
 


Dr. Guard and other stuff
Daughter was on my laptop (yeah...I know)...called me and said some message popped up that I had a virus and did it want to click this button to clean it. I told her no, but it had already infiltrated my computer.

I can't even boot my computer in regular mode, so I'm in safe mode (I'm writing this on our desktop). The only thing I see different is a new program called Dr. Guard.

I know this is going to be difficult using two different computers...

Help!

Jackie

Re: Dr. Guard and other stuff
Hello! We need to do some diagnostics to get started.

1. Please download Profiles by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply.


2. Download Win32kDiag by ad13 and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


3. Please download Cheetah-Anti-Rogue by me, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


4. In your next reply, please post the following logs for my review:
  • Profiles log (1)
  • Win32kDiag log (2)
  • Cheetah log (3)


Thanks!

Re: Dr. Guard and other stuff
How do I do all of this while on a different computer? My laptop will only go into safe mode...I'm on a different computer right now.

Thanks.

Re: Dr. Guard and other stuff
I was able to burn the programs to a CD and put them onto my laptop, but I can't post the logs because I don't know how to get them back off my laptop. CD burner doesn't work in Safe Mode, I'm guessing?

Re: Dr. Guard and other stuff
I'm running Win32kDiag.exe on my laptop right now and it seems to have stopped at

Cannot access: C:\WINDOWS\system32\drivers\nptly.sys

Any thoughts? It has been there for at least the last 10 minutes...

Re: Dr. Guard and other stuff
Only because it is easy to type - the Cheetah-Anti-Rogue log is this:

Microsoft Windows XP (version 5.1.2600)
date: 3/10/2010 - Time: 15:55:54 - Arch.: x86 (note by me...my clock never updates itself...dumb clock)

-- Malware removal tools check --

Malwarebytes' Anti-Malware
SUPERAntiSpyware

--Known infection--

C:\Program Files\Internet Explorer\wmpscfgs.exe (Trj.Agent)
C:\DOCUME~1\Mine\LOCALS~1\Temp\asr64_ldm.exe (Dr. Guard.RGE)
C:\Program Files\Dr. Guard (Dr. Guard.RGE)

Extra message: Detection only.


EOF

Re: Dr. Guard and other stuff
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[screenshot: Query_RC, the Recovery Console installation prompt]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: RC_successful, the Recovery Console installed message]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Dr. Guard and other stuff
ComboFix 10-03-13.01 - Mine 03/13/2010 17:20:36.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.695 [GMT -6:00]
Running from: c:\documents and settings\Mine\desktop\commy.exe
Command switches used :: /stepdel

