
Solved Trojan/Virus Adware Serious problem

Discussion in 'Malware and Virus Removal Archive' started by living life, 2008/07/16.

  1. 2008/07/23, living life (Thread Starter)
    second report

    ComboFix 08-07-21.2 - Morgan 2008-07-23 21:39:45.9 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT -4:00]
    Running from: C:\Documents and Settings\Morgan\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Morgan\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
    .

    2008-07-22 23:30 . 2008-07-22 23:30 <DIR> d-------- C:\Documents and Settings\Morgan\Application Data\Malwarebytes
    2008-07-22 22:36 . 2008-07-22 22:36 <DIR> d-------- C:\Documents and Settings\Grant\Application Data\Malwarebytes
    2008-07-22 22:36 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-22 21:12 . 2008-07-22 21:12 <DIR> d-------- C:\Program Files\iPod
    2008-07-22 21:12 . 2008-07-22 21:12 <DIR> d-------- C:\Program Files\Bonjour
    2008-07-21 17:29 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-07-17 15:06 . 2008-07-17 15:06 <DIR> d-------- C:\Program Files\iTunes
    2008-07-17 15:04 . 2008-07-17 15:04 <DIR> d-------- C:\Program Files\QuickTime
    2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\Malwarebytes
    2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-17 10:26 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-17 01:05 . 2008-07-23 21:21 0 --a------ C:\$bootcln.sch
    2008-07-16 10:24 . 2008-07-16 10:25 72,944,878 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-07-16 04:41 . 2008-07-16 04:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-15 14:01 . 2008-07-15 14:09 4,286 --a------ C:\WINDOWS\system32\tmp.reg
    2008-07-15 13:59 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-07-15 13:59 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-07-15 13:59 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-07-15 13:59 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-07-15 13:59 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
    2008-07-15 13:59 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-07-15 13:59 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-07-15 13:59 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-07-15 13:59 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-07-15 12:52 . 2008-07-15 12:52 <DIR> d--hs---- C:\FOUND.032
    2008-07-15 11:33 . 2008-07-15 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-07-15 11:32 . 2008-07-15 11:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-07-14 23:20 . 2008-07-14 23:20 2 --a------ C:\WINDOWS\msoffice.ini
    2008-07-14 18:09 . 2003-01-10 17:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
    2008-07-14 16:15 . 2008-07-14 16:15 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-07-14 16:10 . 2008-07-14 16:10 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\AOL
    2008-07-14 16:07 . 2008-07-14 16:07 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
    2008-07-14 16:05 . 2008-07-14 16:05 <DIR> d-------- C:\Program Files\Viewpoint
    2008-07-14 16:05 . 2008-07-14 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-14 14:24 . 2008-07-14 14:24 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-07-14 14:24 . 2008-07-14 14:24 335 --a------ C:\WINDOWS\nsreg.dat
    2008-07-14 14:23 . 2008-07-14 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2008-07-14 14:23 . 2008-07-14 14:23 29 --a------ C:\WINDOWS\atid.ini
    2008-07-14 13:22 . 2008-07-14 13:22 <DIR> d--hs---- C:\FOUND.031
    2008-07-14 13:05 . 2008-07-14 13:24 354 ---hs---- C:\WINDOWS\system32\aetktdwv.ini
    2008-07-11 20:09 . 2008-07-11 20:09 <DIR> d--hs---- C:\FOUND.030
    2008-07-11 19:46 . 2008-07-11 19:46 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\MSNInstaller
    2008-07-11 18:51 . 2008-07-11 18:51 <DIR> d-------- C:\Documents and Settings\Morgan\Application Data\TmpRecentIcons
    2008-07-11 18:51 . 2008-07-11 18:51 <DIR> d-------- C:\Documents and Settings\Grant\Application Data\TmpRecentIcons
    2008-07-11 11:55 . 2008-07-11 11:55 <DIR> d--hs---- C:\FOUND.029
    2008-07-10 20:14 . 2008-07-10 20:14 <DIR> d--hs---- C:\FOUND.028
    2008-07-10 02:58 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\Realtek Sound Manager
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\AvRack
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\Atari
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.009
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.008
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.007
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.006
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.005
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.004
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.003
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.002
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.001
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.000
    2008-07-05 20:44 . 2008-07-09 09:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-07-05 20:44 . 2008-07-05 20:45 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-07-05 20:42 . 2008-07-05 20:42 <DIR> d-------- C:\Program Files\QuickTime(2)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-21 23:54 --------- d-----w C:\Documents and Settings\Morgan\Application Data\ooVoo Details
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:45 360,320 ------w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-20 09:52 225,920 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-17 23:23 --------- d-----w C:\Documents and Settings\Morgan\Application Data\FrostWire
    2008-06-17 23:19 --------- d-----w C:\Program Files\FrostWire
    2008-06-17 23:19 --------- d-----w C:\Program Files\AskSBar
    2008-06-13 20:06 --------- d-----w C:\Documents and Settings\Grant\Application Data\LimeWire
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-12 20:25 --------- d-----w C:\Documents and Settings\Grant\Application Data\uTorrent
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2004-08-04 09:00 94,784 --sh--w C:\WINDOWS\twain.dll
    2004-08-04 09:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\Documents and Settings\Grant\Application Data\TmpRecentIcons ----


    ---- Directory of C:\Documents and Settings\Morgan\Application Data\TmpRecentIcons ----



    ((((((((((((((((((((((((((((( snapshot@2008-07-22_22.29.19.34 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} "= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-07-22 14:44 66912]

    [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
    2008-07-22 14:44 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "msnmsgr "= "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [BU]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp "= "Alaunch" [X]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44 98394]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 23:43 688218]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [2005-03-04 13:13 32768]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "eRecoveryService "= "C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 16:54 385024]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-19 19:41 579584]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 00:55 176128]
    "HPHUPD05 "= "C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 00:55 49152]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
    "HPHmon05 "= "C:\WINDOWS\system32\hphmon05.exe" [2005-07-08 00:55 491520]
    "eFax 4.2 "= "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 16:36 107008]
    "HP Software Update "= "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
    "Share-to-Web Namespace Daemon "= "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
    "Acrobat Assistant 7.0 "= "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
    "AppleSyncNotifier "= "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
    "SoundMan "= "SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-10-07 19:50 88363 C:\WINDOWS\AGRSMMSG.exe]
    "SiSPower "= "SiSPower.dll" [2005-02-25 19:35 49152 C:\WINDOWS\system32\SiSPower.dll]

    C:\Documents and Settings\andrew\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864]
    DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-01-04 16:52:52 331776]
    eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [2006-10-02 21:00:05 612352]
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-06 15:54:09 25214]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Acer Inc\\Acer GridVista\\GridVistaU.exe "=
    "C:\\Program Files\\Grisoft\\AVG Free\\AVGCC.EXE "=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgw.exe "=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgvv.exe "=
    "C:\\Program Files\\eFax Messenger 4.2\\J2GPBook.exe "=
    "C:\\Program Files\\Hewlett-Packard\\Precisionscan Pro 3.1\\hpipcopy.exe "=
    "C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe "=
    "C:\\HSH\\HBCS\\unins000.exe "=
    "C:\\Program Files\\TheWeatherNetwork\\WeatherEye\\WeatherEye.exe "=
    "C:\\Program Files\\AvRack\\rtlrack.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
    R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 01:43]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

    *Newly Created Service* - INT15.SYS
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-24 01:10:02 C:\WINDOWS\Tasks\HP Usg Daily.job "
    - C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
    "2007-03-22 21:59:02 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job "
    - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
    "2008-07-17 19:04:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.ask.com?o=1607
    R1 -: HKCU-Internet Settings,ProxyOverride = *.local
    R1 -: HKCU-SearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
    O8 -: &Search
    O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-23 21:40:09
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-23 21:41:48
    ComboFix-quarantined-files.txt 2008-07-24 01:41:44
    ComboFix4.txt 2008-07-23 02:29:36
    ComboFix3.txt 2008-07-23 03:25:12
    ComboFix5.txt 2008-07-24 01:38:52
    ComboFix2.txt 2008-07-24 01:13:02

    Pre-Run: 10,076,160,000 bytes free
    Post-Run: 10,072,489,984 bytes free

    226 --- E O F --- 2008-07-23 03:56:19
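The ComboFix output above is read section by section, and a few lines stand out for review before anything else: a hidden, system-attributed file created in system32 (aetktdwv.ini, attributes ---hs----), the Ask toolbar URLSearchHook and BHO, the Run entry whose target ComboFix tags [X], AntiVirusOverride=1 under the Security Center key, and, in the third report further down, a mountpoints2 AutoRun command pointing at E:\topmenu.exe. The script below is an added example written for this page; it is not ComboFix's code and not something the poster or the helper ran. It parses those sections of a ComboFix log and returns the entries worth a second look. Assumptions: SAMPLE_LOG is a constructed excerpt laid out like the posted logs, the [X] tag is taken to mean ComboFix could not find the listed file, and the regular expressions cover only the line formats that appear in these logs.

```python
"""Triage pass over a ComboFix-style log.

Added example for this thread, not ComboFix's code and not part of the
original post.  It pulls out the lines a reviewer reads first: hidden or
system-attributed files created in the scan window, Run entries whose
target ComboFix could not locate (assumed meaning of the "[X]" tag),
browser search hooks and BHOs, Security Center override values, AutoRun
commands recorded for removable drives, and newly created services.
"""
import re

# Constructed excerpt in the layout of the logs posted in the thread.
SAMPLE_LOG = r"""
((((( Files Created from 2008-06-24 to 2008-07-24 )))))
2008-07-22 22:36 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-15 12:52 . 2008-07-15 12:52 <DIR> d--hs---- C:\FOUND.032
2008-07-14 13:05 . 2008-07-14 13:24 354 ---hs---- C:\WINDOWS\system32\aetktdwv.ini
2008-07-05 20:44 . 2008-07-09 09:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
((((( Reg Loading Points )))))
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} "= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-07-22 14:44 66912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp "= "Alaunch" [X]
"SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44 98394]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\topmenu.exe
*Newly Created Service* - INT15.SYS
"""

# "Files Created" row: created . modified size attrs path; attrs = d r a h s + 4 unused slots.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[d-][r-][a-][h-][s-]\S{4}) (?P<path>.+)$")
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>.*?)\s*"=\s*"(?P<data>[^"]*)"\s*\[(?P<tag>[^\]]*)\]$')
REG_DWORD = re.compile(r'^"(?P<name>.*?)\s*"=dword:(?P<hex>[0-9A-Fa-f]{8})$')
AUTORUN_CMD = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$")
NEW_SERVICE = re.compile(r"^\*Newly Created Service\* - (?P<name>.+)$")

# Security Center values that silence its warnings when non-zero.
SECURITY_CENTER_FLAGS = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                         "FirewallDisableNotify", "UpdatesDisableNotify"}
BROWSER_HOOK_KEYS = ("urlsearchhooks", "browser helper objects")


def _finding(category, subject, note):
    return {"category": category, "subject": subject, "note": note}


def triage(log_text):
    """Return the entries a reviewer should look at, in log order."""
    findings = []
    key = ""  # registry key whose values are currently being listed
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # Directories (FOUND.nnn from chkdsk, program folders) are skipped.
            if m.group("size") != "<DIR>" and ("h" in attrs or "s" in attrs):
                findings.append(_finding("hidden_file", path,
                                         f"attributes {attrs}: hidden/system file created in the scan window"))
            continue
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_VALUE.match(line)
        if m:
            name, data, tag = m.group("name"), m.group("data"), m.group("tag")
            if tag == "X":
                findings.append(_finding("missing_autorun_target", name,
                                         f"{key}: target '{data}' not found on disk"))
            if any(k in key.lower() for k in BROWSER_HOOK_KEYS):
                findings.append(_finding("browser_hook", data, f"{key}: {name}"))
            continue
        m = REG_DWORD.match(line)
        if m:
            name, value = m.group("name"), int(m.group("hex"), 16)
            if "security center" in key.lower() and name in SECURITY_CENTER_FLAGS and value:
                findings.append(_finding("security_center_override", name,
                                         f"{name}={value}: Security Center warnings suppressed"))
            continue
        m = AUTORUN_CMD.match(line)
        if m and "mountpoints2" in key.lower():
            findings.append(_finding("drive_autorun", m.group("target"),
                                     f"{key}: {m.group('verb')} verb runs this target"))
            continue
        m = NEW_SERVICE.match(line)
        if m:
            findings.append(_finding("new_service", m.group("name"), "service added since the last snapshot"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['category']:<24} {f['subject']}\n    {f['note']}")
```

Run it as a script to list the findings for SAMPLE_LOG, or call triage() on the text of a saved ComboFix.txt. The output is a review list, not a verdict: the hidden-attribute rule lists QTFont.qfn next to aetktdwv.ini, and the collection step is deliberately kept separate from the judgment a reviewer makes about each entry.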
     
  2. 2008/07/23, living life (Thread Starter)
    third report

    This is the third one; once again, thank you for all of your time. I feel bad for not thinking about the other two logins earlier.

    ComboFix 08-07-23.4 - andrew 2008-07-23 21:10:36.8 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.170 [GMT -4:00]
    Running from: C:\Documents and Settings\andrew\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\andrew\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
    .

    2008-07-22 23:30 . 2008-07-22 23:30 <DIR> d-------- C:\Documents and Settings\Morgan\Application Data\Malwarebytes
    2008-07-22 22:36 . 2008-07-22 22:36 <DIR> d-------- C:\Documents and Settings\Grant\Application Data\Malwarebytes
    2008-07-22 22:36 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-22 21:12 . 2008-07-22 21:12 <DIR> d-------- C:\Program Files\iPod
    2008-07-22 21:12 . 2008-07-22 21:12 <DIR> d-------- C:\Program Files\Bonjour
    2008-07-21 17:29 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-07-17 15:06 . 2008-07-17 15:06 <DIR> d-------- C:\Program Files\iTunes
    2008-07-17 15:04 . 2008-07-17 15:04 <DIR> d-------- C:\Program Files\QuickTime
    2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\Malwarebytes
    2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-17 10:26 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-17 01:05 . 2008-07-23 12:39 0 --a------ C:\$bootcln.sch
    2008-07-16 10:24 . 2008-07-16 10:25 72,944,878 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-07-16 04:41 . 2008-07-16 04:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-15 14:01 . 2008-07-15 14:09 4,286 --a------ C:\WINDOWS\system32\tmp.reg
    2008-07-15 13:59 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-07-15 13:59 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-07-15 13:59 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-07-15 13:59 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-07-15 13:59 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
    2008-07-15 13:59 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-07-15 13:59 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-07-15 13:59 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-07-15 13:59 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-07-15 12:52 . 2008-07-15 12:52 <DIR> d--hs---- C:\FOUND.032
    2008-07-15 11:33 . 2008-07-15 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-07-15 11:32 . 2008-07-15 11:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-07-14 23:20 . 2008-07-14 23:20 2 --a------ C:\WINDOWS\msoffice.ini
    2008-07-14 18:09 . 2003-01-10 17:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
    2008-07-14 16:15 . 2008-07-14 16:15 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-07-14 16:10 . 2008-07-14 16:10 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\AOL
    2008-07-14 16:07 . 2008-07-14 16:07 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
    2008-07-14 16:05 . 2008-07-14 16:05 <DIR> d-------- C:\Program Files\Viewpoint
    2008-07-14 16:05 . 2008-07-14 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-14 14:24 . 2008-07-14 14:24 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-07-14 14:24 . 2008-07-14 14:24 335 --a------ C:\WINDOWS\nsreg.dat
    2008-07-14 14:23 . 2008-07-14 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2008-07-14 14:23 . 2008-07-14 14:23 29 --a------ C:\WINDOWS\atid.ini
    2008-07-14 13:22 . 2008-07-14 13:22 <DIR> d--hs---- C:\FOUND.031
    2008-07-14 13:05 . 2008-07-14 13:24 354 ---hs---- C:\WINDOWS\system32\aetktdwv.ini
    2008-07-11 20:09 . 2008-07-11 20:09 <DIR> d--hs---- C:\FOUND.030
    2008-07-11 19:46 . 2008-07-11 19:46 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\MSNInstaller
    2008-07-11 18:51 . 2008-07-11 18:51 <DIR> d-------- C:\Documents and Settings\Morgan\Application Data\TmpRecentIcons
    2008-07-11 18:51 . 2008-07-11 18:51 <DIR> d-------- C:\Documents and Settings\Grant\Application Data\TmpRecentIcons
    2008-07-11 11:55 . 2008-07-11 11:55 <DIR> d--hs---- C:\FOUND.029
    2008-07-10 20:14 . 2008-07-10 20:14 <DIR> d--hs---- C:\FOUND.028
    2008-07-10 02:58 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\Realtek Sound Manager
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\AvRack
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\Atari
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.009
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.008
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.007
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.006
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.005
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.004
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.003
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.002
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.001
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d--hs---- C:\FOUND.000
    2008-07-05 20:44 . 2008-07-09 09:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-07-05 20:44 . 2008-07-05 20:45 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-07-05 20:42 . 2008-07-05 20:42 <DIR> d-------- C:\Program Files\QuickTime(2)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-21 23:54 --------- d-----w C:\Documents and Settings\Morgan\Application Data\ooVoo Details
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:45 360,320 ------w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-20 09:52 225,920 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-17 23:23 --------- d-----w C:\Documents and Settings\Morgan\Application Data\FrostWire
    2008-06-17 23:19 --------- d-----w C:\Program Files\FrostWire
    2008-06-17 23:19 --------- d-----w C:\Program Files\AskSBar
    2008-06-13 20:06 --------- d-----w C:\Documents and Settings\Grant\Application Data\LimeWire
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-12 20:25 --------- d-----w C:\Documents and Settings\Grant\Application Data\uTorrent
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2004-08-04 09:00 94,784 --sh--w C:\WINDOWS\twain.dll
    2004-08-04 09:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\Documents and Settings\Grant\Application Data\TmpRecentIconsClose all other windows ----

    C:\Documents and Settings\Grant\Application Data\TmpRecentIconsClose all other windows\

    ---- Directory of C:\Documents and Settings\Morgan\Application Data\TmpRecentIcons ----



    ((((((((((((((((((((((((((((( snapshot@2008-07-22_22.29.19.34 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} "= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-07-22 14:44 66912]

    [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
    2008-07-22 14:44 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WeatherEye "= "C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye" [X]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp "= "Alaunch" [X]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44 98394]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 23:43 688218]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [2005-03-04 13:13 32768]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "eRecoveryService "= "C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 16:54 385024]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-19 19:41 579584]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 00:55 176128]
    "HPHUPD05 "= "C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 00:55 49152]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
    "HPHmon05 "= "C:\WINDOWS\system32\hphmon05.exe" [2005-07-08 00:55 491520]
    "eFax 4.2 "= "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 16:36 107008]
    "HP Software Update "= "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
    "Share-to-Web Namespace Daemon "= "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
    "Acrobat Assistant 7.0 "= "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
    "AppleSyncNotifier "= "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
    "SoundMan "= "SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-10-07 19:50 88363 C:\WINDOWS\AGRSMMSG.exe]
    "SiSPower "= "SiSPower.dll" [2005-02-25 19:35 49152 C:\WINDOWS\system32\SiSPower.dll]

    C:\Documents and Settings\andrew\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864]
    DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-01-04 16:52:52 331776]
    eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [2006-10-02 21:00:05 612352]
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-06 15:54:09 25214]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Acer Inc\\Acer GridVista\\GridVistaU.exe "=
    "C:\\Program Files\\Grisoft\\AVG Free\\AVGCC.EXE "=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgw.exe "=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgvv.exe "=
    "C:\\Program Files\\eFax Messenger 4.2\\J2GPBook.exe "=
    "C:\\Program Files\\Hewlett-Packard\\Precisionscan Pro 3.1\\hpipcopy.exe "=
    "C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe "=
    "C:\\HSH\\HBCS\\unins000.exe "=
    "C:\\Program Files\\TheWeatherNetwork\\WeatherEye\\WeatherEye.exe "=
    "C:\\Program Files\\AvRack\\rtlrack.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
    R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 01:43]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\topmenu.exe

    *Newly Created Service* - INT15.SYS
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-24 01:10:02 C:\WINDOWS\Tasks\HP Usg Daily.job "
    - C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
    "2007-03-22 21:59:02 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job "
    - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
    "2008-07-17 19:04:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    R0 -: HKCU-Main,Start Page = hxxp://www.andrewtrojner.ca/
    R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-23 21:11:01
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-23 21:13:00
    ComboFix4.txt 2008-07-21 02:42:20
    ComboFix-quarantined-files.txt 2008-07-24 01:12:56
    ComboFix3.txt 2008-07-23 02:29:36
    ComboFix2.txt 2008-07-23 03:25:12

    Pre-Run: 10,122,297,344 bytes free
    Post-Run: 10,127,769,600 bytes free

    216 --- E O F --- 2008-07-23 03:56:19
     

  4. 2008/07/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The homepage on the Morgan account is set to Ask.com, probably a result of Ask being installed as a bundle with another application. Might want to reset it.
    MBAM took out quite a lot of Ask, but you might also want to check Add/Remove Programs for it and uninstall if listed, then clean up the Ask folder in C:\Program Files. Ask is, in my opinion, optional software rather than rogue, and your choice whether or not to keep.

    The homepage on the Andrew account appears to be a mortgage broker's site. You might check with Andrew on that one.

    Let's do a bit of final cleanup. From an account with Administrative rights, highlight and copy the contents of the code box below.

    Code:
    
    @echo off
    rem Clear the hidden/system attributes so the leftovers below can be deleted
    attrib -h -s C:\WINDOWS\system32\aetktdwv.ini
    attrib -h -s "C:\Documents and Settings\Morgan\Application Data\TmpRecentIcons"
    attrib -h -s "C:\Documents and Settings\Grant\Application Data\TmpRecentIcons"
    attrib -h -s C:\FOUND.032
    attrib -h -s C:\FOUND.031
    attrib -h -s C:\FOUND.030
    attrib -h -s C:\FOUND.029
    attrib -h -s C:\FOUND.028
    attrib -h -s C:\FOUND.009
    attrib -h -s C:\FOUND.008
    attrib -h -s C:\FOUND.007
    attrib -h -s C:\FOUND.006
    attrib -h -s C:\FOUND.005
    attrib -h -s C:\FOUND.004
    attrib -h -s C:\FOUND.003
    attrib -h -s C:\FOUND.002
    attrib -h -s C:\FOUND.001
    attrib -h -s C:\FOUND.000
    rem Remove helper files left behind in system32 by the earlier cleanup tools
    del /q C:\WINDOWS\system32\tmp.reg
    del /q C:\WINDOWS\system32\VCCLSID.exe
    del /q C:\WINDOWS\system32\SrchSTS.exe
    del /q C:\WINDOWS\system32\VACFix.exe
    del /q C:\WINDOWS\system32\IEDFix.exe
    del /q C:\WINDOWS\system32\IEDFix.C.exe
    del /q C:\WINDOWS\system32\404Fix.exe
    del /q C:\WINDOWS\system32\Process.exe
    del /q C:\WINDOWS\system32\dumphive.exe
    del /q C:\WINDOWS\system32\WS2Fix.exe
    del /q C:\WINDOWS\system32\aetktdwv.ini
    rem Remove the now-unhidden folders (TmpRecentIcons and the CHKDSK FOUND.xxx folders)
    rmdir /s /q "C:\Documents and Settings\Morgan\Application Data\TmpRecentIcons"
    rmdir /s /q "C:\Documents and Settings\Grant\Application Data\TmpRecentIcons"
    rmdir /s /q C:\FOUND.032
    rmdir /s /q C:\FOUND.031
    rmdir /s /q C:\FOUND.030
    rmdir /s /q C:\FOUND.029
    rmdir /s /q C:\FOUND.028
    rmdir /s /q C:\FOUND.009
    rmdir /s /q C:\FOUND.008
    rmdir /s /q C:\FOUND.007
    rmdir /s /q C:\FOUND.006
    rmdir /s /q C:\FOUND.005
    rmdir /s /q C:\FOUND.004
    rmdir /s /q C:\FOUND.003
    rmdir /s /q C:\FOUND.002
    rmdir /s /q C:\FOUND.001
    rmdir /s /q C:\FOUND.000
    rem exit closes the command window; anything after it would never run
    exit
    
    
    Click Start>Run and type cmd then hit Enter to open a command window.
    Right click in the command window and Paste the copied text.
    The command window will close on its own.

    Now let's uninstall ComboFix. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points.

    Suggest you run ATF Cleaner on all 3 accounts to clean out temp files and empty the recycle bin.


    Unless you've noticed anything else, that should finish things up.
     
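    The way a helper reads a start page or a leftover BHO off these logs can be scripted. The following is an added example, not part of this thread and not code from ComboFix or HijackThis: a Python parser for the line shapes quoted above (R0/R1 browser settings, ComboFix "Reg Loading Points" entries, HijackThis R3/O2/O3/O4 entries) that lists which autostart entries point at files under a given folder, such as C:\Program Files\AskSBar. The sample input is constructed from lines copied out of this thread's own logs.

```python
import re

# Line shapes this parser understands (all taken from the logs quoted in the thread):
#   ComboFix supplementary scan:  R0 -: HKCU-Main,Start Page = hxxp://...
#   HijackThis:                   R0 - HKCU\Software\...\Main,Start Page = http://...
BROWSER_RE = re.compile(
    r"^R[013] -:? (?P<hive>HKCU|HKLM)[-\\].*?,(?P<name>[^=]+?)\s*=\s*(?P<value>.+)$"
)
#   ComboFix "Reg Loading Points":  "Name "= "C:\path\file.exe" [date size]
#   (the stray space before the closing quote is how the forum renders these lines)
COMBOFIX_RUN_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"=\s*"(?P<path>[^"]+)"')
#   HijackThis R3 / O2 / O3:  O2 - BHO: Name - {CLSID} - C:\path\file.dll
HJT_CLSID_RE = re.compile(
    r"^(?P<kind>R3|O2|O3) - (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)
#   HijackThis O4:  O4 - HKLM\..\Run: [Name] "C:\path\file.exe" /args
HJT_RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def _exe_path(cmd):
    """Pull the executable path out of a command line, dropping quotes and arguments."""
    m = re.match(r'"?(?P<p>.*?\.(?:exe|dll|cpl|scr))\b', cmd, re.IGNORECASE)
    return m.group("p") if m else cmd.strip('" ')


def parse_log(text):
    """Return {'browser': [(hive, name, value)], 'autostarts': [{kind, name, path}]}."""
    browser, autostarts = [], []
    for raw in text.splitlines():
        line = raw.strip()  # the forum indents every log line
        if m := BROWSER_RE.match(line):
            browser.append((m["hive"], m["name"].strip(), m["value"].strip()))
        elif m := COMBOFIX_RUN_RE.match(line):
            autostarts.append({"kind": "Run", "name": m["name"], "path": m["path"].strip()})
        elif m := HJT_CLSID_RE.match(line):
            autostarts.append({"kind": m["kind"], "name": m["label"], "path": m["path"].strip()})
        elif m := HJT_RUN_RE.match(line):
            autostarts.append({"kind": "O4", "name": m["name"], "path": _exe_path(m["cmd"])})
    return {"browser": browser, "autostarts": autostarts}


def start_pages(parsed):
    """Browser start page per hive, as a helper reads it off the R0 lines."""
    return {hive: value for hive, name, value in parsed["browser"] if name == "Start Page"}


def entries_under(parsed, folder):
    """Autostart entries whose file lives under `folder` (case-insensitive Windows paths)."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e for e in parsed["autostarts"] if e["path"].lower().startswith(prefix)]


# Constructed sample: a handful of lines copied from the ComboFix and HijackThis
# logs in this thread, leading indentation included.
SAMPLE = r"""
    R0 -: HKCU-Main,Start Page = hxxp://www.andrewtrojner.ca/
    R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} "= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-07-22 14:44 66912]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "SiSPower "= "SiSPower.dll" [2005-02-25 19:35 49152 C:\WINDOWS\system32\SiSPower.dll]
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE)
    print("Start pages:", start_pages(parsed))
    for e in entries_under(parsed, r"C:\Program Files\AskSBar"):
        # Every entry still pointing into the AskSBar folder is one reason the
        # folder cannot be deleted while Internet Explorer has the DLL loaded.
        print(f"{e['kind']:4} {e['name']:45} -> {e['path']}")
```

Feed it a whole log with `parse_log(open(path).read())`; any entry listed for a folder you have already uninstalled is a loading point the uninstaller left behind.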
  5. 2008/07/24
    living life

    living life Inactive Thread Starter

    Joined:
    2008/07/15
    Messages:
    74
    Likes Received:
    0
    Good news!

    The homepage for andrew is my homepage. I switched Morgan to Google, ran the program that you suggested and did ATF Cleaner on all three logins. I went to System Restore and the furthest date that I could go back to is today, which is fine; I would prefer that, as anything before that is suspect. I only mentioned that as I hope that the restore point doesn't keep moving forward every day and dropping the previous day.
    As for ASK, I went to add/remove and only a toolbar shows up for ask. I went to remove it and this is the message.

    Error loading C:\PROGRA~1\AskSBar\bar\2.bin\AskSbar.dll

    the specific module could not be found.

    The computer works very fast, very efficient, I tend to ask it to do many things at the same time and I often can type faster than the letters show up. After all the utilities you asked me to run, it works like it did when it was brand new 2 years ago. I am not a fan of a split hard drive, I thought that it was slowing down because C is almost full, but now it is fantastic!

    Your help and dedication to us users is fantastic. I know people who have spent hundreds of dollars trying to get their computers cleaned up. I appreciate you and your team.

    Sincerely,
    living life
     
  6. 2008/07/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    There was only 1 restore point because ComboFix reset them when you uninstalled it. They should again populate after today.

    If you have more than 1 hard drive or partition, you should check to see if System Restore is monitoring it as well, and reset that drive too.

    Right click My Computer and select Properties
    Select the System Restore tab
    Select a drive (other than your operating system drive, usually C: ) in the list that is shown as Monitoring then click Settings
    Select the box in the popup to Turn off System Restore on this drive and click OK
    Repeat for all drives listed
    Once you've turned them off, you can go back and clear the box to turn it back on, if desired
    This will clear the infected System Restore points on those drives as well.


    Was the Ask add/remove entry removed? Did you check for and remove the Ask folder in C:\Program Files?
     
  7. 2008/07/29
    living life

    living life Inactive Thread Starter

    Joined:
    2008/07/15
    Messages:
    74
    Likes Received:
    0
    follow up

    Ask was never his home page, so we don't know why that happened. The toolbar shows on Add/Remove Programs and we cannot get it off, but it doesn't seem to be a big deal, unless maybe it is doing something that it should not do.

    I also tried to remove it from C:\Program Files and it says that it cannot be deleted because A2SRCHAS.DLL access is denied, and then to check that the disk is not full or write-protected and that the file is not currently in use.

    Let me know if I should do something about that.

    Sincerely,
    Living Life
     
  8. 2008/07/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, I'd guess MBAM removed enough of the toolbar components that it's not possible to uninstall now. My recommendation is to download and re-install the Ask.com toolbar to repair the uninstaller. Then, uninstall it via Add/Remove. It should go quietly then, as well as the folder in C:\Program Files (reboot may be necessary first).

    Let me know how that goes and if everything else is still OK.
     
  9. 2008/08/01
    living life

    living life Inactive Thread Starter

    Joined:
    2008/07/15
    Messages:
    74
    Likes Received:
    0
    It doesn't want to leave!

    Good day!
    I installed the Ask toolbar and put it inside the old folder where the other toolbar is. Then I went to Add/Remove and removed it. Everything went except for the old one.

    I went to Program Files, clicked on it and Properties. This is what I get:

    A2SRCHAS.DLL
    1.1.0.1
    Ask.com Search Assistant

    C:\Program Files\AskSBar\SrchAstt\1.bin

    Once, again thank you for your help! Everything else has been working fine.
     
  10. 2008/08/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sounds as though instead of re-installing (exact same set of folders and files as original when done) you installed it as another installation within the original. In other words;

    Original path = C:\Program Files\AskSBar
    New path = C:\Program Files\AskSBar\AskSBar

    If that's what you did, try again, allowing it to install with its default settings.
     
  11. 2008/08/01
    living life

    living life Inactive Thread Starter

    Joined:
    2008/07/15
    Messages:
    74
    Likes Received:
    0
    nope!

    Hi!
    I installed it again, let it set its own path, opened it, launched it and then removed it. It went, but the old one is still there and it gives the same message.

    Sincerely,
    Living Life
     
  12. 2008/08/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    And even after a reboot you cannot delete the AskSBar folder?
     
  13. 2008/08/02
    living life

    living life Inactive Thread Starter

    Joined:
    2008/07/15
    Messages:
    74
    Likes Received:
    0
    more information

    That is right. I always reboot/turn off and on after use, even if I am only on for 15 minutes. I also did an error scan on both C and D drives and defragged both drives.
    On the add/remove menu, it shows that it takes no space, but it is listed and when I go to c/programs, it is there in a file folder. I cannot delete it!

    While I was on, AVG started doing a scan and it picked up some viruses again. I think that it is from my son using FrostWire to download to his iPod. If that is the culprit, both my children know that it will be removed without hesitation. I do not like having it on my system to begin with, and I removed LimeWire when I found out it was on about 6 months ago.

    This is the report from avg.

    Virus name Path Date of detection Filename File size
    Trojan horse Downloader.Wimad.E C:\Documents and Settings\Morgan\Incomplete\T-5745425-dysenatry gary.mp3 8/2/2008 12:38:42 AM T-5745425-dysenatry gary.mp3 1.13 MB
    Trojan horse Downloader.Wimad.E C:\Documents and Settings\Morgan\Incomplete\Preview-T-5745425-dysenatry gary.mp3 8/2/2008 12:38:42 AM Preview-T-5745425-dysenatry gary.mp3 35.89 KB
    Trojan horse Downloader.Wimad.E C:\Documents and Settings\Morgan\Incomplete\T-3545425-dysenatry gary.mp3 8/2/2008 12:38:42 AM T-3545425-dysenatry gary.mp3 644 KB
    Trojan horse Downloader.Wimad.E C:\Documents and Settings\Morgan\Incomplete\Preview-T-3545425-dysenatry gary.mp3 8/2/2008 12:38:42 AM Preview-T-3545425-dysenatry gary.mp3 16 KB


    This is the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 02:30, on 02/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\Program Files\Southwest Airlines\Ding\Ding.exe
    C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.andrewtrojner.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
    O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
    O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon "
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.carpages.ca/js/aurigma/resources/ImageUploader5.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://gtroj73.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 9935 bytes

    And this is the combofix.
    ComboFix 08-07-31.06 - andrew 2008-08-02 2:39:56.12 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -4:00]
    Running from: C:\Documents and Settings\andrew\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
    .

    2008-07-28 10:33 . 2008-07-28 10:33 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-07-28 10:32 . 2008-07-28 10:33 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\skypePM
    2008-07-28 10:31 . 2008-07-28 10:31 <DIR> d-------- C:\Program Files\Common Files\Skype
    2008-07-28 10:30 . 2008-07-28 12:46 22,414,120 --a------ C:\SkypeSetup.exe
    2008-07-28 10:25 . 2008-07-28 10:25 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\BitTorrent
    2008-07-24 22:16 . 2008-07-24 22:16 <DIR> d-------- C:\Program Files\DNA
    2008-07-24 22:16 . 2008-07-24 22:16 <DIR> d-------- C:\Program Files\BitTorrent
    2008-07-24 22:16 . 2008-07-24 22:16 <DIR> d-------- C:\Documents and Settings\Morgan\Application Data\DNA
    2008-07-24 22:16 . 2008-07-24 22:16 <DIR> d-------- C:\Documents and Settings\Morgan\Application Data\BitTorrent
    2008-07-24 16:06 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-07-24 16:06 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
    2008-07-22 23:30 . 2008-07-22 23:30 <DIR> d-------- C:\Documents and Settings\Morgan\Application Data\Malwarebytes
    2008-07-22 22:36 . 2008-07-22 22:36 <DIR> d-------- C:\Documents and Settings\Grant\Application Data\Malwarebytes
    2008-07-22 22:36 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-22 21:12 . 2008-07-22 21:12 <DIR> d-------- C:\Program Files\iPod
    2008-07-22 21:12 . 2008-07-22 21:12 <DIR> d-------- C:\Program Files\Bonjour
    2008-07-21 17:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-07-17 15:06 . 2008-07-17 15:06 <DIR> d-------- C:\Program Files\iTunes
    2008-07-17 15:04 . 2008-07-17 15:04 <DIR> d-------- C:\Program Files\QuickTime
    2008-07-17 15:03 . 2008-07-10 09:35 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-07-17 15:00 . 2008-07-17 15:00 63,489,320 --a------ C:\iTunesSetup.exe
    2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\Malwarebytes
    2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-17 10:26 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-17 01:05 . 2008-08-01 22:44 0 --a------ C:\$bootcln.sch
    2008-07-16 10:24 . 2008-07-16 10:25 72,944,878 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-07-16 04:41 . 2008-07-16 04:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-15 11:33 . 2008-07-15 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-07-15 11:32 . 2008-07-15 11:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-07-14 23:20 . 2008-07-14 23:20 2 --a------ C:\WINDOWS\msoffice.ini
    2008-07-14 18:09 . 2003-01-10 17:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
    2008-07-14 16:14 . 2008-07-14 16:14 7,851,488 --a------ C:\Free-SpyHunter-Scanner-ri-Install.exe
    2008-07-14 16:10 . 2008-07-14 16:10 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\AOL
    2008-07-14 16:07 . 2008-07-14 16:07 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
    2008-07-14 16:05 . 2008-07-14 16:05 <DIR> d-------- C:\Program Files\Viewpoint
    2008-07-14 16:05 . 2008-07-14 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-14 14:24 . 2008-07-14 14:24 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-07-14 14:24 . 2008-07-14 14:24 335 --a------ C:\WINDOWS\nsreg.dat
    2008-07-14 14:23 . 2008-07-14 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2008-07-14 14:23 . 2008-07-14 14:23 29 --a------ C:\WINDOWS\atid.ini
    2008-07-11 21:37 . 2008-07-11 21:37 7,496,920 --a------ C:\Firefox Setup 3.0.exe
    2008-07-11 19:46 . 2008-07-11 19:46 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\MSNInstaller
    2008-07-10 02:58 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\Realtek Sound Manager
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
    2008-07-10 01:30 . 2008-07-10 01:30 <DIR> d-------- C:\Program Files\AvRack
    2008-07-05 20:44 . 2008-07-09 09:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-07-05 20:44 . 2008-07-05 20:45 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-07-05 20:42 . 2008-07-05 20:42 <DIR> d-------- C:\Program Files\QuickTime(2)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-21 23:54 --------- d-----w C:\Documents and Settings\Morgan\Application Data\ooVoo Details
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:45 360,320 ------w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-20 09:52 225,920 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-17 23:23 --------- d-----w C:\Documents and Settings\Morgan\Application Data\FrostWire
    2008-06-17 23:19 --------- d-----w C:\Program Files\FrostWire
    2008-06-17 23:19 --------- d-----w C:\Program Files\AskSBar
    2008-06-13 20:06 --------- d-----w C:\Documents and Settings\Grant\Application Data\LimeWire
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-12 20:25 --------- d-----w C:\Documents and Settings\Grant\Application Data\uTorrent
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2004-08-04 09:00 94,784 --sh--w C:\WINDOWS\twain.dll
    2004-08-04 09:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} "= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-07-22 14:44 66912]

    [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
    2008-07-22 14:44 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WeatherEye "= "C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye" [X]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "GoToMeeting "= "C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe" [2008-07-24 09:57 31552]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp "= "Alaunch" [X]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44 98394]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 23:43 688218]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [2005-03-04 13:13 32768]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "eRecoveryService "= "C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 16:54 385024]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-19 19:41 579584]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 00:55 176128]
    "HPHUPD05 "= "C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 00:55 49152]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
    "HPHmon05 "= "C:\WINDOWS\system32\hphmon05.exe" [2005-07-08 00:55 491520]
    "eFax 4.2 "= "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 16:36 107008]
    "HP Software Update "= "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
    "Share-to-Web Namespace Daemon "= "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
    "Acrobat Assistant 7.0 "= "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
    "AppleSyncNotifier "= "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
    "SoundMan "= "SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-10-07 19:50 88363 C:\WINDOWS\AGRSMMSG.exe]
    "SiSPower "= "SiSPower.dll" [2005-02-25 19:35 49152 C:\WINDOWS\system32\SiSPower.dll]

    C:\Documents and Settings\andrew\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864]
    DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-01-04 16:52:52 331776]
    eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [2006-10-02 21:00:05 612352]
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-06 15:54:09 25214]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Acer Inc\\Acer GridVista\\GridVistaU.exe "=
    "C:\\Program Files\\Grisoft\\AVG Free\\AVGCC.EXE "=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgw.exe "=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgvv.exe "=
    "C:\\Program Files\\eFax Messenger 4.2\\J2GPBook.exe "=
    "C:\\Program Files\\Hewlett-Packard\\Precisionscan Pro 3.1\\hpipcopy.exe "=
    "C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe "=
    "C:\\HSH\\HBCS\\unins000.exe "=
    "C:\\Program Files\\TheWeatherNetwork\\WeatherEye\\WeatherEye.exe "=
    "C:\\Program Files\\AvRack\\rtlrack.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\Program Files\\DNA\\btdna.exe "=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe "=
    "C:\\Program Files\\FrostWire\\FrostWire.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=

    R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
    R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 01:43]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\topmenu.exe

    *Newly Created Service* - INT15.SYS
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-02 C:\WINDOWS\Tasks\HP Usg Daily.job
    - C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2005-07-08 00:55]

    2007-03-22 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job
    - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []

    2008-07-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    R0 -: HKCU-Main,Start Page = hxxp://www.andrewtrojner.ca/
    R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore

    O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.carpages.ca/js/aurigma/resources/ImageUploader5.cab
    C:\WINDOWS\Downloaded Program Files\ImageUploader5.inf
    C:\WINDOWS\system32\unicows.dll
    C:\WINDOWS\Downloaded Program Files\ImageUploader5.ocx


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-02 02:41:35
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-02 2:42:01
    ComboFix3.txt 2008-07-24 02:05:58
    ComboFix-quarantined-files.txt 2008-08-02 06:42:00
    ComboFix2.txt 2008-08-02 06:20:56

    Pre-Run: 2,795,208,704 bytes free
    Post-Run: 2,801,500,160 bytes free

    194 --- E O F --- 2008-07-24 19:22:21


    This really upsets me because I do not want to waste your time fixing something that a share program could have caused. I apologize for this. I went to the Ask website and there is no information there on who to contact if you cannot get rid of their program.

    Once again, thank you for all of your time with my matter.

    Sincerely,
    Living Life
     
  14. 2008/08/02
    living life (Thread Starter)
    one more question

    2008-06-13 20:06 --------- d-----w C:\Documents and Settings\Grant\Application Data\LimeWire

    Does this mean that this is still on the computer? It does not show in Add/Remove Programs, so is it a song or a file that he has stored by using that? The date is June 13, so it makes me wonder...
     
  15. 2008/08/02
    noahdfear
    I would think the LimeWire folder(s) just didn't get removed with the uninstallation process.

    Also installed are a couple of other P2P apps, in addition to FrostWire:
    BitTorrent
    uTorrent


    Here's my general speech concerning p2p.

    I'm not passing judgment on file-sharing as a concept. However, I will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    References for the risk of these programs are here, here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Now, here's a list of the p2p folders I can see.

    C:\Program Files\BitTorrent
    C:\Program Files\FrostWire
    C:\Documents and Settings\andrew\Application Data\BitTorrent
    C:\Documents and Settings\Grant\Application Data\LimeWire
    C:\Documents and Settings\Grant\Application Data\uTorrent
    C:\Documents and Settings\Morgan\Application Data\BitTorrent
    C:\Documents and Settings\Morgan\Application Data\FrostWire
    C:\Documents and Settings\Morgan\Incomplete


    Scan again with HijackThis and place a check next to the following entries.

    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL


    Close all open windows, then click Fix Checked.

    Reboot and see if you can now remove the C:\Program Files\AskSBar folder.
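The two HijackThis lines above are a URLSearchHook (R3) and a Browser Helper Object (O2) that both load the same DLL, and the ComboFix "Reg Loading Points" section earlier in the thread shows where Internet Explorer picks them up. To make that mapping explicit, here is an added example of my own, not code from the thread, from HijackThis or from ComboFix: a small Python triage script that parses the R3/O2/O3 lines of a HijackThis log, keeps the ones whose module lives under a given folder, and lists the registry locations that register each one. The sample log lines are constructed from entries quoted in this thread, and the registry paths are the standard IE add-on registration keys, assumed from the keys ComboFix listed.

```python
"""Triage a HijackThis log for Internet Explorer add-ons loaded from a given
folder, and map each hit to the registry locations that register it.

Added example for this thread; not part of the original post, HijackThis
or ComboFix.  Registry paths are the standard IE add-on registration keys
(assumed from the ComboFix 'Reg Loading Points' section in the thread).
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed sample: the two Ask entries the helper asked to fix, plus
# benign entries from the same log so the filter has something to leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
"""

# HijackThis sections that register a COM object IE loads by CLSID.
ADDON_LINE = re.compile(
    r"^(?P<section>R3|O2|O3) - (?P<kind>URLSearchHook|BHO|Toolbar): "
    r"(?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)

# Where each kind of add-on is registered.  Every kind additionally needs the
# COM class itself, under HKCR\CLSID\{clsid}; registry_locations() adds that.
REGISTRATION = {
    "URLSearchHook": r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks  (value {clsid})",
    "BHO": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
    "Toolbar": r"HKLM\Software\Microsoft\Internet Explorer\Toolbar  (value {clsid})",
}


class AddOn(NamedTuple):
    section: str
    kind: str
    name: str
    clsid: str
    path: str


def parse_addons(log_text: str) -> list[AddOn]:
    """Return every R3/O2/O3 entry in a HijackThis log, in file order."""
    found = []
    for line in log_text.splitlines():
        m = ADDON_LINE.match(line.strip())
        if m:
            # HijackThis sometimes quotes paths and leaves trailing blanks.
            path = m.group("path").strip().strip('"').strip()
            found.append(AddOn(m.group("section"), m.group("kind"),
                               m.group("name"), m.group("clsid"), path))
    return found


def _under(path: str, folder: str) -> bool:
    """Case-insensitive 'path lives inside folder' test for Windows paths."""
    p = path.lower().replace("/", "\\")
    f = folder.lower().replace("/", "\\").rstrip("\\")
    return p == f or p.startswith(f + "\\")


def find_addons_under(log_text: str, folder: str) -> list[AddOn]:
    """Add-ons whose module is loaded from `folder` or one of its subfolders."""
    return [a for a in parse_addons(log_text) if _under(a.path, folder)]


def registry_locations(addon: AddOn) -> list[str]:
    """Registry locations that must go for this add-on to stop loading:
    the hook/BHO/toolbar registration and the COM class registration."""
    return [
        REGISTRATION[addon.kind].format(clsid=addon.clsid),
        "HKCR\\CLSID\\" + addon.clsid,
    ]


def shared_modules(addons: list[AddOn]) -> dict[str, list[AddOn]]:
    """Group add-ons by module path and keep the DLLs registered more than
    once.  One DLL under several CLSIDs (the Ask CLSIDs differ in a single
    hex digit) needs every registration removed, or IE keeps loading it."""
    groups: dict[str, list[AddOn]] = {}
    for a in addons:
        groups.setdefault(a.path.lower(), []).append(a)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    hits = find_addons_under(SAMPLE_LOG, r"C:\Program Files\AskSBar")
    for a in hits:
        print(f"{a.section} {a.kind:<13} {a.clsid}  {a.path}")
        for loc in registry_locations(a):
            print("     ", loc)
    for path, group in shared_modules(hits).items():
        print(f"{path} is registered {len(group)} times; fix all of them")
```

Run against the sample, the script reports both Ask entries and flags that A2SRCHAS.DLL is registered twice, which is why the helper lists both lines for Fix Checked rather than one. It also explains the reboot step: while IE or Explorer still has the DLL loaded, Windows keeps the file open and the AskSBar folder cannot be deleted.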
     
  16. 2008/08/02
    living life (Thread Starter)
    Finally!

    Okay, I did that and it seems that it is gone, along with all the p2p programs. This is the log. I hope that this is the end of it so that you can help other people. I really appreciate your diligence with this problem.

    Sincerely,
    Living Life

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:33, on 03/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon05.exe
    C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\Program Files\Southwest Airlines\Ding\Ding.exe
    C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.andrewtrojner.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
    O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
    O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon "
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.carpages.ca/js/aurigma/resources/ImageUploader5.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://gtroj73.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 9679 bytes
     
  17. 2008/08/02
    noahdfear
    Looks good. Good move clearing out the P2P. ;)

    I'm happy to have helped. You're quite welcome. :)
     
