Spybot v Virtumonde

Well, it is possible that those filenames mutate.

That file is bad as well, you can delete it via gmer.

Post back a fresh gmer log afterwards, please.
 
Shaba
Couldn't delete c:\windows\system32\drivers\ovfsth.sys.
When I hit the kill button I get the error message "Reached the end of the file".
L5
 
That is strange because you have Norton and not Kaspersky.

Please disable norton and try again.
 
Deleted all gmer.
Downloaded gmer.
Turned off Norton and Windows Defender.
Ran gmer.
Gmer crashed at \Device\HarddiskVolumeShadowCopy22.
Windows says there is a problem with the program, or sometimes it goes to a blue screen shutdown.
 
So let's try this one:

Download Rooter.exe to your desktop.
  • Then double-click it to start the tool.
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here.
 
When I try to open Rooter.exe I get the message
"Find String (QGREP) Utility has stopped working".
Tried opening it in safe mode and got the same message.
 
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
 
Here is the Kaspersky Scan result

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, April 24, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 23, 2009 19:23:33
Records in database: 2073015
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 128674
Threat name: 1
Infected objects: 0
Suspicious objects: 1
Duration of the scan: 02:11:05


File name / Threat name / Threats count
C:\Users\Carl\AppData\Local\Temp\ovfsthpotcqebndu.tmp Suspicious: Trojan.Win32.Patched.dy 1

The selected area was scanned.

And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:00 AM, on 24/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [lxdnamon] "C:\Program Files\Lexmark 2600 Series\lxdnamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [*LogMeInRescue_3091639056] "C:\Users\Carl\AppData\Local\Temp\LMI6C0C.tmp\lmi_rescue.exe" -runonce -gui (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [*LogMeInRescue_3091639056] "C:\Users\Carl\AppData\Local\Temp\LMI6C0C.tmp\lmi_rescue.exe" -runonce -gui (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.terrace.qld.edu.au/dwa7W.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\Windows\system32\lxdncoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9548 bytes
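As an added triage example (not HijackThis's own code and not anything posted in this thread), the script below parses the O4 and O23 lines of a HijackThis log and flags the entries a helper would want to look at first: autoruns that execute from a Temp directory, RunOnce entries registered for the SYSTEM or Default user, executables given without an absolute path, and services with no publisher recorded. The sample lines are constructed from the log above, and the flagging rules are this example's own heuristics, not HijackThis features.

```python
"""Triage helper for HijackThis logs (added example, not part of HijackThis).

Parses O4 (autorun) and O23 (service) lines and flags the ones that deserve
a second look. Heuristics are this example's own; they point at entries to
verify, they do not decide that anything is malicious.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [*LogMeInRescue_3091639056] "C:\Users\Carl\AppData\Local\Temp\LMI6C0C.tmp\lmi_rescue.exe" -runonce -gui (User 'SYSTEM')
O23 - Service: lxdn_device - - C:\Windows\system32\lxdncoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
"""

# "O4 - <hive>: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O23 - Service: <name> - <vendor> - <path>"; vendor may be empty ("name - - C:\...")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")
# First drive- or %VAR%-rooted path ending in an executable extension.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%[^%]+%)\\[^",]*?\.(?:exe|dll|sys|scr|bat|cmd))', re.I)
ABS_RE = re.compile(r"^(?:[A-Za-z]:|%[^%]+%)\\")
TEMP_RE = re.compile(r"\\temp\\", re.I)


@dataclass
class Finding:
    line: str
    reasons: list


def exe_path(cmd: str) -> str:
    """Pull the executable out of a Run value; fall back to the first token."""
    cmd = cmd.strip()
    m = PATH_RE.search(cmd)
    return m.group(1) if m else cmd.split()[0]


def check_o4(m: re.Match) -> list:
    reasons = []
    path = exe_path(m["cmd"])
    if TEMP_RE.search(path):
        reasons.append("autorun binary lives in a Temp directory")
    if not ABS_RE.match(path):
        # A bare file name is resolved through the search path at logon time.
        reasons.append("no absolute path; resolved through the search path")
    hive = m["hive"]
    if "RunOnce" in hive and ("S-1-5-18" in hive or ".DEFAULT" in hive):
        reasons.append("RunOnce registered for SYSTEM/Default user")
    return reasons


def check_o23(m: re.Match) -> list:
    reasons = []
    if not m["vendor"].strip():
        reasons.append("service has no publisher recorded")
    if TEMP_RE.search(m["path"]):
        reasons.append("service binary lives in a Temp directory")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per O4/O23 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            reasons = check_o4(m)
        elif m := O23_RE.match(line):
            reasons = check_o23(m)
        else:
            continue  # other HijackThis sections are out of scope here
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Entries it flags are candidates for manual verification (check the file's signature and location), not a verdict.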
 
OK, as ComboFix didn't work, let's try this.

Move combofix.exe to the C: root (c:\).

Restart the computer and start tapping F8 before the Windows logo appears, until you see a menu.
Choose Safe Mode with Command Prompt from that menu.

When you are at the command prompt, type:

cd\ (enter)
combofix (enter)

Let me know if it works now.
 
Hallelujah!
ComboFix ran OK in safe mode (I had to download it again).
Here is the log:

ComboFix 09-04-24.01 - Carl 24/04/2009 20:21.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2045.1645 [GMT 10:00]
Running from: C:\ComboFix.exe
Command switches used :: combofix
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsth.sys

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-24 10:12 . 2009-04-24 10:12 2999256 ----a-r C:\ComboFix.exe
2009-04-23 08:19 . 2009-04-23 09:25 -------- d-----w C:\Rooter$
2009-04-18 05:12 . 2009-04-18 05:13 108032 ----a-w c:\windows\system32\winsetup66.exe
2009-04-18 05:07 . 2009-04-18 05:07 118 ----a-w c:\windows\system32\MRT.INI
2009-04-18 05:01 . 2009-04-18 05:01 -------- d-sh--w c:\windows\system32\%APPDATA%
2009-04-18 04:23 . 2009-04-18 04:24 -------- d-----w C:\rsit
2009-04-18 04:15 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-18 04:15 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-18 04:15 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-18 04:15 . 2009-03-03 04:46 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-18 04:15 . 2009-03-03 04:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-04-18 04:15 . 2009-03-03 04:46 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-18 04:15 . 2009-03-03 04:39 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-04-18 04:15 . 2009-03-03 04:39 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-04-18 04:15 . 2009-03-03 04:37 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-04-18 04:15 . 2009-03-03 03:04 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-04-18 04:14 . 2009-03-03 04:37 54784 ----a-w c:\windows\system32\iasads.dll
2009-04-18 04:14 . 2009-03-03 04:37 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-04-18 04:14 . 2009-03-03 02:38 17408 ----a-w c:\windows\system32\iashost.exe
2009-04-18 04:13 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-18 04:13 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-18 04:13 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-18 04:13 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
2009-04-12 03:03 . 2009-04-12 03:03 -------- d-----w c:\program files\Trend Micro
2009-04-11 06:29 . 2009-03-19 06:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-11 06:29 . 2008-04-17 02:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\program files\iPod
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\users\All Users\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\program files\iTunes
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 06:26 . 2009-04-11 06:26 -------- d-----w c:\program files\Bonjour
2009-04-08 13:03 . 2009-04-08 13:03 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-08 13:00 . 2009-04-08 13:00 -------- d-----w c:\users\Carl\AppData\Roaming\InstallShield
2009-04-03 16:02 . 2009-04-03 18:03 128000 ----a-w c:\windows\system32\winsetup63.exe
2009-03-31 11:45 . 2009-03-31 12:57 66 ----a-w c:\windows\system32\waverspw.dat
2009-03-31 11:45 . 2009-03-31 12:57 66 ----a-w c:\windows\system32\pcadg.dat
2009-03-31 11:45 . 2009-03-31 12:57 66 ----a-w c:\windows\system32\ogldrcsg.dat
2009-03-31 11:45 . 2009-03-31 11:45 153 ----a-w c:\windows\system32\KBDHE2D0.dat
2009-03-31 11:45 . 2009-03-31 11:45 0 ----a-w c:\windows\system32\psbape.dat
2009-03-31 11:45 . 2009-03-31 11:45 139264 ----a-w c:\windows\system32\mfr532.exe
2009-03-29 00:45 . 2009-03-29 00:44 25136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-03-29 00:45 . 2009-03-29 00:45 -------- d-----w c:\program files\Symantec
2009-03-29 00:45 . 2009-03-29 00:45 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-29 00:45 . 2009-03-29 00:45 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-29 00:45 . 2009-03-29 00:45 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-29 00:44 . 2009-03-29 00:44 -------- d-----w c:\windows\system32\drivers\NAV
2009-03-29 00:43 . 2009-03-29 00:44 -------- d-----w c:\program files\Norton AntiVirus
2009-03-29 00:43 . 2009-03-29 00:46 -------- d-----w c:\users\All Users\Norton
2009-03-29 00:43 . 2009-03-29 00:46 -------- d-----w c:\progra~2\Norton
2009-03-29 00:40 . 2009-03-29 00:40 -------- d-sh--w C:\$RECYCLE.BIN
2009-03-29 00:30 . 2009-03-29 00:41 -------- d-----w c:\users\All Users\NortonInstaller
2009-03-29 00:30 . 2009-03-29 00:41 -------- d-----w c:\progra~2\NortonInstaller
2009-03-29 00:30 . 2009-03-29 00:30 -------- d-----w c:\program files\NortonInstaller
2009-03-28 05:25 . 2009-03-28 05:25 -------- d-----w c:\users\Carl\AppData\Roaming\Malwarebytes
2009-03-28 05:25 . 2009-03-28 05:25 -------- d-----w c:\users\All Users\Malwarebytes
2009-03-28 05:25 . 2009-03-28 05:25 -------- d-----w c:\progra~2\Malwarebytes
2009-03-27 05:52 . 2009-03-27 05:52 -------- d-----w c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 09:52 . 2007-06-23 07:24 12978 ----a-w c:\users\Carl\AppData\Roaming\nvModes.dat
2009-04-23 09:06 . 2007-07-02 12:08 1356 ----a-w c:\users\Carl\AppData\Local\d3d9caps.dat
2009-04-21 13:56 . 2007-02-26 23:40 -------- d-----w c:\program files\Java
2009-04-18 05:26 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-18 05:05 . 2007-02-27 00:44 -------- d-----w c:\progra~2\Microsoft Help
2009-04-12 00:35 . 2008-12-17 07:30 -------- d-----w c:\progra~2\Lx_cats
2009-04-11 06:28 . 2007-07-03 06:45 -------- d-----w c:\program files\Common Files\Apple
2009-04-09 21:51 . 2009-04-09 21:51 271455 ----a-w c:\users\All Users\SPL3E76.tmp
2009-04-09 21:51 . 2009-04-09 21:51 271455 ----a-w c:\progra~2\SPL3E76.tmp
2009-04-08 11:49 . 2008-06-03 02:49 -------- d-----w c:\users\Carl\AppData\Roaming\LimeWire
2009-04-07 11:03 . 2007-06-23 05:45 121112 ----a-w c:\users\Carl\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-07 10:51 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-07 10:51 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-07 10:51 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-04-07 10:50 . 2009-01-23 12:23 -------- d-----w c:\program files\Common Files\Nokia
2009-04-01 21:33 . 2009-04-01 21:33 249997 ----a-w c:\users\All Users\SPLE44.tmp
2009-04-01 21:33 . 2009-04-01 21:33 249997 ----a-w c:\progra~2\SPLE44.tmp
2009-03-29 06:47 . 2008-08-13 09:00 -------- d-----w c:\progra~2\Symantec
2009-03-29 00:52 . 2007-06-23 06:00 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 08:37 . 2007-08-23 00:59 -------- d-----w c:\program files\Google
2009-03-27 23:19 . 2009-03-27 23:19 84654 ----a-w c:\users\All Users\SPL47F7.tmp
2009-03-27 23:19 . 2009-03-27 23:19 84654 ----a-w c:\progra~2\SPL47F7.tmp
2009-03-27 23:03 . 2009-03-27 23:03 84654 ----a-w c:\users\All Users\SPLB0DB.tmp
2009-03-27 23:03 . 2009-03-27 23:03 84654 ----a-w c:\progra~2\SPLB0DB.tmp
2009-03-20 07:00 . 2009-03-20 07:00 -------- d-----w c:\program files\Common Files\supportsoft
2009-03-20 06:58 . 2009-03-20 06:53 -------- d-----w c:\progra~2\Intuit
2009-03-20 06:55 . 2009-03-20 06:53 -------- d-----w c:\program files\Common Files\Intuit
2009-03-20 06:54 . 2009-03-20 06:54 -------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-03-20 06:53 . 2009-03-20 06:53 -------- d-----w c:\program files\Intuit
2009-03-20 06:51 . 2009-03-20 06:51 -------- d-----w c:\progra~2\COMMON FILES
2009-03-19 06:18 . 2008-12-07 22:59 -------- d-----w c:\program files\PeerGuardian2
2009-03-19 05:32 . 2007-09-03 01:52 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-17 03:38 . 2009-04-18 04:13 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 02:23 . 2007-02-26 22:31 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-17 01:44 . 2007-07-19 04:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-16 17:48 . 2007-06-24 01:01 -------- d-----w c:\program files\Common Files\Adobe
2009-03-14 00:53 . 2009-03-14 00:53 -------- d-----w c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 00:49 . 2009-03-14 00:48 -------- d-----w c:\program files\QuickTime
2009-03-08 23:18 . 2007-06-27 04:26 -------- d-----w c:\program files\Call of Duty Game of the Year Edition
2009-03-08 19:19 . 2008-12-13 14:11 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-08 11:34 . 2009-03-31 07:22 914944 ----a-w c:\windows\System32\wininet.dll
2009-03-08 11:34 . 2009-03-31 07:22 43008 ----a-w c:\windows\System32\licmgr10.dll
2009-03-08 11:33 . 2009-03-31 07:22 18944 ----a-w c:\windows\System32\corpol.dll
2009-03-08 11:33 . 2009-03-31 07:22 109056 ----a-w c:\windows\System32\iesysprep.dll
2009-03-08 11:33 . 2009-03-31 07:22 109568 ----a-w c:\windows\System32\PDMSetup.exe
2009-03-08 11:33 . 2009-03-31 07:22 132608 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-08 11:33 . 2009-03-31 07:22 107520 ----a-w c:\windows\System32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-03-31 07:22 107008 ----a-w c:\windows\System32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-03-31 07:22 103936 ----a-w c:\windows\System32\SetDepNx.exe
2009-03-08 11:33 . 2009-03-31 07:22 420352 ----a-w c:\windows\System32\vbscript.dll
2009-03-08 11:32 . 2009-03-31 07:22 72704 ----a-w c:\windows\System32\admparse.dll
2009-03-08 11:32 . 2009-03-31 07:22 71680 ----a-w c:\windows\System32\iesetup.dll
2009-03-08 11:32 . 2009-03-31 07:22 66560 ----a-w c:\windows\System32\wextract.exe
2009-03-08 11:32 . 2009-03-31 07:22 169472 ----a-w c:\windows\System32\iexpress.exe
2009-03-08 11:31 . 2009-03-31 07:22 34816 ----a-w c:\windows\System32\imgutil.dll
2009-03-08 11:31 . 2009-03-31 07:22 48128 ----a-w c:\windows\System32\mshtmler.dll
2009-03-08 11:31 . 2009-03-31 07:22 45568 ----a-w c:\windows\System32\mshta.exe
2009-03-08 11:22 . 2009-03-31 07:22 156160 ----a-w c:\windows\System32\msls31.dll
2009-03-04 10:51 . 2007-09-07 07:20 -------- d-----w c:\program files\DOOM 3
2009-03-04 00:56 . 2007-07-05 11:05 -------- d-----w c:\program files\Brownie
2009-03-04 00:56 . 2008-12-17 07:16 -------- d-----w c:\program files\Abbyy FineReader 6.0 Sprint
2009-03-04 00:55 . 2007-07-19 04:20 -------- d-----w c:\progra~2\Spybot - Search & Destroy
2009-03-04 00:55 . 2009-01-20 13:00 -------- d-----w c:\program files\PC Connectivity Solution
2009-03-04 00:55 . 2007-06-23 05:39 -------- d-----w c:\program files\Protector Suite QL
2009-03-04 00:55 . 2007-02-27 00:48 -------- d-----w c:\program files\Microsoft Works
2009-03-01 11:55 . 2008-11-20 07:11 -------- d-----w c:\users\Carl\AppData\Roaming\FrostWire
2009-02-09 03:10 . 2009-03-11 04:07 2033152 ----a-w c:\windows\System32\win32k.sys
2008-12-29 08:08 . 2008-12-29 08:08 34056 ----a-w c:\users\All Users\SPL1C47.tmp
2008-12-29 08:08 . 2008-12-29 08:08 34056 ----a-w c:\progra~2\SPL1C47.tmp
2008-12-29 08:06 . 2008-12-29 08:06 34056 ----a-w c:\users\All Users\SPL273.tmp
2008-12-29 08:06 . 2008-12-29 08:06 34056 ----a-w c:\progra~2\SPL273.tmp
2008-12-29 06:52 . 2008-12-29 06:52 129662 ----a-w c:\users\All Users\SPLA4C6.tmp
2008-12-29 06:52 . 2008-12-29 06:52 129662 ----a-w c:\progra~2\SPLA4C6.tmp
2008-12-28 22:37 . 2008-12-28 22:37 129662 ----a-w c:\users\All Users\SPL26E4.tmp
2008-12-28 22:37 . 2008-12-28 22:37 129662 ----a-w c:\progra~2\SPL26E4.tmp
2008-12-28 22:35 . 2008-12-28 22:35 129662 ----a-w c:\users\All Users\SPL9E9A.tmp
2008-12-28 22:35 . 2008-12-28 22:35 129662 ----a-w c:\progra~2\SPL9E9A.tmp
2008-05-27 04:35 . 2007-11-25 21:52 22328 ----a-w c:\users\Carl\AppData\Roaming\PnkBstrK.sys
2008-05-24 01:55 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-11-25 22:02 . 2007-11-25 22:02 92 ----a-w c:\users\Carl\AppData\Local\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\kbdhe2d0]
@="{C2F2E748-E7D6-0E58-35E0-D780ABE07D4C}"
[HKEY_CLASSES_ROOT\CLSID\{C2F2E748-E7D6-0E58-35E0-D780ABE07D4C}]
2006-11-02 09:39 126976 ----a-w c:\windows\system32\KBDHE2D0.dIl

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-11-14 02:22 3186440 ----a-w c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-11-14 02:22 3186440 ----a-w c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-02-13 405504]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-01-19 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 534648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-19 1316136]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2006-08-25 724992]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-26 204800]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-11-14 49416]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2007-12-17 660136]
"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2007-12-17 16040]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-12-17 320168]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-13 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-13 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-13 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-01-18 4349952]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-2-2 2756608]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-8-16 118784]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-30 969792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-11-14 02:07 96008 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{22EFF41D-631D-40C9-989D-2712EF8D50A0}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= UDP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"UDP Query User{DAF6DF97-1477-4D7D-A48F-B853C976638A}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= TCP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"TCP Query User{F8658306-F07E-42BB-B00A-8D25053DA4E4}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{B08A1C9C-5466-4A99-83B5-B29606D574E9}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"TCP Query User{C262F8E5-9AD3-4FA5-81D3-D7AAA951F14A}c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"= UDP:c:\windows\system32\spool\drivers\w32x86\3\lxdnpswx.exe:Printer Status Window Interface
"UDP Query User{FBA97FCB-AE9B-4A09-A619-C3C842206897}c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"= TCP:c:\windows\system32\spool\drivers\w32x86\3\lxdnpswx.exe:Printer Status Window Interface
"TCP Query User{078EFE2F-F6A8-483B-BCEF-C6CC64A586B6}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= UDP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"UDP Query User{73C9C2C1-6022-49E7-810A-F7C36548FB22}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= TCP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"TCP Query User{596CF229-D0B6-4322-A74C-EB5EC1A616A2}c:\\users\\carl\\appdata\\local\\temp\\lmi6c0c.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi6c0c.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{D8F09C2A-6EAD-4CE8-9D25-25ABE7EED859}c:\\users\\carl\\appdata\\local\\temp\\lmi6c0c.tmp\\lmi_rescue.exe"= TCP:c:\users\carl\appdata\local\temp\lmi6c0c.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{56EF1469-FCC7-4931-AF1A-BD2C1B92B8F1}c:\\users\\temp\\appdata\\local\\temp\\lmic5b0.tmp\\lmi_rescue.exe"= UDP:c:\users\temp\appdata\local\temp\lmic5b0.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{580923D4-ED9E-467C-9FEA-989B9276ED30}c:\\users\\temp\\appdata\\local\\temp\\lmic5b0.tmp\\lmi_rescue.exe"= TCP:c:\users\temp\appdata\local\temp\lmic5b0.tmp\lmi_rescue.exe:LogMeIn Rescue
"{C33BE070-A998-41CB-BACE-8C60A8A0EF51}"= UDP:c:\users\TEMP\AppData\Local\Temp\7zSCFB.tmp\SymNRT.exe:Norton Removal Tool
"{FA88B3A9-6139-42D9-B7A6-04C37DA5C339}"= TCP:c:\users\TEMP\AppData\Local\Temp\7zSCFB.tmp\SymNRT.exe:Norton Removal Tool
"TCP Query User{80264584-7F58-4ABF-B9C5-320A685B756C}c:\\users\\carl\\appdata\\local\\temp\\lmi83f0.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi83f0.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{4C564DC5-23E1-4372-80F8-01975EC8EBE0}c:\\users\\carl\\appdata\\local\\temp\\lmi83f0.tmp\\lmi_rescue.exe"= TCP:c:\users\carl\appdata\local\temp\lmi83f0.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{868DF9FD-4144-4420-9CA6-3407D74B657B}c:\\users\\carl\\appdata\\local\\temp\\lmi67c9.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi67c9.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{79930D5F-60F2-44F1-BE6A-3E4DFF4EA24D}c:\\users\\carl\\appdata\\local\\temp\\lmi67c9.tmp\\lmi_rescue.exe"= TCP:c:\users\carl\appdata\local\temp\lmi67c9.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{0983364B-1583-4A6B-8C0D-D7691316EEA4}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{4554DACF-6B06-4781-B56E-9B463BF38268}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"TCP Query User{712C9F86-FB44-4CDB-AE61-5E61471A71AD}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{AF6CD684-2B19-4C66-A844-DF67C48C555C}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{E5C44461-D1BC-4DD4-9BCE-97B59B2131F6}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B8349452-B959-44E6-B871-956E454EB8DC}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{225DADB3-12AE-4BDB-A386-A027B6F633F5}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1941303B-DA35-4EBB-9A9E-A3DCAE43B1B9}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{3366980F-648C-4DE1-AC9F-1890073D4019}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E66F7B7A-9FCD-416C-A009-9329CCFD157C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F79F2373-27D2-4239-B302-D9034484898B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0DA2CFD5-C10A-4F09-A2EF-553FC6DDF668}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe [2007-12-05 98984]
R3 MBAMSwissArmy;MBAMSwissArmy; [x]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\DRIVERS\NETGEARUCOMP.sys [2006-08-17 11648]
R3 TpChoice;Touch Pad Detection Filter driver; [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SYMEFA.SYS [2009-03-29 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-29 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\ccHPx86.sys [2009-03-29 482352]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090414.001\IDSvix86.sys [2009-03-29 292912]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2007-12-05 594600]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-29 115560]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-29 101936]
S3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\DRIVERS\NETGEARUHOST.sys [2006-08-17 10752]
S3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\DRIVERS\NETGEARUHUB.sys [2006-08-17 37120]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\NAV\1005000.086\SYMNDISV.SYS [2009-03-29 39984]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55f7c04d-a50f-11dc-b9b1-0016d4f956e8}]
\shell\1\Command - RUNAUT~1\autorun.pif
\shell\2\Command - RUNAUT~1\autorun.pif
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-*LogMeInRescue_3091639056 - c:\users\Carl\AppData\Local\Temp\LMI6C0C.tmp\lmi_rescue.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 20:30
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infql2.dll

- - - - - - - > 'Explorer.exe'(3712)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infql2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\audiodg.exe
c:\program files\Protector Suite QL\upeksvr.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Lexmark 2600 Series\lxdnmsdmon.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\tosBtProc.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2009-04-24 20:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 10:35

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 122,992,062,464 bytes free

351 --- E O F --- 2009-04-23 19:00
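A few entries in the ComboFix logs in this thread are worth checking mechanically rather than by eye: the MountPoints2 `\shell\...\command` lines (a remembered autorun.inf from a removable drive), the shell icon overlay handler whose file is spelled `KBDHE2D0.dIl` with a capital I where a lowercase l belongs (it appears in the second log further down), the Security Center override flags, and firewall rules that point at executables under a temp directory. The script below is an added example, not ComboFix's code and not part of the helper's instructions. It runs four such checks over lines copied from these logs; the indicator lists, the homoglyph map and the temp-directory markers are my assumptions, and every hit is a prompt for a human look rather than a verdict: the temp-directory hits here are the LogMeIn Rescue and Norton Removal Tool binaries, and the Security Center flags are the kind Norton sets for its own products.

```python
"""Indicator checks over ComboFix-style log text (added example, not ComboFix's code)."""
import re

# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55f7c04d-a50f-11dc-b9b1-0016d4f956e8}]
\shell\1\Command - RUNAUT~1\autorun.pif
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\kbdhe2d0]
[HKEY_CLASSES_ROOT\CLSID\{C2F2E748-E7D6-0E58-35E0-D780ABE07D4C}]
2006-11-02 09:39 126976 ----a-w c:\windows\system32\KBDHE2D0.dIl
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C33BE070-A998-41CB-BACE-8C60A8A0EF51}"= UDP:c:\users\TEMP\AppData\Local\Temp\7zSCFB.tmp\SymNRT.exe:Norton Removal Tool
"TCP Query User{596CF229-D0B6-4322-A74C-EB5EC1A616A2}c:\\users\\carl\\appdata\\local\\temp\\lmi6c0c.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi6c0c.tmp\lmi_rescue.exe:LogMeIn Rescue
"{F79F2373-27D2-4239-B302-D9034484898B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"""

# A Windows path as ComboFix prints it: drive, "segment\" parts (spaces allowed),
# then a file name with a short extension; it ends at a colon, quote or end of line.
PATH_RE = re.compile(
    r'[A-Za-z]:\\+(?:[^\\:"\r\n]+\\+)*[^\\:"\r\n]+?\.([A-Za-z0-9]{2,4})(?=$|[\s:"])',
    re.MULTILINE,
)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SHELL_CMD_RE = re.compile(r"^\\shell\\([^\\]+)\\command\s+-\s+(.+)$", re.IGNORECASE)

# Assumed indicator lists; tune them to the case at hand.
EXEC_EXTS = {"exe", "dll", "sys", "pif", "scr", "com"}
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})  # "dIl" reads as "dll"
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\temp\\", "\\windows\\temp\\")
OVERRIDE_VALUES = {"DisableMonitoring", "AntiVirusOverride", "FirewallOverride", "UpdatesOverride"}


def extract_paths(text):
    """Unique (path, extension) pairs in order of first appearance; the doubled-backslash
    copy of a path inside a firewall rule name folds into the plain copy."""
    seen, out = set(), []
    for m in PATH_RE.finditer(text):
        path = m.group(0).replace("\\\\", "\\")
        if path.lower() not in seen:
            seen.add(path.lower())
            out.append((path, m.group(1)))
    return out


def homoglyph_extensions(text):
    """Paths whose extension only looks like exe/dll/sys to a human (e.g. '.dIl').
    The loader does not care: a CLSID's InprocServer32 loads whatever path is registered."""
    hits = []
    for path, ext in extract_paths(text):
        normalized = ext.translate(HOMOGLYPHS).lower()
        if normalized in EXEC_EXTS and ext.lower() != normalized:
            hits.append(path)
    return hits


def mountpoints_autorun(text):
    """(verb, command) pairs under MountPoints2: Explorer runs these when the drive is opened."""
    hits, in_mountpoints = [], False
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            in_mountpoints = "mountpoints2" in key.group(1).lower()
            continue
        cmd = SHELL_CMD_RE.match(line)
        if in_mountpoints and cmd:
            hits.append((cmd.group(1), cmd.group(2)))
    return hits


def security_center_overrides(text):
    """(subkey, value) for non-zero override flags under Security Center. AV suites set
    these for their own products, so this is context for the analyst, not a verdict."""
    hits, current_key = [], ""
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = VALUE_RE.match(line)
        if not val or "security center" not in current_key.lower():
            continue
        if val.group(1) in OVERRIDE_VALUES and int(val.group(2), 16) != 0:
            hits.append((current_key.rsplit("\\", 1)[-1], val.group(1)))
    return hits


def temp_dir_executables(text):
    """Executables under a temp directory that something in the log refers to.
    Remote-support and removal tools do this legitimately; each one should be named."""
    return [path for path, ext in extract_paths(text)
            if ext.lower() in EXEC_EXTS and any(t in path.lower() for t in TEMP_MARKERS)]


if __name__ == "__main__":
    for check in (homoglyph_extensions, mountpoints_autorun,
                  security_center_overrides, temp_dir_executables):
        print(check.__name__, check(SAMPLE_LOG))
```

Run it as-is to see the four hit lists for the sample, or replace `SAMPLE_LOG` with the text of a full ComboFix log. The path regex stops at colons and quotes because that is how ComboFix delimits paths in firewall rules and file listings; a path with an embedded colon would be cut short, which is acceptable for triage output that a person reads anyway.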
 
When I woke up this morning the sun was shining.
I started the computer; all my pictures and wallpaper were back.
ComboFix ran in normal mode.
Things are improving...
Here is the log:

ComboFix 09-04-25.03 - Carl 25/04/2009 8:44.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2045.1042 [GMT 10:00]
Running from: c:\users\Carl\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-24 10:12 . 2009-04-24 10:12 2999256 ----a-r C:\ComboFix.exe
2009-04-23 08:19 . 2009-04-23 09:25 -------- d-----w C:\Rooter$
2009-04-18 05:12 . 2009-04-18 05:13 108032 ----a-w c:\windows\system32\winsetup66.exe
2009-04-18 05:07 . 2009-04-18 05:07 118 ----a-w c:\windows\system32\MRT.INI
2009-04-18 05:01 . 2009-04-18 05:01 -------- d-sh--w c:\windows\system32\%APPDATA%
2009-04-18 04:23 . 2009-04-18 04:24 -------- d-----w C:\rsit
2009-04-18 04:15 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-18 04:15 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-18 04:15 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-18 04:15 . 2009-03-03 04:46 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-18 04:15 . 2009-03-03 04:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-04-18 04:15 . 2009-03-03 04:46 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-18 04:15 . 2009-03-03 04:39 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-04-18 04:15 . 2009-03-03 04:39 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-04-18 04:15 . 2009-03-03 04:37 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-04-18 04:15 . 2009-03-03 03:04 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-04-18 04:14 . 2009-03-03 04:37 54784 ----a-w c:\windows\system32\iasads.dll
2009-04-18 04:14 . 2009-03-03 04:37 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-04-18 04:14 . 2009-03-03 02:38 17408 ----a-w c:\windows\system32\iashost.exe
2009-04-18 04:13 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-18 04:13 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-18 04:13 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-18 04:13 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
2009-04-12 03:03 . 2009-04-12 03:03 -------- d-----w c:\program files\Trend Micro
2009-04-11 06:29 . 2009-03-19 06:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-11 06:29 . 2008-04-17 02:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\program files\iPod
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\users\All Users\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\program files\iTunes
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 06:26 . 2009-04-11 06:26 -------- d-----w c:\program files\Bonjour
2009-04-08 13:03 . 2009-04-08 13:03 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-08 13:00 . 2009-04-08 13:00 -------- d-----w c:\users\Carl\AppData\Roaming\InstallShield
2009-04-03 16:02 . 2009-04-03 18:03 128000 ----a-w c:\windows\system32\winsetup63.exe
2009-03-31 11:45 . 2009-03-31 12:57 66 ----a-w c:\windows\system32\waverspw.dat
2009-03-31 11:45 . 2009-03-31 12:57 66 ----a-w c:\windows\system32\pcadg.dat
2009-03-31 11:45 . 2009-03-31 12:57 66 ----a-w c:\windows\system32\ogldrcsg.dat
2009-03-31 11:45 . 2009-03-31 11:45 153 ----a-w c:\windows\system32\KBDHE2D0.dat
2009-03-31 11:45 . 2009-03-31 11:45 0 ----a-w c:\windows\system32\psbape.dat
2009-03-31 11:45 . 2009-03-31 11:45 139264 ----a-w c:\windows\system32\mfr532.exe
2009-03-29 00:45 . 2009-03-29 00:44 25136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-03-29 00:45 . 2009-03-29 00:45 -------- d-----w c:\program files\Symantec
2009-03-29 00:45 . 2009-03-29 00:45 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-29 00:45 . 2009-03-29 00:45 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-29 00:45 . 2009-03-29 00:45 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-29 00:44 . 2009-03-29 00:44 -------- d-----w c:\windows\system32\drivers\NAV
2009-03-29 00:43 . 2009-03-29 00:44 -------- d-----w c:\program files\Norton AntiVirus
2009-03-29 00:43 . 2009-03-29 00:46 -------- d-----w c:\users\All Users\Norton
2009-03-29 00:43 . 2009-03-29 00:46 -------- d-----w c:\progra~2\Norton
2009-03-29 00:40 . 2009-03-29 00:40 -------- d-sh--w C:\$RECYCLE.BIN
2009-03-29 00:30 . 2009-03-29 00:41 -------- d-----w c:\users\All Users\NortonInstaller
2009-03-29 00:30 . 2009-03-29 00:41 -------- d-----w c:\progra~2\NortonInstaller
2009-03-29 00:30 . 2009-03-29 00:30 -------- d-----w c:\program files\NortonInstaller
2009-03-28 05:25 . 2009-03-28 05:25 -------- d-----w c:\users\Carl\AppData\Roaming\Malwarebytes
2009-03-28 05:25 . 2009-03-28 05:25 -------- d-----w c:\users\All Users\Malwarebytes
2009-03-28 05:25 . 2009-03-28 05:25 -------- d-----w c:\progra~2\Malwarebytes
2009-03-27 05:52 . 2009-03-27 05:52 -------- d-----w c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 11:13 . 2007-06-23 07:24 12978 ----a-w c:\users\Carl\AppData\Roaming\nvModes.dat
2009-04-23 09:06 . 2007-07-02 12:08 1356 ----a-w c:\users\Carl\AppData\Local\d3d9caps.dat
2009-04-21 13:56 . 2007-02-26 23:40 -------- d-----w c:\program files\Java
2009-04-18 05:26 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-18 05:05 . 2007-02-27 00:44 -------- d-----w c:\progra~2\Microsoft Help
2009-04-12 00:35 . 2008-12-17 07:30 -------- d-----w c:\progra~2\Lx_cats
2009-04-11 06:28 . 2007-07-03 06:45 -------- d-----w c:\program files\Common Files\Apple
2009-04-09 21:51 . 2009-04-09 21:51 271455 ----a-w c:\users\All Users\SPL3E76.tmp
2009-04-09 21:51 . 2009-04-09 21:51 271455 ----a-w c:\progra~2\SPL3E76.tmp
2009-04-08 11:49 . 2008-06-03 02:49 -------- d-----w c:\users\Carl\AppData\Roaming\LimeWire
2009-04-07 11:03 . 2007-06-23 05:45 121112 ----a-w c:\users\Carl\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-07 10:51 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-07 10:51 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-07 10:51 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-04-07 10:50 . 2009-01-23 12:23 -------- d-----w c:\program files\Common Files\Nokia
2009-04-01 21:33 . 2009-04-01 21:33 249997 ----a-w c:\users\All Users\SPLE44.tmp
2009-04-01 21:33 . 2009-04-01 21:33 249997 ----a-w c:\progra~2\SPLE44.tmp
2009-03-29 06:47 . 2008-08-13 09:00 -------- d-----w c:\progra~2\Symantec
2009-03-29 00:52 . 2007-06-23 06:00 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 08:37 . 2007-08-23 00:59 -------- d-----w c:\program files\Google
2009-03-27 23:19 . 2009-03-27 23:19 84654 ----a-w c:\users\All Users\SPL47F7.tmp
2009-03-27 23:19 . 2009-03-27 23:19 84654 ----a-w c:\progra~2\SPL47F7.tmp
2009-03-27 23:03 . 2009-03-27 23:03 84654 ----a-w c:\users\All Users\SPLB0DB.tmp
2009-03-27 23:03 . 2009-03-27 23:03 84654 ----a-w c:\progra~2\SPLB0DB.tmp
2009-03-20 07:00 . 2009-03-20 07:00 -------- d-----w c:\program files\Common Files\supportsoft
2009-03-20 06:58 . 2009-03-20 06:53 -------- d-----w c:\progra~2\Intuit
2009-03-20 06:55 . 2009-03-20 06:53 -------- d-----w c:\program files\Common Files\Intuit
2009-03-20 06:54 . 2009-03-20 06:54 -------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-03-20 06:53 . 2009-03-20 06:53 -------- d-----w c:\program files\Intuit
2009-03-20 06:51 . 2009-03-20 06:51 -------- d-----w c:\progra~2\COMMON FILES
2009-03-19 06:18 . 2008-12-07 22:59 -------- d-----w c:\program files\PeerGuardian2
2009-03-19 05:32 . 2007-09-03 01:52 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-17 03:38 . 2009-04-18 04:13 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 02:23 . 2007-02-26 22:31 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-17 01:44 . 2007-07-19 04:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-16 17:48 . 2007-06-24 01:01 -------- d-----w c:\program files\Common Files\Adobe
2009-03-14 00:53 . 2009-03-14 00:53 -------- d-----w c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 00:49 . 2009-03-14 00:48 -------- d-----w c:\program files\QuickTime
2009-03-08 23:18 . 2007-06-27 04:26 -------- d-----w c:\program files\Call of Duty Game of the Year Edition
2009-03-08 19:19 . 2008-12-13 14:11 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-08 11:34 . 2009-03-31 07:22 914944 ----a-w c:\windows\System32\wininet.dll
2009-03-08 11:34 . 2009-03-31 07:22 43008 ----a-w c:\windows\System32\licmgr10.dll
2009-03-08 11:33 . 2009-03-31 07:22 18944 ----a-w c:\windows\System32\corpol.dll
2009-03-08 11:33 . 2009-03-31 07:22 109056 ----a-w c:\windows\System32\iesysprep.dll
2009-03-08 11:33 . 2009-03-31 07:22 109568 ----a-w c:\windows\System32\PDMSetup.exe
2009-03-08 11:33 . 2009-03-31 07:22 132608 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-08 11:33 . 2009-03-31 07:22 107520 ----a-w c:\windows\System32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-03-31 07:22 107008 ----a-w c:\windows\System32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-03-31 07:22 103936 ----a-w c:\windows\System32\SetDepNx.exe
2009-03-08 11:33 . 2009-03-31 07:22 420352 ----a-w c:\windows\System32\vbscript.dll
2009-03-08 11:32 . 2009-03-31 07:22 72704 ----a-w c:\windows\System32\admparse.dll
2009-03-08 11:32 . 2009-03-31 07:22 71680 ----a-w c:\windows\System32\iesetup.dll
2009-03-08 11:32 . 2009-03-31 07:22 66560 ----a-w c:\windows\System32\wextract.exe
2009-03-08 11:32 . 2009-03-31 07:22 169472 ----a-w c:\windows\System32\iexpress.exe
2009-03-08 11:31 . 2009-03-31 07:22 34816 ----a-w c:\windows\System32\imgutil.dll
2009-03-08 11:31 . 2009-03-31 07:22 48128 ----a-w c:\windows\System32\mshtmler.dll
2009-03-08 11:31 . 2009-03-31 07:22 45568 ----a-w c:\windows\System32\mshta.exe
2009-03-08 11:22 . 2009-03-31 07:22 156160 ----a-w c:\windows\System32\msls31.dll
2009-03-04 10:51 . 2007-09-07 07:20 -------- d-----w c:\program files\DOOM 3
2009-03-04 00:56 . 2007-07-05 11:05 -------- d-----w c:\program files\Brownie
2009-03-04 00:56 . 2008-12-17 07:16 -------- d-----w c:\program files\Abbyy FineReader 6.0 Sprint
2009-03-04 00:55 . 2007-07-19 04:20 -------- d-----w c:\progra~2\Spybot - Search & Destroy
2009-03-04 00:55 . 2009-01-20 13:00 -------- d-----w c:\program files\PC Connectivity Solution
2009-03-04 00:55 . 2007-06-23 05:39 -------- d-----w c:\program files\Protector Suite QL
2009-03-04 00:55 . 2007-02-27 00:48 -------- d-----w c:\program files\Microsoft Works
2009-03-01 11:55 . 2008-11-20 07:11 -------- d-----w c:\users\Carl\AppData\Roaming\FrostWire
2009-02-09 03:10 . 2009-03-11 04:07 2033152 ----a-w c:\windows\System32\win32k.sys
2008-12-29 08:08 . 2008-12-29 08:08 34056 ----a-w c:\users\All Users\SPL1C47.tmp
2008-12-29 08:08 . 2008-12-29 08:08 34056 ----a-w c:\progra~2\SPL1C47.tmp
2008-12-29 08:06 . 2008-12-29 08:06 34056 ----a-w c:\users\All Users\SPL273.tmp
2008-12-29 08:06 . 2008-12-29 08:06 34056 ----a-w c:\progra~2\SPL273.tmp
2008-12-29 06:52 . 2008-12-29 06:52 129662 ----a-w c:\users\All Users\SPLA4C6.tmp
2008-12-29 06:52 . 2008-12-29 06:52 129662 ----a-w c:\progra~2\SPLA4C6.tmp
2008-12-28 22:37 . 2008-12-28 22:37 129662 ----a-w c:\users\All Users\SPL26E4.tmp
2008-12-28 22:37 . 2008-12-28 22:37 129662 ----a-w c:\progra~2\SPL26E4.tmp
2008-12-28 22:35 . 2008-12-28 22:35 129662 ----a-w c:\users\All Users\SPL9E9A.tmp
2008-12-28 22:35 . 2008-12-28 22:35 129662 ----a-w c:\progra~2\SPL9E9A.tmp
2008-05-27 04:35 . 2007-11-25 21:52 22328 ----a-w c:\users\Carl\AppData\Roaming\PnkBstrK.sys
2008-05-24 01:55 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-11-25 22:02 . 2007-11-25 22:02 92 ----a-w c:\users\Carl\AppData\Local\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-24_10.28.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-02-26 21:31 . 2009-04-24 22:38 78690 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2007-02-26 21:31 . 2009-04-24 10:29 78690 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-04-24 22:38 78110 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-06-23 05:46 . 2009-04-24 22:38 22322 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1882435643-3835081554-1223697280-1000_UserData.bin
- 2007-06-23 20:58 . 2009-04-24 10:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-23 20:58 . 2009-04-24 22:52 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-23 20:58 . 2009-04-24 10:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-06-23 20:58 . 2009-04-24 22:52 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-24 22:49 . 2009-04-24 22:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-24 22:49 . 2009-04-24 22:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2007-06-23 21:32 . 2009-04-24 11:13 316180 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2007-06-23 20:58 . 2009-04-24 22:52 245760 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-23 20:58 . 2009-04-24 10:28 245760 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 12:47 . 2009-04-24 22:53 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2006-11-02 12:47 . 2009-04-24 10:28 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2006-11-02 12:47 . 2009-04-24 10:28 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2006-11-02 12:47 . 2009-04-24 22:53 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-11-28 01:36 . 2009-04-24 10:15 2332936 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-11-28 01:36 . 2009-04-24 22:48 2332936 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\kbdhe2d0]
@="{C2F2E748-E7D6-0E58-35E0-D780ABE07D4C}"
[HKEY_CLASSES_ROOT\CLSID\{C2F2E748-E7D6-0E58-35E0-D780ABE07D4C}]
2006-11-02 09:39 126976 ----a-w c:\windows\system32\KBDHE2D0.dIl

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-11-14 02:22 3186440 ----a-w c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-11-14 02:22 3186440 ----a-w c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-02-13 405504]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-01-19 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 534648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-19 1316136]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2006-08-25 724992]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-26 204800]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-11-14 49416]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2007-12-17 660136]
"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2007-12-17 16040]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-12-17 320168]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-13 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-13 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-13 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-01-18 4349952]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-2-2 2756608]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-8-16 118784]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-30 969792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-11-14 02:07 96008 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{22EFF41D-631D-40C9-989D-2712EF8D50A0}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= UDP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"UDP Query User{DAF6DF97-1477-4D7D-A48F-B853C976638A}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= TCP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"TCP Query User{F8658306-F07E-42BB-B00A-8D25053DA4E4}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{B08A1C9C-5466-4A99-83B5-B29606D574E9}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"TCP Query User{C262F8E5-9AD3-4FA5-81D3-D7AAA951F14A}c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"= UDP:c:\windows\system32\spool\drivers\w32x86\3\lxdnpswx.exe:Printer Status Window Interface
"UDP Query User{FBA97FCB-AE9B-4A09-A619-C3C842206897}c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"= TCP:c:\windows\system32\spool\drivers\w32x86\3\lxdnpswx.exe:Printer Status Window Interface
"TCP Query User{078EFE2F-F6A8-483B-BCEF-C6CC64A586B6}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= UDP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"UDP Query User{73C9C2C1-6022-49E7-810A-F7C36548FB22}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= TCP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"TCP Query User{596CF229-D0B6-4322-A74C-EB5EC1A616A2}c:\\users\\carl\\appdata\\local\\temp\\lmi6c0c.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi6c0c.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{D8F09C2A-6EAD-4CE8-9D25-25ABE7EED859}c:\\users\\carl\\appdata\\local\\temp\\lmi6c0c.tmp\\lmi_rescue.exe"= TCP:c:\users\carl\appdata\local\temp\lmi6c0c.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{56EF1469-FCC7-4931-AF1A-BD2C1B92B8F1}c:\\users\\temp\\appdata\\local\\temp\\lmic5b0.tmp\\lmi_rescue.exe"= UDP:c:\users\temp\appdata\local\temp\lmic5b0.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{580923D4-ED9E-467C-9FEA-989B9276ED30}c:\\users\\temp\\appdata\\local\\temp\\lmic5b0.tmp\\lmi_rescue.exe"= TCP:c:\users\temp\appdata\local\temp\lmic5b0.tmp\lmi_rescue.exe:LogMeIn Rescue
"{C33BE070-A998-41CB-BACE-8C60A8A0EF51}"= UDP:c:\users\TEMP\AppData\Local\Temp\7zSCFB.tmp\SymNRT.exe:Norton Removal Tool
"{FA88B3A9-6139-42D9-B7A6-04C37DA5C339}"= TCP:c:\users\TEMP\AppData\Local\Temp\7zSCFB.tmp\SymNRT.exe:Norton Removal Tool
"TCP Query User{80264584-7F58-4ABF-B9C5-320A685B756C}c:\\users\\carl\\appdata\\local\\temp\\lmi83f0.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi83f0.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{4C564DC5-23E1-4372-80F8-01975EC8EBE0}c:\\users\\carl\\appdata\\local\\temp\\lmi83f0.tmp\\lmi_rescue.exe"= TCP:c:\users\carl\appdata\local\temp\lmi83f0.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{868DF9FD-4144-4420-9CA6-3407D74B657B}c:\\users\\carl\\appdata\\local\\temp\\lmi67c9.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi67c9.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{79930D5F-60F2-44F1-BE6A-3E4DFF4EA24D}c:\\users\\carl\\appdata\\local\\temp\\lmi67c9.tmp\\lmi_rescue.exe"= TCP:c:\users\carl\appdata\local\temp\lmi67c9.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{0983364B-1583-4A6B-8C0D-D7691316EEA4}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{4554DACF-6B06-4781-B56E-9B463BF38268}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"TCP Query User{712C9F86-FB44-4CDB-AE61-5E61471A71AD}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{AF6CD684-2B19-4C66-A844-DF67C48C555C}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{E5C44461-D1BC-4DD4-9BCE-97B59B2131F6}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B8349452-B959-44E6-B871-956E454EB8DC}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{225DADB3-12AE-4BDB-A386-A027B6F633F5}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1941303B-DA35-4EBB-9A9E-A3DCAE43B1B9}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{3366980F-648C-4DE1-AC9F-1890073D4019}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E66F7B7A-9FCD-416C-A009-9329CCFD157C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F79F2373-27D2-4239-B302-D9034484898B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0DA2CFD5-C10A-4F09-A2EF-553FC6DDF668}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe [2007-12-05 98984]
R3 MBAMSwissArmy;MBAMSwissArmy; [x]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\DRIVERS\NETGEARUCOMP.sys [2006-08-17 11648]
R3 TpChoice;Touch Pad Detection Filter driver; [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SYMEFA.SYS [2009-03-29 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-29 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\ccHPx86.sys [2009-03-29 482352]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090414.001\IDSvix86.sys [2009-03-29 292912]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2007-12-05 594600]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-29 115560]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-29 101936]
S3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\DRIVERS\NETGEARUHOST.sys [2006-08-17 10752]
S3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\DRIVERS\NETGEARUHUB.sys [2006-08-17 37120]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\NAV\1005000.086\SYMNDISV.SYS [2009-03-29 39984]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55f7c04d-a50f-11dc-b9b1-0016d4f956e8}]
\shell\1\Command - RUNAUT~1\autorun.pif
\shell\2\Command - RUNAUT~1\autorun.pif
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 08:53
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(888)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infql2.dll

- - - - - - - > 'Explorer.exe'(5624)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infql2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\audiodg.exe
c:\program files\Protector Suite QL\upeksvr.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\windows\System32\rundll32.exe
c:\program files\Lexmark 2600 Series\lxdnmsdmon.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\tosBtProc.exe
.
**************************************************************************
.
Completion time: 2009-04-24 8:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 22:56
ComboFix2.txt 2009-04-24 10:35

Pre-Run: 123,795,996,672 bytes free
Post-Run: 123,721,744,384 bytes free

369 --- E O F --- 2009-04-23 19:00
 
Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
c:\windows\system32\winsetup66.exe
c:\windows\system32\winsetup63.exe

Folder::
c:\users\Carl\AppData\Roaming\FrostWire

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55f7c04d-a50f-11dc-b9b1-0016d4f956e8}]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.
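An added example, not from the thread or from ComboFix's authors: a small Python checker that parses a CFScript like the one above and the ComboFix log that comes back, confirming each File:: and Folder:: entry appears under "Other Deletions" and that the Registry:: key is no longer reported. The script text and log excerpt are constructed from the entries posted above; the banner and section layout are assumed from the log as posted, and the registry check (key line absent from the post-run log) is a heuristic of this example, since the log does not list key deletions.

```python
import re
from typing import Dict, List

# Constructed sample CFScript, modelled on the one posted in the thread.
CFSCRIPT = r"""File::
c:\windows\system32\winsetup66.exe
c:\windows\system32\winsetup63.exe

Folder::
c:\users\Carl\AppData\Roaming\FrostWire

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55f7c04d-a50f-11dc-b9b1-0016d4f956e8}]
"""

# Constructed, abridged excerpt of the ComboFix log that came back after the script ran.
COMBOFIX_LOG = r"""ComboFix 09-04-25.A1 - Carl 25/04/2009 22:51.2 - NTFSx86
Command switches used :: c:\users\Carl\Desktop\CFScript.txt
.
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
c:\users\Carl\AppData\Roaming\FrostWire
c:\users\Carl\AppData\Roaming\FrostWire\downloads.dat
c:\windows\system32\winsetup63.exe
c:\windows\system32\winsetup66.exe
.
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # CFScript section header, e.g. "File::"
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")    # ComboFix banner "((( Title )))"


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [entries]}; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def log_section(log: str, title: str) -> List[str]:
    """Non-empty lines of the ComboFix log section whose banner contains `title`."""
    lines: List[str] = []
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            inside = title.lower() in banner.group(1).lower()
            continue
        if inside and line and line != ".":
            lines.append(line)
    return lines


def verify_deletions(script: Dict[str, List[str]], log: str) -> Dict[str, List[str]]:
    """File::/Folder:: entries must appear under "Other Deletions" (a folder counts
    if it or anything beneath it is listed); a Registry:: key counts as confirmed
    when no "[HKEY...]" key line for it remains anywhere in the post-run log."""
    deleted = {p.lower() for p in log_section(log, "Other Deletions")}
    key_lines = {ln.strip().lower() for ln in log.splitlines() if ln.strip().startswith("[")}
    confirmed, missing = [], []
    for path in script.get("File", []):
        (confirmed if path.lower() in deleted else missing).append(path)
    for folder in script.get("Folder", []):
        prefix = folder.lower().rstrip("\\")
        hit = any(d == prefix or d.startswith(prefix + "\\") for d in deleted)
        (confirmed if hit else missing).append(folder)
    for entry in script.get("Registry", []):
        # "[-KEY]" is the delete-key form; strip the brackets and the leading dash.
        key = "[" + entry.strip("[]").lstrip("-").lower() + "]"
        (missing if key in key_lines else confirmed).append(entry)
    return {"confirmed": confirmed, "missing": missing}


if __name__ == "__main__":
    for status, entries in verify_deletions(parse_cfscript(CFSCRIPT), COMBOFIX_LOG).items():
        for entry in entries:
            print(f"{status:9s} {entry}")
```

Anything that lands in "missing" is an entry the log does not confirm, which is exactly the case where the helper asks for another log rather than assuming the cleanup took.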
 
ComboFix offered a newer version of itself, then ran OK.
Here is the log:

ComboFix 09-04-25.A1 - Carl 25/04/2009 22:51.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2045.1102 [GMT 10:00]
Running from: c:\users\Carl\Desktop\ComboFix.exe
Command switches used :: c:\users\Carl\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\winsetup63.exe
c:\windows\system32\winsetup66.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Carl\AppData\Roaming\FrostWire
c:\users\Carl\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
c:\users\Carl\AppData\Roaming\FrostWire\checkandupdate.txt
c:\users\Carl\AppData\Roaming\FrostWire\createtimes.cache
c:\users\Carl\AppData\Roaming\FrostWire\downloads.dat
c:\users\Carl\AppData\Roaming\FrostWire\fileurns.bak
c:\users\Carl\AppData\Roaming\FrostWire\fileurns.cache
c:\users\Carl\AppData\Roaming\FrostWire\filters.props
c:\users\Carl\AppData\Roaming\FrostWire\frostwire.props
c:\users\Carl\AppData\Roaming\FrostWire\gnutella.net
c:\users\Carl\AppData\Roaming\FrostWire\installation.props
c:\users\Carl\AppData\Roaming\FrostWire\intent.props
c:\users\Carl\AppData\Roaming\FrostWire\library.dat
c:\users\Carl\AppData\Roaming\FrostWire\mojito.props
c:\users\Carl\AppData\Roaming\FrostWire\questions.props
c:\users\Carl\AppData\Roaming\FrostWire\responses.cache
c:\users\Carl\AppData\Roaming\FrostWire\simpp.xml
c:\users\Carl\AppData\Roaming\FrostWire\spam.dat
c:\users\Carl\AppData\Roaming\FrostWire\tables.props
c:\users\Carl\AppData\Roaming\FrostWire\themes\frostwirePro_theme.fwtp
c:\users\Carl\AppData\Roaming\FrostWire\themes\frostwirePro_theme\theme.txt
c:\users\Carl\AppData\Roaming\FrostWire\themes\frostwirePro_theme\version.txt
c:\users\Carl\AppData\Roaming\FrostWire\ttrees.cache
c:\users\Carl\AppData\Roaming\FrostWire\ttroot.cache
c:\users\Carl\AppData\Roaming\FrostWire\version.xml
c:\users\Carl\AppData\Roaming\FrostWire\xml\data\audio.sxml2
c:\users\Carl\AppData\Roaming\FrostWire\xml\data\image.sxml2
c:\users\Carl\AppData\Roaming\FrostWire\xml\data\video.sxml2
c:\windows\system32\winsetup63.exe
c:\windows\system32\winsetup66.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-24 10:12 . 2009-04-24 10:12 2999256 ----a-r C:\ComboFix.exe
2009-04-23 08:19 . 2009-04-23 09:25 -------- d-----w C:\Rooter$
2009-04-18 05:07 . 2009-04-18 05:07 118 ----a-w c:\windows\system32\MRT.INI
2009-04-18 05:01 . 2009-04-18 05:01 -------- d-sh--w c:\windows\system32\%APPDATA%
2009-04-18 04:23 . 2009-04-18 04:24 -------- d-----w C:\rsit
2009-04-18 04:15 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-18 04:15 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-18 04:15 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-18 04:15 . 2009-03-03 04:46 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-18 04:15 . 2009-03-03 04:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-04-18 04:15 . 2009-03-03 04:46 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-18 04:15 . 2009-03-03 04:39 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-04-18 04:15 . 2009-03-03 04:39 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-04-18 04:15 . 2009-03-03 04:37 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-04-18 04:15 . 2009-03-03 03:04 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-04-18 04:14 . 2009-03-03 04:37 54784 ----a-w c:\windows\system32\iasads.dll
2009-04-18 04:14 . 2009-03-03 04:37 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-04-18 04:14 . 2009-03-03 02:38 17408 ----a-w c:\windows\system32\iashost.exe
2009-04-18 04:13 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-18 04:13 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-18 04:13 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-18 04:13 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
2009-04-12 03:03 . 2009-04-12 03:03 -------- d-----w c:\program files\Trend Micro
2009-04-11 06:29 . 2009-03-19 06:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-11 06:29 . 2008-04-17 02:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\program files\iPod
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\users\All Users\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 06:28 . 2009-04-11 06:28 -------- d-----w c:\program files\iTunes
2009-04-11 06:26 . 2009-04-11 06:26 -------- d-----w c:\program files\Bonjour
2009-04-08 13:03 . 2009-04-08 13:03 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-08 13:00 . 2009-04-08 13:00 -------- d-----w c:\users\Carl\AppData\Roaming\InstallShield
2009-03-31 11:45 . 2009-03-31 12:57 66 ----a-w c:\windows\system32\waverspw.dat
2009-03-31 11:45 . 2009-03-31 12:57 66 ----a-w c:\windows\system32\pcadg.dat
2009-03-31 11:45 . 2009-03-31 12:57 66 ----a-w c:\windows\system32\ogldrcsg.dat
2009-03-31 11:45 . 2009-03-31 11:45 153 ----a-w c:\windows\system32\KBDHE2D0.dat
2009-03-31 11:45 . 2009-03-31 11:45 0 ----a-w c:\windows\system32\psbape.dat
2009-03-31 11:45 . 2009-03-31 11:45 139264 ----a-w c:\windows\system32\mfr532.exe
2009-03-29 00:45 . 2009-03-29 00:44 25136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-03-29 00:45 . 2009-03-29 00:45 -------- d-----w c:\program files\Symantec
2009-03-29 00:45 . 2009-03-29 00:45 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-29 00:45 . 2009-03-29 00:45 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-29 00:45 . 2009-03-29 00:45 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-29 00:44 . 2009-03-29 00:44 -------- d-----w c:\windows\system32\drivers\NAV
2009-03-29 00:43 . 2009-03-29 00:44 -------- d-----w c:\program files\Norton AntiVirus
2009-03-29 00:43 . 2009-03-29 00:46 -------- d-----w c:\users\All Users\Norton
2009-03-29 00:43 . 2009-03-29 00:46 -------- d-----w c:\programdata\Norton
2009-03-29 00:40 . 2009-03-29 00:40 -------- d-sh--w C:\$RECYCLE.BIN
2009-03-29 00:30 . 2009-03-29 00:41 -------- d-----w c:\users\All Users\NortonInstaller
2009-03-29 00:30 . 2009-03-29 00:41 -------- d-----w c:\programdata\NortonInstaller
2009-03-29 00:30 . 2009-03-29 00:30 -------- d-----w c:\program files\NortonInstaller
2009-03-28 05:25 . 2009-03-28 05:25 -------- d-----w c:\users\Carl\AppData\Roaming\Malwarebytes
2009-03-28 05:25 . 2009-03-28 05:25 -------- d-----w c:\users\All Users\Malwarebytes
2009-03-28 05:25 . 2009-03-28 05:25 -------- d-----w c:\programdata\Malwarebytes
2009-03-27 05:52 . 2009-03-27 05:52 -------- d-----w c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 12:39 . 2007-06-23 07:24 12978 ----a-w c:\users\Carl\AppData\Roaming\nvModes.dat
2009-04-23 09:06 . 2007-07-02 12:08 1356 ----a-w c:\users\Carl\AppData\Local\d3d9caps.dat
2009-04-21 13:56 . 2007-02-26 23:40 -------- d-----w c:\program files\Java
2009-04-18 05:26 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-18 05:05 . 2007-02-27 00:44 -------- d-----w c:\programdata\Microsoft Help
2009-04-12 00:35 . 2008-12-17 07:30 -------- d-----w c:\programdata\Lx_cats
2009-04-11 06:28 . 2007-07-03 06:45 -------- d-----w c:\program files\Common Files\Apple
2009-04-09 21:51 . 2009-04-09 21:51 271455 ----a-w c:\users\All Users\SPL3E76.tmp
2009-04-09 21:51 . 2009-04-09 21:51 271455 ----a-w c:\programdata\SPL3E76.tmp
2009-04-08 11:49 . 2008-06-03 02:49 -------- d-----w c:\users\Carl\AppData\Roaming\LimeWire
2009-04-07 11:03 . 2007-06-23 05:45 121112 ----a-w c:\users\Carl\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-07 10:51 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-07 10:51 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-07 10:51 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-04-07 10:50 . 2009-01-23 12:23 -------- d-----w c:\program files\Common Files\Nokia
2009-04-01 21:33 . 2009-04-01 21:33 249997 ----a-w c:\users\All Users\SPLE44.tmp
2009-04-01 21:33 . 2009-04-01 21:33 249997 ----a-w c:\programdata\SPLE44.tmp
2009-03-29 06:47 . 2008-08-13 09:00 -------- d-----w c:\programdata\Symantec
2009-03-29 00:52 . 2007-06-23 06:00 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 08:37 . 2007-08-23 00:59 -------- d-----w c:\program files\Google
2009-03-27 23:19 . 2009-03-27 23:19 84654 ----a-w c:\users\All Users\SPL47F7.tmp
2009-03-27 23:19 . 2009-03-27 23:19 84654 ----a-w c:\programdata\SPL47F7.tmp
2009-03-27 23:03 . 2009-03-27 23:03 84654 ----a-w c:\users\All Users\SPLB0DB.tmp
2009-03-27 23:03 . 2009-03-27 23:03 84654 ----a-w c:\programdata\SPLB0DB.tmp
2009-03-20 07:00 . 2009-03-20 07:00 -------- d-----w c:\program files\Common Files\supportsoft
2009-03-20 06:58 . 2009-03-20 06:53 -------- d-----w c:\programdata\Intuit
2009-03-20 06:55 . 2009-03-20 06:53 -------- d-----w c:\program files\Common Files\Intuit
2009-03-20 06:54 . 2009-03-20 06:54 -------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-03-20 06:53 . 2009-03-20 06:53 -------- d-----w c:\program files\Intuit
2009-03-20 06:51 . 2009-03-20 06:51 -------- d-----w c:\programdata\COMMON FILES
2009-03-19 06:18 . 2008-12-07 22:59 -------- d-----w c:\program files\PeerGuardian2
2009-03-19 05:32 . 2007-09-03 01:52 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-17 03:38 . 2009-04-18 04:13 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 02:23 . 2007-02-26 22:31 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-17 01:44 . 2007-07-19 04:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-16 17:48 . 2007-06-24 01:01 -------- d-----w c:\program files\Common Files\Adobe
2009-03-14 00:53 . 2009-03-14 00:53 -------- d-----w c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 00:49 . 2009-03-14 00:48 -------- d-----w c:\program files\QuickTime
2009-03-08 23:18 . 2007-06-27 04:26 -------- d-----w c:\program files\Call of Duty Game of the Year Edition
2009-03-08 19:19 . 2008-12-13 14:11 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-08 11:34 . 2009-03-31 07:22 914944 ----a-w c:\windows\System32\wininet.dll
2009-03-08 11:34 . 2009-03-31 07:22 43008 ----a-w c:\windows\System32\licmgr10.dll
2009-03-08 11:33 . 2009-03-31 07:22 18944 ----a-w c:\windows\System32\corpol.dll
2009-03-08 11:33 . 2009-03-31 07:22 109056 ----a-w c:\windows\System32\iesysprep.dll
2009-03-08 11:33 . 2009-03-31 07:22 109568 ----a-w c:\windows\System32\PDMSetup.exe
2009-03-08 11:33 . 2009-03-31 07:22 132608 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-08 11:33 . 2009-03-31 07:22 107520 ----a-w c:\windows\System32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-03-31 07:22 107008 ----a-w c:\windows\System32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-03-31 07:22 103936 ----a-w c:\windows\System32\SetDepNx.exe
2009-03-08 11:33 . 2009-03-31 07:22 420352 ----a-w c:\windows\System32\vbscript.dll
2009-03-08 11:32 . 2009-03-31 07:22 72704 ----a-w c:\windows\System32\admparse.dll
2009-03-08 11:32 . 2009-03-31 07:22 71680 ----a-w c:\windows\System32\iesetup.dll
2009-03-08 11:32 . 2009-03-31 07:22 66560 ----a-w c:\windows\System32\wextract.exe
2009-03-08 11:32 . 2009-03-31 07:22 169472 ----a-w c:\windows\System32\iexpress.exe
2009-03-08 11:31 . 2009-03-31 07:22 34816 ----a-w c:\windows\System32\imgutil.dll
2009-03-08 11:31 . 2009-03-31 07:22 48128 ----a-w c:\windows\System32\mshtmler.dll
2009-03-08 11:31 . 2009-03-31 07:22 45568 ----a-w c:\windows\System32\mshta.exe
2009-03-08 11:22 . 2009-03-31 07:22 156160 ----a-w c:\windows\System32\msls31.dll
2009-03-04 10:51 . 2007-09-07 07:20 -------- d-----w c:\program files\DOOM 3
2009-03-04 00:56 . 2007-07-05 11:05 -------- d-----w c:\program files\Brownie
2009-03-04 00:56 . 2008-12-17 07:16 -------- d-----w c:\program files\Abbyy FineReader 6.0 Sprint
2009-03-04 00:55 . 2007-07-19 04:20 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-03-04 00:55 . 2009-01-20 13:00 -------- d-----w c:\program files\PC Connectivity Solution
2009-03-04 00:55 . 2007-06-23 05:39 -------- d-----w c:\program files\Protector Suite QL
2009-03-04 00:55 . 2007-02-27 00:48 -------- d-----w c:\program files\Microsoft Works
2009-02-09 03:10 . 2009-03-11 04:07 2033152 ----a-w c:\windows\System32\win32k.sys
2008-12-29 08:08 . 2008-12-29 08:08 34056 ----a-w c:\users\All Users\SPL1C47.tmp
2008-12-29 08:08 . 2008-12-29 08:08 34056 ----a-w c:\programdata\SPL1C47.tmp
2008-12-29 08:06 . 2008-12-29 08:06 34056 ----a-w c:\users\All Users\SPL273.tmp
2008-12-29 08:06 . 2008-12-29 08:06 34056 ----a-w c:\programdata\SPL273.tmp
2008-12-29 06:52 . 2008-12-29 06:52 129662 ----a-w c:\users\All Users\SPLA4C6.tmp
2008-12-29 06:52 . 2008-12-29 06:52 129662 ----a-w c:\programdata\SPLA4C6.tmp
2008-12-28 22:37 . 2008-12-28 22:37 129662 ----a-w c:\users\All Users\SPL26E4.tmp
2008-12-28 22:37 . 2008-12-28 22:37 129662 ----a-w c:\programdata\SPL26E4.tmp
2008-12-28 22:35 . 2008-12-28 22:35 129662 ----a-w c:\users\All Users\SPL9E9A.tmp
2008-12-28 22:35 . 2008-12-28 22:35 129662 ----a-w c:\programdata\SPL9E9A.tmp
2008-05-27 04:35 . 2007-11-25 21:52 22328 ----a-w c:\users\Carl\AppData\Roaming\PnkBstrK.sys
2008-05-24 01:55 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-11-25 22:02 . 2007-11-25 22:02 92 ----a-w c:\users\Carl\AppData\Local\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-24_10.28.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-02-26 21:31 . 2009-04-25 12:30 78690 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2007-02-26 21:31 . 2009-04-24 10:29 78690 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-04-25 13:00 78158 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-06-23 05:46 . 2009-04-25 12:30 22354 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1882435643-3835081554-1223697280-1000_UserData.bin
- 2007-06-23 20:58 . 2009-04-24 10:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-23 20:58 . 2009-04-25 12:59 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-23 20:58 . 2009-04-24 10:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-06-23 20:58 . 2009-04-25 12:59 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-25 12:56 . 2009-04-25 12:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-25 12:56 . 2009-04-25 12:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2007-06-23 21:32 . 2009-04-24 11:13 316180 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 12:43 . 2007-06-23 20:52 262144 c:\windows\System32\config\systemprofile\ntuser.dat
+ 2006-11-02 12:43 . 2009-04-25 12:50 262144 c:\windows\System32\config\systemprofile\ntuser.dat
- 2009-03-31 07:33 . 2009-04-24 10:02 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-03-31 07:33 . 2009-04-25 01:11 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2007-06-23 20:58 . 2009-04-24 10:28 245760 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-23 20:58 . 2009-04-25 12:59 245760 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 12:47 . 2009-04-24 10:28 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2006-11-02 12:47 . 2009-04-25 12:59 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2006-11-02 12:47 . 2009-04-24 10:28 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2006-11-02 12:47 . 2009-04-25 12:59 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-11-28 01:36 . 2009-04-24 10:15 2332936 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-11-28 01:36 . 2009-04-25 12:55 2332936 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\kbdhe2d0]
@="{C2F2E748-E7D6-0E58-35E0-D780ABE07D4C}"
[HKEY_CLASSES_ROOT\CLSID\{C2F2E748-E7D6-0E58-35E0-D780ABE07D4C}]
2006-11-02 09:39 126976 ----a-w c:\windows\system32\KBDHE2D0.dIl

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-11-14 02:22 3186440 ----a-w c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-11-14 02:22 3186440 ----a-w c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-02-13 405504]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-01-19 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 534648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-19 1316136]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2006-08-25 724992]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-26 204800]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-11-14 49416]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2007-12-17 660136]
"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2007-12-17 16040]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-12-17 320168]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-13 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-13 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-13 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-01-18 4349952]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-2-2 2756608]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-8-16 118784]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-30 969792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-11-14 02:07 96008 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{22EFF41D-631D-40C9-989D-2712EF8D50A0}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= UDP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"UDP Query User{DAF6DF97-1477-4D7D-A48F-B853C976638A}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= TCP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"TCP Query User{F8658306-F07E-42BB-B00A-8D25053DA4E4}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{B08A1C9C-5466-4A99-83B5-B29606D574E9}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"TCP Query User{C262F8E5-9AD3-4FA5-81D3-D7AAA951F14A}c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"= UDP:c:\windows\system32\spool\drivers\w32x86\3\lxdnpswx.exe:Printer Status Window Interface
"UDP Query User{FBA97FCB-AE9B-4A09-A619-C3C842206897}c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"= TCP:c:\windows\system32\spool\drivers\w32x86\3\lxdnpswx.exe:Printer Status Window Interface
"TCP Query User{078EFE2F-F6A8-483B-BCEF-C6CC64A586B6}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= UDP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"UDP Query User{73C9C2C1-6022-49E7-810A-F7C36548FB22}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= TCP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"TCP Query User{596CF229-D0B6-4322-A74C-EB5EC1A616A2}c:\\users\\carl\\appdata\\local\\temp\\lmi6c0c.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi6c0c.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{D8F09C2A-6EAD-4CE8-9D25-25ABE7EED859}c:\\users\\carl\\appdata\\local\\temp\\lmi6c0c.tmp\\lmi_rescue.exe"= TCP:c:\users\carl\appdata\local\temp\lmi6c0c.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{56EF1469-FCC7-4931-AF1A-BD2C1B92B8F1}c:\\users\\temp\\appdata\\local\\temp\\lmic5b0.tmp\\lmi_rescue.exe"= UDP:c:\users\temp\appdata\local\temp\lmic5b0.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{580923D4-ED9E-467C-9FEA-989B9276ED30}c:\\users\\temp\\appdata\\local\\temp\\lmic5b0.tmp\\lmi_rescue.exe"= TCP:c:\users\temp\appdata\local\temp\lmic5b0.tmp\lmi_rescue.exe:LogMeIn Rescue
"{C33BE070-A998-41CB-BACE-8C60A8A0EF51}"= UDP:c:\users\TEMP\AppData\Local\Temp\7zSCFB.tmp\SymNRT.exe:Norton Removal Tool
"{FA88B3A9-6139-42D9-B7A6-04C37DA5C339}"= TCP:c:\users\TEMP\AppData\Local\Temp\7zSCFB.tmp\SymNRT.exe:Norton Removal Tool
"TCP Query User{80264584-7F58-4ABF-B9C5-320A685B756C}c:\\users\\carl\\appdata\\local\\temp\\lmi83f0.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi83f0.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{4C564DC5-23E1-4372-80F8-01975EC8EBE0}c:\\users\\carl\\appdata\\local\\temp\\lmi83f0.tmp\\lmi_rescue.exe"= TCP:c:\users\carl\appdata\local\temp\lmi83f0.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{868DF9FD-4144-4420-9CA6-3407D74B657B}c:\\users\\carl\\appdata\\local\\temp\\lmi67c9.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi67c9.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{79930D5F-60F2-44F1-BE6A-3E4DFF4EA24D}c:\\users\\carl\\appdata\\local\\temp\\lmi67c9.tmp\\lmi_rescue.exe"= TCP:c:\users\carl\appdata\local\temp\lmi67c9.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{0983364B-1583-4A6B-8C0D-D7691316EEA4}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{4554DACF-6B06-4781-B56E-9B463BF38268}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"TCP Query User{712C9F86-FB44-4CDB-AE61-5E61471A71AD}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{AF6CD684-2B19-4C66-A844-DF67C48C555C}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{E5C44461-D1BC-4DD4-9BCE-97B59B2131F6}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B8349452-B959-44E6-B871-956E454EB8DC}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{225DADB3-12AE-4BDB-A386-A027B6F633F5}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1941303B-DA35-4EBB-9A9E-A3DCAE43B1B9}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{3366980F-648C-4DE1-AC9F-1890073D4019}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E66F7B7A-9FCD-416C-A009-9329CCFD157C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F79F2373-27D2-4239-B302-D9034484898B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0DA2CFD5-C10A-4F09-A2EF-553FC6DDF668}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe [2007-12-05 98984]
R3 MBAMSwissArmy;MBAMSwissArmy; [x]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\DRIVERS\NETGEARUCOMP.sys [2006-08-17 11648]
R3 TpChoice;Touch Pad Detection Filter driver; [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SYMEFA.SYS [2009-03-29 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-29 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\ccHPx86.sys [2009-03-29 482352]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090420.001\IDSvix86.sys [2009-03-29 292912]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2007-12-05 594600]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-29 115560]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-29 101936]
S3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\DRIVERS\NETGEARUHOST.sys [2006-08-17 10752]
S3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\DRIVERS\NETGEARUHUB.sys [2006-08-17 37120]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\NAV\1005000.086\SYMNDISV.SYS [2009-03-29 39984]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\User_Feed_Synchronization-{339872FA-415A-41ED-B597-6C343709253E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-31 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 22:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infql2.dll

- - - - - - - > 'Explorer.exe'(4348)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infql2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\audiodg.exe
c:\program files\Protector Suite QL\upeksvr.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Lexmark 2600 Series\lxdnmsdmon.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\tosBtProc.exe
.
**************************************************************************
.
Completion time: 2009-04-25 23:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 13:05
ComboFix2.txt 2009-04-24 22:56
ComboFix3.txt 2009-04-24 10:35

Pre-Run: 123,390,238,720 bytes free
Post-Run: 123,257,839,616 bytes free

408 --- E O F --- 2009-04-23 19:00
 
And the Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:16 PM, on 25/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [lxdnamon] "C:\Program Files\Lexmark 2600 Series\lxdnamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.terrace.qld.edu.au/dwa7W.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\Windows\system32\lxdncoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7723 bytes
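Added example for triaging logs of this shape (this is not code from the thread, from ComboFix or from HijackThis). It reads the Windows Firewall authorized-application lines that ComboFix prints and the HijackThis O4 Run-key lines, works out which module actually gets loaded (a rundll32.exe entry loads the DLL named after it), and flags two things a helper would look at first: executables living under a Temp directory, and bare file names in a Run key, which are resolved through the loader search order rather than by an explicit path. The sample input is a constructed string holding a few lines copied from the logs above; the temp-directory markers and the verdict labels are this example's own choices.

```python
import re

# Constructed sample input: a handful of lines copied from the ComboFix
# firewall-exception block and the HijackThis O4 section above.
SAMPLE_LOG = r'''
"TCP Query User{596CF229-D0B6-4322-A74C-EB5EC1A616A2}c:\\users\\carl\\appdata\\local\\temp\\lmi6c0c.tmp\\lmi_rescue.exe"= UDP:c:\users\carl\appdata\local\temp\lmi6c0c.tmp\lmi_rescue.exe:LogMeIn Rescue
"{C33BE070-A998-41CB-BACE-8C60A8A0EF51}"= UDP:c:\users\TEMP\AppData\Local\Temp\7zSCFB.tmp\SymNRT.exe:Norton Removal Tool
"{F79F2373-27D2-4239-B302-D9034484898B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
'''

# ComboFix prints each firewall authorized-application entry as
#   "<rule name>"= <TCP|UDP>:<exe path>:<display name>
FIREWALL_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?P<proto>TCP|UDP):(?P<path>[A-Za-z]:[^:]*):(?P<desc>.*)$')

# HijackThis O4 Run-key line:  O4 - HKLM\..\Run: [<value name>] <command line>
HJT_O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# First module reference in a command line, quoted or not.
MODULE_RE = re.compile(r'^\s*"?(?P<path>.*?\.(?:exe|dll|com|scr))"?', re.IGNORECASE)

# Heuristic path markers chosen for this example (an assumption, not a tool convention).
TEMP_MARKERS = ('\\appdata\\local\\temp\\', '\\users\\temp\\', '\\windows\\temp\\')


def autostart_target(cmd: str) -> str:
    """Return the module a Run-key command line really loads.
    rundll32.exe is only a host process; the DLL named after it is the target."""
    m = MODULE_RE.match(cmd)
    if not m:
        return cmd.strip()
    path = m.group('path')
    if path.lower().endswith('rundll32.exe'):
        rest = cmd[m.end():].lstrip()
        m2 = MODULE_RE.match(rest)
        return m2.group('path') if m2 else rest.split(',', 1)[0].strip('"')
    return path


def classify(path: str) -> str:
    """'temp-dir'    executable lives under a Temp directory
       'unqualified' bare file name, resolved via the loader search order
       'ok'          nothing to flag from the path alone"""
    p = path.lower()
    if any(marker in p for marker in TEMP_MARKERS):
        return 'temp-dir'
    if '\\' not in p and not p.startswith('%'):
        return 'unqualified'
    return 'ok'


def triage(log_text: str) -> list:
    """Parse firewall-exception and O4 lines; return one finding dict per entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        fw = FIREWALL_RE.match(line)
        if fw:
            findings.append({'source': 'firewall', 'label': fw.group('desc'),
                             'target': fw.group('path'),
                             'verdict': classify(fw.group('path'))})
            continue
        o4 = HJT_O4_RE.match(line)
        if o4:
            target = autostart_target(o4.group('cmd'))
            findings.append({'source': 'run', 'label': o4.group('name'),
                             'target': target, 'verdict': classify(target)})
    return findings


def suspicious(log_text: str) -> list:
    """Only the entries worth a second look."""
    return [f for f in triage(log_text) if f['verdict'] != 'ok']


if __name__ == '__main__':
    for f in suspicious(SAMPLE_LOG):
        print(f"{f['verdict']:12} {f['source']:8} {f['label']!r:22} {f['target']}")
```

A hit here is a prompt, not a verdict: LogMeIn Rescue and the Norton Removal Tool are legitimate tools that do run out of Temp, and a firewall exception can outlive the file it pointed at, so the follow-up is to check whether the target still exists and whether it is signed by whom it claims, which this offline script does not do.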
 
Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select "Run as administrator" to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
 
Ran Kaspersky twice.
There was nothing on the report it created.
I hope this is good.
Below is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:12 AM, on 27/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\NETGEAR\PS121v2\PS121v2.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [lxdnamon] "C:\Program Files\Lexmark 2600 Series\lxdnamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.terrace.qld.edu.au/dwa7W.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\Windows\system32\lxdncoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8272 bytes
 