I am trying to help my DH that has no time to fix this So I have followed the directions and here, I am Thank you so much for all your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:01 PM, on 6/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\200828222021_mcinfo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {09C6DF40-F20F-4C55-B6DE-8D94D878962E} - C:\WINDOWS\system32\rqRIcyXQ.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: (no name) - {60E7261A-8154-41EA-9112-D6885B093E93} - C:\WINDOWS\system32\nnnkLCtr.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {8A992B37-EDF8-4198-93CB-1F65203AF5F5} - C:\WINDOWS\system32\byXPICVp.dll (file missing)
O2 - BHO: (no name) - {A0D8F141-8D80-4BB1-84D2-FB334BAB4428} - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EQMRP8AL\3077ahntdksr[1].dll (file missing)
O2 - BHO: (no name) - {C7F22C60-8FB9-4943-9EE0-754BCC59B5B4} - C:\WINDOWS\system32\urqPhigE.dll (file missing)
O2 - BHO: (no name) - {E707216F-6AFF-4BD4-962D-EC5CDBA812A1} - C:\WINDOWS\system32\cbXRJYrS.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200828222021_mcinfo.exe /insfin
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BMebe8dbff] Rundll32.exe "C:\WINDOWS\system32\wnvxlmui.dll",s
O4 - HKLM\..\Run: [e8dbe863] rundll32.exe "C:\WINDOWS\system32\qlklqqfh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mnumsgsf] C:\Program Files\MyShoppingGenie\mnumsgsf.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203723070437
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: cbXRJYrS - C:\WINDOWS\SYSTEM32\cbXRJYrS.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12234 bytes

Hello pooh0200

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Your infected with the Vundo Trojan and a few other parasites.


Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.





Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up


Post the Malwarebytes log and a New HJT log please

Malwarebytes' Anti-Malware 1.17
Database version: 865

9:13:01 PM 6/17/2008
mbam-log-6-17-2008 (21-13-01).txt

Scan type: Quick Scan
Objects scanned: 49092
Time elapsed: 10 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cbXRJYrS.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUmkjHB.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3fb19a93-4c5a-41c8-939f-a68262a2e7ef} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3fb19a93-4c5a-41c8-939f-a68262a2e7ef} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e707216f-6aff-4bd4-962d-ec5cdba812a1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e707216f-6aff-4bd4-962d-ec5cdba812a1} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxrjyrs (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e8dbe863 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMebe8dbff (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e707216f-6aff-4bd4-962d-ec5cdba812a1} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wvUljGAt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tAGjlUvw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tAGjlUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccyyArO.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJyxXro.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\madftjqb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\grsmsxir.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\cbXRJYrS.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yayxxwwt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUmkjHB.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:00 PM, on 6/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\200828222021_mcinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {09C6DF40-F20F-4C55-B6DE-8D94D878962E} - C:\WINDOWS\system32\rqRIcyXQ.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57D86803-1003-4673-89C2-FEF6AB40109E} - C:\WINDOWS\system32\wvUmkjHB.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: (no name) - {60E7261A-8154-41EA-9112-D6885B093E93} - C:\WINDOWS\system32\nnnkLCtr.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {8A992B37-EDF8-4198-93CB-1F65203AF5F5} - C:\WINDOWS\system32\byXPICVp.dll (file missing)
O2 - BHO: {b5d9704c-526c-f01a-1754-c636bffd21e8} - {8e12dffb-636c-4571-a10f-c625c4079d5b} - C:\WINDOWS\system32\bqfvmeng.dll
O2 - BHO: (no name) - {A0D8F141-8D80-4BB1-84D2-FB334BAB4428} - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EQMRP8AL\3077ahntdksr[1].dll (file missing)
O2 - BHO: (no name) - {C7F22C60-8FB9-4943-9EE0-754BCC59B5B4} - C:\WINDOWS\system32\urqPhigE.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200828222021_mcinfo.exe /insfin
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mnumsgsf] C:\Program Files\MyShoppingGenie\mnumsgsf.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203723070437
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12064 bytes

Good Morning,

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {09C6DF40-F20F-4C55-B6DE-8D94D878962E} - C:\WINDOWS\system32\rqRIcyXQ.dll (file missing)
O2 - BHO: (no name) - {57D86803-1003-4673-89C2-FEF6AB40109E} - C:\WINDOWS\system32\wvUmkjHB.dll (file missing)
O2 - BHO: (no name) - {60E7261A-8154-41EA-9112-D6885B093E93} - C:\WINDOWS\system32\nnnkLCtr.dll (file missing)
O2 - BHO: (no name) - {8A992B37-EDF8-4198-93CB-1F65203AF5F5} - C:\WINDOWS\system32\byXPICVp.dll (file missing)
O2 - BHO: {b5d9704c-526c-f01a-1754-c636bffd21e8} - {8e12dffb-636c-4571-a10f-c625c4079d5b} - C:\WINDOWS\system32\bqfvmeng.dll
O2 - BHO: (no name) - {A0D8F141-8D80-4BB1-84D2-FB334BAB4428} - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EQMRP8AL\3077ahntdksr[1].dll (file missing)
O2 - BHO: (no name) - {C7F22C60-8FB9-4943-9EE0-754BCC59B5B4} - C:\WINDOWS\system32\urqPhigE.dll (file missing)




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thank you so much for all your help.

