread Starter

    I followed your instructions to the letter and I have SUPERAntiSpyware running... but very slowly. It has been running for 9.5 hours thus far and is only about 1/4 of the way through my files. It has detected two trojans and 24 spywares. Is it normal for it to run this slowly? At this rate it will be Saturday afternoon or Sunday before I will be able to post the logs.

    OK... 13 hours in and I give up. Still only about 1/4 of the way done and taking up to a full minute to scan a TIF file. This cannot be right, so I clicked "next" and followed the instructions to get rid of the trojans and spyware. I rebooted back to Safe Mode and ran the program again. While starting the program, the fan came on and everything slowed down to a crawl again. Now SASW is doing another scan and is going just as slowly as before. Is this right? I have read other forums that state that this program should do a complete scan in under 30 minutes... not three to four days (which is what it will take on my machine at this rate).

    - RAM
     
    Last edited: 2009/12/04
  20. 2009/12/04
    broni

    broni Moderator Malware Analyst

    Stop Super. Proceed to Malwarebytes.
     
  21. 2009/12/06
    RAMickelsen

    RAMickelsen Inactive Thread Starter

    Latest Malwarebytes scan log

    Malwarebytes' Anti-Malware 1.42
    Database version: 3303
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/6/2009 7:57:19 AM
    mbam-log-2009-12-06 (07-57-19).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 281699
    Time elapsed: 2 hour(s), 25 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 40

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\NoAdware\nutilities.dll (Rogue.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000604.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000605.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000606.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000611.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000612.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000613.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000614.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000615.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000599.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000617.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000618.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000619.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000620.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000621.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000622.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000623.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000624.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000625.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000633.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.