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
c:\documents and settings\Mine\Local Settings\Application Data\Windows Server\mlthnj.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Mine\Local Settings\Application Data\Windows Server\mlthnj.dll
c:\program files\Dr. Guard
c:\recycler\S-1-5-21-1624380954-1207379783-2283124489-1003
c:\windows\system32\hetiluso.dll
c:\windows\system32\sisifeme.exe
c:\windows\TEMP\logishrd\LVPrcInj02.dll
c:\docume~1\Mine\LOCALS~1\Temp\lsass.exe
c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll
c:\documents and settings\Mine\agrsmmsg .exe
c:\documents and settings\Mine\cfsserv .exe
c:\documents and settings\Mine\Local Settings\Application Data\av.exe
c:\documents and settings\Mine\Local Settings\Application Data\Windows Server\mlthnj.dll
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\k01oP03m.jpg
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\m1B6MM81.jpg
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\OByMa.jpg
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\YXbNmYaa.jpg
c:\documents and settings\Mine\My Documents\ZbThumbnail.info
c:\documents and settings\Mine\ndstray .exe
c:\documents and settings\Mine\rundll32 .exe
c:\documents and settings\Mine\rundll32.exe
c:\documents and settings\Mine\tctrliohook .exe
c:\documents and settings\Mine\tdispvol .exe
c:\documents and settings\Mine\tfncky .exe
c:\documents and settings\Mine\tpsmain .exe
c:\documents and settings\Mine\zoominghook .exe
C:\LOG136.tmp
C:\LOG19A.tmp
C:\LOG1E5.tmp
c:\program files\Adobe\acrotray .exe
c:\program files\Dr. Guard\about.ico
c:\program files\Dr. Guard\activate.ico
c:\program files\Dr. Guard\buy.ico
c:\program files\Dr. Guard\drg.db
c:\program files\Dr. Guard\drgext.dll
c:\program files\Dr. Guard\drghook.dll
c:\program files\Dr. Guard\drguard.exe
c:\program files\Dr. Guard\help.ico
c:\program files\Dr. Guard\scan.ico
c:\program files\Dr. Guard\settings.ico
c:\program files\Dr. Guard\uninstall.exe
c:\program files\Dr. Guard\update.ico
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\recycler\S-1-5-21-1624380954-1207379783-2283124489-1003\desktop.ini
c:\recycler\S-1-5-21-1624380954-1207379783-2283124489-1003\INFO2
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\_VOIDefulelscfb.dll
c:\windows\system32\_VOIDfqfmoionio.dat
c:\windows\system32\_VOIDhdrubwgfcq.dll
c:\windows\system32\_VOIDjgitddmvoe.dll
c:\windows\system32\_VOIDmfeklnmal.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\certstore.dat
c:\windows\system32\chhbym.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\dmeshw.dll
c:\windows\system32\fesxo1i.dll
c:\windows\system32\hkcmd .exe
c:\windows\system32\Iasex.dll
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\ldyuoc.dll
c:\windows\system32\miropubi.dll
c:\windows\system32\powermgr.sys
c:\windows\system32\rundll32 .exe
c:\windows\system32\tctrliohook .exe
c:\windows\system32\tdispvol .exe
c:\windows\system32\Thumbs.db
c:\windows\system32\tpsmain .exe
c:\windows\system32\uhglov.dll
c:\windows\system32\zijevari.dll
c:\windows\system32\zoominghook .exe
c:\windows\system32\zumefipo.dll
c:\windows\Tasks\jbkpfnoa.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy__VOIDd.sys
-------\Legacy__VOIDEPMKPYLBEQ
-------\Legacy__VOIDHXJIPORNSI
-------\Service__VOIDd.sys
-------\Service__VOIDepmkpylbeq
-------\Service__VOIDhxjipornsi
-------\Service_6to4
-------\Service_Ias
-------\Legacy_powermgr
-------\Service_powermgr


((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))
.

