[Resolved]Winantiviruspro, Systemdoctor: Requesting Vundofix And Hijac


10 replies to this topic

#1 jeninmaine

jeninmaine

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 01 August 2007 - 12:10 AM

I am running Windows XP SP2 and have just started getting those annoying forwards and popups for WinAntiVirusPro, SystemDoctor, some random job seeking site, and other such things.

I have run the following programs and cleaned what could be found:

Ad-Aware 2007
Spybot - Search and Destroy
stinger
ATF-Cleaner
AVG Anti-Spyware
VundoFix
HijackThis

in an attempt to remove whatever is causing this adware to fire but it keeps showing up. As I'm writing this, Spybot is sending me the following messages:

Spybot - Search & Destroy has detected an important registry entry that has been changed.
Category: Browser Helper Object
Change: Value Added
Entry: {0F59C1D6-04B7-4B49-AAEC-D974C25075B2}

Spybot - Search & Destroy has detected an important registry entry that has been changed.
Category: Winlogon Notifiers
Change: Value Added
Entry: mllmm

I keep denying these changes but they're continual. I'd like to post my HijackThis log before I try to clean anything further.


Logfile of HijackThis v1.99.1
Scan saved at 2:02:34 AM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jen\Desktop\VundoFix.exe
C:\Documents and Settings\Jen\Desktop\Spyware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F59C1D6-04B7-4B49-AAEC-D974C25075B2} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {1B17A66D-2428-4576-8AEB-B0CABC48BBB8} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\xxyvuuv.dll
O2 - BHO: (no name) - {3EEDBBF3-0A5B-46E4-B35D-F3140015CDD0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsof...iveXClient1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O20 - Winlogon Notify: mllmm - C:\WINDOWS\system32\mllmm.dll
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyvuuv - C:\WINDOWS\SYSTEM32\xxyvuuv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Also the latest and greatest from VundoFix:

C:\\WINDOWS\system32\mllmm.dll
C:\\WINDOWS\system32\mllmm.bak1
C:\\WINDOWS\system32\mllmm.ini


Thank you in advance for your assistance,
- Jen



#2 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 01 August 2007 - 06:46 AM

Looking over your log, back ASAP.

#3 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 01 August 2007 - 07:00 AM

Hi jeninmaine,

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


It's not clear from your log whether you're running HJT direct from your Desktop. I suspect this line (C:\Documents and Settings\Jen\Desktop\Spyware.exe) is a re-named HJT; if it is, please create a new folder on your Desktop, name it HJT and put HijackThis.exe (Spyware.exe) inside it. HJT needs a folder to store backups in.

We need to disable Spybot S&D Teatimer as it will interfere with the removal of your infection.

To disable Spybot S&D TeaTimer
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected.
  • On the left hand side, choose Tools -> Resident
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer.
  • Download combofix.exe by sUBs
  • Alternate Download
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt).
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Run a new scan with HJT and send me that log as well please.

#4 jeninmaine

jeninmaine

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 01 August 2007 - 09:03 AM

Thank you, Gary! I really, really appreciate the help. I won't feel comfortable VPNing to work until I get this cleared up.

I am at work at the moment, so I can only answer two of your questions immediately:

1. Yes, I have three accounts for my XP install, but I can easily delete the two that aren't used. Should I do this?
2. Yes, I am running HijackThis from my desktop; I renamed it Spyware.exe as per the instructions for using VundoFix. Should I change the name back? I will put it in its own folder as you suggested.

I will get the rest of the information you requested and post an update this evening. Thank you again!
- Jen

#5 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 01 August 2007 - 11:29 AM

No, no need to remove the other accounts, I just need to know so I can check them later to ensure there's nothing hiding there. No need to rename Spyware.exe, just put it in a folder. HJT creates backups for everything it removes; by default it puts them in the same folder as it is being run from. If it's on your Desktop the backups can easily be lost or deleted by mistake. In the remote chance that we remove something we shouldn't have, it's nice to have the backup so we can restore it.

#6 jeninmaine

jeninmaine

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 01 August 2007 - 07:37 PM

Hello again Gary,

I did as instructed, and so far so good as I haven't seen the popups this boot (but I'll let you be the judge of that!).

Here's the log for ComboFix:

ComboFix 07-07-30.2 - "Jen" 2007-08-01 21:06:50.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tsdxiaht.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.bak2
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\xxyvuuv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Jen\APPLIC~1\SystemDoctor Free
C:\DOCUME~1\Jen\APPLIC~1\SystemDoctor Free\Logs\update.log
C:\WINDOWS\system32\winnb58.dll


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-01 21:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-01 21:01 125,504 --a------ C:\WINDOWS\system32\djodauww.dll
2007-08-01 01:41 <DIR> d-------- C:\VundoFix Backups
2007-08-01 01:32 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-01 01:01 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2007-08-01 00:50 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-07-31 23:25 <DIR> d-------- C:\WINDOWS\pss
2007-07-31 22:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-31 19:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-31 19:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-31 19:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-05 19:17 <DIR> d-------- C:\Jen's Old Machine
2007-07-01 21:35 <DIR> d-------- C:\DOCUME~1\Jen\APPLIC~1\Flickr
2007-07-01 20:36 <DIR> d-------- C:\Program Files\Flickr Uploadr


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-29 21:13 1864 --a------ C:\DOCUME~1\Jen\APPLIC~1\wklnhst.dat
2007-07-10 20:27 56 -r-hs---- C:\WINDOWS\system32\9D579380DB.sys
2007-07-10 20:27 4184 --a------ C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-25 20:56 --------- d-------- C:\Program Files\Bethesda Softworks
2007-06-12 19:00 36112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-06-12 19:00 203024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-06-12 18:52 1126328 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2007-06-04 15:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-01-22 04:14 64792 --a------ C:\DOCUME~1\Jen\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B17A66D-2428-4576-8AEB-B0CABC48BBB8}]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3EEDBBF3-0A5B-46E4-B35D-F3140015CDD0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 00:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 08:56]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:36]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 19:39]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-06-15 00:58:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-05 23:19:45]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2006-05-02 19:22:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjh]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

R0 iastor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iastor.sys
R1 ELhid;ELhid;C:\WINDOWS\system32\DRIVERS\ELhid.sys
R1 ELkbd;ELkbd;C:\WINDOWS\system32\DRIVERS\ELkbd.sys
R1 ELmon;ELmon;C:\WINDOWS\system32\DRIVERS\ELmon.sys
R1 ELmou;ELmou;C:\WINDOWS\system32\DRIVERS\ELmou.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\Drivers\tmtdi.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R2 tm_cfw;Common Firewall Driver;C:\WINDOWS\system32\Drivers\tm_cfw.sys
R2 Tmfilter;Tmfilter;C:\WINDOWS\system32\drivers\TmXPFlt.sys
R2 Tmpreflt;Tmpreflt;C:\WINDOWS\system32\drivers\Tmpreflt.sys
R2 Vsapint;Vsapint;C:\WINDOWS\system32\drivers\Vsapint.sys
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e1e5132.sys
R3 ELacpi;ELacpi;C:\WINDOWS\system32\DRIVERS\ELacpi.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
S3 61883;61883 Unit Device;C:\WINDOWS\system32\DRIVERS\61883.sys
S3 Avc;AVC Device;C:\WINDOWS\system32\DRIVERS\avc.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 kbeepm;kbeepm;\??\C:\DOCUME~1\Jen\LOCALS~1\Temp\kbeepm.sys
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 21:13:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-01 21:14:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-01 21:14

--- E O F ---


Here's ComboFix-quarantined-files.txt:

2007-07-28 14:03	  31254	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyvuuv.dll.vir
2007-07-29 22:33	  376832	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\WinNB58.dll.vir
2007-07-31 21:00	  1125	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Jen\APPLIC~1\SystemDoctor Free\Logs\update.log.vir
2007-08-01 01:59	  228960	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\mllmm.dll.vir
2007-08-01 01:59	  6467	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\mmllm.bak1.vir
2007-08-01 21:00	  1758069	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\mmllm.bak2.vir
2007-08-01 21:04	  69184	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\tsdxiaht.dll.vir
2007-08-01 21:06	  1760824	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\mmllm.ini.vir
2007-08-01 21:10	  104	--a------	C:\Qoobox\Quarantine\catchme.log


Folder PATH listing
Volume serial number is 342C-DC9D
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   
	+---C
	|   +---DOCUME~1
	|   |   \---Jen
	|   |	   \---APPLIC~1
	|   |		   \---SystemDoctor Free
	|   |			   \---Logs
	|   |					   update.log.vir
	|   |					   
	|   \---WINDOWS
	|	   \---system32
	|			   mllmm.dll.vir
	|			   mmllm.bak1.vir
	|			   mmllm.bak2.vir
	|			   mmllm.ini.vir
	|			   tsdxiaht.dll.vir
	|			   WinNB58.dll.vir
	|			   xxyvuuv.dll.vir
	|			   
	\---Registry_backups


Here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:23 PM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jen\Desktop\HJT\Spyware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B17A66D-2428-4576-8AEB-B0CABC48BBB8} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: (no name) - {3EEDBBF3-0A5B-46E4-B35D-F3140015CDD0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsof...iveXClient1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


I am SO getting rid of Trend Micro PC-illin. I was only using it as it came packaged on my machine when I bought it, and what a PITA it is. I was thinking of getting Norton Internet Security - what would you recommend?

Thank you again and continually,
- Jen

#7 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 02 August 2007 - 01:08 AM

Hi Jen,

Looking better.

Still a little cleaning up to do, and I'd like to run a scan of your system to give me an all over look at it. HJT is a good programme, but it doesn't look at all areas of your computer. I like to use Kaspersky, because it is very thorough and because it doesn't try to remove anything. I like to have full control over what is removed from a computer, because even the best automated scanners sometimes give false positives.

Run a scan with HJT and when finished check the following items (if found).

O2 - BHO: (no name) - {1B17A66D-2428-4576-8AEB-B0CABC48BBB8} - C:\WINDOWS\system32\pmkjh.dll (file missing)

O2 - BHO: (no name) - {3EEDBBF3-0A5B-46E4-B35D-F3140015CDD0} - (no file)

O20 - Winlogon Notify: pmkjh - C:\WINDOWS\



Now close all open windows and click Fix Checked to remove them.

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Can you run a HJT scan for each account on your machine please and post them back here. Label each one so I know which scan is for which account please.

If you don't mind I'll address your request for how to secure your computer when we're sure everything's been removed that needs to be.
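The reasoning Gary applies to the two HJT logs above can be written down as a small triage script. The following is an added example for this thread, not code from HijackThis, Spybot or any tool used here: it parses the O2 (Browser Helper Object) and O20 (Winlogon Notify) lines of an HJT v1.99 log, flags the entries a removal helper checks first (BHOs whose DLL is missing, unnamed BHOs loading straight from system32, Winlogon Notify packages outside a clean baseline or with no file name), and matches the two Spybot TeaTimer alerts from the first post to the HJT lines they refer to. The sample inputs are excerpts of the logs posted in this thread; the Winlogon Notify allow-list is constructed for illustration and a real one should come from a known-clean machine of the same Windows build. Run on the post-ComboFix log, it returns exactly the three entries listed above for Fix Checked.

```python
"""Triage helper for HijackThis (HJT) v1.99 logs: flags the O2 (Browser Helper
Object) and O20 (Winlogon Notify) entries a removal helper checks first, and
matches Spybot S&D TeaTimer alerts to the HJT lines they refer to."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# O2 - BHO: <name> - {CLSID} - <path> | "(no file)" | "<path> (file missing)"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.*)$")
# A DLL sitting directly in system32 (not in a vendor sub-folder such as dla\)
SYSTEM32_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\[^\\]+$", re.IGNORECASE)
# Constructed allow-list of Winlogon Notify packages on a stock XP SP2 install.
# Illustrative only: a real baseline is taken from a known-clean machine.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon"}
# Spybot alert category -> the HJT section listing the same registry location
SPYBOT_SECTION = {"Browser Helper Object": "O2", "Winlogon Notifiers": "O20"}


@dataclass(frozen=True)
class Finding:
    section: str  # "O2" or "O20"
    key: str      # CLSID for O2, Notify subkey for O20
    path: str
    reason: str


def triage_hjt(log: str) -> List[Finding]:
    """Return the O2/O20 entries worth a second look, in log order."""
    findings: List[Finding] = []
    for line in (l.strip() for l in log.splitlines()):
        if m := O2_RE.match(line):
            name, clsid, path = m.group("name", "clsid", "path")
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding("O2", clsid, path, "BHO registered but its DLL is gone"))
            elif name == "(no name)" and SYSTEM32_RE.match(path):
                findings.append(Finding("O2", clsid, path, "unnamed BHO loading straight from system32"))
        elif m := O20_RE.match(line):
            subkey, path = m.group("subkey", "path")
            if path.endswith("\\"):
                findings.append(Finding("O20", subkey, path, "Notify entry with no DLL file name"))
            elif subkey not in KNOWN_NOTIFY:
                findings.append(Finding("O20", subkey, path, "Notify package not in clean baseline"))
    return findings


def parse_spybot_alerts(text: str) -> List[Tuple[str, str]]:
    """Return (category, entry) pairs from Spybot S&D TeaTimer alert text."""
    alerts, category = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Category:"):
            category = line.split(":", 1)[1].strip()
        elif line.startswith("Entry:") and category:
            alerts.append((category, line.split(":", 1)[1].strip()))
            category = None
    return alerts


def correlate(alert_text: str, log: str) -> Dict[str, Optional[str]]:
    """Map each Spybot alert entry to the HJT path it refers to (None if absent)."""
    index: Dict[Tuple[str, str], str] = {}
    for line in (l.strip() for l in log.splitlines()):
        if m := O2_RE.match(line):
            index[("O2", m.group("clsid"))] = m.group("path")
        elif m := O20_RE.match(line):
            index[("O20", m.group("subkey"))] = m.group("path")
    return {entry: index.get((SPYBOT_SECTION.get(cat, ""), entry))
            for cat, entry in parse_spybot_alerts(alert_text)}


# Excerpts of the logs posted in this thread: the first HJT log, the Spybot
# alerts from the first post, and the HJT log taken after ComboFix had run.
HJT_FIRST_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F59C1D6-04B7-4B49-AAEC-D974C25075B2} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {1B17A66D-2428-4576-8AEB-B0CABC48BBB8} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\xxyvuuv.dll
O2 - BHO: (no name) - {3EEDBBF3-0A5B-46E4-B35D-F3140015CDD0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O20 - Winlogon Notify: mllmm - C:\WINDOWS\system32\mllmm.dll
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyvuuv - C:\WINDOWS\SYSTEM32\xxyvuuv.dll
"""
SPYBOT_ALERTS = """
Category: Browser Helper Object
Change: Value Added
Entry: {0F59C1D6-04B7-4B49-AAEC-D974C25075B2}
Category: Winlogon Notifiers
Change: Value Added
Entry: mllmm
"""
HJT_AFTER_COMBOFIX = r"""
O2 - BHO: (no name) - {1B17A66D-2428-4576-8AEB-B0CABC48BBB8} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: (no name) - {3EEDBBF3-0A5B-46E4-B35D-F3140015CDD0} - (no file)
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in triage_hjt(HJT_FIRST_LOG):
        print(f"{f.section:<4}{f.key:<40}{f.reason}")
```

The heuristics key on where a DLL lives and whether it still exists rather than on its name, which is why the unnamed SDHelper.dll BHO under Program Files is left alone while the unnamed DLLs dropped straight into system32 are flagged. The Spybot correlation shows that the two alerts Jen kept denying were the same mllmm component re-registering itself as both a BHO and a Winlogon Notify package, which is the cross-check a helper does by eye before deciding what to fix.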

#8 jeninmaine

jeninmaine

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 02 August 2007 - 09:16 PM

Here's the latest...

Kaspersky scan log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 02, 2007 11:04:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/08/2007
Kaspersky Anti-Virus database records: 371345
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 193043
Number of viruses found: 5
Number of infected objects: 159 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:07:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\history.dat Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\key3.db Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jen\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jen\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jen\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jen\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jen\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9uuyk0z.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jen\Local Settings\History\History.IE5\MSHist012007080220070803\index.dat Object is locked skipped
C:\Documents and Settings\Jen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS100.CAB/A0045109.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS100.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS104.CAB/A0045116.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS104.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS105.CAB/A0045129.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS105.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS106.CAB/A0045136.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS106.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS107.CAB/A0046138.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS107.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS108.CAB/A0046148.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS108.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS109.CAB/A0046177.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS109.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS110.CAB/A0046185.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS110.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS111.CAB/A0046191.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS111.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS112.CAB/A0046198.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS112.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS113.CAB/A0046208.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS113.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS114.CAB/A0046307.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS114.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS115.CAB/A0046351.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS115.CAB/A0046402.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS115.CAB CAB: infected - 2 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS123.CAB/A0033994.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS123.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS124.CAB/A0034003.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS124.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS125.CAB/A0034067.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS125.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS126.CAB/A0035066.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS126.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS128.CAB/A0036066.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS128.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS129.CAB/A0037066.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS129.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS131.CAB/A0038119.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS131.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS132.CAB/A0038126.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS132.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS133.CAB/A0038136.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS133.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS134.CAB/A0038156.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS134.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS135.CAB/A0038171.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS135.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS136.CAB/A0038178.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS136.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS137.CAB/A0038189.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS137.CAB/A0038192.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS137.CAB CAB: infected - 2 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS138.CAB/A0038199.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS138.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS139.CAB/A0038206.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS139.CAB/A0038209.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS139.CAB CAB: infected - 2 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS140.CAB/A0038223.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS140.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS141.CAB/A0038230.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS141.CAB/A0038233.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS141.CAB CAB: infected - 2 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS367.CAB/A0006035.CPY Infected: not-a-virus:AdWare.Win32.Coupons.b skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS367.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS50.CAB/A0041362.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS50.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS51.CAB/A0042362.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS51.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS52.CAB/A0042373.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS52.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS53.CAB/A0042385.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS53.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS54.CAB/A0042392.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS54.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS55.CAB/A0042403.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS55.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS56.CAB/A0042513.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS56.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS57.CAB/A0042522.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS57.CAB/A0042526.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS57.CAB CAB: infected - 2 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS58.CAB/A0042540.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS58.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS59.CAB/A0042568.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS59.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS60.CAB/A0042575.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS60.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS61.CAB/A0042582.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS61.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS62.CAB/A0042588.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS62.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS63.CAB/A0042595.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS63.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS64.CAB/A0042603.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS64.CAB/A0042607.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS64.CAB CAB: infected - 2 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS65.CAB/A0042623.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS65.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS66.CAB/A0042653.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS66.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS67.CAB/A0042670.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS67.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS68.CAB/A0042686.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS68.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS69.CAB/A0042693.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS69.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS70.CAB/A0043692.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS70.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS71.CAB/A0043698.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS71.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS72.CAB/A0043705.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS72.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS73.CAB/A0043713.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS73.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS75.CAB/A0043724.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS75.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS76.CAB/A0043744.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS76.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS77.CAB/A0043752.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS77.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS78.CAB/A0043758.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS78.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS79.CAB/A0043777.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS79.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS80.CAB/A0043792.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS80.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS81.CAB/A0043801.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS81.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS82.CAB/A0043974.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS82.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS83.CAB/A0020547.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS83.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS85.CAB/A0043982.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS85.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS86.CAB/A0043997.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS86.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS87.CAB/A0044004.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS87.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS89.CAB/A0044046.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS89.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS90.CAB/A0044057.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS90.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS91.CAB/A0044064.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS91.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS92.CAB/A0023597.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS92.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS95.CAB/A0044073.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS95.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS96.CAB/A0044079.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS96.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS98.CAB/A0044101.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS98.CAB CAB: infected - 1 skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS99.CAB/A0044108.CPY Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE\FS99.CAB CAB: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\10.tmp Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyvuuv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\pmkjh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.lc skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06ABB95C-F70D-4F67-B453-B45F103EF2C8}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


HijackThis for main XP account (the one I use):

Logfile of HijackThis v1.99.1
Scan saved at 11:06:43 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\Jen\Desktop\HJT\Spyware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsof...iveXClient1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


HijackThis for secondary XP account #1:

Logfile of HijackThis v1.99.1
Scan saved at 11:09:33 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Documents and Settings\Jen\Desktop\HJT\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsof...iveXClient1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe




HijackThis for secondary XP account #2:


Logfile of HijackThis v1.99.1
Scan saved at 11:11:04 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Documents and Settings\Jen\Desktop\HJT\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://secure.sysen...auth/login.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsof...iveXClient1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



Many many thanks!
- Jen
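As an added example that is not part of this thread, here is a small Python triage pass over lines in the HijackThis v1.99.1 format shown in the logs above. It only points out entries a reviewer would want to look at by hand (unnamed BHOs, Winlogon Notify DLLs and services with an unknown owner, Run entries with no path); the allowlists are my assumption, and the two placeholder lines in the sample (the all-zero CLSID and "examplenotify") are constructed, not taken from Jen's log.

```python
import re

# Lines in the HijackThis v1.99.1 format. Most are copied from the log in
# this thread; the third O2 line and the second O20 line are CONSTRUCTED
# placeholders so the triage rules have something to flag.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Reviewer-maintained allowlists (assumed for this example). Spybot's own
# helper BHO reports as "(no name)", and WgaLogon is the Windows Genuine
# Advantage notifier, so neither should be raised every time.
KNOWN_NONAME_BHO = {"sdhelper.dll"}
KNOWN_WINLOGON_NOTIFY = {"wgalogon"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def triage(log_text):
    """Return (section, reason, line) tuples that deserve a human look.

    These are review prompts, not verdicts: each rule also fires on some
    legitimate software, which is what the allowlists are for.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        sec, rest = m.group("sec"), m.group("rest")
        if sec == "O2":
            b = BHO_RE.match(rest)
            if b and b.group("name") == "(no name)":
                fname = b.group("path").rsplit("\\", 1)[-1].lower()
                if fname not in KNOWN_NONAME_BHO:
                    findings.append((sec, "unnamed BHO not on allowlist", line))
        elif sec == "O4":
            r = RUN_RE.match(rest)
            if r and "\\" not in r.group("cmd"):
                findings.append((sec, "Run entry without a full path", line))
        elif sec == "O20":
            n = NOTIFY_RE.match(rest)
            if n and n.group("name").lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append((sec, "Winlogon Notify DLL not on allowlist", line))
        elif sec == "O23":
            s = SERVICE_RE.match(rest)
            if s and s.group("owner") == "Unknown owner":
                findings.append((sec, "service with unknown owner", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {line}")
```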

#9 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 03 August 2007 - 01:06 AM

Hi Jen

As far as I can see, your computer looks clear of infection now.

The "infections" found by Kaspersky were just the encrypted backups created by your protection programmes and Vundofix. They're not a threat to you, but if you wish you can delete them from your machine.

If so:

Delete the following file

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\10.tmp (in bold).

Delete these folders (in bold).

C:\VundoFix Backups
C:\QooBox\Quarantine


Delete the contents of this folder (do not delete the folder).

C:\Jen's Old Machine\C Drive\_RESTORE\ARCHIVE

You can also get rid of Vundofix and Combofix, they're updated frequently, so the versions you have now will be of no use against future infections.

Don't forget to re-enable Spybot S&D Teatimer. (Pretty much the reverse of disabling it).
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected.
  • On the left hand side, choose Tools -> Resident
  • Check Resident TeaTimer and OK any prompts.
Best we clear out your temp files as well.
  • Click Start > Run and type cleanmgr then click OK.
  • This will bring up the Disk Cleanup window.
  • Check the following entries.
    • Temporary Internet Files.
    • Recycle Bin.
    • Temporary Files.
  • Click OK.
  • When a prompt pops up click Yes.
Are you still noticing any problems?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.
Below are a series of recommendations which will help you keep more secure online.

THESE STEPS ARE VERY IMPORTANT

Let's reset System Restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
  • Reboot.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check *Turn off System Restore*.
    • Click Apply, and then click OK.
  • NOTE: only do this once, NOT on a regular basis.
Update your Java.
Older versions have vulnerabilities that malware can use, and is using, to infect systems.

Please follow these steps to remove older version Java components. This is important as it's still possible to get infected through an old install even if you're using the latest version of Java.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Download the latest version of Java Runtime Environment (JRE) 6u2, and install it to your computer.

Updating Windows and Internet Explorer
It is essential you keep your Operating System up to date with all the latest patches. The bad guys watch for the latest exploits; as soon as Microsoft brings out a patch, the bad guys will bring out an infection to exploit that vulnerability. If you don't have all the latest patches your computer is vulnerable. Please go to the Windows Update site and get the critical updates.

Use a "secure" browser
Install Internet Explorer 7 or an alternative browser like Firefox or Opera for more secure surfing.
Please remember that there is no such thing as a totally secure browser. Your browsing habits will be the major factor in determining just how safe you are online. If you visit Crack/Warez sites, Porn sites, or other sites of a questionable nature, you still run a severe risk of getting infected.

The following are free programs that are designed to keep your computer clean. A brief description is included with each item, click on name to go to download site.
  • Adaware SE Personal
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
  • Spybot S & D
    Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
    To see how to set this up as well as more spybot features, see here
  • SpywareBlaster
    SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain ActiveX controls can't install.
    If you don't know what ActiveX controls are, see here
  • IE Spyad
    It puts many bad webpages on your Restricted Zones list. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use JavaScript and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.
  • Hosts file:
  • Make sure you read the instructions on how to install the hosts file, here.
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
  • If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • Hit Enter, then locate DNS Client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK
  • Use Anti-Virus Software - It's very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone anti-virus programs:
    Computer Safety On line - LIST of free Anti virus programs
  • Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one.
  • Site Advisor This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site.
Obviously you have already taken care of some of the issues mentioned, but it is important that you read through them, and address any that you may have missed.

Here are links to a few articles which are well worth reading.

Finally

NOW is the time you can start to hit back at the people who infected you.
Please take the time to go and complain - that forum has a topic for your infection which is Vundo...... (if not, post in the Is your infection not listed here? topic). Please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to government or government agencies that something will get done.


Edited by Gary R, 03 August 2007 - 01:09 AM.


#10 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 05 August 2007 - 04:54 AM

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please pm a moderator, including a link to this topic.


If you have been helped and wish to donate to help with the costs of this volunteer site, please read Tom Coyote Donations

Gary R

#11 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 05 August 2007 - 04:54 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
