# Computer under Attack



## patrick (Dec 31, 2011)

Hello, I am new to ComputerForum but was directed here to you experts, especially to Johnb35, as I have not been able to resolve a computer issue.  I have a Compaq dc7800c that has performed flawlessly for 2 years.  However, recently I downloaded a free copy of the Angry Birds game and found out that the program was downloading a lot of other stuff.  I thought I had removed the program and all of what it downloaded.  However, since this event my PC has slowed down significantly and there is a lot of unaccounted for traffic on the internet.  

When I go to my Trend Micro security program, it indicates that there incoming threats at about 100 per hour.  It found one cookie that it got rid of.  I called my internet provider where staff had me cleanse my two browers--Firebox and Google Chrome.  But the problem persists and Trend Micros Tech Support is not available until Monday and I could not get information from its online service.  

Another action I've taken is to disconnect the Cisco wi-fi router in case this was the source of threats which are still coming in but not at such a high rate.  Another disturbing problem is the computer refuses to log off and I have to disconnect the power.

Once again the system is a Compaq dc7800c using Windows XP Professional, service pack 3 or 4.  Anti-virus software is Trend Micro Titanium Maximum Security 2012 which is fully up to date.  A friend advised that I try AVG, but the system would not download it.  I would very much appreciate your assistance.


----------



## johnb35 (Dec 31, 2011)

Hi,

The first thing you want to do is do the following procedures.

1.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.






To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.






If the log says will be cured after reboot, please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it.  Please open the log and copy and paste it back here.


2.

Please download *Malwarebytes' Anti-Malware *from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*
 
then click *Finish*.
If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run *Rkill.scr*,  *Rkill.exe*, or *Rkill.com*.  If you are still having issues running rkill then try downloading these renamed versions of the same program.

*EXPLORER.EXE*
*IEXPLORE.EXE*
*USERINIT.EXE*
*WINLOGON.EXE*

But *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Download the *HijackThis* installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

When the hijackthis log appears in a notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy.  Come back to your reply and right click on your mouse and click on paste.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log


----------



## patrick (Dec 31, 2011)

John, thanks so much for the quick reply and for being here on New Year's Eve.  I will do as you advise and post the results.

Patrick


----------



## johnb35 (Dec 31, 2011)

I will be on here off and on for the rest of the day now that I am home from work, providing I don't fall asleep in order to stay up past the new year.


----------



## patrick (Dec 31, 2011)

Hi again, initially, my Foxfire would not allow me to run TDSKiller.  After changing to Google Chrome, I got it to run.  But I don't get the Scan Results screen after scanning.  I couldn't attach the screensaver but here is a text version of what appeared:

Threats detected

Locked file
Service: safeBoot

Rootkit.boot.pihar.b
......
malware object.high.

Options were to "skip" or "cure".

Should I just hit the continue button at bottom of the screen?  Thanks.


----------



## johnb35 (Dec 31, 2011)

Maks sure you select cure. and then continue.


----------



## patrick (Dec 31, 2011)

Appreciate the response as I probably would have proceeded without selecting "cure".


----------



## patrick (Dec 31, 2011)

Okay, I hit continue and now I am to reboot.