2010-03-13 23:36 . 2010-03-13 23:36 -------- d-----w- c:\windows\LastGood
2010-03-13 23:36 . 2010-03-13 23:36 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-03-11 00:48 . 2010-03-11 00:48 102400 --sh--w- c:\windows\system32\pafuhudi.dll
2010-03-11 00:48 . 2010-03-11 00:48 90112 --sh--w- c:\windows\system32\fatifera.dll
2010-03-11 00:48 . 2010-03-11 00:48 49152 --sh--w- c:\windows\system32\desedefi.dll
2010-03-11 00:46 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\cfsserv.exe
2010-03-11 00:46 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\tdispvol.exe
2010-03-11 00:46 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\tfncky.exe
2010-03-11 00:46 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\tctrliohook.exe
2010-03-11 00:45 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\zoominghook.exe
2010-03-11 00:45 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\tpsmain.exe
2010-03-11 00:45 . 2010-03-13 23:56 823296 ----a-w- c:\windows\system32\drivers\nptly.sys
2010-03-11 00:45 . 2010-03-13 23:56 40448 ----a-w- c:\documents and settings\Mine\ndstray.exe
2010-03-11 00:45 . 2010-03-13 23:56 40448 ----a-w- c:\documents and settings\Mine\agrsmmsg.exe
2010-03-11 00:45 . 2010-03-11 00:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-11 00:45 . 2010-03-11 00:45 -------- d-----w- c:\windows\_VOIDhxjipornsi
2010-03-11 00:45 . 2010-03-11 00:45 -------- d-----w- c:\windows\_VOIDepmkpylbeq
2010-03-11 00:44 . 2010-03-13 23:21 -------- d-----w- c:\documents and settings\Mine\Local Settings\Application Data\Windows Server
2010-03-10 22:03 . 2010-03-10 21:44 -------- d-----w- C:\Commy
2010-03-10 22:02 . 2010-03-10 22:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-03-10 22:01 . 2010-03-10 22:01 40448 ----a-w- c:\windows\system32\cfsserv.exe
2010-03-10 22:01 . 2010-03-10 22:01 40448 ----a-w- c:\windows\system32\tfncky.exe
2010-03-10 22:01 . 2010-03-10 22:01 40448 ----a-w- c:\windows\system32\ndstray.exe
2010-03-10 22:01 . 2010-03-10 22:01 40448 ----a-w- c:\windows\system32\agrsmmsg.exe
2010-03-10 21:47 . 2010-03-13 23:12 -------- d-----w- C:\Commy31524C
2010-03-10 21:45 . 2010-03-10 21:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-04 14:25 . 2010-03-04 14:33 23109 ----a-w- c:\windows\hpqins15.dat
2010-03-04 14:14 . 2010-03-04 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-03-04 14:01 . 2010-03-04 14:25 77374 ----a-w- c:\windows\hpqins05.dat
2010-03-02 02:11 . 2010-03-02 02:11 -------- d-----w- c:\documents and settings\Mine\Application Data\FCTB000060497
1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\program files\1315234.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 00:00 . 2008-12-27 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2010-03-13 23:59 . 2008-09-08 00:18 -------- d-----w- c:\documents and settings\Mine\Application Data\Skype
2010-03-13 23:58 . 2008-09-08 00:19 -------- d-----w- c:\documents and settings\Mine\Application Data\skypePM
2010-03-13 23:58 . 2010-03-13 23:56 40448 ----a-w- c:\documents and settings\Mine\rundll32.exe
2010-03-13 23:57 . 2010-02-05 22:31 -------- d-----w- c:\program files\iTunes
2010-03-13 23:57 . 2010-02-05 22:24 -------- d-----w- c:\program files\QuickTime
2010-03-13 23:57 . 2008-12-27 03:16 -------- d-----w- c:\program files\ATT-SST
2010-03-13 23:57 . 2007-07-08 22:46 -------- d-----w- c:\program files\Lexmark 9300 Series
2010-03-13 23:56 . 2005-12-29 18:44 -------- d-----w- c:\program files\ltmoh
2010-03-13 23:56 . 2005-12-29 18:26 -------- d-----w- c:\program files\Apoint2K
2010-03-13 23:56 . 2006-01-03 00:30 40448 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-13 23:56 . 2006-01-03 00:30 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-13 23:56 . 2010-03-13 23:56 40448 ----a-w- c:\documents and settings\Mine\rundll32 .exe
2010-03-13 23:56 . 2008-08-24 22:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-11 00:47 . 2008-12-27 03:17 -------- d-----w- c:\documents and settings\Mine\Application Data\ATTToolbar
2010-03-10 21:45 . 2006-01-03 00:30 40448 ----a-w- c:\windows\system32\igfxpers .exe
2010-03-10 21:45 . 2006-01-03 00:30 40448 ----a-w- c:\windows\system32\hkcmd .exe
2010-03-08 12:46 . 2009-12-13 21:08 63272 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-04 21:31 . 2009-06-16 16:27 -------- d-----w- c:\documents and settings\Mine\Application Data\HPAppData
2010-03-04 21:25 . 2009-04-20 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-03-04 14:33 . 2009-08-21 12:24 -------- d-----w- c:\documents and settings\Mine\Application Data\HpUpdate
2010-03-04 14:22 . 2006-08-17 18:28 79584 ----a-w- c:\documents and settings\Mine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-26 01:52 . 2008-09-12 01:02 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-02-26 01:52 . 2008-09-12 01:02 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-25 16:03 . 2009-08-03 14:42 -------- d-----w- c:\program files\MyPoints Toolbar 2.0
2010-02-05 22:32 . 2006-08-27 23:00 -------- d-----w- c:\program files\iPod
2010-02-05 22:31 . 2007-07-03 16:17 -------- d-----w- c:\program files\Common Files\Apple
2010-02-01 13:16 . 2010-02-01 13:16 -------- d-----w- c:\program files\Cozi Express
2010-02-01 13:16 . 2008-12-08 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Cozi
2010-01-13 22:34 . 2010-01-13 22:34 934704 ----a-w- c:\windows\system32\CoziScreensaver.scr
2010-01-07 22:07 . 2008-08-24 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2008-08-24 22:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2005-12-29 06:28 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2005-12-29 06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-12-29 17:18 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-12-29 06:28 33280 ------w- c:\windows\system32\csrsrv.dll
1601-01-01 00:03 . 1601-01-01 00:03 70656 --sha-w- c:\windows\system32\darekove.dll
2009-03-20 15:18 . 1601-01-01 00:12 95232 --sha-w- c:\windows\system32\fogiguzu.dll
2009-03-20 15:18 . 1601-01-01 00:12 127488 --sha-w- c:\windows\system32\gipekoji.dll
2009-03-21 22:12 . 1601-01-01 00:12 129536 --sha-w- c:\windows\system32\jisideso.dll
1601-01-01 00:03 . 1601-01-01 00:03 47616 --sha-w- c:\windows\system32\kelarozo.dll
2009-03-21 22:09 . 1601-01-01 00:12 94720 --sha-w- c:\windows\system32\malaruwo.dll
2009-03-21 22:08 . 1601-01-01 00:12 128000 --sha-w- c:\windows\system32\noripipi.dll
2009-03-21 22:08 . 1601-01-01 00:12 94720 --sha-w- c:\windows\system32\tefifohi.dll
2009-03-21 22:09 . 1601-01-01 00:12 129536 --sha-w- c:\windows\system32\wevejaga.dll
2009-03-21 22:12 . 1601-01-01 00:12 94720 --sha-w- c:\windows\system32\yepizidu.dll
.