ComboFix 08-06-16.5 - Owner 2008-06-18 5:12:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.445 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix2.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMebe8dbff.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BHjkmUvw.ini
C:\WINDOWS\system32\BHjkmUvw.ini2
C:\WINDOWS\system32\bqjtfdam.ini
C:\WINDOWS\system32\cbcicpqu.ini
C:\WINDOWS\system32\citedmao.ini
C:\WINDOWS\system32\EgihPqru.ini
C:\WINDOWS\system32\EgihPqru.ini2
C:\WINDOWS\system32\fcpxjjjo.ini
C:\WINDOWS\system32\gqovlegy.dll
C:\WINDOWS\system32\hfqqlklq.ini
C:\WINDOWS\system32\hfqqlklq.ini2
C:\WINDOWS\system32\hfqqlklq.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgyyggkh.ini
C:\WINDOWS\system32\pVCIPXyb.ini
C:\WINDOWS\system32\pVCIPXyb.ini2
C:\WINDOWS\system32\QXycIRqr.ini
C:\WINDOWS\system32\QXycIRqr.ini2
C:\WINDOWS\system32\rtCLknnn.ini
C:\WINDOWS\system32\rtCLknnn.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 20:55 . 2008-06-17 20:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-17 20:51 . 2008-06-17 20:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 20:51 . 2008-06-17 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 20:51 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 20:51 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 20:48 . 2008-06-17 20:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-17 12:11 . 2008-06-17 12:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 11:12 . 2008-02-08 22:26 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-17 11:12 . 2008-02-08 22:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-17 11:12 . 2008-02-08 22:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-17 11:12 . 2008-02-08 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-17 11:12 . 2008-06-17 11:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-17 09:35 . 2008-02-08 22:26 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\WINDOWS
2008-06-17 09:35 . 2008-02-08 22:52 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\You've Got Pictures Screensaver
2008-06-17 09:35 . 2008-02-08 22:51 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\SampleView
2008-06-17 09:35 . 2008-02-08 23:22 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\AOL
2008-06-17 09:35 . 2008-06-17 09:35 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC
2008-06-16 21:18 . 2008-06-17 09:35 <DIR> d-------- C:\Documents and Settings\TEMP
2008-06-15 20:19 . 2008-06-15 20:18 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-15 20:19 . 2008-06-15 20:19 2,542 --a------ C:\WINDOWS\unins000.dat
2008-06-15 20:08 . 2008-06-15 20:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-15 20:08 . 2008-06-15 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 09:24 . 2008-06-14 12:54 <DIR> d-------- C:\Program Files\LeeGTs Games
2008-06-13 14:55 . 2008-06-14 15:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-06-13 14:51 . 2008-06-14 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-13 14:24 . 2008-06-13 14:24 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-10 21:18 . 2008-04-14 06:30 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 21:18 . 2008-05-08 08:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-06 09:16 . 2008-06-06 09:16 <DIR> d-------- C:\Program Files\PopCap Games
2008-06-06 09:16 . 2008-06-08 13:42 16 --a------ C:\WINDOWS\popcinfot.dat
2008-06-06 09:16 . 2008-06-06 09:16 0 --a------ C:\WINDOWS\popcreg.dat
2008-06-04 09:47 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-05-29 22:17 . 2008-05-29 22:17 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-27 20:22 . 2008-05-27 20:22 0 --a------ C:\WINDOWS\QuickInstall.INI
2008-05-27 20:19 . 2008-05-27 20:20 <DIR> d-------- C:\Program Files\palmOne
2008-05-25 17:46 . 2008-05-25 17:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-25 16:19 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-25 16:11 . 2008-05-25 16:11 <DIR> d-------- C:\WINDOWS\EHome
2008-05-25 14:13 . 2008-04-13 18:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-05-25 14:12 . 2008-04-13 18:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\WINDOWS\MyShoppingGenie
2008-05-22 17:48 . 2008-05-25 16:34 <DIR> d-------- C:\Program Files\MyShoppingGenie
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\My Shopping Genie
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MnuMsgDat
2008-05-21 06:53 . 2006-10-06 09:35 90,112 --a------ C:\WINDOWS\system32\lfjbg13n.dll
2008-05-21 06:52 . 2006-10-06 09:35 246,272 --a------ C:\WINDOWS\system32\lfj2k13n.dll
2008-05-21 06:52 . 2006-10-18 14:52 189,976 --a------ C:\WINDOWS\system32\mfimgvwr.ocx
2008-05-21 06:51 . 2008-05-21 06:52 <DIR> d-------- C:\Program Files\MFInstall
2008-05-18 15:15 . 2008-05-18 15:15 <DIR> d-------- C:\temp_ps
2008-05-18 15:15 . 2008-05-18 20:57 <DIR> d-------- C:\Program Files\OrCAD_Demo
2008-05-18 15:15 . 1997-07-11 00:00 1,037,312 --a------ C:\WINDOWS\system32\msjet35.dll
2008-05-18 15:15 . 1996-11-08 03:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-05-18 15:15 . 1997-07-11 00:00 251,664 --a------ C:\WINDOWS\system32\msrd2x35.dll
2008-05-18 15:15 . 1997-07-11 00:00 121,104 --a------ C:\WINDOWS\system32\msjint35.dll
2008-05-18 15:15 . 1997-07-11 00:00 24,336 --a------ C:\WINDOWS\system32\msjter35.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 11:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-17 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-16 15:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-06-16 00:16 --------- d-----w C:\Program Files\Shop'NCook 3.4
2008-06-15 23:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-13 03:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-06-04 15:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-04 03:28 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-04 03:28 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-04 03:28 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-04 03:28 --------- d-----w C:\Program Files\Symantec
2008-05-30 11:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-28 03:18 --------- d-----w C:\Program Files\LimeWire
2008-05-26 02:11 --------- d-----w C:\Program Files\MSN Messenger
2008-05-25 22:53 --------- d-----w C:\Program Files\Microsoft Works
2008-05-24 22:35 --------- d-----w C:\Program Files\Quicken
2008-05-24 20:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-05-21 14:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-16 22:05 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-16 22:05 --------- d-----w C:\Program Files\Common Files\Real
2008-05-08 15:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 03:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-05-07 03:37 --------- d-----w C:\Program Files\GlobalSCAPE
2008-05-06 19:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-04 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-04-30 00:34 433,505 ------w C:\VistaPrint_Business_Cards.zip
2008-04-29 23:59 --------- d-----w C:\Program Files\MOJOSOFT
2008-04-29 23:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\mojosoft
2008-04-29 02:12 --------- d-----w C:\Program Files\Gallery Remote
2008-04-25 22:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-04-25 22:22 --------- d-----w C:\Program Files\Canon
2008-04-25 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-04-25 22:16 --------- d-----w C:\Program Files\Common Files\Canon
2008-04-21 01:22 --------- d-----w C:\Program Files\OpenCube
2008-04-20 03:57 --------- d-----w C:\Program Files\Netflix
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
.