----------



## patrick (Dec 31, 2011)

Hi, the log file for TDSSKiller is below.  Let me add that there is already improvement.  This time the computer logged off normally.  Should I wait for your response to the log file before going to Step 2.  Download Malwarebytes' etc.?
---
13:43:40.0937 3556	TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
13:43:41.0484 3556	============================================================
13:43:41.0484 3556	Current date / time: 2011/12/31 13:43:41.0484
13:43:41.0484 3556	SystemInfo:
13:43:41.0484 3556	
13:43:41.0500 3556	OS Version: 5.1.2600 ServicePack: 3.0
13:43:41.0500 3556	Product type: Workstation
13:43:41.0500 3556	ComputerName: HP11005506461
13:43:41.0500 3556	UserName: Administrator
13:43:41.0500 3556	Windows directory: C:\WINDOWS
13:43:41.0500 3556	System windows directory: C:\WINDOWS
13:43:41.0500 3556	Processor architecture: Intel x86
13:43:41.0500 3556	Number of processors: 2
13:43:41.0500 3556	Page size: 0x1000
13:43:41.0500 3556	Boot type: Normal boot
13:43:41.0500 3556	============================================================
13:43:43.0750 3556	Initialize success
13:43:51.0609 6076	============================================================
13:43:51.0609 6076	Scan started
13:43:51.0609 6076	Mode: Manual; 
13:43:51.0609 6076	============================================================
13:43:54.0562 6076	Abiosdsk - ok
13:43:54.0578 6076	abp480n5 - ok
13:43:54.0625 6076	ac97intc        (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
13:43:54.0625 6076	ac97intc - ok
13:43:54.0687 6076	ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:43:54.0703 6076	ACPI - ok
13:43:54.0828 6076	ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:43:54.0828 6076	ACPIEC - ok
13:43:54.0890 6076	ADIHdAudAddService (4e6e32df81005355056a76491d29d05c) C:\WINDOWS\system32\drivers\ADIHdAud.sys
13:43:54.0890 6076	ADIHdAudAddService - ok
13:43:54.0921 6076	adpu160m        (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
13:43:54.0937 6076	adpu160m - ok
13:43:54.0937 6076	adpu320         (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
13:43:55.0046 6076	adpu320 - ok
13:43:55.0203 6076	AEAudio         (058cdc314672a28a90566a787d9876e7) C:\WINDOWS\system32\drivers\AEAudio.sys
13:43:55.0203 6076	AEAudio - ok
13:43:55.0281 6076	aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:43:55.0281 6076	aec - ok
13:43:55.0328 6076	AFD             (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
13:43:55.0328 6076	AFD - ok
13:43:55.0406 6076	Aha154x - ok
13:43:55.0468 6076	aic78u2         (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
13:43:55.0468 6076	aic78u2 - ok
13:43:55.0484 6076	aic78xx         (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
13:43:55.0484 6076	aic78xx - ok
13:43:55.0484 6076	AliIde - ok
13:43:55.0500 6076	amsint - ok
13:43:55.0515 6076	asc - ok
13:43:55.0531 6076	asc3350p - ok
13:43:55.0531 6076	asc3550 - ok
13:43:55.0578 6076	AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:43:55.0578 6076	AsyncMac - ok
13:43:55.0703 6076	atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:43:55.0703 6076	atapi - ok
13:43:55.0718 6076	Atdisk - ok
13:43:55.0750 6076	Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:43:55.0750 6076	Atmarpc - ok
13:43:55.0812 6076	audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:43:55.0812 6076	audstub - ok
13:43:55.0906 6076	Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:43:55.0906 6076	Beep - ok
13:43:55.0937 6076	cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:43:55.0937 6076	cbidf2k - ok
13:43:55.0953 6076	cd20xrnt - ok
13:43:55.0968 6076	Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:43:55.0968 6076	Cdaudio - ok
13:43:56.0015 6076	Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:43:56.0015 6076	Cdfs - ok
13:43:56.0031 6076	Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:43:56.0031 6076	Cdrom - ok
13:43:56.0140 6076	Changer - ok
13:43:56.0156 6076	CmdIde - ok
13:43:56.0171 6076	Cpqarray - ok
13:43:56.0218 6076	dac2w2k - ok
13:43:56.0218 6076	dac960nt - ok
13:43:56.0265 6076	Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:43:56.0281 6076	Disk - ok
13:43:56.0312 6076	dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:43:56.0328 6076	dmboot - ok
13:43:56.0421 6076	dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:43:56.0421 6076	dmio - ok
13:43:56.0437 6076	dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:43:56.0437 6076	dmload - ok
13:43:56.0484 6076	DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:43:56.0484 6076	DMusic - ok
