> [Resolved] PC and User Overwhelmed with Malware
jonwitte
post Aug 4 2008, 09:32 AM
Post #1
New Member
Group: New Member
Posts: 12
Joined: 4-August 08
Member No.: 80,745
Operating System: XP SP2

This is my wife's PC (for her real estate biz and personal use) which had been occasionally used by our 11 year old son. Opsys is XP SP2. ISP is att.net; their security suite is installed: firewall, antivirus, anti-spyware, and also their popup catcher. A few weeks ago, an app called Vista Antivirus 2008 infiltrated the PC and now we have unwanted popups, redirects, web site problems, etc. Though the att suite, Ad-Aware and Spybot Search and Destroy catch some items, the root cause has not been corrected. Now we get web site messages that cookies are not enabled even though Tools/Internet Options/Security-Privacy says they are. We get a Windows Security Alert that says automatic updates are disabled and we can't seem to turn them back on. The desktop wallpaper was changed to "Warning Spyware Detected..." and we seem to have lost the option to change the wallpaper to something else. One or more of her web sites where she posts listings is not functioning normally on this PC but will work using another PC. Overall PC stability is diminished. Help!
The HJT log which I just ran is below.

Logfile of HijackThis v1.99.1
Scan saved at 10:39:31 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.06\MOUSE32A.EXE
C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Blvd2009\blvdnews.exe
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Photo Viewer\album.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\psct8500.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prudentialgeorgia.com/prudential_ga/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.06\MOUSE32A.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [MSS_NewsFlash] "C:\Program Files\Blvd2009\blvdnews.exe"
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [PhotoViewer] C:\Program Files\Photo Viewer\album.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [7cb40ed3] rundll32.exe "C:\WINDOWS\system32\xcbgdtld.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: LivePerson Expert Messenger.lnk = C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.realtytools.com
O15 - Trusted Zone: *.rexplorer.net
O15 - Trusted Zone: http://*.toolkitcma.com
O15 - Trusted Zone: http://*.toolkitcma2.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexplorer.net/iftw_install//iftwclix.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://prudentialgeorgia.webex.com/client/...ent/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O20 - AppInit_DLLs: rvinfj.dll cvknsa.dll mtppqy.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thank you in advance for your help! jonwitte

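The log above is read by hand in this thread. As an added example (the editor's code, not a tool the forum or the helper used, and not an identification of any specific malware), the script below turns that manual triage into code: it flags O20 AppInit_DLLs entries, O4 Run entries that launch a DLL through rundll32, O15 Trusted Zone additions, and O16 ActiveX downloads served from a bare IP address, and scores file-name stems that look machine-generated. The sample input is five lines copied from the log in this thread plus the benign Java updater line as a control; the "looks random" test and its thresholds are this example's own assumptions.

```python
"""Triage heuristics for a HijackThis-style log (added example for this thread).

Not a tool the forum or the helper used; the regexes and the random-name
thresholds below are the editor's assumptions, tuned on the names in this log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in this thread, plus
# the benign Java updater entry so a clean line is present as a control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [7cb40ed3] rundll32.exe "C:\WINDOWS\system32\xcbgdtld.dll",b
O15 - Trusted Zone: *.rexplorer.net
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O20 - AppInit_DLLs: rvinfj.dll cvknsa.dll mtppqy.dll
"""

VOWELS = set("aeiou")
O4_RUNDLL = re.compile(r'^O4 - .*rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
HEX_VALUE_NAME = re.compile(r"\[([0-9a-f]{6,})\]")
O15_TRUSTED = re.compile(r"^O15 - Trusted Zone: (.+)$")
O16_DPF = re.compile(r"^O16 - DPF: .* - (\S+)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
BARE_IP_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}[/:]")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the line was flagged
    line: str      # the original log line


def looks_random(stem: str) -> bool:
    """Cheap test for a generated file-name stem (assumption: 6-8 lowercase
    letters, as in the names in this log). Flags stems that are short on vowels
    or carry a long consonant run; 'jusched' and 'explorer' pass, 'xcbgdtld' does not."""
    if not (6 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", stem))
    return vowel_ratio < 0.2 or longest_consonant_run >= 4


def _stem(path: str) -> str:
    """Strip directory and extension: a system32 path to xcbgdtld.dll -> 'xcbgdtld'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return the lines a reviewer should look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_APPINIT.match(line):
            # AppInit_DLLs are loaded into every process that loads user32.dll;
            # on a clean machine this value is normally empty.
            for dll in m.group(1).split():
                reason = "AppInit_DLLs entry is loaded into every user32 process"
                if looks_random(_stem(dll)):
                    reason += "; name looks generated"
                findings.append(Finding("O20", reason, line))
        elif m := O4_RUNDLL.match(line):
            # Only rundll32-launched DLLs are scored, to keep noise down; the
            # many ordinary .exe Run entries are left to the reviewer.
            signals = []
            if looks_random(_stem(m.group(1))):
                signals.append("DLL name looks generated")
            if HEX_VALUE_NAME.search(line):
                signals.append("Run value name is a hex string")
            if signals:
                findings.append(Finding("O4", "rundll32 loads a DLL at logon: " + "; ".join(signals), line))
        elif m := O15_TRUSTED.match(line):
            # Trusted Zone relaxes IE security for the domain; each entry should be
            # confirmed with the user (the real-estate sites in this log may be intended).
            findings.append(Finding("O15", f"Trusted Zone entry for {m.group(1)}; confirm it is intended", line))
        elif m := O16_DPF.match(line):
            if BARE_IP_URL.match(m.group(1)):
                findings.append(Finding("O16", "ActiveX control downloaded from a bare IP address", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample, the Java line produces nothing, while the rundll32 entry, the Trusted Zone entry, the bare-IP ActiveX download and all three AppInit_DLLs names are returned as findings. The name test is deliberately narrow (lowercase, 6-8 letters) so it does not fire on ordinary vendor executables; anything it misses still shows up if it sits in one of the flagged sections.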
Tomk
post Aug 4 2008, 11:22 AM
Post #2
Extrication Intern
Group: Malware Team
Posts: 3,361
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp

Hi jonwitte, and Welcome to WhatTheTech

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.



A. Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

B. Now we must disable some of your security programs so that they do not interfere with the running of our tools:

SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)



C. Go to Start -> Run -> copy/paste the following single-line command in the Run box & click OK

"%userprofile%\desktop\combofix.exe" /killall

  • DO NOT USE your computer for any other purpose while ComboFix is running.
  • ComboFix may restart your computer, this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.



Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
jonwitte
post Aug 4 2008, 01:07 PM
Post #3
New Member
Group: New Member
Posts: 12
Joined: 4-August 08
Member No.: 80,745
Operating System: XP SP2

Thank you Tomk. Here are the logs you requested, starting with combofix.txt:

ComboFix 08-08-03.05 - Judy Wittenberg 2008-08-04 14:24:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2121 [GMT -4:00]
Running from: C:\Documents and Settings\Judy Wittenberg\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Judy Wittenberg\Application Data\macromedia\Flash Player\#SharedObjects\VVDGRSLJ\interclick.com
C:\Documents and Settings\Judy Wittenberg\Application Data\macromedia\Flash Player\#SharedObjects\VVDGRSLJ\interclick.com\ud.sol
C:\Documents and Settings\Judy Wittenberg\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Judy Wittenberg\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Judy Wittenberg\Favorites\.url
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\awtQjKdc.dll
C:\WINDOWS\system32\bakwfqkd.ini
C:\WINDOWS\system32\cavmeymj.dll
C:\WINDOWS\system32\cdKjQtwa.ini
C:\WINDOWS\SYSTEM32\cdKjQtwa.ini2
C:\WINDOWS\system32\cfyyar.dll
C:\WINDOWS\system32\cjmncnmq.ini
C:\WINDOWS\system32\cmixjdur.ini
C:\WINDOWS\system32\ctjqzg.dll
C:\WINDOWS\system32\cvbfrtfm.ini
C:\WINDOWS\system32\cyosjo.dll
C:\WINDOWS\system32\cyrgexxv.ini
C:\WINDOWS\system32\dltdgbcx.ini
C:\WINDOWS\SYSTEM32\dndktuhx.ini
C:\WINDOWS\system32\dpxkwxsc.ini
C:\WINDOWS\SYSTEM32\Egikmnpo.ini
C:\WINDOWS\SYSTEM32\Egikmnpo.ini2
C:\WINDOWS\system32\eydpuygo.ini
C:\WINDOWS\system32\fpyynq.dll
C:\WINDOWS\system32\gdtipy.dll
C:\WINDOWS\system32\hcybndaa.dll
C:\WINDOWS\system32\hemppt.dll
C:\WINDOWS\system32\hgtilvhl.ini
C:\WINDOWS\SYSTEM32\ihsssgqe.ini
C:\WINDOWS\system32\iitstktf.dll
C:\WINDOWS\system32\ipwlbf.dll
C:\WINDOWS\system32\khfETmjk.dll
C:\WINDOWS\SYSTEM32\kollwxmj.ini
C:\WINDOWS\system32\lrrhqibk.ini
C:\WINDOWS\system32\machukjk.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mdgkqnyx.ini
C:\WINDOWS\SYSTEM32\MVuEgfii.ini
C:\WINDOWS\SYSTEM32\MVuEgfii.ini2
C:\WINDOWS\system32\odsfqggm.ini
C:\WINDOWS\system32\opnmkigE.dll
C:\WINDOWS\system32\phcr88j0e9bv.bmp
C:\WINDOWS\system32\pvbscfuk.ini
C:\WINDOWS\system32\qelbbifi.ini
C:\WINDOWS\SYSTEM32\QtvDKRqr.ini
C:\WINDOWS\SYSTEM32\rtcawekv.ini
C:\WINDOWS\system32\sstzph.dll
C:\WINDOWS\system32\tqavoukg.dll
C:\WINDOWS\system32\trmyhdwh.dll
C:\WINDOWS\system32\ubhgfliq.ini
C:\WINDOWS\system32\uhodmfip.dll
C:\WINDOWS\system32\vmptwecb.ini
C:\WINDOWS\system32\wxdxhbvc.dll
C:\WINDOWS\system32\xvgigolx.ini
C:\WINDOWS\system32\yaywvvtR.dll
C:\WINDOWS\system32\yddsvqty.dll
C:\WINDOWS\system32\yooxwy.dll
C:\WINDOWS\temp\perflib_perfdata_1cc.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 14:35 . 2008-08-04 14:36 294 ---hs---- C:\WINDOWS\SYSTEM32\dltdgbcx.ini
2008-08-03 20:40 . 2008-08-03 20:40 98,688 --a------ C:\WINDOWS\SYSTEM32\xcbgdtld.dll
2008-08-03 20:37 . 2008-08-03 20:37 130,432 --a------ C:\WINDOWS\SYSTEM32\mtppqy.dll
2008-08-03 20:37 . 2008-08-03 20:37 130,432 --a------ C:\WINDOWS\SYSTEM32\moxuvtbw.dll
2008-08-03 20:10 . 2008-08-03 20:10 130,432 --a------ C:\WINDOWS\SYSTEM32\wpbthxyq.dll
2008-08-03 20:10 . 2008-08-03 20:10 130,432 --a------ C:\WINDOWS\SYSTEM32\cvknsa.dll
2008-08-03 11:36 . 2008-08-03 11:36 130,432 --a------ C:\WINDOWS\SYSTEM32\vstyinsq.dll
2008-08-03 11:36 . 2008-08-03 11:36 130,432 --a------ C:\WINDOWS\SYSTEM32\rvinfj.dll
2008-08-03 11:34 . 2008-08-03 11:34 0 --a------ C:\WINDOWS\SYSTEM32\0^?
2008-07-31 18:47 . 2008-07-31 18:47 99,712 --a------ C:\WINDOWS\SYSTEM32\eqgssshi.dll
2008-07-31 17:42 . 2008-07-31 17:42 <DIR> d-------- C:\Program Files\Photo Viewer
2008-07-27 11:37 . 2008-07-27 11:37 9,062 --a------ C:\WINDOWS\SYSTEM32\small1.ico
2008-07-27 11:37 . 2008-07-27 11:37 9,062 --a------ C:\WINDOWS\SYSTEM32\small.ico
2008-07-27 11:36 . 2008-07-27 11:36 <DIR> d-------- C:\temp
2008-07-27 11:36 . 2008-07-27 11:50 <DIR> d-------- C:\Program Files\ATT Internet Tools
2008-07-27 00:50 . 2008-07-27 00:50 <DIR> d-------- C:\Program Files\LivePerson
2008-07-25 00:38 . 2008-07-25 00:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-25 00:38 . 2008-07-25 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 00:05 . 2008-07-25 00:05 94,848 --a------ C:\WINDOWS\SYSTEM32\xynqkgdm.dll
2008-07-24 18:02 . 2008-07-24 18:02 94,848 --a------ C:\WINDOWS\SYSTEM32\mggqfsdo.dll
2008-07-24 18:01 . 2008-07-24 18:01 323,584 --a------ C:\WINDOWS\SYSTEM32\iifgEuVM.dll
2008-07-22 00:04 . 2008-07-22 00:04 43,521 --ahs---- C:\WINDOWS\SYSTEM32\svvnennc.ini
2008-07-20 12:09 . 2008-07-20 12:09 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-07-20 00:06 . 2008-07-20 00:06 152,064 --a------ C:\WINDOWS\SYSTEM32\brbdiqll.exe
2008-07-06 00:11 . 2008-07-06 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 16:00 --------- d-----w C:\Program Files\Java
2008-07-27 15:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-27 15:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 04:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 04:29 --------- d-----w C:\Documents and Settings\Judy Wittenberg\Application Data\Lavasoft
2008-07-18 22:53 --------- d-----w C:\Program Files\Common Files\Scanner
2008-06-23 00:58 --------- d-----w C:\Program Files\Blvd2009
2008-06-23 00:57 --------- d-----w C:\Program Files\Common Files\Business Objects
2008-06-23 00:57 --------- d-----w C:\Program Files\Business Objects
2008-06-23 00:57 --------- d-----w C:\Program Files\Blvd
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 06:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-14 00:42 724,984 ----a-w C:\Documents and Settings\Judy Wittenberg\gotomypc_437.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-02-29 03:52 724,984 ----a-w C:\Documents and Settings\Admin\gotomypc_437.exe
2007-05-07 01:05 157,208 ----a-w C:\Documents and Settings\Judy Wittenberg\Application Data\GDIPFONTCACHEV1.DAT
2007-03-18 20:13 722,176 ----a-w C:\Documents and Settings\Judy Wittenberg\gotomypc_428.exe
2006-10-08 18:58 3,167,744 ----a-w C:\Documents and Settings\Judy Wittenberg\gosetup.exe
2006-02-15 02:37 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3c5dfda1-522d-4b28-8a83-56a4d58b115b}]
2008-08-03 20:37 130432 --a------ C:\WINDOWS\system32\mtppqy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-07 18:20 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-08 23:26 98304]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 10:50 131072]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 10:50 53248]
"LWBMOUSE"="C:\Program Files\NASDAK\OmniMouse Driver\4.06\MOUSE32A.EXE" [2001-11-09 02:47 356352]
"LWBKEYBOARD"="C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe" [2004-05-12 11:10 380928]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 18:54 57344]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05 127035]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-03-19 00:30 184320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-03-19 00:29 212992]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 14:12 2061816]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 17:09 310000]
"-FreedomNeedsReboot"="C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 17:09 13552]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"MSS_NewsFlash"="C:\Program Files\Blvd2009\blvdnews.exe" [2008-02-01 12:07 87336]
"blspcloader"="C:\Program Files\ATT Internet Tools\blsloader.exe" [2008-07-27 11:37 98304]
"PhotoViewer"="C:\Program Files\Photo Viewer\album.exe" [2006-10-25 08:16 217088]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 12:09 258856]
"7cb40ed3"="C:\WINDOWS\system32\xcbgdtld.dll" [2008-08-03 20:40 98688]

C:\Documents and Settings\Judy Wittenberg\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2006-05-10 18:53:05 299008]
LivePerson Expert Messenger.lnk - C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe [2008-04-22 15:38:48 5160960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 13:00:54 73728]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-09-03 08:45:28 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gotomypc]
2007-06-20 12:09 10536 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rvinfj.dll cvknsa.dll mtppqy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= NUVision.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\DOM\\Xm.exe"=

S3 keychain;M Three KeyChain Driver 03/09/2005, 1.0.0.2;C:\WINDOWS\system32\DRIVERS\keychain.sys [2005-10-04 05:16]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 12:55]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 07:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-04 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-Antivirus - C:\Program Files\VAV\vav.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.prudentialgeorgia.com/prudential_ga/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Search Bar =
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O15 -: Trusted Zone: *.rexplorer.net


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 14:35:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\dltdgbcx.ini 1382137 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\xcbgdtld.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-08-04 14:42:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-04 18:42:30

Pre-Run: 23,956,017,152 bytes free
Post-Run: 26,722,603,008 bytes free

271 --- E O F --- 2008-07-13 07:05:00

Logfile of HijackThis v1.99.1
Scan saved at 14:56, on 2008-08-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.06\MOUSE32A.EXE
C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Blvd2009\blvdnews.exe
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\Program Files\Photo Viewer\album.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prudentialgeorgia.com/prudential_ga/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: {b511b85d-4a65-38a8-82b4-d2251adfd5c3} - {3c5dfda1-522d-4b28-8a83-56a4d58b115b} - C:\WINDOWS\system32\mtppqy.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.06\MOUSE32A.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [MSS_NewsFlash] "C:\Program Files\Blvd2009\blvdnews.exe"
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [PhotoViewer] C:\Program Files\Photo Viewer\album.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [7cb40ed3] rundll32.exe "C:\WINDOWS\system32\xcbgdtld.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: LivePerson Expert Messenger.lnk = C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.realtytools.com
O15 - Trusted Zone: *.rexplorer.net
O15 - Trusted Zone: http://*.toolkitcma.com
O15 - Trusted Zone: http://*.toolkitcma2.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexplorer.net/iftw_install//iftwclix.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://prudentialgeorgia.webex.com/client/...ent/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O20 - AppInit_DLLs: rvinfj.dll cvknsa.dll mtppqy.dll
O20 - Winlogon Notify: gotomypc - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

Some observations: I apparently had uninstalled Spybot Search and Destroy previously, as I no longer found the program in the program list or in Add/Remove Programs. The desktop wallpaper is clean now and a right-click on the desktop Properties now shows the Desktop and Screen Saver tabs which had been missing. Signs of progress! Thanks and I look forward to your response. - jonwitte


Tomk
post Aug 4 2008, 01:45 PM
Post #4


Extrication Intern

Group: Malware Team
Posts: 3,361
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



jonwitte,

We definitely got some of it. But not all.

  • Please open HijackThis and run Do a system scan only
  • Check the boxes next to ONLY the entries listed below (if present):

      R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

  • Close all programs except for HijackThis.
  • Click on Fix checked
  • A box will pop up asking you if you wish to fix the selected items. Please choose YES.
  • Once it has fixed them, please exit/close HijackThis.


Next

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    KILLALL::

    File::
    C:\WINDOWS\SYSTEM32\dltdgbcx.ini
    C:\WINDOWS\SYSTEM32\xcbgdtld.dll
    C:\WINDOWS\SYSTEM32\mtppqy.dll
    C:\WINDOWS\SYSTEM32\moxuvtbw.dll
    C:\WINDOWS\SYSTEM32\wpbthxyq.dll
    C:\WINDOWS\SYSTEM32\cvknsa.dll
    C:\WINDOWS\SYSTEM32\vstyinsq.dll
    C:\WINDOWS\SYSTEM32\rvinfj.dll
    C:\WINDOWS\SYSTEM32\0^?
    C:\WINDOWS\SYSTEM32\eqgssshi.dll
    C:\WINDOWS\SYSTEM32\xynqkgdm.dll
    C:\WINDOWS\SYSTEM32\mggqfsdo.dll
    C:\WINDOWS\SYSTEM32\iifgEuVM.dll
    C:\WINDOWS\SYSTEM32\svvnennc.ini
    C:\WINDOWS\SYSTEM32\brbdiqll.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3c5dfda1-522d-4b28-8a83-56a4d58b115b}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "7cb40ed3"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


In your next reply please provide:
  • ComboFix.txt
  • Kaspersky report
  • New HijackThis log taken after everything else completed
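The entries Tomk singles out in the fix list and the CFScript above (the orphaned R3 hook, the Run value named `7cb40ed3` that hands a system32 DLL to rundll32, the BHO whose only name is a GUID, and the populated AppInit_DLLs line) are the kind of thing an experienced log reader spots by eye. The Python script below, an added example that is not part of this thread nor of HijackThis or ComboFix, encodes a few of those triage rules and runs them over a constructed subset of the HijackThis log posted above; the rule names and thresholds are the editor's own heuristics, not anything the tools define.

```python
"""Triage HijackThis-style log lines for persistence entries worth a second look."""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: {b511b85d-4a65-38a8-82b4-d2251adfd5c3} - {3c5dfda1-522d-4b28-8a83-56a4d58b115b} - C:\WINDOWS\system32\mtppqy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [7cb40ed3] rundll32.exe "C:\WINDOWS\system32\xcbgdtld.dll",b
O20 - AppInit_DLLs: rvinfj.dll cvknsa.dll mtppqy.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# Heuristic patterns (editor's assumptions, not HijackThis definitions).
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
FILE_RE = re.compile(r"([A-Za-z]:\\[^\"',]+\.(?:dll|exe|ax))", re.I)
# AppInit_DLLs lists bare module names with no directory.
BARE_DLL_RE = re.compile(r"\b([A-Za-z0-9_]+\.dll)\b", re.I)


def parse_hjt(text):
    """Return (section, body) pairs for every line that looks like a HijackThis entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Apply defender-side rules; returns a list of (section, reason, body) findings."""
    findings = []
    for sec, body in parse_hjt(text):
        if "(no file)" in body or "(file missing)" in body:
            findings.append((sec, "orphan entry: target file is gone", body))
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((sec, "AppInit_DLLs is populated; every user-mode process loads these", body))
        if sec == "O4":
            name = re.search(r"\[(.+?)\]", body)
            if name and HEX_NAME_RE.match(name.group(1)):
                findings.append((sec, "Run value named with a hex string rather than a product name", body))
            if "rundll32.exe" in body.lower() and "\\system32\\" in body.lower():
                findings.append((sec, "rundll32 loading a DLL straight out of system32 at logon", body))
        if sec == "O2":
            display = body.split(" - ")[0].replace("BHO: ", "", 1)
            if GUID_RE.match(display):
                findings.append((sec, "BHO with no readable name, only a GUID", body))
    return findings


def modules_by_loading_point(text):
    """Map each module file name (lower-cased) to the set of sections it is registered under."""
    seen = defaultdict(set)
    for sec, body in parse_hjt(text):
        for path in FILE_RE.findall(body):
            seen[path.rsplit("\\", 1)[-1].lower()].add(sec)
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            for name in BARE_DLL_RE.findall(body):
                seen[name.lower()].add(sec)
    return seen


def multi_point_modules(text):
    """Modules registered under more than one loading point (in the sample: mtppqy.dll, O2 and O20)."""
    return sorted(m for m, secs in modules_by_loading_point(text).items() if len(secs) > 1)


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {body}")
    print("registered in more than one loading point:", multi_point_modules(SAMPLE_LOG))
```

On the sample this flags six entries: the two orphans, the GUID-named BHO, the `7cb40ed3` Run value twice (hex name and rundll32 from system32) and the AppInit_DLLs line, and it reports `mtppqy.dll` as registered under both O2 and O20. Those are exactly the loading points the CFScript above removes, which is the point of the cross-check: a file that turns up in more than one autostart location, or in AppInit_DLLs at all, deserves confirmation (hash lookup, creation date against the "Files Created" list in ComboFix) before anything is deleted. The heuristics are deliberately narrow; a legitimate six-letter module such as ctfmon.exe is not flagged because the script never judges a name on its letters alone.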
jonwitte
post Aug 4 2008, 06:26 PM
Post #5


New Member
*

Group: New Member
Posts: 12
Joined: 4-August 08
Member No.: 80,745
Operating System: XP SP2



Hello Tomk, here are the latest reports after completing the requested steps:

ComboFix 08-08-03.05 - Judy Wittenberg 2008-08-04 16:18:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2126 [GMT -4:00]
Running from: C:\Documents and Settings\Judy Wittenberg\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Judy Wittenberg\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\dltdgbcx.ini
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-03 20:40 . 2008-08-03 20:40 98,688 --a------ C:\WINDOWS\SYSTEM32\xcbgdtld.dll
2008-08-03 20:37 . 2008-08-03 20:37 130,432 --a------ C:\WINDOWS\SYSTEM32\mtppqy.dll
2008-08-03 20:37 . 2008-08-03 20:37 130,432 --a------ C:\WINDOWS\SYSTEM32\moxuvtbw.dll
2008-08-03 20:10 . 2008-08-03 20:10 130,432 --a------ C:\WINDOWS\SYSTEM32\wpbthxyq.dll
2008-08-03 20:10 . 2008-08-03 20:10 130,432 --a------ C:\WINDOWS\SYSTEM32\cvknsa.dll
2008-08-03 11:36 . 2008-08-03 11:36 130,432 --a------ C:\WINDOWS\SYSTEM32\vstyinsq.dll
2008-08-03 11:36 . 2008-08-03 11:36 130,432 --a------ C:\WINDOWS\SYSTEM32\rvinfj.dll
2008-08-03 11:34 . 2008-08-03 11:34 0 --a------ C:\WINDOWS\SYSTEM32\0^?
2008-07-31 18:47 . 2008-07-31 18:47 99,712 --a------ C:\WINDOWS\SYSTEM32\eqgssshi.dll
2008-07-31 17:42 . 2008-07-31 17:42 <DIR> d-------- C:\Program Files\Photo Viewer
2008-07-27 11:37 . 2008-07-27 11:37 9,062 --a------ C:\WINDOWS\SYSTEM32\small1.ico
2008-07-27 11:37 . 2008-07-27 11:37 9,062 --a------ C:\WINDOWS\SYSTEM32\small.ico
2008-07-27 11:36 . 2008-07-27 11:36 <DIR> d-------- C:\temp
2008-07-27 11:36 . 2008-07-27 11:50 <DIR> d-------- C:\Program Files\ATT Internet Tools
2008-07-27 00:50 . 2008-07-27 00:50 <DIR> d-------- C:\Program Files\LivePerson
2008-07-25 00:38 . 2008-07-25 00:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-25 00:38 . 2008-07-25 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 00:05 . 2008-07-25 00:05 94,848 --a------ C:\WINDOWS\SYSTEM32\xynqkgdm.dll
2008-07-24 18:02 . 2008-07-24 18:02 94,848 --a------ C:\WINDOWS\SYSTEM32\mggqfsdo.dll
2008-07-24 18:01 . 2008-07-24 18:01 323,584 --a------ C:\WINDOWS\SYSTEM32\iifgEuVM.dll
2008-07-22 00:04 . 2008-07-22 00:04 43,521 --ahs---- C:\WINDOWS\SYSTEM32\svvnennc.ini
2008-07-20 12:09 . 2008-07-20 12:09 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-07-20 00:06 . 2008-07-20 00:06 152,064 --a------ C:\WINDOWS\SYSTEM32\brbdiqll.exe
2008-07-06 00:11 . 2008-07-06 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 16:00 --------- d-----w C:\Program Files\Java
2008-07-27 15:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-27 15:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 04:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 04:29 --------- d-----w C:\Documents and Settings\Judy Wittenberg\Application Data\Lavasoft
2008-07-18 22:53 --------- d-----w C:\Program Files\Common Files\Scanner
2008-06-23 00:58 --------- d-----w C:\Program Files\Blvd2009
2008-06-23 00:57 --------- d-----w C:\Program Files\Common Files\Business Objects
2008-06-23 00:57 --------- d-----w C:\Program Files\Business Objects
2008-06-23 00:57 --------- d-----w C:\Program Files\Blvd
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 06:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-14 00:42 724,984 ----a-w C:\Documents and Settings\Judy Wittenberg\gotomypc_437.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-02-29 03:52 724,984 ----a-w C:\Documents and Settings\Admin\gotomypc_437.exe
2007-05-07 01:05 157,208 ----a-w C:\Documents and Settings\Judy Wittenberg\Application Data\GDIPFONTCACHEV1.DAT
2007-03-18 20:13 722,176 ----a-w C:\Documents and Settings\Judy Wittenberg\gotomypc_428.exe
2006-10-08 18:58 3,167,744 ----a-w C:\Documents and Settings\Judy Wittenberg\gosetup.exe
2006-02-15 02:37 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-07 18:20 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 153