<pre>
------w 89,088 2002-11-30 22:16:12 C:\Storage\Hardware Support\Palm Pilot Databases\Old Palm Files\best palm games .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-08 23:46 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
"mnumsgsf"="C:\Program Files\MyShoppingGenie\mnumsgsf.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 05:01 32768]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-17 18:32 7204864]
"nwiz"="nwiz.exe" [2005-09-17 18:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-17 18:32 86016]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 550912 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 18:20 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 18:20 49152]
"WD Button Manager"="WDBtnMgr.exe" [2008-02-23 21:54 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickCare2.2"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 08:21 198184]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 06:23 200704]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-16 16:05 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--------- 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--------- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2008-05-16 16:05 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 10:32]
R2 sprtlisten;SupportSoft Listener Service;C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 13:02]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 12:47]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe [2008-01-08 13:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - Q:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 11:04:10 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 05:26:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2008-06-18 5:47:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 11:47:05

Pre-Run: 54,871,658,496 bytes free
Post-Run: 54,787,395,584 bytes free

268 --- E O F --- 2008-06-11 09:05:33



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:03 AM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200828222021_mcinfo.exe /insfin
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mnumsgsf] C:\Program Files\MyShoppingGenie\mnumsgsf.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203723070437
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10865 bytes

Hello,

I am not finding much info on My Shopping Genie, the file is missing so lets get rid of it, if its something you use you can redownload and install it.

Remove this with HJT
O4 - HKCU\..\Run: [mnumsgsf] C:\Program Files\MyShoppingGenie\mnumsgsf.exe

Games from Pop Cap Loader are not recommended



Open Notepad ( this will only work in Notepad ), go to Start> All Programs> Assessories> Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::



RenV::
C:\Storage\Hardware Support\Palm Pilot Databases\Old Palm Files\best palm games .exe