13:43:56.0546 6076	dot4            (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
13:43:56.0546 6076	dot4 - ok
13:43:56.0656 6076	Dot4Print       (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
13:43:56.0656 6076	Dot4Print - ok
13:43:56.0671 6076	dot4usb         (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
13:43:56.0671 6076	dot4usb - ok
13:43:56.0687 6076	dpti2o          (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
13:43:56.0687 6076	dpti2o - ok
13:43:56.0718 6076	drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:43:56.0718 6076	drmkaud - ok
13:43:56.0734 6076	E100B           (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
13:43:56.0734 6076	E100B - ok
13:43:56.0781 6076	e1express       (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
13:43:56.0781 6076	e1express - ok
13:43:56.0937 6076	Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:43:56.0937 6076	Fastfat - ok
13:43:56.0953 6076	Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:43:56.0953 6076	Fdc - ok
13:43:56.0984 6076	Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:43:56.0984 6076	Fips - ok
13:43:57.0015 6076	Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:43:57.0015 6076	Flpydisk - ok
13:43:57.0156 6076	FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:43:57.0156 6076	FltMgr - ok
13:43:57.0203 6076	Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:43:57.0218 6076	Fs_Rec - ok
13:43:57.0265 6076	Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:43:57.0265 6076	Ftdisk - ok
13:43:57.0312 6076	Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:43:57.0312 6076	Gpc - ok
13:43:57.0437 6076	HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
13:43:57.0437 6076	HDAudBus - ok
13:43:57.0531 6076	HECI            (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys
13:43:57.0531 6076	HECI - ok
13:43:57.0625 6076	HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:43:57.0640 6076	HidUsb - ok
13:43:57.0734 6076	HPKBCCID        (1ffda46b645473d56c72aae6e1002825) C:\WINDOWS\system32\DRIVERS\HPKBCCID.sys
13:43:57.0734 6076	HPKBCCID - ok
13:43:57.0750 6076	hpn - ok
13:43:57.0781 6076	HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:43:57.0796 6076	HTTP - ok
13:43:57.0828 6076	i2omgmt - ok
13:43:57.0859 6076	i2omp - ok
13:43:57.0890 6076	i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:43:57.0890 6076	i8042prt - ok
13:43:57.0984 6076	i81x            (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
13:43:57.0984 6076	i81x - ok
13:43:58.0015 6076	iAimFP0         (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
13:43:58.0015 6076	iAimFP0 - ok
13:43:58.0031 6076	iAimFP1         (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
13:43:58.0031 6076	iAimFP1 - ok
13:43:58.0046 6076	iAimFP2         (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
13:43:58.0046 6076	iAimFP2 - ok
13:43:58.0093 6076	iAimFP3         (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
13:43:58.0093 6076	iAimFP3 - ok
13:43:58.0125 6076	iAimFP4         (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
13:43:58.0125 6076	iAimFP4 - ok
13:43:58.0156 6076	iAimFP5         (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
13:43:58.0156 6076	iAimFP5 - ok
13:43:58.0156 6076	iAimFP6         (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
13:43:58.0156 6076	iAimFP6 - ok
13:43:58.0171 6076	iAimFP7         (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
13:43:58.0171 6076	iAimFP7 - ok
13:43:58.0218 6076	iAimTV0         (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
13:43:58.0218 6076	iAimTV0 - ok
13:43:58.0250 6076	iAimTV1         (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
13:43:58.0250 6076	iAimTV1 - ok
13:43:58.0250 6076	iAimTV3         (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
13:43:58.0250 6076	iAimTV3 - ok
13:43:58.0281 6076	iAimTV4         (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
13:43:58.0281 6076	iAimTV4 - ok
13:43:58.0296 6076	iAimTV5         (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
13:43:58.0296 6076	iAimTV5 - ok
13:43:58.0328 6076	iAimTV6         (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
13:43:58.0328 6076	iAimTV6 - ok
13:43:58.0515 6076	ialm            (12c7f8d581c4a9f126f5f8f5683a1c29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
13:43:58.0656 6076	ialm - ok
13:43:58.0812 6076	iaStor          (997e8f5939f2d12cd9f2e6b395724c16) C:\WINDOWS\system32\DRIVERS\iaStor.sys
13:43:58.0812 6076	iaStor - ok
13:43:58.0859 6076	IFXTPM          (667cfdb801df771f47b7c39373c2d850) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