Code:

<pre>
c:\program files\Adobe\acrotray .exe
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Apoint2K\apoint .exe
c:\program files\ATT-SST\mccitrayapp .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\LogiShrd\LComMgr\communications_helper .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\Digital Imaging\bin\hpqsrmon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\LeapFrog\LeapFrog Connect\monitor .exe
c:\program files\Lexmark 9300 Series\ezprint .exe
c:\program files\Lexmark 9300 Series\fm3032 .exe
c:\program files\Lexmark 9300 Series\lxcqmon .exe
c:\program files\Logitech\QuickCam\quickcam .exe
c:\program files\ltmoh\ltmoh .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Shutterfly\Studio\Bin\sflystudio .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\SUPERAntiSpyware\rundll32 .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\program files\Toshiba\E-KEY\ceekey .exe
c:\program files\Toshiba\TOSCDSPD\toscdspd .exe
c:\program files\Toshiba\TOSHIBA Applet\hwsetup .exe
c:\program files\Toshiba\TOSHIBA Zooming Utility\smoothview .exe
c:\program files\Toshiba\Touch and Launch\padexe .exe
c:\program files\Toshiba\TouchPad\tptray .exe
c:\program files\Toshiba\Tvs\tvstray .exe
c:\program files\Toshiba\Windows Utilities\svpwutil .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\DLA\dlactrlw .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{96b985b7-3cf9-456a-9db6-791710e60f5f}"= "c:\program files\MyPoints Toolbar 2.0\Helper.dll" [2010-02-25 242688]