Folder::
C:\Program Files\PopCap Games
C:\Program Files\MyShoppingGenie


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks again

ComboFix 08-06-16.5 - Owner 2008-06-18 9:16:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.463 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix2.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\MyShoppingGenie
C:\Program Files\PopCap Games
C:\Program Files\PopCap Games\moregames.ico
C:\Program Files\PopCap Games\Peggle Deluxe\bass.dll
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\aah.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\applause.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\approval.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\AwardFanfareV2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\ball_add.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\bubbles.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\buckethit.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\button.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\button2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\cannonshot.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\coin_freeball_denied.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\coin_spin.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\cymbal.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\dinghi.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\explode.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\extraball.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\extraball2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\extraball3.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\extremefever2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\feverhit.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\fireballbounce.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\FireBallLoopV4.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\fireballshoot.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\FireworkPop.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\fireworks1.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\fireworks2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\flip.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\flip2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\flipperbounce.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\flipperdown.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\flipperup.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\freeball2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\gapbonus1.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\gong.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\guncock.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\Koka_morning_finaledit.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\miss.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\missile.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\MnE_Dia_n.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\MnE_Dia_neg.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\MnE_Dia_pos.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\mouseoverV1.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\multiball.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\peghit.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\peghit_low.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\peghit_plus_mega9.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\peghit_plus4b.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\pegpop.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\penalty.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_fireball3.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_flippers_4.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_flowerpower2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_guide.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_luckyspin.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_multiball.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_pyramid.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_spaceblast.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_spooky1.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_spooky2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_spooky3.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_spooky4.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\powerup_zen3.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\rainbow.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\scorecounter.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\sigh.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\timpaniroll.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\ting.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\tone.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\tonehi.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\tonelo.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\tonesuperhi.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\typing2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\ultra2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\cached\sounds\xbump_mod2.wav
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\drm.xml
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\_Arial10.png
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\_Arial10Bold.png
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\_Arial12Bold.png
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\_Arial9.png
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\_Arial9Bold.png
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\Arial10.txt
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\Arial10Bold.txt
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\Arial12Bold.txt
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\Arial9.txt
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\fonts\Arial9Bold.txt
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\help.txt
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\bbb.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_buynow.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_buynow2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_cancel.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_cancel2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_close.PNG
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_close2.PNG
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_continue.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_continue2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_finish.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_finish2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_help.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_help_main.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_help_main2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_help2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_mask.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_play.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_play2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_play3.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_privacy.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_privacy_main.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_privacy_main2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_privacy2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_register.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_register2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_retry.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_retry2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_security.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_security_main.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_security_main2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_security2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_sendreceipt.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\btn_sendreceipt2.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\buyitnowfor.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\buyitnowfor_.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\ecomm_wrapper_background.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\ecomm_wrapper_background_centered.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\icon_complete.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\icon_connected.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\icon_connecting.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\ssframe.png
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\images\textlet.png
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\privacy.txt
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\Bullets.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\ClassLink.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\Common.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\Consts.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\Default.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\DProps.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\DRMApp.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\DRMButtonWidget.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\Layout.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\LuaApp.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\LuaCommonWidgets.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\LuaWidget.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\main.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\Screen.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\scripts\TextletWidget.luc
C:\Program Files\PopCap Games\Peggle Deluxe\drm\common\security.txt
C:\Program Files\PopCap Games\Peggle Deluxe\drm\custom\drm.xml
C:\Program Files\PopCap Games\Peggle Deluxe\drm\custom\images\bullet1.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\custom\images\bullet1_.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\custom\images\bullet2.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\custom\images\bullet2_.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\custom\images\bullet3.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\custom\images\bullet3_.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\custom\images\bullet4.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\custom\images\bullet4_.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\esrb.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\game.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\game_.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\logo.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\drm\logo_.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\price.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drm\price_.gif
C:\Program Files\PopCap Games\Peggle Deluxe\drmss.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\Install.log
C:\Program Files\PopCap Games\Peggle Deluxe\Install_props.xml
C:\Program Files\PopCap Games\Peggle Deluxe\j2k-codec.dll
C:\Program Files\PopCap Games\Peggle Deluxe\license.txt
C:\Program Files\PopCap Games\Peggle Deluxe\main.pak
C:\Program Files\PopCap Games\Peggle Deluxe\music\odetojoy.ogg
C:\Program Files\PopCap Games\Peggle Deluxe\music\opening.ogg
C:\Program Files\PopCap Games\Peggle Deluxe\music\PeggleBeats.mo3
C:\Program Files\PopCap Games\Peggle Deluxe\Peggle.exe
C:\Program Files\PopCap Games\Peggle Deluxe\PopUninstall.exe
C:\Program Files\PopCap Games\Peggle Deluxe\properties\partner.xml
C:\Program Files\PopCap Games\Peggle Deluxe\properties\partner.xml.sig
C:\Program Files\PopCap Games\Peggle Deluxe\properties\partner_logo.jpg
C:\Program Files\PopCap Games\Peggle Deluxe\userdata\highscores.dat
C:\Program Files\PopCap Games\Peggle Deluxe\userdata\stat_Leslie_484954f0.dat
C:\Program Files\PopCap Games\Peggle Deluxe\userdata\user1.dat
C:\Program Files\PopCap Games\Peggle Deluxe\userdata\users.dat