13:43:58.0875 6076	IFXTPM - ok
13:43:58.0890 6076	Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:43:58.0890 6076	Imapi - ok
13:43:59.0000 6076	ini910u - ok
13:43:59.0343 6076	IntelIde        (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
13:43:59.0343 6076	IntelIde - ok
13:43:59.0406 6076	intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:43:59.0421 6076	intelppm - ok
13:43:59.0531 6076	Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:43:59.0562 6076	Ip6Fw - ok
13:43:59.0640 6076	IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:43:59.0640 6076	IpFilterDriver - ok
13:43:59.0718 6076	IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:43:59.0718 6076	IpInIp - ok
13:43:59.0750 6076	IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:43:59.0750 6076	IpNat - ok
13:43:59.0781 6076	IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:43:59.0781 6076	IPSec - ok
13:43:59.0812 6076	IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:43:59.0812 6076	IRENUM - ok
13:43:59.0843 6076	isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:43:59.0843 6076	isapnp - ok
13:43:59.0890 6076	Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:43:59.0890 6076	Kbdclass - ok
13:43:59.0937 6076	kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
13:43:59.0937 6076	kbdhid - ok
13:43:59.0968 6076	kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:43:59.0968 6076	kmixer - ok
13:44:00.0000 6076	KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:44:00.0000 6076	KSecDD - ok
13:44:00.0000 6076	lbrtfdc - ok
13:44:00.0046 6076	mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:44:00.0046 6076	mnmdd - ok
13:44:00.0078 6076	Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:44:00.0078 6076	Modem - ok
13:44:00.0125 6076	Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:44:00.0125 6076	Mouclass - ok
13:44:00.0171 6076	mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:44:00.0187 6076	mouhid - ok
13:44:00.0281 6076	MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:44:00.0281 6076	MountMgr - ok
13:44:00.0312 6076	mraid35x - ok
13:44:00.0359 6076	MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:44:00.0359 6076	MRxDAV - ok
13:44:00.0406 6076	MRxSmb          (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:44:00.0421 6076	MRxSmb - ok
13:44:00.0531 6076	Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:44:00.0531 6076	Msfs - ok
13:44:00.0578 6076	MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:44:00.0593 6076	MSKSSRV - ok
13:44:00.0609 6076	MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:44:00.0609 6076	MSPCLOCK - ok
13:44:00.0625 6076	MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:44:00.0640 6076	MSPQM - ok
13:44:00.0703 6076	mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:44:00.0703 6076	mssmbios - ok
13:44:00.0734 6076	Mup             (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
13:44:00.0734 6076	Mup - ok
13:44:00.0796 6076	NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:44:00.0812 6076	NDIS - ok
13:44:00.0843 6076	NdisTapi        (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:44:00.0843 6076	NdisTapi - ok
13:44:00.0890 6076	Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:44:00.0890 6076	Ndisuio - ok
13:44:00.0906 6076	NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:44:00.0906 6076	NdisWan - ok
13:44:00.0953 6076	NDProxy         (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
13:44:00.0953 6076	NDProxy - ok
13:44:01.0015 6076	NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:44:01.0015 6076	NetBIOS - ok
13:44:01.0078 6076	NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:44:01.0078 6076	NetBT - ok
13:44:01.0093 6076	Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:44:01.0093 6076	Npfs - ok
13:44:01.0125 6076	Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:44:01.0125 6076	Ntfs - ok
13:44:01.0203 6076	Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:44:01.0203 6076	Null - ok
13:44:01.0234 6076	NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:44:01.0234 6076	NwlnkFlt - ok
13:44:01.0265 6076	NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:44:01.0265 6076	NwlnkFwd - ok
13:44:01.0343 6076	P3              (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
13:44:01.0343 6076	P3 - ok
13:44:01.0390 6076	Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:44:01.0390 6076	Parport - ok
13:44:01.0453 6076	PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:44:01.0453 6076	PartMgr - ok
13:44:01.0515 6076	ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:44:01.0515 6076	ParVdm - ok