[HKEY_CLASSES_ROOT\clsid\{96b985b7-3cf9-456a-9db6-791710e60f5f}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{9FEBEA6D-4801-4D23-97E7-A771B698E442}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2010-02-25 1505280]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2010-02-25 1505280]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2010-03-13 40448]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-13 40448]
"ShutterflyStudio"="c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2010-03-13 40448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-13 40448]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-13 40448]
"Remote System Protection"="c:\windows\system32\fesxo1i.dll" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2010-03-10 40448]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-03-13 40448]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2010-03-13 40448]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2010-03-13 40448]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2010-03-13 40448]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2010-03-13 40448]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2010-03-13 40448]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2010-03-13 40448]
"AGRSMMSG"="AGRSMMSG.exe" [2010-03-10 40448]
"NDSTray.exe"="NDSTray.exe" [2010-03-10 40448]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2010-03-13 40448]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2010-03-13 40448]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2010-03-13 40448]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2010-03-13 40448]
"TPSMain"="TPSMain.exe" [2010-03-10 40448]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2010-03-13 40448]
"ZoomingHook"="ZoomingHook.exe" [2010-03-10 40448]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2010-03-13 40448]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2010-03-13 40448]
"TCtryIOHook"="TCtrlIOHook.exe" [2010-03-10 40448]
"TFncKy"="TFncKy.exe" [2010-03-10 40448]
"TDispVol"="TDispVol.exe" [2010-03-10 40448]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2010-03-13 40448]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2010-03-13 40448]
"lxcqmon.exe"="c:\program files\Lexmark 9300 Series\lxcqmon.exe" [2010-03-13 40448]
"Lexmark 9300 Series Fax Server"="c:\program files\Lexmark 9300 Series\fm3032.exe" [2010-03-13 40448]
"EzPrint"="c:\program files\Lexmark 9300 Series\ezprint.exe" [2010-03-13 40448]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2010-03-13 40448]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2010-03-13 40448]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-03-13 40448]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-03-13 40448]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-03-13 40448]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-13 40448]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-13 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-13 40448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-13 40448]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2010-03-13 40448]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-13 40448]
"budinufufo"="miropubi.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-13 40448]
"Remote System Protection"="c:\windows\system32\fesxo1i.dll" [N/A]

c:\documents and settings\Mine\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-9-11 66864]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-29 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-11 18:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\Mine\Local Settings\Application Data\Windows Server\mlthnj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Mine\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\WINDOWS\\system32\\lxcqcoms.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Phone\\skype .exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"427:UDP"= 427:UDP:SLP_Port(427)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/19/2008 10:34 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/19/2008 10:34 PM 66632]
R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/8/2007 8:00 PM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/19/2008 10:34 PM 12872]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [3/11/2009 10:02 AM 18560]

--- Other Services/Drivers In Memory ---

*Deregistered* - nptly

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-13 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-14 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-14 c:\windows\Tasks\At25.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At26.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At27.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At28.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At29.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-13 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-14 c:\windows\Tasks\At30.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At31.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At32.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At33.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At34.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At35.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At36.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At37.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At38.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At39.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-13 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-14 c:\windows\Tasks\At40.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At41.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At42.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At43.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At44.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At45.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At46.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At47.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At48.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-13 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
TCP: {EAB43538-6B7F-426B-BE51-A4B71FE20334} = 217.23.14.75,4.2.2.1,192.168.1.254
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Mine\Application Data\Mozilla\Firefox\Profiles\bief2zjt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Web Search: PCH PROJECT GRADUATION 2012
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en|http://thepioneerwoman.com/tasty-kitchen/|http://mamaducky.proboards.com/index.cgi?|http://shamrocks04.proboards.com/index.cgi?|https://www.facebook.com/home.php?|http://www.stlmommy.com/|http://www.blogger.com/home?pli=1&pli=1|http://friedlands.shutterfly.com/|http://thepioneerwoman.com/cooking/|http://thespohrsaremultiplying.com/
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{4e503d72-5e35-4c59-928c-97a1ae41edd7} - zumefipo.dll
SharedTaskScheduler-{A3BA40A2-74F1-52BD-F434-00B15A2C8953} - c:\windows\system32\fesxo1i.dll
AddRemove-Boohbah Zone - c:\program files\Common Files\Polka Dot\Uninstall\BoohBahUn.exe
AddRemove-Flock - c:\program files\Flock\uninst.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-13 17:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ShutterflyStudio = c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly?: /RegServer??????????????????????????es\Shutterfly\Studio\BIN\mmpartner_langres.dll?AVA??????????udio Event - ?re?.????UNIQUE_GEN_LISTENER_LOCK_NAME?AM??????????????????iv??????????re????tt??fly\

scanning hidden files ...