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 20:55 . 2008-06-17 20:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-17 20:51 . 2008-06-17 20:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 20:51 . 2008-06-17 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 20:51 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 20:51 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 20:48 . 2008-06-17 20:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-17 12:11 . 2008-06-17 12:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 11:12 . 2008-02-08 22:26 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-17 11:12 . 2008-02-08 22:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-17 11:12 . 2008-02-08 22:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-17 11:12 . 2008-02-08 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-17 11:12 . 2008-06-17 11:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-17 09:35 . 2008-02-08 22:26 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\WINDOWS
2008-06-17 09:35 . 2008-02-08 22:52 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\You've Got Pictures Screensaver
2008-06-17 09:35 . 2008-02-08 22:51 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\SampleView
2008-06-17 09:35 . 2008-02-08 23:22 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\AOL
2008-06-17 09:35 . 2008-06-17 09:35 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC
2008-06-16 21:18 . 2008-06-17 09:35 <DIR> d-------- C:\Documents and Settings\TEMP
2008-06-15 20:19 . 2008-06-15 20:18 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-15 20:19 . 2008-06-15 20:19 2,542 --a------ C:\WINDOWS\unins000.dat
2008-06-15 20:08 . 2008-06-15 20:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-15 20:08 . 2008-06-15 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 09:24 . 2008-06-14 12:54 <DIR> d-------- C:\Program Files\LeeGTs Games
2008-06-13 14:55 . 2008-06-14 15:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-06-13 14:51 . 2008-06-14 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-13 14:24 . 2008-06-13 14:24 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-10 21:18 . 2008-04-14 06:30 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 21:18 . 2008-05-08 08:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-06 09:16 . 2008-06-08 13:42 16 --a------ C:\WINDOWS\popcinfot.dat
2008-06-06 09:16 . 2008-06-06 09:16 0 --a------ C:\WINDOWS\popcreg.dat
2008-06-04 09:47 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-05-29 22:17 . 2008-05-29 22:17 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-27 20:22 . 2008-05-27 20:22 0 --a------ C:\WINDOWS\QuickInstall.INI
2008-05-27 20:19 . 2008-05-27 20:20 <DIR> d-------- C:\Program Files\palmOne
2008-05-25 17:46 . 2008-05-25 17:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-25 16:19 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-25 16:11 . 2008-05-25 16:11 <DIR> d-------- C:\WINDOWS\EHome
2008-05-25 14:13 . 2008-04-13 18:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-05-25 14:12 . 2008-04-13 18:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\WINDOWS\MyShoppingGenie
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\My Shopping Genie
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MnuMsgDat
2008-05-21 06:53 . 2006-10-06 09:35 90,112 --a------ C:\WINDOWS\system32\lfjbg13n.dll
2008-05-21 06:52 . 2006-10-06 09:35 246,272 --a------ C:\WINDOWS\system32\lfj2k13n.dll
2008-05-21 06:52 . 2006-10-18 14:52 189,976 --a------ C:\WINDOWS\system32\mfimgvwr.ocx
2008-05-21 06:51 . 2008-05-21 06:52 <DIR> d-------- C:\Program Files\MFInstall
2008-05-18 15:15 . 2008-05-18 15:15 <DIR> d-------- C:\temp_ps
2008-05-18 15:15 . 2008-05-18 20:57 <DIR> d-------- C:\Program Files\OrCAD_Demo
2008-05-18 15:15 . 1997-07-11 00:00 1,037,312 --a------ C:\WINDOWS\system32\msjet35.dll
2008-05-18 15:15 . 1996-11-08 03:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-05-18 15:15 . 1997-07-11 00:00 251,664 --a------ C:\WINDOWS\system32\msrd2x35.dll
2008-05-18 15:15 . 1997-07-11 00:00 121,104 --a------ C:\WINDOWS\system32\msjint35.dll
2008-05-18 15:15 . 1997-07-11 00:00 24,336 --a------ C:\WINDOWS\system32\msjter35.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 15:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-17 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-16 15:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-06-16 00:16 --------- d-----w C:\Program Files\Shop'NCook 3.4
2008-06-15 23:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-13 03:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-06-04 15:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-04 03:28 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-04 03:28 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-04 03:28 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-04 03:28 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-04 03:28 --------- d-----w C:\Program Files\Symantec
2008-05-30 11:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-28 03:18 --------- d-----w C:\Program Files\LimeWire
2008-05-26 02:11 --------- d-----w C:\Program Files\MSN Messenger
2008-05-25 22:53 --------- d-----w C:\Program Files\Microsoft Works
2008-05-24 22:35 --------- d-----w C:\Program Files\Quicken
2008-05-24 20:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-05-21 14:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-16 22:05 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-16 22:05 --------- d-----w C:\Program Files\Common Files\Real
2008-05-08 15:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 03:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-05-07 03:37 --------- d-----w C:\Program Files\GlobalSCAPE
2008-05-06 19:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-04 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-04-30 00:34 433,505 ------w C:\VistaPrint_Business_Cards.zip
2008-04-29 23:59 --------- d-----w C:\Program Files\MOJOSOFT
2008-04-29 23:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\mojosoft
2008-04-29 02:12 --------- d-----w C:\Program Files\Gallery Remote
2008-04-25 22:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-04-25 22:22 --------- d-----w C:\Program Files\Canon
2008-04-25 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-04-25 22:16 --------- d-----w C:\Program Files\Common Files\Canon
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 01:22 --------- d-----w C:\Program Files\OpenCube
2008-04-20 03:57 --------- d-----w C:\Program Files\Netflix
2008-04-14 11:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 11:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 11:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2008-03-26 03:29 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-26 03:29 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
.

<pre>
------w 89,088 2002-11-30 22:16:12 C:\Storage\Hardware Support\Palm Pilot Databases\Old Palm Files\best palm games .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-06-18_ 5.46.49.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-18 11:23:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-18 14:52:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-08 23:46 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
"mnumsgsf"="C:\Program Files\MyShoppingGenie\mnumsgsf.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 05:01 32768]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-17 18:32 7204864]
"nwiz"="nwiz.exe" [2005-09-17 18:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-17 18:32 86016]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 550912 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 18:20 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 18:20 49152]
"WD Button Manager"="WDBtnMgr.exe" [2008-02-23 21:54 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickCare2.2"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 08:21 198184]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 06:23 200704]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-16 16:05 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--------- 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--------- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2008-05-16 16:05 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 10:32]
R2 sprtlisten;SupportSoft Listener Service;C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 13:02]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 12:47]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe [2008-01-08 13:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - Q:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 11:04:10 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 09:22:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 9:34:41
ComboFix-quarantined-files.txt 2008-06-18 15:34:34
ComboFix2.txt 2008-06-18 11:47:11

Pre-Run: 54,766,444,544 bytes free
Post-Run: 54,740,373,504 bytes free

453 --- E O F --- 2008-06-11 09:05:33


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:07 AM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mnumsgsf] C:\Program Files\MyShoppingGenie\mnumsgsf.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203723070437
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10594 bytes

Remove this with HJT
O4 - HKCU\..\Run: [mnumsgsf] C:\Program Files\MyShoppingGenie\mnumsgsf.exe

Lets try this one again as this file is infected.