13:44:01.0546 6076	PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:44:01.0546 6076	PCI - ok
13:44:01.0562 6076	PCIDump - ok
13:44:01.0578 6076	PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:44:01.0578 6076	PCIIde - ok
13:44:01.0625 6076	Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:44:01.0640 6076	Pcmcia - ok
13:44:01.0671 6076	PDCOMP - ok
13:44:01.0687 6076	PDFRAME - ok
13:44:01.0687 6076	PDRELI - ok
13:44:01.0703 6076	PDRFRAME - ok
13:44:01.0703 6076	perc2 - ok
13:44:01.0765 6076	perc2hib - ok
13:44:01.0812 6076	PersonalSecureDrive (c7d5cf6c7dbe6d96de252457721bd0e8) C:\WINDOWS\System32\drivers\psd.sys
13:44:01.0890 6076	PersonalSecureDrive - ok
13:44:02.0015 6076	pnarp           (ce27fc8bdc54b3ac63d53e2d5f6cc929) C:\WINDOWS\system32\DRIVERS\pnarp.sys
13:44:02.0015 6076	pnarp - ok
13:44:02.0062 6076	PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:44:02.0078 6076	PptpMiniport - ok
13:44:02.0078 6076	PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:44:02.0093 6076	PSched - ok
13:44:02.0125 6076	Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:44:02.0125 6076	Ptilink - ok
13:44:02.0156 6076	purendis        (f4fd591e86ecb6b5d000c7d6c987416b) C:\WINDOWS\system32\DRIVERS\purendis.sys
13:44:02.0156 6076	purendis - ok
13:44:02.0250 6076	PxHelp20        (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
13:44:02.0359 6076	PxHelp20 - ok
13:44:02.0468 6076	ql1080 - ok
13:44:02.0484 6076	Ql10wnt - ok
13:44:02.0484 6076	ql12160 - ok
13:44:02.0500 6076	ql1240 - ok
13:44:02.0500 6076	ql1280 - ok
13:44:02.0546 6076	RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:44:02.0546 6076	RasAcd - ok
13:44:02.0578 6076	Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:44:02.0578 6076	Rasl2tp - ok
13:44:02.0578 6076	RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:44:02.0593 6076	RasPppoe - ok
13:44:02.0593 6076	Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:44:02.0593 6076	Raspti - ok
13:44:02.0609 6076	Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:44:02.0609 6076	Rdbss - ok
13:44:02.0718 6076	RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:44:02.0718 6076	RDPCDD - ok
13:44:02.0734 6076	rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:44:02.0734 6076	rdpdr - ok
13:44:02.0781 6076	RDPWD           (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
13:44:02.0781 6076	RDPWD - ok
13:44:02.0828 6076	redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:44:02.0843 6076	redbook - ok
13:44:02.0984 6076	RsvLock         (02ff0fbd2945b7dd67db3fb0248ae61e) C:\WINDOWS\system32\drivers\RsvLock.sys
13:44:03.0046 6076	RsvLock - ok
13:44:03.0109 6076	SafeBoot        (0e448c0306ba36cfd5c2388046e4ace0) C:\WINDOWS\system32\drivers\SafeBoot.sys
13:44:03.0171 6076	Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\SafeBoot.sys. md5: 0e448c0306ba36cfd5c2388046e4ace0
13:44:03.0171 6076	SafeBoot ( LockedFile.Multi.Generic ) - warning
13:44:03.0171 6076	SafeBoot - detected LockedFile.Multi.Generic (1)
13:44:03.0343 6076	SbAlg           (f6367fb350f8e5d3f6dd8040e4c0e33b) C:\WINDOWS\system32\drivers\SbAlg.sys
13:44:03.0375 6076	SbAlg - ok
13:44:03.0390 6076	SbFsLock        (d48f49ef1cfd73d7371b96839529bc89) C:\WINDOWS\system32\drivers\SbFsLock.sys
13:44:03.0453 6076	SbFsLock - ok
13:44:03.0640 6076	Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:44:03.0640 6076	Secdrv - ok
13:44:03.0687 6076	serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:44:03.0687 6076	serenum - ok
13:44:03.0718 6076	Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
13:44:03.0765 6076	Serial - ok
13:44:03.0796 6076	Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
13:44:03.0812 6076	Sfloppy - ok
13:44:04.0000 6076	Simbad - ok
13:44:04.0046 6076	Sparrow - ok
13:44:04.0093 6076	splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:44:04.0093 6076	splitter - ok
13:44:04.0156 6076	sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:44:04.0156 6076	sr - ok
13:44:04.0203 6076	Srv             (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
13:44:04.0203 6076	Srv - ok
13:44:04.0250 6076	swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:44:04.0250 6076	swenum - ok
13:44:04.0296 6076	swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:44:04.0296 6076	swmidi - ok
13:44:04.0359 6076	symc810         (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
13:44:04.0359 6076	symc810 - ok
13:44:04.0390 6076	symc8xx         (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
13:44:04.0390 6076	symc8xx - ok
13:44:04.0468 6076	Symmpi          (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