c:\docume~1\Mine\LOCALS~1\Temp\etilqs_KmKceEBfmSn8SYU 0 bytes
c:\docume~1\Mine\LOCALS~1\Temp\etilqs_rfTGkEL8WU2f3jA 556032 bytes
c:\windows\system32\hkcmd .exe 40448 bytes executable
c:\windows\system32\igfxpers .exe 40448 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nptly]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dc,d0,79,d3,3b,39,a2,4d,83,1e,93,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dc,d0,79,d3,3b,39,a2,4d,83,1e,93,\

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* }]
"Path"="c:\\Documents and Settings\\Mine\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ U**]
"Path"="c:\\Documents and Settings\\Mine\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(11432)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
?:\windows\system32\odbcint.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxcqcoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\intel\wireless\bin\zcfgsvc .exe
c:\program files\intel\wireless\bin\ifrmewrk .exe
c:\windows\system32\dla\dlactrlw .exe
c:\program files\apoint2k\apoint .exe
c:\program files\ltmoh\ltmoh .exe
c:\program files\toshiba\tvs\tvstray .exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\toshiba\e-key\ceekey .exe
c:\program files\toshiba\touch and launch\padexe .exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\toshiba\touchpad\tptray .exe
c:\program files\toshiba\toshiba zooming utility\smoothview .exe
c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy .exe
c:\program files\lexmark 9300 series\lxcqmon .exe
c:\program files\lexmark 9300 series\ezprint .exe
c:\program files\common files\logishrd\lcommgr\communications_helper .exe
c:\program files\logitech\quickcam\quickcam .exe
c:\program files\att-sst\mccitrayapp .exe
c:\program files\leapfrog\leapfrog connect\monitor .exe
c:\program files\hp\hp software update\hpwuschd2 .exe
c:\program files\common files\real\update_ob\realsched .exe
c:\program files\java\jre6\bin\jusched .exe
c:\program files\itunes\ituneshelper .exe
c:\program files\shutterfly\studio\bin\sflystudio .exe
c:\program files\toshiba\toscdspd\toscdspd .exe
c:\program files\skype\phone\skype .exe
c:\program files\superantispyware\superantispyware .exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\docume~1\Mine\LOCALS~1\Temp\ctv1627.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\ATTToolbar\FDServer.exe
.
**************************************************************************
.
Completion time: 2010-03-13 18:11:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-14 00:10

Pre-Run: 16,933,384,192 bytes free
Post-Run: 16,973,983,744 bytes free

- - End Of File - - 3FF5E8B04C04E60DDB9B0F6BAC28BE4D

Re: Dr. Guard and other stuff
And I'm back on my own computer now - yay! So much easier to post logs.

Re: Dr. Guard and other stuff
There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
Backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to: http://www.viruslist.com/en/viruses/glossary?glossid=189208417
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

  • How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
  • What Should I Do If I've Become A Victim Of Identity Theft?
  • Identity Theft Victims Guide - What to do

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:

  • When should I re-format? How should I reinstall?
  • Help: I Got Hacked. Now What Do I Do?
  • Help: I Got Hacked. Now What Do I Do? Part II
  • Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:
  • http://www.GeekPolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115
  • http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

Re: Dr. Guard and other stuff
Well - sounds like I don't have much of a choice - I'm assuming (Hoping) it is OK to move my data and picture files onto an external hard drive before reformatting? I haven't looked at all the links yet, but will in a bit.

Re: Dr. Guard and other stuff
Can I use the "Files and Settings Transfer Wizard" safely?

Re: Dr. Guard and other stuff
Yes, that tool will probably work.

You can safely move files, pictures, videos, etc. But, as for program files, please don't.

The tutorial that I pointed out will help:

Link 1: http://www.GeekPolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115

Link 2: http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143
