new log reports
Here is the log file for ComboFix:
ComboFix 09-07-04.02 - Rick 07/04/2009 15:12.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1861 [GMT -5:00]
Running from: c:\users\Rick\Downloads\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *disabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\1cdea.msi
c:\windows\Installer\235086b.msi
c:\windows\system32\kungsfnlpqbito.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gaopdxserv.sys
-------\Service_kungsfvoymdbqx
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.
2009-07-04 20:21 . 2009-07-04 20:24 -------- d-----w- c:\users\Rick\AppData\Local\temp
2009-07-04 08:16 . 2009-07-04 08:16 -------- d-----w- c:\program files\Trend Micro
2009-07-02 17:33 . 2009-07-02 17:33 -------- d-----w- c:\users\Rick\AppData\Roaming\Safer Networking
2009-07-02 17:32 . 2009-07-02 17:32 -------- d-----w- c:\program files\Safer Networking
2009-07-01 16:31 . 2009-07-01 16:35 -------- d-----w- c:\users\Rick\Resume & Cover
2009-06-29 06:30 . 2009-06-29 06:31 -------- d-----w- c:\program files\Stellar Phoenix Photo Recovery
2009-06-29 06:22 . 2009-06-29 06:32 -------- d-----w- c:\program files\CardRecovery
2009-06-29 03:28 . 2009-06-29 03:28 -------- d-----w- c:\program files\SoftAmbulance
2009-06-29 03:09 . 2009-06-29 03:09 746744 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-25 06:43 . 2009-06-25 06:43 29352 ----a-w- c:\programdata\Microsoft\OC\Channels\ch2\HTML\item_templ\common\fixes\HASFix058456.dll
2009-06-25 06:43 . 2009-06-25 06:43 23720 ----a-w- c:\programdata\Microsoft\OC\Channels\ch2\HTML\item_templ\common\fixes\HelpAndSupport_TestContent.dll
2009-06-25 06:43 . 2009-06-25 06:43 23056 ----a-w- c:\programdata\Microsoft\OC\Channels\ch2\HTML\item_templ\common\fixes\HASFix101001.dll
2009-06-25 06:43 . 2009-06-25 06:43 221208 ----a-w- c:\programdata\Microsoft\OC\Channels\ch2\HTML\item_templ\common\fixes\HelpAndSupportCommon.dll
2009-06-25 06:43 . 2009-06-25 06:43 21160 ----a-w- c:\programdata\Microsoft\OC\Channels\ch2\HTML\item_templ\common\fixes\HASFix056479.dll
2009-06-25 06:43 . 2009-06-25 06:43 110248 ----a-w- c:\programdata\Microsoft\OC\Channels\ch2\HTML\item_templ\common\fixes\HelpAndSupportInterface.dll
2009-06-25 06:18 . 2007-11-28 03:44 37440 ----a-w- c:\windows\system32\drivers\msfwhlpr.sys
2009-06-25 06:18 . 2007-11-28 03:45 91200 ----a-w- c:\windows\system32\drivers\msfwdrv.sys
2009-06-25 06:18 . 2009-06-25 06:18 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-06-25 06:17 . 2008-05-15 21:15 53168 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2009-06-25 06:12 . 2009-07-04 19:26 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-24 23:24 . 2009-06-24 23:24 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-18 23:44 . 2009-06-18 23:48 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-06-18 23:44 . 2009-06-18 23:48 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-06-18 23:43 . 2009-06-18 23:48 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-06-18 23:43 . 2009-06-18 23:43 -------- d-----w- c:\windows\Replay Media Catcher
2009-06-18 23:33 . 2009-06-19 02:43 -------- d-----w- c:\users\Rick\AppData\Local\FLVService
2009-06-18 23:33 . 2009-06-18 23:33 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-06-18 23:33 . 2009-06-19 02:48 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-06-18 11:26 . 2009-06-18 11:28 -------- d-----w- c:\users\Rick\AppData\Roaming\Windows Live Writer
2009-06-18 11:26 . 2009-06-18 11:27 -------- d-----w- c:\users\Rick\AppData\Local\Windows Live Writer
2009-06-17 20:57 . 2009-06-17 20:57 -------- d-----w- c:\users\Rick\AppData\Roaming\acccore
2009-06-17 20:50 . 2009-06-17 20:50 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-06-14 03:56 . 2009-06-14 03:56 -------- d-----w- C:\Windows Sidebar
2009-06-14 03:50 . 2009-06-14 03:50 36864 ----a-w- c:\programdata\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