13:44:04.0546 6076	Symmpi - ok
13:44:04.0578 6076	sym_hi          (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
13:44:04.0593 6076	sym_hi - ok
13:44:04.0656 6076	sym_u3          (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
13:44:04.0656 6076	sym_u3 - ok
13:44:04.0703 6076	sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:44:04.0703 6076	sysaudio - ok
13:44:04.0765 6076	Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:44:04.0765 6076	Tcpip - ok
13:44:04.0812 6076	TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:44:04.0812 6076	TDPIPE - ok
13:44:04.0828 6076	TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:44:04.0828 6076	TDTCP - ok
13:44:04.0875 6076	TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:44:04.0875 6076	TermDD - ok
13:44:05.0000 6076	tmactmon        (e8e528896ff2595cfada88749cd72ef8) C:\WINDOWS\system32\DRIVERS\tmactmon.sys
13:44:05.0015 6076	tmactmon - ok
13:44:05.0015 6076	tmcomm          (1837512d4aab862bd297a2ef035fba14) C:\WINDOWS\system32\DRIVERS\tmcomm.sys
13:44:05.0015 6076	tmcomm - ok
13:44:05.0046 6076	tmevtmgr        (dbac510d1c7cc66b7a78eb2264f3072e) C:\WINDOWS\system32\DRIVERS\tmevtmgr.sys
13:44:05.0046 6076	tmevtmgr - ok
13:44:05.0093 6076	tmtdi           (a6e20b094a8d3e3f46d10bbe7e1ebb82) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
13:44:05.0109 6076	tmtdi - ok
13:44:05.0171 6076	TosIde - ok
13:44:05.0218 6076	Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:44:05.0218 6076	Udfs - ok
13:44:05.0234 6076	ultra - ok
13:44:05.0250 6076	usbccgp         (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:44:05.0250 6076	usbccgp - ok
13:44:05.0281 6076	usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:44:05.0281 6076	usbehci - ok
13:44:05.0312 6076	usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:44:05.0328 6076	usbhub - ok
13:44:05.0375 6076	USBSTOR         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:44:05.0375 6076	USBSTOR - ok
13:44:05.0515 6076	usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:44:05.0515 6076	usbuhci - ok
13:44:05.0562 6076	VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:44:05.0562 6076	VgaSave - ok
13:44:05.0593 6076	ViaIde          (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
13:44:05.0593 6076	ViaIde - ok
13:44:05.0703 6076	VirtDisk        (1b8f371423bb41426632b704a0fd466e) c:\windows\sminst\VirtDisk.sys
13:44:05.0968 6076	VirtDisk - ok
13:44:06.0109 6076	VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
13:44:06.0109 6076	VolSnap - ok
13:44:06.0171 6076	wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
13:44:06.0171 6076	wacommousefilter - ok
13:44:06.0250 6076	wacomvhid       (846b58ea44bf8c92e4b59f4e2252c4c0) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
13:44:06.0250 6076	wacomvhid - ok
13:44:06.0328 6076	Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:44:06.0328 6076	Wanarp - ok
13:44:06.0328 6076	WDICA - ok
13:44:06.0375 6076	wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:44:06.0375 6076	wdmaud - ok
13:44:06.0421 6076	WmiAcpi         (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
13:44:06.0421 6076	WmiAcpi - ok
13:44:06.0546 6076	WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:44:06.0546 6076	WudfPf - ok
13:44:06.0609 6076	WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:44:06.0625 6076	WudfRd - ok
13:44:06.0656 6076	MBR (0x1B8)     (22932cd5780a49182a8f485fd070964c) \Device\Harddisk0\DR0
13:44:06.0687 6076	\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
13:44:06.0687 6076	\Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
13:44:06.0687 6076	Boot (0x1200)   (227c6cf7b2a0c5e4caac27a77e0b91d1) \Device\Harddisk0\DR0\Partition0
13:44:06.0687 6076	\Device\Harddisk0\DR0\Partition0 - ok
13:44:06.0703 6076	Boot (0x1200)   (9499a793094424a5113b399f306e6eba) \Device\Harddisk0\DR0\Partition1
13:44:06.0703 6076	\Device\Harddisk0\DR0\Partition1 - ok
13:44:06.0703 6076	============================================================
13:44:06.0703 6076	Scan finished
13:44:06.0703 6076	============================================================
13:44:06.0703 3416	Detected object count: 2
13:44:06.0703 3416	Actual detected object count: 2
14:18:38.0296 3416	SafeBoot ( LockedFile.Multi.Generic ) - skipped by user
14:18:38.0328 3416	SafeBoot ( LockedFile.Multi.Generic ) - User select action: Skip 
14:18:38.0515 3416	\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
14:18:38.0531 3416	\Device\Harddisk0\DR0 - ok
14:18:38.0546 3416	\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure 
14:18:51.0468 5252	Deinitialize success