Open Notepad ( this will only work in Notepad ), go to Start> All Programs> Assessories> Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::



RenV::
C:\Storage\Hardware Support\Palm Pilot Databases\Old Palm Files\best palm games .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix 08-06-16.5 - Owner 2008-06-18 10:29:35.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.403 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix2.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 20:55 . 2008-06-17 20:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-17 20:51 . 2008-06-17 20:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 20:51 . 2008-06-17 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 20:51 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 20:51 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 20:48 . 2008-06-17 20:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-17 12:11 . 2008-06-17 12:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 11:12 . 2008-02-08 22:26 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-17 11:12 . 2008-02-08 22:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-17 11:12 . 2008-02-08 22:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-17 11:12 . 2008-02-08 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-17 11:12 . 2008-06-17 11:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-17 09:35 . 2008-02-08 22:26 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\WINDOWS
2008-06-17 09:35 . 2008-02-08 22:52 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\You've Got Pictures Screensaver
2008-06-17 09:35 . 2008-02-08 22:51 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\SampleView
2008-06-17 09:35 . 2008-02-08 23:22 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\AOL
2008-06-17 09:35 . 2008-06-17 09:35 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC
2008-06-16 21:18 . 2008-06-17 09:35 <DIR> d-------- C:\Documents and Settings\TEMP
2008-06-15 20:19 . 2008-06-15 20:18 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-15 20:19 . 2008-06-15 20:19 2,542 --a------ C:\WINDOWS\unins000.dat
2008-06-15 20:08 . 2008-06-15 20:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-15 20:08 . 2008-06-15 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 09:24 . 2008-06-14 12:54 <DIR> d-------- C:\Program Files\LeeGTs Games
2008-06-13 14:55 . 2008-06-14 15:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-06-13 14:51 . 2008-06-14 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-13 14:24 . 2008-06-13 14:24 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-10 21:18 . 2008-04-14 06:30 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 21:18 . 2008-05-08 08:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-06 09:16 . 2008-06-08 13:42 16 --a------ C:\WINDOWS\popcinfot.dat
2008-06-06 09:16 . 2008-06-06 09:16 0 --a------ C:\WINDOWS\popcreg.dat
2008-06-04 09:47 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-05-29 22:17 . 2008-05-29 22:17 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-27 20:22 . 2008-05-27 20:22 0 --a------ C:\WINDOWS\QuickInstall.INI
2008-05-27 20:19 . 2008-05-27 20:20 <DIR> d-------- C:\Program Files\palmOne
2008-05-25 17:46 . 2008-05-25 17:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-25 16:19 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-25 16:11 . 2008-05-25 16:11 <DIR> d-------- C:\WINDOWS\EHome
2008-05-25 14:13 . 2008-04-13 18:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-05-25 14:12 . 2008-04-13 18:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\WINDOWS\MyShoppingGenie
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\My Shopping Genie
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MnuMsgDat
2008-05-21 06:53 . 2006-10-06 09:35 90,112 --a------ C:\WINDOWS\system32\lfjbg13n.dll
2008-05-21 06:52 . 2006-10-06 09:35 246,272 --a------ C:\WINDOWS\system32\lfj2k13n.dll
2008-05-21 06:52 . 2006-10-18 14:52 189,976 --a------ C:\WINDOWS\system32\mfimgvwr.ocx
2008-05-21 06:51 . 2008-05-21 06:52 <DIR> d-------- C:\Program Files\MFInstall
2008-05-18 15:15 . 2008-05-18 15:15 <DIR> d-------- C:\temp_ps
2008-05-18 15:15 . 2008-05-18 20:57 <DIR> d-------- C:\Program Files\OrCAD_Demo
2008-05-18 15:15 . 1997-07-11 00:00 1,037,312 --a------ C:\WINDOWS\system32\msjet35.dll
2008-05-18 15:15 . 1996-11-08 03:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-05-18 15:15 . 1997-07-11 00:00 251,664 --a------ C:\WINDOWS\system32\msrd2x35.dll
2008-05-18 15:15 . 1997-07-11 00:00 121,104 --a------ C:\WINDOWS\system32\msjint35.dll
2008-05-18 15:15 . 1997-07-11 00:00 24,336 --a------ C:\WINDOWS\system32\msjter35.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 15:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-17 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-16 15:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-06-16 00:16 --------- d-----w C:\Program Files\Shop'NCook 3.4
2008-06-15 23:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-13 03:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-06-04 15:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-04 03:28 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-04 03:28 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-04 03:28 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-04 03:28 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-04 03:28 --------- d-----w C:\Program Files\Symantec
2008-05-30 11:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-28 03:18 --------- d-----w C:\Program Files\LimeWire
2008-05-26 02:11 --------- d-----w C:\Program Files\MSN Messenger
2008-05-25 22:53 --------- d-----w C:\Program Files\Microsoft Works
2008-05-24 22:35 --------- d-----w C:\Program Files\Quicken
2008-05-24 20:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-05-21 14:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-16 22:05 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-16 22:05 --------- d-----w C:\Program Files\Common Files\Real
2008-05-08 15:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 03:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-05-07 03:37 --------- d-----w C:\Program Files\GlobalSCAPE
2008-05-06 19:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-04 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-04-30 00:34 433,505 ------w C:\VistaPrint_Business_Cards.zip
2008-04-29 23:59 --------- d-----w C:\Program Files\MOJOSOFT
2008-04-29 23:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\mojosoft
2008-04-29 02:12 --------- d-----w C:\Program Files\Gallery Remote
2008-04-25 22:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-04-25 22:22 --------- d-----w C:\Program Files\Canon
2008-04-25 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-04-25 22:16 --------- d-----w C:\Program Files\Common Files\Canon
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 01:22 --------- d-----w C:\Program Files\OpenCube
2008-04-20 03:57 --------- d-----w C:\Program Files\Netflix
2008-04-14 11:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 11:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 11:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2008-03-26 03:29 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-26 03:29 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
.