2009-06-14 03:47 . 2009-06-14 03:47 10134 ----a-r- c:\users\Rick\AppData\Roaming\Microsoft\Installer\{FE250486-0A4C-9689-FDCD-D8C82EDE989E}\ARPPRODUCTICON.exe
2009-06-14 02:24 . 2009-06-14 02:24 -------- d-----w- c:\programdata\ATI
2009-06-13 23:08 . 2009-06-13 23:08 -------- d-----w- c:\program files\DIFX
2009-06-13 23:03 . 2009-06-13 23:03 -------- d-----w- c:\windows\system32\SRSLabs
2009-06-13 23:02 . 2008-09-11 16:54 389120 ----a-w- c:\windows\system32\drivers\stwrt.sys
2009-06-13 23:02 . 2008-09-11 16:54 404480 ----a-w- c:\windows\system32\stcplx.dll
2009-06-13 23:02 . 2008-09-11 16:50 427008 ----a-w- c:\windows\system32\stapi32.dll
2009-06-11 16:41 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 16:41 . 2009-06-11 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 16:41 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 15:26 . 2009-06-11 15:27 -------- d-----w- c:\windows\system32\ca-ES
2009-06-11 15:26 . 2009-06-11 15:27 -------- d-----w- c:\windows\system32\eu-ES
2009-06-11 15:26 . 2009-06-11 15:27 -------- d-----w- c:\windows\system32\vi-VN
2009-06-11 12:51 . 2009-06-11 12:51 -------- d-----w- c:\users\Rick\AppData\Roaming\gtk-2.0
2009-06-11 12:48 . 2009-06-11 12:51 -------- d-----w- c:\users\Rick\.gimp-2.6
2009-06-11 12:48 . 2009-06-11 12:48 -------- d-----w- c:\users\Rick\.gegl-0.0
2009-06-07 03:43 . 2009-06-07 03:48 -------- d-----w- C:\OneCareSupportData
2009-06-05 16:35 . 2008-06-19 22:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-05 16:35 . 2009-06-05 16:35 -------- d-----w- c:\program files\Panda Security
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 19:40 . 2008-08-14 19:53 -------- d-----w- c:\program files\Viewpoint
2009-06-29 03:30 . 2009-06-29 03:30 562 ----a-w- c:\program files\SoftAmbulance - Shortcut.lnk
2009-06-18 13:07 . 2008-08-14 23:39 -------- d-----w- c:\program files\Google
2009-06-17 20:59 . 2008-08-14 19:52 -------- d-----w- c:\program files\Common Files\AOL
2009-06-17 20:51 . 2008-08-14 19:52 -------- d-----w- c:\programdata\AOL OCP
2009-06-17 20:50 . 2008-08-14 19:53 -------- d-----w- c:\programdata\Viewpoint
2009-06-16 03:27 . 2008-08-17 01:15 -------- d-----w- c:\program files\Picasa2
2009-06-14 03:51 . 2008-05-23 02:39 -------- d-----w- c:\program files\CyberLink
2009-06-13 23:20 . 2008-06-20 09:50 -------- d-----w- c:\program files\ATI Technologies
2009-06-13 23:04 . 2008-06-20 09:56 -------- d-----w- c:\program files\IDT
2009-06-12 01:58 . 2009-06-02 22:11 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-11 15:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-11 15:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-11 15:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-11 15:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-11 15:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-11 15:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-11 15:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-11 15:26 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-11 14:36 . 2008-05-23 02:31 -------- d-----w- c:\programdata\Microsoft Help
2009-06-07 03:48 . 2009-06-03 15:26 2715800 ----a-w- C:\OneCareSupportData.zip
2009-06-03 15:53 . 2009-06-03 15:53 -------- d-----w- c:\program files\Microsoft Easy Assist
2009-06-03 15:52 . 2009-06-03 15:52 -------- d-----w- c:\programdata\Applications
2009-06-03 13:23 . 2009-06-03 13:23 -------- d-----w- c:\users\Rick\AppData\Roaming\Malwarebytes
2009-06-03 13:23 . 2009-06-03 13:23 -------- d-----w- c:\programdata\Malwarebytes
2009-06-02 14:01 . 2009-06-02 14:01 -------- d-----w- c:\users\Rick\AppData\Roaming\Apple Computer
2009-06-02 13:15 . 2008-05-23 01:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-02 13:15 . 2009-06-02 13:15 -------- d-----w- c:\program files\QuickTime
2009-06-02 13:15 . 2009-06-02 13:15 -------- d-----w- c:\programdata\Apple Computer
2009-06-02 13:14 . 2009-06-02 13:12 -------- d-----w- c:\program files\Kodak
2009-06-02 13:13 . 2009-06-02 13:13 -------- d-----w- c:\program files\Common Files\Kodak
