[Active] help me fix this virus - seasoned computer tech needs help

    #1 b8b (Newbie)


    Hi all,

    I'm an old-school tech (used to build computers with DOS and stuff, lol), but I'm getting schooled by what appears to be some malware or something. I ran a self-extracting executable that seemed legit but wasn't. Vista just spins on "please wait" when booting into normal mode (I'm in safe mode now). I ran HijackThis and removed a bunch of stuff from starting up (all of it looked sketchy); I deleted all of it, including:
    O2 - BHO: C:\Windows\system32\gsf83iujid.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\Windows\system32\gsf83iujid.dll

    The rest of my log is below. Thanks for helping.

    Log below:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:26:16 PM, on 7/12/2009
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16851)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Windows\system32\drivers\smss.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Users\B\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Users\B\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\NOTEPAD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\B\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [Windows System Recover!] C:\Users\B\AppData\Local\Temp\svchost.exe
    O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/e/38.../uploader2.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
    O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
    O23 - Service: rpcnetp - Unknown owner - C:\Windows\System32\rpcnetp.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

    --
    End of file - 5788 bytes
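A triage pass over the kind of HijackThis lines posted above, added here as an example (it is not part of the thread and not HijackThis's own code): it flags the entries a helper would circle first in this log, namely the extra UserInit entry, an autorun launched from Temp under a core system process name, a BHO whose file name looks machine-generated, and a service with no publisher. The sample lines are constructed from the posted log; the SYSTEM_PROCESS_NAMES table and the looks_random heuristic are assumptions made for this example, not rules HijackThis applies.

```python
import ntpath
import re

# Constructed sample in the line format HijackThis prints, modelled on the log posted above
# (the randomly named BHO, the extra UserInit entry, the svchost.exe launched from Temp).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe
O2 - BHO: C:\Windows\system32\gsf83iujid.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\Windows\system32\gsf83iujid.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Windows System Recover!] C:\Users\B\AppData\Local\Temp\svchost.exe
O23 - Service: rpcnetp - Unknown owner - C:\Windows\System32\rpcnetp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Core Windows process names that malware likes to borrow; each one legitimately lives
# only in %SystemRoot%\System32 (reference table written for this example, not exhaustive).
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "userinit.exe"}

BHO_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.+)$")
RUN_RE = re.compile(r"^O4 - .*?: \[(.*?)\] (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def exe_path(entry):
    """Strip surrounding quotes and trailing arguments from a Run value."""
    m = re.match(r'"?([^"]*?\.(?:exe|dll))', entry, re.IGNORECASE)
    return m.group(1) if m else entry.strip()


def masquerades(path):
    """True when a core system process name is used outside %SystemRoot%\\System32."""
    name = ntpath.basename(path).lower()
    return name in SYSTEM_PROCESS_NAMES and not path.lower().endswith("\\system32\\" + name)


def looks_random(stem):
    """Crude heuristic for generated names such as gsf83iujid: letters mixed with digits, or almost no vowels."""
    s = stem.lower()
    if len(s) < 8 or not s.isalnum():
        return False
    if any(c.isdigit() for c in s) and any(c.isalpha() for c in s):
        return True
    return sum(c in "aeiou" for c in s) / len(s) < 0.2


def triage(log_text):
    """Return (section code, reason, line) for every entry that deserves a closer look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("F2 ") and "UserInit=" in line:
            entries = [e.strip() for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]
            if not entries or masquerades(entries[0]):
                findings.append(("F2", "UserInit no longer points at System32\\userinit.exe", line))
            for extra in entries[1:]:  # anything after userinit.exe runs at every logon
                findings.append(("F2", "extra UserInit entry: " + extra, line))
        elif m := BHO_RE.match(line):
            stem = ntpath.splitext(ntpath.basename(m.group(1)))[0]
            if looks_random(stem):
                findings.append(("O2", "BHO with a generated-looking name: " + stem, line))
        elif m := RUN_RE.match(line):
            path = exe_path(m.group(2))
            if "\\temp\\" in path.lower():
                findings.append(("O4", "autorun launched from a Temp directory: " + path, line))
            if masquerades(path):
                findings.append(("O4", "system process name outside System32: " + path, line))
        elif m := SERVICE_RE.match(line):
            name, owner, path = m.groups()
            if owner.lower().startswith("unknown"):
                findings.append(("O23", "service with no publisher: " + name, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

The checks are deliberately narrow: a Run entry under AppData is not flagged on its own (GoogleUpdate.exe in the posted log is legitimate there), only a Temp location or a borrowed system process name is. The name heuristic is a prompt to look up the file, not a verdict; the rpcnet/rpcnetp services in the posted log have no publisher string but belong to a laptop-tracking product, which is exactly why a flagged line still needs a human to check it.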


    #2 broni (Senior Member)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    #3 b8b (Newbie)
    I think that fixed it, thanks!:


    ComboFix 09-07-12.03 - B 07/12/2009 21:52.1.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3069.2074 [GMT -7:00]
    Running from: c:\users\B\Documents\Downloads\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
    c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
    c:\$recycle.bin\S-1-5-21-806919467-3657881505-3490766666-500
    C:\90210.exe
    c:\programdata\10165414
    c:\programdata\10165414\10165414.exe
    c:\programdata\10165414\10165414.glu
    c:\programdata\90175406
    c:\programdata\90175406\90175406.exe
    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
    C:\rnytkgik.exe
    c:\users\B\AppData\Roaming\wiaservg.log
    c:\windows\Installer\65cc2.msi
    c:\windows\system32\drivers\hjgruinvhxvyjy.sys
    c:\windows\system32\drivers\smss.exe
    c:\windows\system32\hjgruijedmbhgi.dll
    c:\windows\system32\hjgruiorcvhtqi.dat
    c:\windows\system32\hjgruipkbircto.dll
    c:\windows\system32\hjgruiwlijjubf.dat

    ----- BITS: Possible infected sites -----

    hxxp://binuser.fileave.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_hjgruicymdcsdc


    ((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
    .

    2487-08-09 16:48 . 2009-06-06 15:49 -------- d-----w- c:\temp\Bryan and Steve and friends Wake surfing 5-09
    2009-07-13 05:00 . 2009-07-13 05:01 -------- d-----w- c:\users\B\AppData\Local\temp
    2009-07-13 05:00 . 2009-07-13 05:00 -------- d-----w- c:\users\T\AppData\Local\temp
    2009-07-13 02:50 . 2009-07-13 02:50 -------- d-----w- c:\program files\Trend Micro
    2009-07-13 01:44 . 2009-07-13 01:44 56320 ----a-w- C:\bhxyusl.exe
    2009-07-08 02:07 . 2009-07-08 02:07 -------- d-----w- c:\program files\FeedReader30
    2009-07-05 00:50 . 2009-07-05 16:40 -------- d-----w- c:\temp\My.Fitness.Coach.NTSC-WII-ProCiSiON
    2009-07-02 18:55 . 2009-07-02 18:55 -------- d-----w- c:\programdata\Citrix
    2009-07-02 18:55 . 2009-07-02 18:55 -------- d-----w- c:\program files\Citrix
    2009-07-02 18:54 . 2009-07-02 18:54 -------- d-----w- c:\users\B\AppData\Local\Citrix
    2009-07-02 18:54 . 2009-07-02 18:54 61224 ----a-w- c:\users\B\GoToAssistDownloadHelper.exe
    2009-07-02 18:54 . 2009-07-02 18:54 -------- d-----w- c:\users\B\AppData\Local\Deployment
    2009-07-02 14:05 . 2009-02-19 22:27 62760 ----a-w- c:\users\B\AppData\Roaming\Mozilla\Firefox\Profiles\zvp89pui.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
    2009-06-27 01:12 . 2009-06-27 01:12 -------- d-----w- c:\users\B\Livestation
    2009-06-27 01:12 . 2009-06-27 01:12 -------- d-----w- c:\users\B\AppData\Roaming\Mchid
    2009-06-27 01:12 . 2009-06-27 01:12 -------- d-----w- c:\users\B\AppData\Roaming\Livestation
    2009-06-27 01:11 . 2009-06-27 01:11 -------- d-----w- c:\program files\OpenAL
    2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe
    2009-06-22 22:23 . 2009-06-22 22:23 239088 ----a-w- c:\users\B\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    2009-06-15 21:56 . 2009-06-15 21:59 -------- d-----w- c:\temp\The.Colbert.Report.06.11.2009.PDTV.XviD-CHGRP
    2009-06-15 21:55 . 2009-06-15 22:01 -------- d-----w- c:\temp\Night.At.The.Museum.2.R5.LiNE.XviD-KAMERA
    2009-06-15 21:54 . 2009-06-15 21:58 -------- d-----w- c:\temp\Mythbusters.S05E07.720p.HDTV.x264-HDCP
    2009-06-15 16:19 . 2008-12-04 08:25 120832 ----a-w- c:\users\B\AppData\Roaming\Mozilla\Firefox\Profiles\zvp89pui.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
    2009-06-14 01:49 . 2009-06-14 01:49 2028032 ----a-w- c:\windows\system32\win32k.sys
    2009-06-14 01:49 . 2009-06-14 01:49 376832 ----a-w- c:\windows\system32\winhttp.dll
    2009-06-14 01:48 . 2009-06-14 01:48 297472 ----a-w- c:\windows\system32\gdi32.dll
    2009-06-14 01:47 . 2009-06-14 01:47 211456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2009-06-14 01:47 . 2009-06-14 01:47 500736 ----a-w- c:\windows\system32\msdtcprx.dll
    2009-06-14 01:47 . 2009-06-14 01:47 30208 ----a-w- c:\windows\system32\xolehlp.dll
    2009-06-14 01:46 . 2009-06-14 01:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2009-06-14 01:46 . 2009-06-14 01:46 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2009-06-14 01:46 . 2009-06-14 01:46 1687040 ----a-w- c:\windows\system32\gameux.dll
    2009-06-14 01:46 . 2009-06-14 01:46 2048 ----a-w- c:\windows\system32\msxml3r.dll
    2009-06-14 01:46 . 2009-06-14 01:46 1194496 ----a-w- c:\windows\system32\msxml3.dll
    2009-06-14 01:45 . 2009-06-14 01:45 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-06-14 01:44 . 2009-06-14 01:44 8147968 ----a-w- c:\windows\system32\wmploc.DLL
    2009-06-14 01:44 . 2009-06-14 01:44 7680 ----a-w- c:\windows\system32\spwmp.dll
    2009-06-14 01:44 . 2009-06-14 01:44 4096 ----a-w- c:\windows\system32\dxmasf.dll
    2009-06-14 01:42 . 2009-06-14 01:42 696832 ----a-w- c:\windows\system32\localspl.dll
    2009-06-14 01:42 . 2009-06-14 01:42 2923520 ----a-w- c:\windows\explorer.exe
    2009-06-14 01:40 . 2009-06-14 01:40 7680 ----a-w- c:\windows\system32\lsass.exe
    2009-06-14 01:40 . 2009-06-14 01:40 72704 ----a-w- c:\windows\system32\secur32.dll
    2009-06-14 01:40 . 2009-06-14 01:40 25600 ----a-w- c:\windows\system32\amxread.dll
    2009-06-14 01:40 . 2009-06-14 01:40 14848 ----a-w- c:\windows\system32\apilogen.dll
    2009-06-14 01:40 . 2009-06-14 01:40 1233408 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-14 01:39 . 2009-06-14 01:39 290304 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-06-14 01:39 . 2009-06-14 01:39 269824 ----a-w- c:\windows\system32\schannel.dll
    2009-06-14 01:36 . 2009-06-14 01:36 97800 ----a-w- c:\windows\system32\infocardapi.dll
    2009-06-14 01:36 . 2009-06-14 01:36 622080 ----a-w- c:\windows\system32\icardagt.exe
    2009-06-14 01:36 . 2009-06-14 01:36 11264 ----a-w- c:\windows\system32\icardres.dll
    2009-06-14 01:36 . 2009-06-14 01:36 326160 ----a-w- c:\windows\system32\PresentationHost.exe
    2009-06-14 01:36 . 2009-06-14 01:36 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
    2009-06-14 01:36 . 2009-06-14 01:36 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
    2009-06-14 01:36 . 2009-06-14 01:36 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2009-06-14 01:32 . 2009-06-14 01:32 96760 ----a-w- c:\windows\system32\dfshim.dll
    2009-06-14 01:32 . 2009-06-14 01:32 41984 ----a-w- c:\windows\system32\netfxperf.dll
    2009-06-14 01:32 . 2009-06-14 01:32 83968 ----a-w- c:\windows\system32\mscories.dll
    2009-06-14 01:32 . 2009-06-14 01:32 282112 ----a-w- c:\windows\system32\mscoree.dll
    2009-06-14 01:32 . 2009-06-14 01:32 158720 ----a-w- c:\windows\system32\mscorier.dll
    2009-06-14 01:27 . 2009-06-14 01:27 2855424 ----a-w- c:\windows\system32\mf.dll
    2009-06-14 01:27 . 2009-06-14 01:27 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
    2009-06-14 01:27 . 2009-06-14 01:27 98816 ----a-w- c:\windows\system32\mfps.dll
    2009-06-14 01:27 . 2009-06-14 01:27 94720 ----a-w- c:\windows\system32\logagent.exe
    2009-06-14 01:27 . 2009-06-14 01:27 52736 ----a-w- c:\windows\system32\rrinstaller.exe
    2009-06-14 01:27 . 2009-06-14 01:27 24576 ----a-w- c:\windows\system32\mfpmp.exe
    2009-06-14 01:27 . 2009-06-14 01:27 2048 ----a-w- c:\windows\system32\mferror.dll
    2009-06-14 01:25 . 2009-06-14 01:25 788992 ----a-w- c:\windows\system32\rpcrt4.dll
    2009-06-14 01:23 . 2009-06-14 01:23 1341440 ----a-w- c:\windows\system32\msxml6.dll
    2009-06-14 01:23 . 2009-06-14 01:23 2048 ----a-w- c:\windows\system32\msxml6r.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-13 04:53 . 2009-06-06 01:20 277643 ----a-w- c:\programdata\nvModes.dat
    2009-07-13 04:52 . 2008-05-29 17:42 17408 ----a-w- c:\windows\system32\rpcnetp.exe
    2009-07-13 04:52 . 2008-05-23 01:51 56680 ----a-w- c:\windows\system32\rpcnet.dll
    2009-07-13 04:52 . 2008-02-27 21:38 -------- d-----w- c:\program files\Google
    2009-07-13 04:51 . 2008-02-27 21:12 12 ----a-w- c:\windows\bthservsdp.dat
    2009-07-13 04:06 . 2008-05-29 17:43 17408 ----a-w- c:\windows\system32\rpcnetp.dll
    2009-07-13 02:39 . 2008-05-08 19:24 1356 ----a-w- c:\users\B\AppData\Local\d3d9caps.dat
    2009-07-13 02:39 . 2008-05-16 17:05 -------- d-----w- c:\users\B\AppData\Roaming\TeraCopy
    2009-07-12 18:41 . 2008-03-15 20:51 -------- d-----w- c:\program files\LogMeIn
    2009-07-12 09:44 . 2008-11-18 03:14 -------- d-----w- c:\programdata\Google Updater
    2009-07-09 16:39 . 2008-08-11 15:25 31 ----a-w- c:\users\B\AppData\Roaming\Opusbext.dat
    2009-07-07 14:17 . 2008-03-08 18:58 -------- d-----w- c:\users\B\AppData\Roaming\uTorrent
    2009-07-04 17:40 . 2009-02-07 17:51 -------- d-----w- c:\users\B\AppData\Roaming\Skype
    2009-07-04 17:26 . 2009-02-07 18:14 -------- d-----w- c:\users\B\AppData\Roaming\skypePM
    2009-07-04 01:13 . 2008-03-06 04:58 135504 ----a-w- c:\users\B\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-07-04 00:22 . 2008-03-12 01:55 -------- d-----w- c:\programdata\Microsoft Help
    2009-07-01 02:03 . 2008-02-27 21:41 -------- d-----w- c:\programdata\SupportSoft
    2009-06-29 02:30 . 2008-02-27 21:47 -------- d-----w- c:\programdata\Dell
    2009-06-29 02:22 . 2008-03-08 02:35 -------- d-----w- c:\programdata\NVIDIA
    2009-06-28 19:36 . 2008-02-27 21:53 -------- d-----w- c:\program files\Microsoft Works
    2009-06-27 01:11 . 2008-02-27 21:21 413696 ----a-w- c:\windows\system32\wrap_oal.dll
    2009-06-27 01:11 . 2008-02-27 21:21 110592 ----a-w- c:\windows\system32\OpenAL32.dll
    2009-06-16 21:36 . 2008-03-08 18:50 -------- d-----w- c:\programdata\Apple
    2009-06-14 01:24 . 2009-06-14 01:24 72704 ----a-w- c:\windows\system32\admparse.dll
    2009-06-14 01:24 . 2009-06-14 01:24 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-14 01:24 . 2009-06-14 01:24 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-14 01:24 . 2009-06-14 01:24 48128 ----a-w- c:\windows\system32\mshtmler.dll
    2009-06-14 01:24 . 2009-06-14 01:24 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-06-14 01:24 . 2009-06-14 01:24 56320 ----a-w- c:\windows\system32\iesetup.dll
    2009-06-12 18:44 . 2009-06-12 18:44 -------- d-----w- c:\program files\AGEIA Technologies
    2009-06-12 18:44 . 2008-09-04 03:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-06-12 17:57 . 2008-03-08 20:50 -------- d-----w- c:\programdata\FLEXnet
    2009-06-08 05:54 . 2009-06-08 05:54 -------- d-----w- c:\program files\iTunes
    2009-06-08 05:54 . 2009-06-08 05:54 -------- d-----w- c:\program files\iPod
    2009-06-08 05:54 . 2008-03-08 18:50 -------- d-----w- c:\program files\Common Files\Apple
    2009-06-08 05:53 . 2008-03-08 18:16 -------- d-----w- c:\program files\QuickTime
    2009-06-08 05:44 . 2009-06-08 05:44 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-06-06 16:54 . 2009-01-01 20:45 -------- d-----w- c:\program files\HP
    2009-05-29 20:36 . 2009-05-29 20:36 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-05-29 20:36 . 2009-05-29 20:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-05-28 01:00 . 2009-05-28 01:00 1505824 ----a-w- c:\windows\system32\nvcpluir.dll
    2009-05-28 01:00 . 2009-05-28 01:00 1194528 ----a-w- c:\windows\system32\nvcplui.exe
    2009-05-28 01:00 . 2009-05-28 01:00 1358368 ----a-w- c:\windows\system32\nvsvsr.dll
    2009-05-28 01:00 . 2009-05-28 01:00 1292832 ----a-w- c:\windows\system32\nvsvs.dll
    2009-05-28 01:00 . 2009-05-28 01:00 143360 ----a-w- c:\windows\system32\nvshext.dll
    2009-05-28 01:00 . 2009-05-28 01:00 1097728 ----a-w- c:\windows\system32\nvsvcr.dll
    2009-05-27 23:04 . 2009-05-27 23:04 663552 ----a-w- c:\windows\system32\nvcuvid.dll
    2009-05-27 23:04 . 2009-05-27 23:04 4224 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
    2009-05-27 23:04 . 2009-05-27 23:04 1704960 ----a-w- c:\windows\system32\nvcuda.dll
    2009-05-27 23:04 . 2009-05-27 23:04 143360 ----a-w- c:\windows\system32\nvcod151.dll
    2009-05-27 23:04 . 2009-05-27 23:04 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
    2009-05-27 18:56 . 2008-03-08 02:32 457248 ----a-w- c:\windows\system32\nvuninst.exe
    2009-05-26 04:30 . 2009-05-26 04:30 -------- d-----w- c:\program files\FileASSASSIN
    2009-05-24 22:41 . 2009-05-24 22:41 -------- d-----w- c:\program files\Digital Guitar Tuner 2.3
    2009-05-24 20:32 . 2009-05-24 20:32 -------- d-----w- c:\program files\ShowMyPCService
    2009-05-22 19:29 . 2007-06-12 18:02 56680 ----a-w- c:\windows\system32\rpcnet.exe
    2009-05-16 16:00 . 2008-03-08 02:26 272635 ----a-w- c:\users\B\AppData\Roaming\nvModes.dat
    2009-05-16 05:11 . 2009-05-16 03:02 -------- d-----w- c:\users\B\AppData\Roaming\Feedreader
    2007-04-17 05:10 . 2008-03-06 05:11 539136 ------w- c:\program files\mozilla firefox\components\pbgk1_8.dll
    2008-02-28 21:30 . 2008-07-19 16:43 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
    2008-02-28 21:33 . 2008-07-19 16:43 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
    2008-02-27 21:24 . 2008-02-27 21:24 74 --sh--r- c:\windows\CT4CET.bin
    2008-02-28 05:05 . 2008-02-28 04:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-04-17 05:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-04-17 05:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-27 68856]
    "Google Update"="c:\users\B\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-05 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-02-28 1006264]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-04 13552160]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-04 92704]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-09-04 96800]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "DisableCAD"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-04-17 05:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer2"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AutoUpdateDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-806919467-3657881505-3490766666-1000]
    "EnableNotifications"=dword:00000001
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{60130966-D434-49EF-9827-3281F6043454}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
    "{767132E4-2600-4B73-BC3E-6454F8E2A70F}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
    "{72E508A3-4E63-40EA-A588-EF247967789F}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
    "{DFAF7922-399C-4BE7-AFA0-3D70FE6F3893}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
    "{B1A4686F-2070-497C-826E-D157A65C4A1B}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
    "{00525BF6-944A-42D6-8237-77111FD3E171}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
    "{FC390913-0531-4AB4-B67F-A41D879608F1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{F7FBDCCF-2BDF-433C-9766-899BA8D58C7A}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{0FBA4FA7-F47A-419A-9642-A7105972B2B2}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{9BF4CD8F-4690-4D3C-BD62-7C0756549F6F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "TCP Query User{18AD4FD4-089F-41CB-B5F8-E86408F3B3C8}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
    "UDP Query User{632CEF26-E12C-4E08-A88C-2B7EB22217C4}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
    "TCP Query User{C4E71963-DC01-4948-911D-8EA69473D0F8}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "UDP Query User{12BC4A61-AAF6-47A7-BD79-906F1E26C10C}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "{B8DA3166-A776-4936-8915-CA84138A09DC}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{6AAD9AF9-4D9A-4BD7-A73F-E76EA2EC2048}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{6F68E549-7E33-46D8-BF40-F20E5436156B}"= UDP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
    "{52D26A2F-6231-4FBB-8FDD-DA58017A7BD1}"= TCP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
    "{7392C869-E6D8-427C-BAD2-270612404C9C}"= UDP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
    "{1A945FDE-3857-4A4A-87C6-FF10F01A7F69}"= TCP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
    "{278C53BA-6C0B-48E5-BCC0-0E0141E603B8}"= UDP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
    "{1DBEE02E-8C05-4009-A1D6-680E9E00CB48}"= TCP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
    "{01A4643E-E373-4A18-9DE0-DEA834B78B1C}"= UDP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
    "{0073BDFA-C403-4209-BCD9-A7AFCA2FC58D}"= TCP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
    "{1006C8D0-55A5-497F-A085-F3B270E04BD4}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
    "{CEA46B47-973A-447F-9085-704D6FBC186F}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
    "{BFDBD024-1C5D-4C2C-91DF-9602477B756D}"= Disabled:TCP:5353:LocalSubnet:LocalSubnet:mDNS-SD/Bonjour
    "TCP Query User{FBE14DB1-72E9-4BF9-A74C-F56D1B7F9C41}c:\\program files\\tivo\\desktop\\tivoserver.exe"= UDP:c:\program files\tivo\desktop\tivoserver.exe:TiVo Server Service Process
    "UDP Query User{5D9041E4-933E-427A-964B-5F323530C45B}c:\\program files\\tivo\\desktop\\tivoserver.exe"= TCP:c:\program files\tivo\desktop\tivoserver.exe:TiVo Server Service Process
    "{4EFEDD54-7DD5-4952-8A4C-04D89C4096F9}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "TCP Query User{13A0A4BF-4EFB-415F-A031-9FEB0012053C}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{507568A7-E1FE-48DC-BC14-8D4515DA34FC}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "{4F5F107F-4997-4EF2-99D7-EEE1DCAEA623}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
    "{DFA7838F-EFBA-4091-B0EA-225C57F6FFBC}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
    "{A4F05025-2137-40CA-8264-2E28773246F1}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
    "{FE4C737A-D129-4745-995E-0765F9BECE29}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
    "{16FF8CD1-F518-44C9-BF09-F908BC0EA63E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
    "{BC3756DD-A2D1-4664-B294-BA71145B830E}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
    "{AE64FA32-BB67-49EC-87D8-1D06739FA092}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
    "{29F622BA-255B-4B02-B956-8F21270B754C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
    "{00F313D8-046B-4C56-97F8-376CDAB35A9C}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
    "{D0E78864-E983-4C60-940C-FE15277AD197}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
    "{E8020732-9829-466C-8E24-B9492ED00721}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
    "{F387D113-A552-4B6C-9341-B7436DDCFCCE}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
    "{A9B024A0-080D-476E-A2ED-86D8501B8060}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
    "{1D1838A8-4627-4E2B-8DBB-DB5A096E6732}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
    "{C1B5C2BB-CB6C-4FC4-B4D0-058F11D2D942}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
    "{C245DFB6-B01C-41A3-AB57-C45A382FECC7}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
    "{37725E6F-FAD9-4B3C-9B6C-6241C134F74C}"= UDP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
    "{79CBCD95-410B-4780-980A-570E84435899}"= TCP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
    "{272D73A3-1C5C-4924-BCFA-EBD02D89281D}"= UDP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
    "{2BFB1030-0F57-463D-9844-0D67E95BE7BB}"= TCP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
    "{EBA3894D-6482-4FAC-B1B0-EC17A3398AA7}"= c:\program files\Skype\Phone\Skype.exe:Skype
    "{8316770F-4E70-4608-A49E-DE051B1BC3A2}"= UDP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
    "{CBA1BF93-D9E2-402A-B4BF-1EF9C7FC8773}"= UDP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
    "{0FC906ED-4B44-490D-81C2-2B7CAA0A1808}"= TCP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
    "{603F970A-6A9B-4FA8-A7D5-BD2912CC445C}"= TCP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
    "{82EA0810-F3E1-4FD9-BD94-AB7413EF217A}"= UDP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
    "{663ADFF1-D433-4AD6-8C26-81D292F963F6}"= TCP:c:\users\B\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
    "{222EDE93-B740-4A00-BFCD-84335110EBEA}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{0984865E-115F-4B52-AECC-91BB2297F426}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{DC2DA3A4-CE19-4AF9-B604-87E9A9124202}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{8F5BB94E-11D3-4E84-9C3E-1ED5EC9C2927}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "{01C48F6C-5205-40B8-927E-F7CA0F3D927E}"= UDP:c:\program files\uTorrent\uTorrent.exe:uTorrent.exe
    "{0D1012D0-A8E8-4CD1-B7AE-96A32591C9F0}"= TCP:c:\program files\uTorrent\uTorrent.exe:uTorrent.exe
    "{A32EB55E-C4BE-4283-9482-4F6146E321C0}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{66960314-C3D7-4CCF-98D9-C9DAA55ABF7D}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
    "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)

    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 1:09 PM 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [3/15/2008 1:52 PM 47640]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2/27/2008 10:06 PM 179712]
    R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\System32\drivers\OEM04Vfx.sys [2/27/2008 10:06 PM 7424]
    R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\System32\drivers\OEM04Vid.sys [2/27/2008 10:06 PM 234720]
    S3 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2/27/2008 2:11 PM 73728]
    S3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [3/5/2008 2:29 AM 93184]
    S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/10/2007 11:45 PM 124832]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-12 c:\windows\Tasks\Funambol Outlook Plug-in - B.job
    - c:\program files\Funambol\Outlook Plug-in\OutlookPlugin.exe [2008-02-04 08:54]

    2009-07-13 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-27 04:50]

    2009-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-806919467-3657881505-3490766666-1000Core.job
    - c:\users\B\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-05 05:19]

    2009-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-806919467-3657881505-3490766666-1000UA.job
    - c:\users\B\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-05 05:19]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080228
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    FF - ProfilePath - c:\users\B\AppData\Roaming\Mozilla\Firefox\Profiles\zvp89pui.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Picasa2\npPicasa2.dll
    FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
    FF - plugin: c:\users\B\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\users\B\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-07-12 22:01
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(584)
    c:\windows\system32\psqlpwd.dll
    c:\program files\Fingerprint Reader Suite\homefus2.dll
    c:\program files\Fingerprint Reader Suite\infra.dll
    .
    Completion time: 2009-07-13 22:03
    ComboFix-quarantined-files.txt 2009-07-13 05:02

    Pre-Run: 20,412,903,424 bytes free
    Post-Run: 20,647,641,088 bytes free

    412 --- E O F --- 2009-07-13 04:41



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:07:52 PM, on 7/12/2009
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16851)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\B\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/e/38.../uploader2.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
    O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

    --
    End of file - 4963 bytes

  4. #4
    broni is offline Senior Member
    I'm glad things are better, but we're far from being done.
    First of all, I don't see any antivirus program running.

    Please download and install one of these:

    - Avast! free antivirus: Download FREE antivirus software - avast! Home Edition
    - Avira free antivirus: Download Free Antivirus Products

    - free PC Tools Antivirus: PC Tools AntiVirus - Free Anti Virus Download and Removal
    - free PC Tools Firewall Plus: PC Tools Firewall Plus - Free Firewall Download

    - free Comodo Internet Security (firewall + AV): Firewall and AntiVirus Free Software Download from Comodo
    NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.

    If you decide to install Avast or Avira, make sure Windows firewall is turned on, or use PC Tools Firewall Plus or Comodo firewall.
    If you decide to install Comodo Internet Security, or just Comodo firewall, make sure Windows firewall is turned off.

    IMPORTANT! Make sure you use only ONE antivirus and ONE firewall.

    After installation, update the AV program and run a full scan.
    When done, run Combofix again and post its log.
    Make sure to disable the AV program while running Combofix.

  5. #5
    b8b
    b8b is offline Newbie
    Thanks, Broni! It found 30 items to clean up (sheesh!). I didn't know about a good A/V; I've been out of the tech loop for a while. Thanks again.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:38:39 PM, on 7/13/2009
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16851)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\AltBinz\altbinz.exe
    C:\Users\B\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Users\B\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\System32\notepad.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\B\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/e/38.../uploader2.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
    O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

    --
    End of file - 5704 bytes

  6. #6
    broni is offline Senior Member
    Very well, but I need a new Combofix log.
    Re-run it, following the original instructions.