<pre>
------w 89,088 2002-11-30 22:16:12 C:\Storage\Hardware Support\Palm Pilot Databases\Old Palm Files\best palm games .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-06-18_ 5.46.49.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-18 11:23:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-18 14:52:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-08 23:46 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
"mnumsgsf"="C:\Program Files\MyShoppingGenie\mnumsgsf.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 05:01 32768]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-17 18:32 7204864]
"nwiz"="nwiz.exe" [2005-09-17 18:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-17 18:32 86016]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 550912 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 18:20 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 18:20 49152]
"WD Button Manager"="WDBtnMgr.exe" [2008-02-23 21:54 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickCare2.2"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 08:21 198184]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 06:23 200704]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-16 16:05 185896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--------- 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--------- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2008-05-16 16:05 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 10:32]
R2 sprtlisten;SupportSoft Listener Service;C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 13:02]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 12:47]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe [2008-01-08 13:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - Q:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 11:04:10 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 10:33:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 10:47:41
ComboFix-quarantined-files.txt 2008-06-18 16:47:36
ComboFix2.txt 2008-06-18 15:34:41
ComboFix3.txt 2008-06-18 11:47:11

Pre-Run: 54,736,510,976 bytes free
Post-Run: 54,714,957,824 bytes free

268 --- E O F --- 2008-06-11 09:05:33

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:51 AM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mnumsgsf] C:\Program Files\MyShoppingGenie\mnumsgsf.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203723070437
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10562 bytes

Lets delete the old files.
C:\Storage\Hardware Support\Palm Pilot Databases\Old Palm Files\best palm games .exe