2009-06-02 13:12 . 2009-06-02 13:12 77824 ----a-w- c:\programdata\Kodak\EasyShareSetup\ESS\bindbins\BindBins.exe
2009-06-02 13:12 . 2009-06-02 13:12 14813832 ----a-w- c:\programdata\Kodak\EasyShareSetup\bonjour\BonjourSetup.exe
2009-06-02 13:12 . 2009-06-02 13:12 21249848 ----a-w- c:\programdata\Kodak\EasyShareSetup\QUICK\QuickTimeInstaller.exe
2009-06-02 13:12 . 2009-06-02 13:12 102400 ----a-w- c:\programdata\Kodak\EasyShareSetup\QUICK\procheck.exe
2009-06-02 13:11 . 2009-06-02 13:11 69632 ----a-w- c:\programdata\Kodak\EasyShareSetup\Ksu\ksustop.exe
2009-06-02 13:11 . 2009-06-02 13:11 167936 ----a-w- c:\programdata\Kodak\EasyShareSetup\CCS\CCSStop.exe
2009-06-02 13:11 . 2009-06-02 13:11 983040 ----a-w- c:\programdata\Kodak\EasyShareSetup\$SETUP_140010_14ae777\EasyShrx.Dll
2009-06-02 13:11 . 2009-06-02 13:11 -------- d-----w- c:\programdata\Kodak
2009-06-01 16:56 . 2009-06-01 16:56 -------- d-----w- c:\programdata\WindowsSearch
2009-05-15 21:19 . 2009-05-15 21:19 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-05-15 00:42 . 2009-01-21 01:54 -------- d-----w- c:\program files\VS Revo Group
2009-05-15 00:42 . 2008-05-23 02:08 -------- d-----w- c:\program files\Microsoft Works
2009-05-15 00:36 . 2008-10-25 22:35 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-05-15 00:36 . 2008-08-14 23:56 -------- d-----w- c:\program files\ArcSoft
2009-05-15 00:12 . 2009-05-15 00:12 0 ----a-w- c:\windows\nsreg.dat
2009-05-14 18:46 . 2008-08-15 21:48 932 ----a-w- c:\users\Rick\AppData\Roaming\wklnhst.dat
2009-05-09 05:50 . 2009-06-11 14:30 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 14:30 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-05-01 14:19 . 2008-08-14 19:56 74872 ----a-w- c:\users\Rick\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-23 12:15 . 2009-06-11 14:30 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:14 . 2009-06-11 14:30 623616 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:39 . 2009-06-11 14:30 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-04-11 06:33 . 2009-06-02 22:14 986600 ----a-w- c:\windows\system32\winload.exe
2009-04-11 06:33 . 2009-06-02 22:14 926184 ----a-w- c:\windows\system32\winresume.exe
2009-04-11 06:33 . 2009-06-02 22:13 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2009-04-11 06:33 . 2009-06-02 22:14 897000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-04-11 06:33 . 2009-06-02 22:14 614376 ----a-w- c:\windows\system32\ci.dll
2009-04-11 06:28 . 2009-06-02 22:14 56320 ----a-w- c:\windows\system32\xmlfilter.dll
2009-04-11 06:27 . 2009-06-02 22:15 441344 ----a-w- c:\windows\system32\SearchIndexer.exe
2009-04-11 06:22 . 2009-06-02 22:13 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2009-04-11 06:21 . 2009-06-02 22:13 37376 ----a-w- c:\windows\system32\cdd.dll
2009-04-11 05:42 . 2009-06-02 22:13 93696 ----a-w- c:\windows\system32\drivers\bridge.sys
2009-04-11 05:03 . 2009-06-02 22:15 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 05:03 . 2009-06-02 22:15 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 04:57 . 2009-06-02 22:13 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-04-11 04:54 . 2009-06-02 22:13 2048 ----a-w- c:\windows\system32\mferror.dll
2009-04-11 04:51 . 2009-06-02 22:13 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-04-11 04:47 . 2009-06-02 22:13 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2009-04-11 04:46 . 2009-06-02 22:13 69120 ----a-w- c:\windows\system32\drivers\rassstp.sys
2009-04-11 04:46 . 2009-06-02 22:13 121344 ----a-w- c:\windows\system32\drivers\ndiswan.sys
2009-04-11 04:46 . 2009-06-02 22:13 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys
2009-04-11 04:46 . 2009-06-02 22:13 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2009-04-11 04:46 . 2009-06-02 22:13 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2009-04-11 04:46 . 2009-06-02 22:13 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-04-11 04:45 . 2009-06-02 22:13 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2009-04-11 04:45 . 2009-06-02 22:13 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-04-11 04:45 . 2009-06-02 22:13 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2009-04-11 04:45 . 2009-06-02 22:13 401408 ----a-w- c:\windows\system32\drivers\http.sys
