
Slow Computer When Browsing Internet

Discussion in 'Malware and Virus Removal Archive' started by backyardliving, 2008/09/14.

  1. 2008/09/14, backyardliving (Thread Starter):
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:26:24 PM, on 9/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Windows Live\Family Safety\fssui.exe
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\Pelmiced.exe
    C:\Program Files\Microsoft Location Finder\LocationFinder.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Live\Mail\wlmail.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltel.net/newuser/benefits/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - blank (file missing)
    O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: (no name) - {5979FD29-B2E2-4D54-B7FE-BDC75B99F0A2} - C:\WINDOWS\system32\sstqo.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rnptuaep.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: 0 - {CDB08595-2CA3-40E4-6CAC-C7D41A9AAE62} - C:\Program Files\Windows Media Player\labunufix439.dll (file missing)
    O2 - BHO: (no name) - {E2D02A47-A9FF-4B73-B96B-095606E3BA06} - C:\Program Files\WindowsUpdate\hopeted4444.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - blank (file missing)
    O3 - Toolbar: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [bikini] bikini.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
    O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKUS\S-1-5-21-2780696155-3392598108-3994112602-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'QBDataServiceUser18')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...opularScreenSaversFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O20 - Winlogon Notify: rnptuaep - rnptuaep.dll (file missing)
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

    --
    End of file - 11538 bytes
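    As an added example that is not part of the original thread, the following Python script applies the checks a malware-removal helper runs over a HijackThis log like the one above: dangling "(file missing)" / "(no file)" BHO and toolbar registrations, the O20 Winlogon Notify DLL, O23 services with an unknown owner and an extension-less binary path, O4 Run entries whose bare file name matches nothing in the "Running processes" list, and O16 ActiveX downloads from hosts outside an allowlist. The sample lines are copied from the log above; the allowlist, the severity labels and the helper names are assumptions made for this example.

```python
"""Heuristic triage of a HijackThis (HJT) log like the one pasted above."""
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity section reason line")

# Entry lines look like 'O2 - BHO: ...', 'R0 - HKCU\\...', 'O23 - Service: ...'.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")
# Assumed allowlist for O16 ActiveX (DPF) download hosts; not from the thread.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "mcafee.com")

# Constructed sample: a subset of lines copied from the log in the first post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\QTTask.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5979FD29-B2E2-4D54-B7FE-BDC75B99F0A2} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rnptuaep.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - blank (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...opularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - Winlogon Notify: rnptuaep - rnptuaep.dll (file missing)
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def _host_trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def parse_log(text):
    """Split an HJT log into (running process basenames, entry lines)."""
    running, entries = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
        elif line.lower().endswith(".exe") and "\\" in line:
            # Lines of the 'Running processes' block are full paths to .exe files.
            running.add(line.rsplit("\\", 1)[-1].lower())
    return running, entries


def triage_entry(section, body, line, running):
    """Return a Finding for one entry, or None if nothing stands out."""
    target = body.rsplit(" - ", 1)[-1]  # last ' - ' field: file path or URL
    if any(marker in body for marker in MISSING_MARKERS):
        if section == "O20":
            return Finding("high", section,
                           "Winlogon Notify DLL registered but missing on disk (Vundo-style remnant)", line)
        return Finding("medium", section, "registration points at a file that no longer exists", line)
    if section == "O20":
        return Finding("medium", section, "Winlogon Notify handler loads inside winlogon.exe; verify publisher", line)
    if section == "O23" and "Unknown owner" in body:
        if not target.lower().endswith((".exe", ".sys")):
            return Finding("high", section, "service with no publisher and an extension-less binary path", line)
        return Finding("low", section, "service binary carries no publisher string", line)
    if section == "O4" and "] " in body:
        cmd = body.split("] ", 1)[-1].strip()
        # Quoted commands keep their full path; otherwise the first token is the target.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in exe and exe.lower() not in running:
            return Finding("medium", section, "Run entry names a bare file that matches no running process", line)
    if section == "O16":
        host = (urlparse(target).hostname or "").lower()
        if not _host_trusted(host):
            return Finding("medium", section, f"ActiveX download from unlisted host {host}", line)
    return None


def triage(text):
    """All findings for a log, highest severity first, log order within a severity."""
    running, entries = parse_log(text)
    findings = [f for f in (triage_entry(s, b, l, running) for s, b, l in entries) if f]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


def summarize(findings):
    """Count of findings per severity, e.g. {'high': 2, 'medium': 6, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

    Run it as a script to print the sorted findings, or call triage() on the full log text. The O4 rule is deliberately weak on purpose: VTTimer.exe and SOUNDMAN.EXE are bare names too, but both resolve to entries in the running-process list, while bikini.exe appears nowhere in it. The two "high" hits, the missing Winlogon Notify DLL and the extension-less MSControlService binary, are the items the MBAM log later in the thread identifies as Trojan.Vundo.H and Trojan.Zapchast.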
     
  2. 2008/09/14, backyardliving (Thread Starter):
    Also, my eMachines model is t2824.

  4. 2008/09/14, noahdfear:
    Welcome to WindowsBBS :)

    You have, at the very least, remnants of infection. Let's go after that and go from there. Please download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  5. 2008/09/14, backyardliving (Thread Starter):
    OK, I did both things, a lot of red!

    Malwarebytes' Anti-Malware 1.28
    Database version: 1153
    Windows 5.1.2600 Service Pack 2

    9/14/2008 11:47:08 PM
    mbam-log-2008-09-14 (23-47-08).txt

    Scan type: Quick Scan
    Objects scanned: 61849
    Time elapsed: 32 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 65
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 10
    Files Infected: 130

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rnptuaep (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{11b97cf9-c40e-4127-801d-0fe00eb35705} (Adware.AdSponsor) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8fb5b012-e8cb-46cd-b6d2-ed428fae9043} (Adware.AdSponsor) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{dbba22f6-4f42-436e-8893-b1b73b69d7a4} (Adware.AdSponsor) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8fb5b012-e8cb-46cd-b6d2-ed428fae9043} (Adware.AdSponsor) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mscontrolservice (Trojan.Zapchast) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mscontrolservice (Trojan.Zapchast) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mscontrolservice (Trojan.Zapchast) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
    C:\Program Files\Screensavers.com\Wallpaper (Adware.Comet) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\rnptuaep.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\aavfcpjp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pjpcfvaa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\anydeqyn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nyqedyna.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bceoyigo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ogiyoecb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bsryenpd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dpneyrsb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\btkrinmi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\imnirktb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cgvcbfea.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\aefbcvgc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dmhbmlfl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lflmbhmd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ectqcesf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fsecqtce.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\elxmbvde.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\edvbmxle.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\epneemns.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\snmeenpe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fgligxsp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\psxgilgf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fppmabms.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\smbamppf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jfykxyqr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rqyxkyfj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jjltuvsd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dsvutljj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jjunhplg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\glphnujj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lbxshjwh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hwjhsxbl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\luihbcbt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tbcbhiul.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mhadhwar.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rawhdahm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ndxfabtj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jtbafxdn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nedcbpdx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xdpbcden.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nilceiyv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vyieclin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\okdgiprj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jrpigdko.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\otlfqdgx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xgdqflto.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\owxxolyb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\byloxxwo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\plmwyptt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ttpywmlp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qjgckcnd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dnckcgjq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qpxoovue.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\euvooxpq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qtrtehdk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\kdhetrtq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qujhdrph.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hprdhjuq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qwtbnanq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qnanbtwq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\regtgyhi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ihygtger.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rnptuaep.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rvuajiax.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xaijauvr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rxgpqpoi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\iopqpgxr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\smxpglnl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lnlgpxms.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\svadetnb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bntedavs.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tosvrjhx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xhjrvsot.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ttdetbxp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pxbtedtt.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ulcspqiy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yiqpsclu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uqhdfyxu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uxyfdhqu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uypvicso.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\oscivpyu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vnxjmmgb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bgmmjxnv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vsctminx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xnimtcsv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wgxotvyq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qyvtoxgw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wljwjkhl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lhkjwjlw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wpdadkci.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ickdadpw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xjndejil.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lijednjx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xjvxuvqf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fqvuxvjx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Delete on reboot.
    C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
    C:\WINDOWS\mrofinu572.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\isakvqfp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jdlrvrac.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\apycssds.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bajuytuj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jrsjkgio.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\kktkgvcj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\njbksfut.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\windows (Trojan.Zapchast) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xxyyvuu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ijvgctbo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ed barnette\Desktop\PLAY_MP3.exe (Adware.PlayMp3z) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images\03187CF4.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\0A72E0CC.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\Screensavers.com\Wallpaper\Federica Fontana.jpg (Adware.Comet) -> Quarantined and deleted successfully.
    C:\Program Files\Screensavers.com\Wallpaper\swpstart.exe (Adware.Comet) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BMe333d2f0.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BMe333d2f0.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\oqtss.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\oqtss.bak1 (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\b111.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\b148.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ed barnette\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:48:17 PM, on 9/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Windows Live\Family Safety\fssui.exe
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\Pelmiced.exe
    C:\Program Files\Microsoft Location Finder\LocationFinder.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Live\Mail\wlmail.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\spider.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltel.net/newuser/benefits/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - blank (file missing)
    O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: (no name) - {5979FD29-B2E2-4D54-B7FE-BDC75B99F0A2} - C:\WINDOWS\system32\sstqo.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: 0 - {CDB08595-2CA3-40E4-6CAC-C7D41A9AAE62} - C:\Program Files\Windows Media Player\labunufix439.dll (file missing)
    O2 - BHO: (no name) - {E2D02A47-A9FF-4B73-B96B-095606E3BA06} - C:\Program Files\WindowsUpdate\hopeted4444.dll (file missing)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - blank (file missing)
    O3 - Toolbar: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [bikini] bikini.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
    O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKUS\S-1-5-21-2780696155-3392598108-3994112602-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'QBDataServiceUser18')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

    --
    End of file - 10831 bytes
     
  6. 2008/09/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wow, lots of Vundo! :eek: Let's run another tool to see if there's any left. Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  7. 2008/09/16
    backyardliving

    backyardliving Inactive Thread Starter

    Joined:
    2008/09/14
    Messages:
    9
    Likes Received:
    0
    Here's the ComboFix log:

    ComboFix 08-09-15.02 - ed barnette 2008-09-16 11:48:10.1 - NTFSx86
    Running from: C:\Documents and Settings\ed barnette\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\Documents and Settings\ed barnette\Application Data\install.dat
    C:\Documents and Settings\ed barnette\Local Settings\Temporary Internet Files\index.dat
    C:\Temp\1cb
    C:\Temp\fse
    C:\Temp\isgTi19
    C:\Temp\isgTi19\lPig.log
    C:\Temp\xOe
    C:\Temp\xOe\tOasF.log
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\system32\adhagtrw.ini
    C:\WINDOWS\system32\aqicaufy.ini
    C:\WINDOWS\system32\aquuuevf.dll
    C:\WINDOWS\system32\asooopdn.ini
    C:\WINDOWS\system32\audlpklq.ini
    C:\WINDOWS\system32\awhackvo.ini
    C:\WINDOWS\system32\axubrmgp.ini
    C:\WINDOWS\system32\aywdshwx.ini
    C:\WINDOWS\system32\bbminaou.ini
    C:\WINDOWS\system32\bkhrutjx.dll
    C:\WINDOWS\system32\bpvlmhaf.dll
    C:\WINDOWS\system32\bsuvyloo.ini
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\bwngounu.ini
    C:\WINDOWS\system32\cgwhbctw.ini
    C:\WINDOWS\system32\chcpcgwp.ini
    C:\WINDOWS\system32\cnqydbec.ini
    C:\WINDOWS\system32\cxtrscsd.ini
    C:\WINDOWS\system32\dkqcppln.dll
    C:\WINDOWS\system32\doahjfya.ini
    C:\WINDOWS\system32\dowqkpls.ini
    C:\WINDOWS\system32\dpewlups.ini
    C:\WINDOWS\system32\dpflndpk.ini
    C:\WINDOWS\system32\dywturfn.ini
    C:\WINDOWS\system32\elvivqhp.ini
    C:\WINDOWS\system32\emadyfbc.ini
    C:\WINDOWS\system32\epghferk.ini
    C:\WINDOWS\system32\ereduthh.ini
    C:\WINDOWS\system32\esgppfds.dll
    C:\WINDOWS\system32\etioxalc.dll
    C:\WINDOWS\system32\ewpidxat.ini
    C:\WINDOWS\system32\fbkvcgvf.ini
    C:\WINDOWS\system32\flabdaaj.ini
    C:\WINDOWS\system32\fralpsgg.ini
    C:\WINDOWS\system32\fycyigtq.ini
    C:\WINDOWS\system32\gbxfidco.ini
    C:\WINDOWS\system32\gfjouddx.ini
    C:\WINDOWS\system32\ggqrlbjv.ini
    C:\WINDOWS\system32\gkmibnmo.dll
    C:\WINDOWS\system32\glroexvq.ini
    C:\WINDOWS\system32\gmfmvycl.dll
    C:\WINDOWS\system32\grsmqwoh.ini
    C:\WINDOWS\system32\gwrhiuay.ini
    C:\WINDOWS\system32\h1
    C:\WINDOWS\system32\hcxkgayr.ini
    C:\WINDOWS\system32\hmhavjeu.ini
    C:\WINDOWS\system32\hnpqvglo.ini
    C:\WINDOWS\system32\hnxayina.ini
    C:\WINDOWS\system32\hrempnig.ini
    C:\WINDOWS\system32\htondmtl.ini
    C:\WINDOWS\system32\hwbielsv.ini
    C:\WINDOWS\system32\hwclvitg.ini
    C:\WINDOWS\system32\idrupktb.ini
    C:\WINDOWS\system32\ijieuaja.ini
    C:\WINDOWS\system32\imas3r
    C:\WINDOWS\system32\iyenkhkq.dll
    C:\WINDOWS\system32\jidlwqci.ini
    C:\WINDOWS\system32\jwpsniou.ini
    C:\WINDOWS\system32\kilidovy.ini
    C:\WINDOWS\system32\kkinlgvp.ini
    C:\WINDOWS\system32\knkeettr.ini
    C:\WINDOWS\system32\kqxkcmoc.dll
    C:\WINDOWS\system32\ktpdpcvn.dll
    C:\WINDOWS\system32\kycxijjt.dll
    C:\WINDOWS\system32\kygfyktr.ini
    C:\WINDOWS\system32\lanwqjis.ini
    C:\WINDOWS\system32\lbwhohxb.dll
    C:\WINDOWS\system32\lelhugjg.ini
    C:\WINDOWS\system32\lkdudnbi.ini
    C:\WINDOWS\system32\lkkfdjhf.dll
    C:\WINDOWS\system32\llstvgte.ini
    C:\WINDOWS\system32\lmjcdhue.ini
    C:\WINDOWS\system32\lunwvhoq.ini
    C:\WINDOWS\system32\lwfxfsbl.ini
    C:\WINDOWS\system32\lyvpulcs.ini
    C:\WINDOWS\system32\maqgqklw.ini
    C:\WINDOWS\system32\mbsrsavk.ini
    C:\WINDOWS\system32\mfxikthx.ini
    C:\WINDOWS\system32\mgtwtxgu.ini
    C:\WINDOWS\system32\mlfngodw.ini
    C:\WINDOWS\system32\mmmdrwkg.dll
    C:\WINDOWS\system32\mncifllk.ini
    C:\WINDOWS\system32\mqskuwqq.dll
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\mumymlnr.ini
    C:\WINDOWS\system32\mwmgfetf.ini
    C:\WINDOWS\system32\nbxobhwq.dll
    C:\WINDOWS\system32\nirfvmfe.dll
    C:\WINDOWS\system32\njlxslwp.ini
    C:\WINDOWS\system32\nmbofthj.ini
    C:\WINDOWS\system32\nmlgbllm.ini
    C:\WINDOWS\system32\nnunjhlm.ini
    C:\WINDOWS\system32\nrahcbnk.ini
    C:\WINDOWS\system32\nvauecaj.ini
    C:\WINDOWS\system32\nyamvhpd.ini
    C:\WINDOWS\system32\oirntvhy.ini
    C:\WINDOWS\system32\okowvptb.ini
    C:\WINDOWS\system32\oqtss.bak2
    C:\WINDOWS\system32\oqtss.ini2
    C:\WINDOWS\system32\oqtss.tmp
    C:\WINDOWS\system32\osshtbhx.ini
    C:\WINDOWS\system32\owhjowjq.ini
    C:\WINDOWS\system32\oyknrhok.ini
    C:\WINDOWS\system32\p1
    C:\WINDOWS\system32\pajlkxnb.ini
    C:\WINDOWS\system32\phgonooc.ini
    C:\WINDOWS\system32\pittsmhs.ini
    C:\WINDOWS\system32\pncqcree.dll
    C:\WINDOWS\system32\pofvpoxi.ini
    C:\WINDOWS\system32\ptdatyti.ini
    C:\WINDOWS\system32\pxuleids.ini
    C:\WINDOWS\system32\q21
    C:\WINDOWS\system32\qdqkiqyl.ini
    C:\WINDOWS\system32\qgffdiqr.ini
    C:\WINDOWS\system32\qglxomop.ini
    C:\WINDOWS\system32\qhbksemj.dll
    C:\WINDOWS\system32\qirtnigr.ini
    C:\WINDOWS\system32\qluxuhpq.dll
    C:\WINDOWS\system32\qndfmjyg.ini
    C:\WINDOWS\system32\qnwkbupp.ini
    C:\WINDOWS\system32\qqlmxdsx.ini
    C:\WINDOWS\system32\qrbdltto.ini
    C:\WINDOWS\system32\qxfcllxe.ini
    C:\WINDOWS\system32\rtstv.bak1
    C:\WINDOWS\system32\rtstv.bak2
    C:\WINDOWS\system32\rtstv.tmp
    C:\WINDOWS\system32\sdarueew.ini
    C:\WINDOWS\system32\sflagifn.ini
    C:\WINDOWS\system32\sftphosc.ini
    C:\WINDOWS\system32\shumqjem.ini
    C:\WINDOWS\system32\thddjbqh.ini
    C:\WINDOWS\system32\ttkqutfb.ini
    C:\WINDOWS\system32\tydjbmem.dll
    C:\WINDOWS\system32\ueespeyk.dll
    C:\WINDOWS\system32\uidxvcip.ini
    C:\WINDOWS\system32\uirhedwr.dll
    C:\WINDOWS\system32\ujhankre.ini
    C:\WINDOWS\system32\uppbbhbv.ini
    C:\WINDOWS\system32\utgdoasc.dll
    C:\WINDOWS\system32\utrjyspb.ini
    C:\WINDOWS\system32\vfhcjcfc.ini
    C:\WINDOWS\system32\viauoyvr.ini
    C:\WINDOWS\system32\vjmtktaj.ini
    C:\WINDOWS\system32\vkrghpur.ini
    C:\WINDOWS\system32\vMW02a
    C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
    C:\WINDOWS\system32\vodiicvh.ini
    C:\WINDOWS\system32\vwdeeyct.ini
    C:\WINDOWS\system32\vxbjmsmw.ini
    C:\WINDOWS\system32\wawuhpko.dll
    C:\WINDOWS\system32\wbaxjbaq.ini
    C:\WINDOWS\system32\wbvhcpch.dll
    C:\WINDOWS\system32\wkjbnkmo.ini
    C:\WINDOWS\system32\wlatyeua.ini
    C:\WINDOWS\system32\wqswjsvo.ini
    C:\WINDOWS\system32\wtlepabs.ini
    C:\WINDOWS\system32\wtvtakdf.dll
    C:\WINDOWS\system32\wybymbaq.dll
    C:\WINDOWS\system32\xeuaaiwq.ini
    C:\WINDOWS\system32\xgaeyoyc.dll
    C:\WINDOWS\system32\xhsnegxc.ini
    C:\WINDOWS\system32\xnjlbdfi.dll
    C:\WINDOWS\system32\xurapddi.ini
    C:\WINDOWS\system32\yktambyu.ini
    C:\WINDOWS\system32\yneaxidl.ini
    C:\WINDOWS\system32\yqvmtfsb.dll
    C:\WINDOWS\system32\yslopiol.dll
    C:\WINDOWS\system32\yuojwqnu.ini
    C:\WINDOWS\system32\yxghkcfi.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
    .

    2008-09-15 22:23 . 2004-05-04 06:19 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser18\WINDOWS
    2008-09-15 22:23 . 2004-05-04 06:19 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser18\Application Data\Symantec
    2008-09-15 22:23 . 2008-09-15 22:23 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser18
    2008-09-14 23:10 . 2008-09-14 23:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-14 23:10 . 2008-09-14 23:10 <DIR> d-------- C:\Documents and Settings\ed barnette\Application Data\Malwarebytes
    2008-09-14 23:10 . 2008-09-14 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-14 23:10 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-14 23:10 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-14 22:25 . 2008-09-14 22:25 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-05 15:36 . 2008-09-05 15:36 <DIR> d-------- C:\Program Files\AWS
    2008-09-05 15:36 . 2008-09-05 15:36 <DIR> d-------- C:\Documents and Settings\ed barnette\Application Data\WeatherBug
    2008-09-05 15:35 . 2008-09-05 15:35 <DIR> d-------- C:\Program Files\AskSBar
    2008-09-05 13:12 . 2008-09-05 14:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-03 12:53 . 2008-09-03 12:53 <DIR> d-------- C:\Program Files\Coupons
    2008-09-03 12:53 . 2008-09-03 12:53 197,976 -ra------ C:\WINDOWS\system32\cpnprt2.cid
    2008-08-31 14:33 . 2008-08-31 14:33 <DIR> d-------- C:\Program Files\LimeWire
    2008-08-31 14:33 . 2008-09-16 23:37 <DIR> d-------- C:\Documents and Settings\ed barnette\Application Data\LimeWire
    2008-08-18 00:19 . 2008-08-18 00:19 <DIR> d-------- C:\Program Files\Microsoft Silverlight

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-17 03:37 --------- d-----w C:\Documents and Settings\ed barnette\Application Data\AdobeUM
    2008-09-17 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\PGSoft
    2008-09-12 04:39 --------- d-----w C:\Program Files\palmOne
    2008-08-14 04:52 --------- d-----w C:\Documents and Settings\ed barnette\Application Data\Apple Computer
    2008-08-14 04:51 --------- d-----w C:\Program Files\iTunes
    2008-08-14 04:51 --------- d-----w C:\Program Files\iPod
    2008-08-14 04:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-08-14 04:48 --------- d-----w C:\Program Files\Bonjour
    2008-08-14 04:46 --------- d-----w C:\Program Files\QuickTime
    2008-08-14 04:41 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-14 04:39 --------- d-----w C:\Program Files\Common Files\Apple
    2008-08-14 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-08-13 18:50 --------- d-----w C:\Documents and Settings\ed barnette\Application Data\Arcsoft
    2008-07-31 04:29 --------- d-----w C:\Program Files\Realtime Landscaping Architect
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-18 18:34 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 22:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2005-12-17 13:38 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 57,344 2005-06-07 04:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

    ----a-w 563,984 2007-07-25 20:02:54 C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe

    ----a-w 180,269 2005-12-18 20:02:17 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

    ----a-w 135,168 2004-03-12 05:18:54 C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe

    ----a-w 49,152 2005-06-01 16:35:55 C:\Program Files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe

    ----a-w 49,152 2005-05-12 03:12:54 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe

    ----a-w 67,128 2007-07-25 18:15:05 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe

    ----a-w 2,027,792 2007-07-25 20:06:30 C:\Program Files\Logitech\QuickCam\bak\Quickcam.exe

    ----a-w 101,064 2005-11-06 03:25:42 C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe
    ----a-w 101,064 2005-11-06 02:25:42 C:\Program Files\Microsoft Location Finder\LocationFinder.exe

    ----a-w 282,624 2007-02-16 14:54:04 C:\Program Files\QuickTime\bak\qttask.exe
    ----a-w 413,696 2008-05-27 14:50:30 C:\Program Files\QuickTime\QTTask.exe

    ----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe

    -c--a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

    ----a-w 188,416 2002-11-27 11:29:22 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" [N/A]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-11-05 101064]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240]
    "HotSync"="C:\Program Files\PalmSource\Desktop\HotSync.exe" [N/A]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "RegistryMechanic"="" [N/A]
    "VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 C:\WINDOWS\system32\ico.exe]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-17 C:\WINDOWS\soundman.exe]
    "bikini"="bikini.exe" [N/A]

    C:\Documents and Settings\ed barnette\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-08-21 147456]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-05-01 1742384]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2008-01-03 1392640]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
    "C:\WINDOWS\system32\rnadlosd.exe"= C:\WINDOWS\system32\rna
    "C:\WINDOWS\system32\mcqctpjf.exe"= C:\WINDOWS\system32\mcq
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=

    R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 13696]
    R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 43816]
    R2 fsssvc;Windows Live OneCare Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 523816]
    R2 QuickBooksDB18;QuickBooksDB18;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 128536]
    R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 36224]
    R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16384]
    R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2004-05-21 10240]
    S3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2002-03-12 899884]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{5979FD29-B2E2-4D54-B7FE-BDC75B99F0A2} - C:\WINDOWS\system32\sstqo.dll
    BHO-{CDB08595-2CA3-40E4-6CAC-C7D41A9AAE62} - C:\Program Files\Windows Media Player\labunufix439.dll
    BHO-{E2D02A47-A9FF-4B73-B96B-095606E3BA06} - C:\Program Files\WindowsUpdate\hopeted4444.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\ed barnette\Application Data\Mozilla\Firefox\Profiles\ujrb4jlf.default\
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-16 12:01:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-09-16 12:17:10
    ComboFix-quarantined-files.txt 2008-09-16 16:16:03

    Pre-Run: 13,838,897,152 bytes free
    Post-Run: 13,961,355,264 bytes free

    337 --- E O F --- 2008-09-10 06:45:31


    and the hj:

    ComboFix 08-09-15.02 - ed barnette 2008-09-16 11:48:10.1 - NTFSx86
    Running from: C:\Documents and Settings\ed barnette\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\Documents and Settings\ed barnette\Application Data\install.dat
    C:\Documents and Settings\ed barnette\Local Settings\Temporary Internet Files\index.dat
    C:\Temp\1cb
    C:\Temp\fse
    C:\Temp\isgTi19
    C:\Temp\isgTi19\lPig.log
    C:\Temp\xOe
    C:\Temp\xOe\tOasF.log
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\system32\adhagtrw.ini
    C:\WINDOWS\system32\aqicaufy.ini
    C:\WINDOWS\system32\aquuuevf.dll
    C:\WINDOWS\system32\asooopdn.ini
    C:\WINDOWS\system32\audlpklq.ini
    C:\WINDOWS\system32\awhackvo.ini
    C:\WINDOWS\system32\axubrmgp.ini
    C:\WINDOWS\system32\aywdshwx.ini
    C:\WINDOWS\system32\bbminaou.ini
    C:\WINDOWS\system32\bkhrutjx.dll
    C:\WINDOWS\system32\bpvlmhaf.dll
    C:\WINDOWS\system32\bsuvyloo.ini
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\bwngounu.ini
    C:\WINDOWS\system32\cgwhbctw.ini
    C:\WINDOWS\system32\chcpcgwp.ini
    C:\WINDOWS\system32\cnqydbec.ini
    C:\WINDOWS\system32\cxtrscsd.ini
    C:\WINDOWS\system32\dkqcppln.dll
    C:\WINDOWS\system32\doahjfya.ini
    C:\WINDOWS\system32\dowqkpls.ini
    C:\WINDOWS\system32\dpewlups.ini
    C:\WINDOWS\system32\dpflndpk.ini
    C:\WINDOWS\system32\dywturfn.ini
    C:\WINDOWS\system32\elvivqhp.ini
    C:\WINDOWS\system32\emadyfbc.ini
    C:\WINDOWS\system32\epghferk.ini
    C:\WINDOWS\system32\ereduthh.ini
    C:\WINDOWS\system32\esgppfds.dll
    C:\WINDOWS\system32\etioxalc.dll
    C:\WINDOWS\system32\ewpidxat.ini
    C:\WINDOWS\system32\fbkvcgvf.ini
    C:\WINDOWS\system32\flabdaaj.ini
    C:\WINDOWS\system32\fralpsgg.ini
    C:\WINDOWS\system32\fycyigtq.ini
    C:\WINDOWS\system32\gbxfidco.ini
    C:\WINDOWS\system32\gfjouddx.ini
    C:\WINDOWS\system32\ggqrlbjv.ini
    C:\WINDOWS\system32\gkmibnmo.dll
    C:\WINDOWS\system32\glroexvq.ini
    C:\WINDOWS\system32\gmfmvycl.dll
    C:\WINDOWS\system32\grsmqwoh.ini
    C:\WINDOWS\system32\gwrhiuay.ini
    C:\WINDOWS\system32\h1
    C:\WINDOWS\system32\hcxkgayr.ini
    C:\WINDOWS\system32\hmhavjeu.ini
    C:\WINDOWS\system32\hnpqvglo.ini
    C:\WINDOWS\system32\hnxayina.ini
    C:\WINDOWS\system32\hrempnig.ini
    C:\WINDOWS\system32\htondmtl.ini
    C:\WINDOWS\system32\hwbielsv.ini
    C:\WINDOWS\system32\hwclvitg.ini
    C:\WINDOWS\system32\idrupktb.ini
    C:\WINDOWS\system32\ijieuaja.ini
    C:\WINDOWS\system32\imas3r
    C:\WINDOWS\system32\iyenkhkq.dll
    C:\WINDOWS\system32\jidlwqci.ini
    C:\WINDOWS\system32\jwpsniou.ini
    C:\WINDOWS\system32\kilidovy.ini
    C:\WINDOWS\system32\kkinlgvp.ini
    C:\WINDOWS\system32\knkeettr.ini
    C:\WINDOWS\system32\kqxkcmoc.dll
    C:\WINDOWS\system32\ktpdpcvn.dll
    C:\WINDOWS\system32\kycxijjt.dll
    C:\WINDOWS\system32\kygfyktr.ini
    C:\WINDOWS\system32\lanwqjis.ini
    C:\WINDOWS\system32\lbwhohxb.dll
    C:\WINDOWS\system32\lelhugjg.ini
    C:\WINDOWS\system32\lkdudnbi.ini
    C:\WINDOWS\system32\lkkfdjhf.dll
    C:\WINDOWS\system32\llstvgte.ini
    C:\WINDOWS\system32\lmjcdhue.ini
    C:\WINDOWS\system32\lunwvhoq.ini
    C:\WINDOWS\system32\lwfxfsbl.ini
    C:\WINDOWS\system32\lyvpulcs.ini
    C:\WINDOWS\system32\maqgqklw.ini
    C:\WINDOWS\system32\mbsrsavk.ini
    C:\WINDOWS\system32\mfxikthx.ini
    C:\WINDOWS\system32\mgtwtxgu.ini
    C:\WINDOWS\system32\mlfngodw.ini
    C:\WINDOWS\system32\mmmdrwkg.dll
    C:\WINDOWS\system32\mncifllk.ini
    C:\WINDOWS\system32\mqskuwqq.dll
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\mumymlnr.ini
    C:\WINDOWS\system32\mwmgfetf.ini
    C:\WINDOWS\system32\nbxobhwq.dll
    C:\WINDOWS\system32\nirfvmfe.dll
    C:\WINDOWS\system32\njlxslwp.ini
    C:\WINDOWS\system32\nmbofthj.ini
    C:\WINDOWS\system32\nmlgbllm.ini
    C:\WINDOWS\system32\nnunjhlm.ini
    C:\WINDOWS\system32\nrahcbnk.ini
    C:\WINDOWS\system32\nvauecaj.ini
    C:\WINDOWS\system32\nyamvhpd.ini
    C:\WINDOWS\system32\oirntvhy.ini
    C:\WINDOWS\system32\okowvptb.ini
    C:\WINDOWS\system32\oqtss.bak2
    C:\WINDOWS\system32\oqtss.ini2
    C:\WINDOWS\system32\oqtss.tmp
    C:\WINDOWS\system32\osshtbhx.ini
    C:\WINDOWS\system32\owhjowjq.ini
    C:\WINDOWS\system32\oyknrhok.ini
    C:\WINDOWS\system32\p1
    C:\WINDOWS\system32\pajlkxnb.ini
    C:\WINDOWS\system32\phgonooc.ini
    C:\WINDOWS\system32\pittsmhs.ini
    C:\WINDOWS\system32\pncqcree.dll
    C:\WINDOWS\system32\pofvpoxi.ini
    C:\WINDOWS\system32\ptdatyti.ini
    C:\WINDOWS\system32\pxuleids.ini
    C:\WINDOWS\system32\q21
    C:\WINDOWS\system32\qdqkiqyl.ini
    C:\WINDOWS\system32\qgffdiqr.ini
    C:\WINDOWS\system32\qglxomop.ini
    C:\WINDOWS\system32\qhbksemj.dll
    C:\WINDOWS\system32\qirtnigr.ini
    C:\WINDOWS\system32\qluxuhpq.dll
    C:\WINDOWS\system32\qndfmjyg.ini
    C:\WINDOWS\system32\qnwkbupp.ini
    C:\WINDOWS\system32\qqlmxdsx.ini
    C:\WINDOWS\system32\qrbdltto.ini
    C:\WINDOWS\system32\qxfcllxe.ini
    C:\WINDOWS\system32\rtstv.bak1
    C:\WINDOWS\system32\rtstv.bak2
    C:\WINDOWS\system32\rtstv.tmp
    C:\WINDOWS\system32\sdarueew.ini
    C:\WINDOWS\system32\sflagifn.ini
    C:\WINDOWS\system32\sftphosc.ini
    C:\WINDOWS\system32\shumqjem.ini
    C:\WINDOWS\system32\thddjbqh.ini
    C:\WINDOWS\system32\ttkqutfb.ini
    C:\WINDOWS\system32\tydjbmem.dll
    C:\WINDOWS\system32\ueespeyk.dll
    C:\WINDOWS\system32\uidxvcip.ini
    C:\WINDOWS\system32\uirhedwr.dll
    C:\WINDOWS\system32\ujhankre.ini
    C:\WINDOWS\system32\uppbbhbv.ini
    C:\WINDOWS\system32\utgdoasc.dll
    C:\WINDOWS\system32\utrjyspb.ini
    C:\WINDOWS\system32\vfhcjcfc.ini
    C:\WINDOWS\system32\viauoyvr.ini
    C:\WINDOWS\system32\vjmtktaj.ini
    C:\WINDOWS\system32\vkrghpur.ini
    C:\WINDOWS\system32\vMW02a
    C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
    C:\WINDOWS\system32\vodiicvh.ini
    C:\WINDOWS\system32\vwdeeyct.ini
    C:\WINDOWS\system32\vxbjmsmw.ini
    C:\WINDOWS\system32\wawuhpko.dll
    C:\WINDOWS\system32\wbaxjbaq.ini
    C:\WINDOWS\system32\wbvhcpch.dll
    C:\WINDOWS\system32\wkjbnkmo.ini
    C:\WINDOWS\system32\wlatyeua.ini
    C:\WINDOWS\system32\wqswjsvo.ini
    C:\WINDOWS\system32\wtlepabs.ini
    C:\WINDOWS\system32\wtvtakdf.dll
    C:\WINDOWS\system32\wybymbaq.dll
    C:\WINDOWS\system32\xeuaaiwq.ini
    C:\WINDOWS\system32\xgaeyoyc.dll
    C:\WINDOWS\system32\xhsnegxc.ini
    C:\WINDOWS\system32\xnjlbdfi.dll
    C:\WINDOWS\system32\xurapddi.ini
    C:\WINDOWS\system32\yktambyu.ini
    C:\WINDOWS\system32\yneaxidl.ini
    C:\WINDOWS\system32\yqvmtfsb.dll
    C:\WINDOWS\system32\yslopiol.dll
    C:\WINDOWS\system32\yuojwqnu.ini
    C:\WINDOWS\system32\yxghkcfi.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
    .

    2008-09-15 22:23 . 2004-05-04 06:19 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser18\WINDOWS
    2008-09-15 22:23 . 2004-05-04 06:19 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser18\Application Data\Symantec
    2008-09-15 22:23 . 2008-09-15 22:23 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser18
    2008-09-14 23:10 . 2008-09-14 23:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-14 23:10 . 2008-09-14 23:10 <DIR> d-------- C:\Documents and Settings\ed barnette\Application Data\Malwarebytes
    2008-09-14 23:10 . 2008-09-14 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-14 23:10 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-14 23:10 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-14 22:25 . 2008-09-14 22:25 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-05 15:36 . 2008-09-05 15:36 <DIR> d-------- C:\Program Files\AWS
    2008-09-05 15:36 . 2008-09-05 15:36 <DIR> d-------- C:\Documents and Settings\ed barnette\Application Data\WeatherBug
    2008-09-05 15:35 . 2008-09-05 15:35 <DIR> d-------- C:\Program Files\AskSBar
    2008-09-05 13:12 . 2008-09-05 14:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-03 12:53 . 2008-09-03 12:53 <DIR> d-------- C:\Program Files\Coupons
    2008-09-03 12:53 . 2008-09-03 12:53 197,976 -ra------ C:\WINDOWS\system32\cpnprt2.cid
    2008-08-31 14:33 . 2008-08-31 14:33 <DIR> d-------- C:\Program Files\LimeWire
    2008-08-31 14:33 . 2008-09-16 23:37 <DIR> d-------- C:\Documents and Settings\ed barnette\Application Data\LimeWire
    2008-08-18 00:19 . 2008-08-18 00:19 <DIR> d-------- C:\Program Files\Microsoft Silverlight

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-17 03:37 --------- d-----w C:\Documents and Settings\ed barnette\Application Data\AdobeUM
    2008-09-17 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\PGSoft
    2008-09-12 04:39 --------- d-----w C:\Program Files\palmOne
    2008-08-14 04:52 --------- d-----w C:\Documents and Settings\ed barnette\Application Data\Apple Computer
    2008-08-14 04:51 --------- d-----w C:\Program Files\iTunes
    2008-08-14 04:51 --------- d-----w C:\Program Files\iPod
    2008-08-14 04:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-08-14 04:48 --------- d-----w C:\Program Files\Bonjour
    2008-08-14 04:46 --------- d-----w C:\Program Files\QuickTime
    2008-08-14 04:41 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-14 04:39 --------- d-----w C:\Program Files\Common Files\Apple
    2008-08-14 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-08-13 18:50 --------- d-----w C:\Documents and Settings\ed barnette\Application Data\Arcsoft
    2008-07-31 04:29 --------- d-----w C:\Program Files\Realtime Landscaping Architect
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-18 18:34 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 22:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2005-12-17 13:38 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 57,344 2005-06-07 04:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

    ----a-w 563,984 2007-07-25 20:02:54 C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe

    ----a-w 180,269 2005-12-18 20:02:17 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

    ----a-w 135,168 2004-03-12 05:18:54 C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe

    ----a-w 49,152 2005-06-01 16:35:55 C:\Program Files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe

    ----a-w 49,152 2005-05-12 03:12:54 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe

    ----a-w 67,128 2007-07-25 18:15:05 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe

    ----a-w 2,027,792 2007-07-25 20:06:30 C:\Program Files\Logitech\QuickCam\bak\Quickcam.exe

    ----a-w 101,064 2005-11-06 03:25:42 C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe
    ----a-w 101,064 2005-11-06 02:25:42 C:\Program Files\Microsoft Location Finder\LocationFinder.exe

    ----a-w 282,624 2007-02-16 14:54:04 C:\Program Files\QuickTime\bak\qttask.exe
    ----a-w 413,696 2008-05-27 14:50:30 C:\Program Files\QuickTime\QTTask.exe

    ----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe

    -c--a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

    ----a-w 188,416 2002-11-27 11:29:22 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" [N/A]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-11-05 101064]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240]
    "HotSync"="C:\Program Files\PalmSource\Desktop\HotSync.exe" [N/A]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "RegistryMechanic"="" [N/A]
    "VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 C:\WINDOWS\system32\ico.exe]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-17 C:\WINDOWS\soundman.exe]
    "bikini"="bikini.exe" [N/A]

    C:\Documents and Settings\ed barnette\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-08-21 147456]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-05-01 1742384]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2008-01-03 1392640]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
    "C:\WINDOWS\system32\rnadlosd.exe"= C:\WINDOWS\system32\rna
    "C:\WINDOWS\system32\mcqctpjf.exe"= C:\WINDOWS\system32\mcq
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=

    R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 13696]
    R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 43816]
    R2 fsssvc;Windows Live OneCare Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 523816]
    R2 QuickBooksDB18;QuickBooksDB18;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 128536]
    R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 36224]
    R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16384]
    R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2004-05-21 10240]
    S3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2002-03-12 899884]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{5979FD29-B2E2-4D54-B7FE-BDC75B99F0A2} - C:\WINDOWS\system32\sstqo.dll
    BHO-{CDB08595-2CA3-40E4-6CAC-C7D41A9AAE62} - C:\Program Files\Windows Media Player\labunufix439.dll
    BHO-{E2D02A47-A9FF-4B73-B96B-095606E3BA06} - C:\Program Files\WindowsUpdate\hopeted4444.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\ed barnette\Application Data\Mozilla\Firefox\Profiles\ujrb4jlf.default\
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-16 12:01:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-09-16 12:17:10
    ComboFix-quarantined-files.txt 2008-09-16 16:16:03

    Pre-Run: 13,838,897,152 bytes free
    Post-Run: 13,961,355,264 bytes free

    337 --- E O F --- 2008-09-10 06:45:31
     
  8. 2008/09/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download FindAWF
    Save the file to the Desktop
    Double-click the FindAWF icon.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 1 then Enter to scan for bak folders
    The scan may take a while, please be patient.

    When done, awf.txt will open. Please post its contents here.
     
  9. 2008/09/17
    backyardliving

    backyardliving Inactive Thread Starter

    Joined:
    2008/09/14
    Messages:
    9
    Likes Received:
    0
    ok here you go


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Wed 09/17/2008
    The current time is: 16:49:58.84


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\EMACHI~1\BAK

    03/12/2004 01:18 AM 135,168 shwiconem.exe
    1 File(s) 135,168 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\MICROS~4\BAK

    11/05/2005 11:25 PM 101,064 LocationFinder.exe
    1 File(s) 101,064 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    02/16/2007 10:54 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 03:56 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

    05/11/2005 11:12 PM 49,152 HPWuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\LOGITECH\QUICKCAM\BAK

    07/25/2007 04:06 PM 2,027,792 Quickcam.exe
    1 File(s) 2,027,792 bytes

    Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

    06/08/2007 10:59 AM 224,248 SearchProtection.exe
    1 File(s) 224,248 bytes

    Directory of C:\PROGRA~1\COMMON~1\LOGISHRD\LCOMMGR\BAK

    07/25/2007 04:02 PM 563,984 Communications_Helper.exe
    1 File(s) 563,984 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    12/18/2005 04:02 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\{33D6C~1\BAK

    06/01/2005 12:35 PM 49,152 hphupd08.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

    06/07/2005 12:46 AM 57,344 apdproxy.exe
    1 File(s) 57,344 bytes

    Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

    07/25/2007 02:15 PM 67,128 LogitechDesktopMessenger.exe
    1 File(s) 67,128 bytes

    Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

    11/27/2002 07:29 AM 188,416 hpztsb07.exe
    1 File(s) 188,416 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    135168 Mar 12 2004 "C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe"
    101064 Nov 5 2005 "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
    101064 Nov 5 2005 "C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe"
    413696 May 27 2008 "C:\Program Files\QuickTime\QTTask.exe"
    282624 Feb 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    15360 Apr 13 2008 "C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe"
    49152 May 11 2005 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
    2027792 Jul 25 2007 "C:\Program Files\Logitech\QuickCam\bak\Quickcam.exe"
    224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
    563984 Jul 25 2007 "C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe"
    180269 Dec 18 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    49152 Jun 1 2005 "C:\Program Files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
    57344 Sep 9 2005 "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
    57344 Jun 7 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
    67128 Jul 25 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
    188416 Nov 27 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe"


    end of report
     
  10. 2008/09/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You had an AWF infection that replaced legitimate files on your system with rogue copies and placed the originals in a different location. Let's get them restored.

    Highlight and copy the list of files to be restored from the code box below, all quotes included.

    Code:
    
     "C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe"
     "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
     "C:\Program Files\Logitech\QuickCam\bak\Quickcam.exe"
     "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
     "C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe"
     "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
     "C:\Program Files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
     "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
     "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
     "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
     "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe"
    
    

    Double-click the FindAWF icon once again.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 2 then Enter to restore files from bak folders

    A text file will open called: files.txt
    Click below the line, then right-click and paste the list of files to be restored.

    Next, close files.txt and click Yes to save the changes.

    Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log. Please post the contents of the new awf.txt log here.
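What FindAWF's two options are doing under the hood, as an added example for this thread (this is not FindAWF's own code and does not reproduce its report format): the script below walks a directory tree, pairs every file found in a folder named `bak` with the same-named file one level up, and classifies the pair by SHA-256 rather than by the size-and-date columns shown in the awf.txt reports above, because a dropped rogue copy can be exactly as large as the original it displaced. It then restores the `rogue` cases the way option 2 does (delete the file in the parent folder, copy the original back, re-check). The sample tree is constructed in a temp directory with made-up file contents; the file names are borrowed from the reports above purely for illustration, and the three states it covers are the ones those reports show: rogue in place, original already back in the parent folder, and only the `bak` copy surviving.

```python
"""Find AWF-style 'bak' folders and compare each displaced original with the
file that now sits one folder up.

Added example for this thread, not FindAWF's own code and not its report
format. All paths and file contents are constructed in a temp directory so
the script runs offline on any OS; the file names are borrowed from the
reports above purely for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_bak_folders(root: Path) -> List[Dict]:
    """Walk `root`, find every directory named 'bak' (case-insensitive, since
    the 8.3 listing shows it as BAK) and classify each file in it against the
    same-named file in the parent folder.

    status:
      'rogue'    parent file present but hashes differently from the bak copy
                 (the AWF pattern: dropped file in place, original in bak)
      'restored' parent file present and byte-identical to the bak copy
      'missing'  no parent file at all; only the bak copy survives
    """
    findings: List[Dict] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in filenames:
            bak_file = bak_dir / name
            parent_file = bak_dir.parent / name
            entry = {"bak": bak_file, "parent": parent_file,
                     "bak_size": bak_file.stat().st_size}
            if not parent_file.exists():
                entry["status"] = "missing"
            else:
                entry["parent_size"] = parent_file.stat().st_size
                same = sha256_of(parent_file) == sha256_of(bak_file)
                entry["status"] = "restored" if same else "rogue"
            findings.append(entry)
    return findings


def restore_from_bak(finding: Dict) -> bool:
    """Delete the rogue file in the parent folder and copy the bak original
    back, then verify by hash. Returns True when the parent now matches the
    bak copy. Unlike FindAWF this does not terminate a running process first,
    so on a live system the copy would fail for an executable that is loaded.
    """
    parent, bak = finding["parent"], finding["bak"]
    if parent.exists():
        parent.unlink()
    shutil.copy2(bak, parent)
    return sha256_of(parent) == sha256_of(bak)


def build_demo_tree() -> Path:
    """Constructed sample tree covering the three states seen in the reports."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    # 1) rogue in place, original in bak: same size, different bytes, so a
    #    size-and-date listing alone would not tell them apart
    hp = root / "Hewlett-Packard" / "HP Software Update"
    (hp / "bak").mkdir(parents=True)
    (hp / "bak" / "HPWuSchd2.exe").write_bytes(b"ORIGINAL-HP-UPDATER" * 100)
    (hp / "HPWuSchd2.exe").write_bytes(b"ROGUE-DROPPER-BLOB!" * 100)
    # 2) parent file already identical to the bak copy (nothing to restore)
    lf = root / "Microsoft Location Finder"
    (lf / "bak").mkdir(parents=True)
    (lf / "bak" / "LocationFinder.exe").write_bytes(b"ORIGINAL-LOCFINDER" * 50)
    (lf / "LocationFinder.exe").write_bytes(b"ORIGINAL-LOCFINDER" * 50)
    # 3) only the bak copy survives, nothing in the parent folder
    em = root / "eMachines Bay Reader"
    (em / "bak").mkdir(parents=True)
    (em / "bak" / "shwiconem.exe").write_bytes(b"ORIGINAL-SHWICONEM" * 20)
    return root


def main() -> None:
    root = build_demo_tree()
    try:
        for f in scan_bak_folders(root):
            print(f"{f['status']:9s} {f['parent'].relative_to(root)}")
            if f["status"] == "rogue":
                print("  restore ok" if restore_from_bak(f) else "  restore FAILED")
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    main()
```

Two caveats a practitioner would add. First, a `missing` result is exactly the situation where an automated restore has nothing to delete and a manual copy from `bak` to the parent folder is the fallback. Second, a matching hash only proves the parent file is now identical to the `bak` copy; it does not prove the `bak` copy itself is clean, so compare it against a known-good install or the vendor's signed binary before trusting it.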
     
  11. 2008/09/18
    backyardliving

    backyardliving Inactive Thread Starter

    Joined:
    2008/09/14
    Messages:
    9
    Likes Received:
    0
    Wow man, I really appreciate your help. I want to do this on my grandmother's laptop as well. Here's the log:


    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Fri 09/19/2008
    The current time is: 0:33:02.03


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\EMACHI~1\BAK

    03/12/2004 01:18 AM 135,168 shwiconem.exe
    1 File(s) 135,168 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\MICROS~4\BAK

    11/05/2005 11:25 PM 101,064 LocationFinder.exe
    1 File(s) 101,064 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    02/16/2007 10:54 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 03:56 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

    05/11/2005 11:12 PM 49,152 HPWuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\LOGITECH\QUICKCAM\BAK

    07/25/2007 04:06 PM 2,027,792 Quickcam.exe
    1 File(s) 2,027,792 bytes

    Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

    06/08/2007 10:59 AM 224,248 SearchProtection.exe
    1 File(s) 224,248 bytes

    Directory of C:\PROGRA~1\COMMON~1\LOGISHRD\LCOMMGR\BAK

    07/25/2007 04:02 PM 563,984 Communications_Helper.exe
    1 File(s) 563,984 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    12/18/2005 04:02 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\{33D6C~1\BAK

    06/01/2005 12:35 PM 49,152 hphupd08.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

    06/07/2005 12:46 AM 57,344 apdproxy.exe
    1 File(s) 57,344 bytes

    Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

    07/25/2007 02:15 PM 67,128 LogitechDesktopMessenger.exe
    1 File(s) 67,128 bytes

    Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

    11/27/2002 07:29 AM 188,416 hpztsb07.exe
    1 File(s) 188,416 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    135168 Mar 12 2004 "C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe"
    101064 Nov 5 2005 "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
    101064 Nov 5 2005 "C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe"
    413696 May 27 2008 "C:\Program Files\QuickTime\QTTask.exe"
    282624 Feb 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    15360 Apr 13 2008 "C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe"
    49152 May 11 2005 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    49152 May 11 2005 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
    2027792 Jul 25 2007 "C:\Program Files\Logitech\QuickCam\Quickcam.exe"
    2027792 Jul 25 2007 "C:\Program Files\Logitech\QuickCam\bak\Quickcam.exe"
    224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
    563984 Jul 25 2007 "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    563984 Jul 25 2007 "C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe"
    180269 Dec 18 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Dec 18 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    49152 Jun 1 2005 "C:\Program Files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
    49152 Jun 1 2005 "C:\Program Files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
    57344 Sep 9 2005 "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
    57344 Jun 7 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    57344 Jun 7 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
    67128 Jul 25 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
    67128 Jul 25 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
    188416 Nov 27 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe"
    188416 Nov 27 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe"


    end of report
     
  12. 2008/09/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Navigate to C:\Program Files\eMachines Bay Reader\bak, right click shwiconem.exe and select Copy.
    Now go back 1 folder, to C:\Program Files\eMachines Bay Reader, right click a blank space and select Paste.

    Once that's done, do the following.

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Highlight and copy the following bolded list of folders to be removed from the code box below.


    Code:
    
    C:\PROGRA~1\EMACHI~1\BAK
    C:\PROGRA~1\MESSEN~1\BAK
    C:\PROGRA~1\MICROS~4\BAK
    C:\PROGRA~1\QUICKT~1\BAK
    C:\WINDOWS\SYSTEM32\BAK
    C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK
    C:\PROGRA~1\LOGITECH\QUICKCAM\BAK
    C:\PROGRA~1\YAHOO!\SEARCH~1\BAK
    C:\PROGRA~1\COMMON~1\LOGISHRD\LCOMMGR\BAK
    C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
    C:\PROGRA~1\HEWLET~1\DIGITA~1\{33D6C~1\BAK
    C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK
    C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
    
    Click below the line of folders.txt and paste the list.
    Close folders.txt and click Yes to save the changes.

    Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new log. Please post the contents of the new awf.txt log here.
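The check behind the two steps above (restore the missing original first, then let FindAWF remove the bak folders) can be done up front, as an added example that is not part of this thread or of the FindAWF tool: for every folder named "bak", compare each backed-up file with the file of the same name in the parent folder by SHA-256, which is stronger than the size/date match shown in the awf.txt report. It assumes Windows PowerShell 4 or later (for Get-FileHash); the search roots are assumptions chosen to match the paths in the report, and the status labels are made up for this illustration.

```powershell
# Added example, not part of the thread or of FindAWF: hash-compare bak-folder contents
# against the originals in the parent folder before the bak folders are removed.
# Assumes Windows PowerShell 4+ (Get-FileHash). Search roots are assumptions.

function Compare-BakFolders {
    param(
        [string[]]$SearchRoots = @($env:ProgramFiles, (Join-Path $env:SystemRoot 'system32'))
    )

    foreach ($root in $SearchRoots) {
        # Every directory literally named "bak" beneath the root (folder names are case-insensitive)
        $bakDirs = Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -ieq 'bak' }

        foreach ($bak in $bakDirs) {
            $parent = $bak.Parent.FullName
            foreach ($file in Get-ChildItem -LiteralPath $bak.FullName -File) {
                $live     = Join-Path $parent $file.Name
                $bakHash  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                $liveHash = $null
                $liveSize = $null

                if (Test-Path -LiteralPath $live -PathType Leaf) {
                    $liveSize = (Get-Item -LiteralPath $live).Length
                    $liveHash = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash
                    # Equal size and date in the report do not prove equal bytes; the hash does
                    $status = if ($liveHash -eq $bakHash) { 'IDENTICAL' } else { 'DIFFERS' }
                } else {
                    # The shwiconem.exe case in the report: the backup exists but the original is gone
                    $status = 'MISSING-IN-PARENT'
                }

                [pscustomobject]@{
                    Status   = $status
                    BakFile  = $file.FullName
                    LiveFile = $live
                    BakSize  = $file.Length
                    LiveSize = $liveSize
                    BakHash  = $bakHash
                    LiveHash = $liveHash
                }
            }
        }
    }
}

# Usage: list findings, most urgent first (missing originals, then mismatches, then identical copies)
Compare-BakFolders |
    Sort-Object @{ Expression = { switch ($_.Status) { 'MISSING-IN-PARENT' { 0 } 'DIFFERS' { 1 } default { 2 } } } } |
    Format-Table Status, BakFile, BakSize, LiveSize -AutoSize
```

A MISSING-IN-PARENT row is the one to act on before option 3 runs, since removing the bak folder would discard the only copy; a DIFFERS row (such as the two qttask.exe versions in the report) is worth a look at version information before deciding which copy to keep.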
     
  13. 2008/09/19
    backyardliving

    backyardliving Inactive Thread Starter

    Joined:
    2008/09/14
    Messages:
    9
    Likes Received:
    0
    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Fri 09/19/2008
    The current time is: 1:20:34.17


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
     
  14. 2008/09/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.

    The AWF infection generally adds entries to the registry that can give trusted permissions to many bad domains. Let's make sure we remove those.

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 4 then Enter to reset domain zones
    then press 1 to continue at the next screen.
    This removes all entries from the domain zones.
    At the next screen, press 1 to return to the main screen or E to exit. Press E then Enter to EXIT.

    Now, please reboot the computer.

    • Once again, please disable any realtime protection applications.
    • Double click combofix.exe and follow the prompts.
    • **NOTE - Allow ComboFix to update if prompted.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
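The registry entries that FindAWF's option 4 resets live in Internet Explorer's zone map. As an added example that is not from this thread or from FindAWF, the script below is a read-only audit of that key for the current user and the machine: it lists every host that has been assigned to a security zone and flags those placed in the Trusted sites zone, so you can see what the reset is about to remove. It assumes Windows PowerShell 3 or later; the zone numbers follow the ZoneMap layout (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites).

```powershell
# Added example, not from the thread or from FindAWF: read-only audit of the IE zone map
# (HKCU and HKLM ...\Internet Settings\ZoneMap\Domains). Assumes Windows PowerShell 3+.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)

    $domainsKey = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path -LiteralPath $domainsKey)) { return }

    # Each domain is a subkey; subdomains nest beneath it (Domains\example.com\www), and
    # each key holds one DWORD per scheme ('http', 'https' or '*') whose data is the zone number.
    foreach ($key in Get-ChildItem -LiteralPath $domainsKey -Recurse) {
        $marker = '\ZoneMap\Domains\'
        $start  = $key.Name.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase) + $marker.Length
        $labels = $key.Name.Substring($start) -split '\\'
        [array]::Reverse($labels)      # key path lists the outermost label first; the host name is the reverse
        $hostname = $labels -join '.'

        foreach ($scheme in $key.GetValueNames()) {
            $zone     = [int]$key.GetValue($scheme)
            $zoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
            [pscustomobject]@{
                Hive     = $Hive
                Host     = $hostname
                Scheme   = $scheme
                Zone     = $zone
                ZoneName = $zoneName
            }
        }
    }
}

$entries = @(Get-ZoneMapEntries -Hive 'HKCU') + @(Get-ZoneMapEntries -Hive 'HKLM')
$entries | Sort-Object Hive, Zone, Host | Format-Table -AutoSize

# Trusted sites entries are normally ones the user added on purpose, so unfamiliar hosts deserve a look
$trusted = @($entries | Where-Object { $_.Zone -eq 2 })
if ($trusted.Count -gt 0) {
    Write-Warning ("{0} host entries are in the Trusted sites zone" -f $trusted.Count)
    $trusted | Format-Table Hive, Host, Scheme -AutoSize
}
```

Run it before and after the FindAWF reset: the first run records what was there, and an empty list afterwards confirms the zone map was cleared as the post describes.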
     