Then run Combofix again and post the log

ComboFix 08-06-16.5 - Owner 2008-06-18 14:54:38.5 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix2.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 20:55 . 2008-06-17 20:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-17 20:51 . 2008-06-17 20:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 20:51 . 2008-06-17 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 20:51 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 20:51 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 20:48 . 2008-06-17 20:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-17 12:11 . 2008-06-17 12:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 11:12 . 2008-02-08 22:26 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-17 11:12 . 2008-02-08 22:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-17 11:12 . 2008-02-08 22:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-17 11:12 . 2008-02-08 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-17 11:12 . 2008-06-17 11:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-17 09:35 . 2008-02-08 22:26 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\WINDOWS
2008-06-17 09:35 . 2008-02-08 22:52 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\You've Got Pictures Screensaver
2008-06-17 09:35 . 2008-02-08 22:51 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\SampleView
2008-06-17 09:35 . 2008-02-08 23:22 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC\Application Data\AOL
2008-06-17 09:35 . 2008-06-17 09:35 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser17.BRUCEPC
2008-06-16 21:18 . 2008-06-17 09:35 <DIR> d-------- C:\Documents and Settings\TEMP
2008-06-15 20:19 . 2008-06-15 20:18 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-15 20:19 . 2008-06-15 20:19 2,542 --a------ C:\WINDOWS\unins000.dat
2008-06-15 20:08 . 2008-06-15 20:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-15 20:08 . 2008-06-15 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 09:24 . 2008-06-14 12:54 <DIR> d-------- C:\Program Files\LeeGTs Games
2008-06-13 14:55 . 2008-06-14 15:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-06-13 14:51 . 2008-06-14 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-13 14:24 . 2008-06-13 14:24 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-10 21:18 . 2008-04-14 06:30 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 21:18 . 2008-05-08 08:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-06 09:16 . 2008-06-08 13:42 16 --a------ C:\WINDOWS\popcinfot.dat
2008-06-06 09:16 . 2008-06-06 09:16 0 --a------ C:\WINDOWS\popcreg.dat
2008-06-04 09:47 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-05-29 22:17 . 2008-05-29 22:17 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-27 20:22 . 2008-05-27 20:22 0 --a------ C:\WINDOWS\QuickInstall.INI
2008-05-27 20:19 . 2008-05-27 20:20 <DIR> d-------- C:\Program Files\palmOne
2008-05-25 17:46 . 2008-05-25 17:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-25 16:22 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-25 16:19 . 2008-05-25 16:22 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-25 16:11 . 2008-05-25 16:11 <DIR> d-------- C:\WINDOWS\EHome
2008-05-25 14:13 . 2008-04-13 18:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-05-25 14:12 . 2008-04-13 18:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\WINDOWS\MyShoppingGenie
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\My Shopping Genie
2008-05-22 17:48 . 2008-05-22 17:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MnuMsgDat
2008-05-21 06:53 . 2006-10-06 09:35 90,112 --a------ C:\WINDOWS\system32\lfjbg13n.dll
2008-05-21 06:52 . 2006-10-06 09:35 246,272 --a------ C:\WINDOWS\system32\lfj2k13n.dll
2008-05-21 06:52 . 2006-10-18 14:52 189,976 --a------ C:\WINDOWS\system32\mfimgvwr.ocx
2008-05-21 06:51 . 2008-05-21 06:52 <DIR> d-------- C:\Program Files\MFInstall
2008-05-18 15:15 . 2008-05-18 15:15 <DIR> d-------- C:\temp_ps
2008-05-18 15:15 . 2008-05-18 20:57 <DIR> d-------- C:\Program Files\OrCAD_Demo
2008-05-18 15:15 . 1997-07-11 00:00 1,037,312 --a------ C:\WINDOWS\system32\msjet35.dll
2008-05-18 15:15 . 1996-11-08 03:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-05-18 15:15 . 1997-07-11 00:00 251,664 --a------ C:\WINDOWS\system32\msrd2x35.dll
2008-05-18 15:15 . 1997-07-11 00:00 121,104 --a------ C:\WINDOWS\system32\msjint35.dll
2008-05-18 15:15 . 1997-07-11 00:00 24,336 --a------ C:\WINDOWS\system32\msjter35.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-18 15:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-16 15:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-06-16 00:16 --------- d-----w C:\Program Files\Shop'NCook 3.4
2008-06-15 23:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-13 03:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-06-04 15:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-04 03:28 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-04 03:28 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-04 03:28 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-04 03:28 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-04 03:28 --------- d-----w C:\Program Files\Symantec
2008-05-30 11:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-28 03:18 --------- d-----w C:\Program Files\LimeWire
2008-05-26 02:11 --------- d-----w C:\Program Files\MSN Messenger
2008-05-25 22:53 --------- d-----w C:\Program Files\Microsoft Works
2008-05-24 22:35 --------- d-----w C:\Program Files\Quicken
2008-05-24 20:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-05-21 14:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-16 22:05 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-16 22:05 --------- d-----w C:\Program Files\Common Files\Real
2008-05-08 15:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 03:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-05-07 03:37 --------- d-----w C:\Program Files\GlobalSCAPE
2008-05-06 19:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-04 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-04-30 00:34 433,505 ------w C:\VistaPrint_Business_Cards.zip
2008-04-29 23:59 --------- d-----w C:\Program Files\MOJOSOFT
2008-04-29 23:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\mojosoft
2008-04-29 02:12 --------- d-----w C:\Program Files\Gallery Remote
2008-04-25 22:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-04-25 22:22 --------- d-----w C:\Program Files\Canon
2008-04-25 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-04-25 22:16 --------- d-----w C:\Program Files\Common Files\Canon
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 01:22 --------- d-----w C:\Program Files\OpenCube
2008-04-20 03:57 --------- d-----w C:\Program Files\Netflix
2008-04-14 11:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 11:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 11:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2008-03-26 03:29 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-26 03:29 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-18_ 5.46.49.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-18 11:23:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-18 14:52:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-08 23:46 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
"mnumsgsf"="C:\Program Files\MyShoppingGenie\mnumsgsf.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 05:01 32768]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-17 18:32 7204864]
"nwiz"="nwiz.exe" [2005-09-17 18:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-17 18:32 86016]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 550912 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 18:20 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 18:20 49152]
"WD Button Manager"="WDBtnMgr.exe" [2008-02-23 21:54 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickCare2.2"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 08:21 198184]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 06:23 200704]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-16 16:05 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--------- 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--------- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2008-05-16 16:05 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 10:32]
R2 sprtlisten;SupportSoft Listener Service;C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 13:02]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 12:47]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe [2008-01-08 13:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - Q:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 11:04:10 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 14:58:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 15:12:43
ComboFix-quarantined-files.txt 2008-06-18 21:12:39
ComboFix2.txt 2008-06-18 16:47:41
ComboFix3.txt 2008-06-18 15:34:41
ComboFix4.txt 2008-06-18 11:47:11

Pre-Run: 54,736,760,832 bytes free
Post-Run: 54,715,076,608 bytes free

261 --- E O F --- 2008-06-11 09:05:33

Looking Good, post one last HJT log and lets make sure nothing has returned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:20 PM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6534
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mnumsgsf] C:\Program Files\MyShoppingGenie\mnumsgsf.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203723070437
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10515 bytes



------------------------------------------------------------------------
I have heard that after you have gotten rid of this retched virus, it is wise to wipe your hard drive after you have gotten you data off and reinstall the OS. Would you recommend this?

Hello,

Remove this with HJT
O4 - HKCU\..\Run: [mnumsgsf] C:\Program Files\MyShoppingGenie\mnumsgsf.exe

C:\Program Files\MyShoppingGenie <-- Delete this folder if its still present



Wiping or reformatting your hard drive and doing a fresh install of windows is an option you should have considered before we cleaned up your system, not after. There are certain infections going around that compromise your system, meaning the system is to be never trusted again security wise but that infection is not one that you had so doing a reformat is not needed but is totally up to you if you want to go that route.

Your log looks fine :bigthumb:

How are things running now??

It is good to hear that the reformat is not necessary! Things seem to be back to normal. Thanks for all the expert help! I did what was you said in that last post do I need to post another HJT log?

Your fine, only post a new log if that entry for Shopping Genie did not go away. Glad things are running well for you :bigthumb:

Time for some housekeeping

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.




How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs



Safe Surfn
Ken