2009-04-11 04:45 . 2009-06-02 22:13 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-04-11 04:45 . 2009-06-02 22:13 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2009-04-11 04:43 . 2009-06-02 22:13 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-04-11 04:43 . 2009-06-02 22:14 196096 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-04-11 04:43 . 2009-06-02 22:13 236544 ----a-w- c:\windows\system32\drivers\HdAudio.sys
2009-04-11 04:42 . 2009-06-02 22:13 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-04-11 04:42 . 2009-06-02 22:13 25856 ----a-w- c:\windows\system32\drivers\USBCAMD2.sys
2009-04-11 04:42 . 2009-06-02 22:13 25856 ----a-w- c:\windows\system32\drivers\USBCAMD.sys
2009-04-11 04:42 . 2009-06-02 22:13 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-04-11 04:42 . 2009-06-02 22:13 19456 ----a-w- c:\windows\system32\drivers\usbohci.sys
2009-04-11 04:42 . 2009-06-02 22:13 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-04-11 04:42 . 2009-06-02 22:13 12800 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-04-11 04:42 . 2009-06-02 22:13 39424 ----a-w- c:\windows\system32\drivers\hidclass.sys
2009-04-11 04:42 . 2009-06-02 22:13 52992 ----a-w- c:\windows\system32\drivers\stream.sys
2009-04-11 04:42 . 2009-06-02 22:15 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-04-11 04:39 . 2009-06-02 22:13 16384 ----a-w- c:\windows\system32\iscsilog.dll
2009-04-11 04:39 . 2009-06-02 22:13 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-04-11 04:39 . 2009-06-02 22:13 19456 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2009-04-11 04:38 . 2009-06-02 22:13 149504 ----a-w- c:\windows\system32\drivers\ks.sys
2009-04-11 04:38 . 2009-06-02 22:13 17408 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2008-01-21 02:23 . 2008-01-21 02:23 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
2008-01-21 02:23 . 2008-01-21 02:23 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6002.18005_none_f343a6944cd6fe47\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnhancedStorageShell]
@="{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
[HKEY_CLASSES_ROOT\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}]
2009-04-11 06:28 114176 ----a-w- c:\windows\System32\EhStorShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-18 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"ABBYY Community Agent"="c:\program files\ABBYY FineReader 5.0 Sprint\CAgent.exe" [2002-03-21 253952]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-11 446556]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-8-26 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"BindDirectlyToPropertySetStorage"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8d,b4,c1,b9,d3,e3,c9,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1525753058-245050413-607280189-1000]
"EnableNotificationsRef"=dword:00000004
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AFB81D35-0D10-430F-9C6F-5A7D081D905C}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{1DD3AEF4-3D94-47E5-B620-4E3A5F5E6E54}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{52F0D097-4A39-437B-96FF-F6EA98DC6ADA}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9B04CD62-979C-42C8-BC42-585DAC9D2369}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{29AAF573-F7A5-4CB7-9EAC-979E8BB1FF27}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{AAF3C5B6-5575-4B8E-B5FC-E90048F76D09}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{9C0B5F7D-ED8E-4785-BD53-D9982A916AFD}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{60C92C4F-5725-499A-8AEC-98E1E43C8EF8}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C21030C5-4084-45ED-81DA-1E5B10315E58}"= UDP:c:\users\Rick\AppData\Local\Temp\.tt5533.tmp:enable
"{5DCB435F-D78C-420C-95DA-3E5BC8DE439A}"= TCP:c:\users\Rick\AppData\Local\Temp\.tt5533.tmp:enable
"TCP Query User{5726729C-37E2-4386-8EF2-5E6E8ACF163A}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{5AF3646B-B1A6-41C6-A106-742F2898BCBD}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java(TM) Platform SE binary
"{C3A81AA2-D487-4A75-830A-21C6AEC1D7B6}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A64A11ED-CA29-4E38-BB0E-9743A1412DB9}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{D0F65709-089A-42DD-AEAB-B75D3C5C7747}c:\\program files\\kodak\\kodak software updater\\7288971\\program\\kodak software updater.exe"= UDP:c:\program files\kodak\kodak software updater\7288971\program\kodak software updater.exe:Kodak Software Updater
"UDP Query User{BB4D7587-7F17-4BDF-83B7-92505914C55B}c:\\program files\\kodak\\kodak software updater\\7288971\\program\\kodak software updater.exe"= TCP:c:\program files\kodak\kodak software updater\7288971\program\kodak software updater.exe:Kodak Software Updater
"{3DE5A816-5822-496C-B896-F1417DD2B924}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CF9ED663-9D3D-4BC2-8B20-26D750213918}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{8AC7514D-8E31-452E-B488-9B1A16602F64}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5E882174-FFA7-494B-BDCB-24E2DFC63CBC}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{56F1634F-CB39-4B2D-8446-356DF1FC430B}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{396A2E4C-67E9-437C-911F-FFB6564D653B}"= UDP:63331:Windows Live OneCare
"{13FBA3A7-A202-47A7-91E8-72F6BB97FEB8}"= UDP:63331:Windows Live OneCare
"{F2C43748-AF05-4573-9C11-9C160ACA618B}"= UDP:63331:Windows Live OneCare
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\System32\drivers\Amddfltr.sys [6/20/2008 5:00 AM 15416]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [6/5/2009 11:35 AM 28544]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\AEstSrv.exe [6/13/2009 6:02 PM 77824]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [3/18/2008 6:24 PM 24880]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 10:59 AM 24936]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [5/22/2008 9:55 PM 341328]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2/7/2009 8:10 AM 809296]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/14/2008 2:53 PM 24652]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [9/4/2008 5:47 PM 54784]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [5/22/2008 8:38 PM 193840]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/31/2008 3:37 PM 33752]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-06-29 c:\windows\Tasks\HPCeeScheduleForRick.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-05-23 03:03]
2009-06-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-02-07 15:42]
2009-07-01 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-02-07 15:42]
.
- - - - ORPHANS REMOVED - - - -
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: webwatcherdata.com\www
DPF: {233C1507-6A77-46A4-9443-F871F945D258}
FF - ProfilePath - c:\users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\3zglfi42.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-07-04 15:24
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\stacsv.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\wlanext.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-07-04 15:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 20:29
Pre-Run: 147,943,505,920 bytes free
Post-Run: 147,525,414,912 bytes free
399 --- E O F --- 2009-07-02 17:14
And here is the new log file for HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:45 PM, on 7/4/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
http://dl8-cdn-09.sun.com/s/ESD7/JS...4/&filename=jinstall-6u13-windows-i586-jc.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\aestsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 9420 bytes
Thanks