----------



## johnb35 (Dec 31, 2011)

Nope, continue on.  Kind of figured you would have a rootkit to kill first.


----------



## patrick (Dec 31, 2011)

Continuing on and if you have time could you answer 1.  What is the "root kit" file?  2.  Why wasn't there the option offered to "cure" rather the option of "skip".  Thanks very much for being there and assisting.


----------



## johnb35 (Dec 31, 2011)

The tdsskiller program found and removed a rootkit, if you wouldn't have selected cure, it still would be on your system. This is where most users get the google redirect issue is from a bootkit/rootkit/mbr infection.  Scanning with tdsskiller is almost required nowadays.


----------



## patrick (Dec 31, 2011)

Hi, here are the log files.

1. Malwarebytes log file

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.31.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: HP11005506461 [administrator]

12/31/2011 2:47:11 PM
mbam-log-2011-12-31 (14-47-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193723
Time elapsed: 28 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\Temp\wera0.0709276298994217.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.8385896513212964.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.06559594403979829.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

(end)
2.  Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:29:19 PM, on 12/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
O2 - BHO: StartNow Toolbar Helper - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
O3 - Toolbar: StartNow Toolbar - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [IFXSPMGT] C:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKLM\..\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL ""
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290153598093
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
O18 - Protocol: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: Updater Service for StartNow Toolbar - Unknown owner - C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe

--
End of file - 13369 bytes


----------



## johnb35 (Dec 31, 2011)

Ok, continue with the next procedure.  

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

*Combofix*


When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
Save the file to your windows desktop.  The combofix icon will look like this when it has downloaded to your desktop.




We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:


Close all open Windows including this one. 

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found *here*.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Please click on I agree on the disclaimer window.
ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.





ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.





Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:





At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.

Please click on yes in the next window to continue scanning for malware.

ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.





When ComboFix has finished running, you will see a screen stating that it is preparing the log report.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.  

Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy.  Then come to the forum in your reply and right click on your mouse and click on paste.  



In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## patrick (Jan 1, 2012)

Hi, I followed the instructions for disabling Trend Micro; however, I didn't get the window that says to confirm that I want to disable the program.  It is no longer in the taskbar.  Does this mean it was disabled?


----------



## johnb35 (Jan 1, 2012)

Usually, you can just right click on the trendmicro icon in the system tray and click on disable auto protect or something similar.


----------



## patrick (Jan 1, 2012)

When I right click on the Trend Micro icon on the desktop, I don't get any thing about disabling the program.  However, when I click on the "Compatibility" tab from Properties, I see in "Input Settings", "Turn off advanced text settings for this program".  Should I click the box for this option?


----------



## johnb35 (Jan 1, 2012)

You don't right click on the icon on your desktop.  You right click on the icon that is in the system tray by the clock.  

Look at these images.











Right click on the icon and click so that it unchecks protection against virus and spyware.


----------



## patrick (Jan 1, 2012)

Yes, first I did right click on the icon near the system clock and got the menu you show.  However, I never got a window indicating to disable the program and now I no longer have the icon near the system clock.  I am wondering whether it is disabled.


----------



## johnb35 (Jan 1, 2012)

If the icon is no longer there then most likely you just exited the program, which means its not longer running.  If its still active, combofix will pop up a message saying so.


----------



## patrick (Jan 1, 2012)

Hi again John,

I tried to close the combo program and restart it; instead it ran, even with this program up, and finished.  Now I see the Trend Micro icon near the system clock.  Here are the log files:

1.  ComboFix 11-12-31.03 - Administrator 12/31/2011  16:42:58.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.978.253 [GMT -8:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.xul
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\buttons.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\constants.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\events.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\globals.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\hosts.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\init.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_images.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_maps.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_news.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_videos.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_web.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_amazon.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_ebay.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_facebook.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_games.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_msn.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_shopping.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_travel.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_twitter.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\startnow_logo.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\installer.xml
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\chevron_button.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_hover.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_normal.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_dropdown_button_normal.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_background.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_left.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_middle.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\separator.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\splitter.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ff_hover_c.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_c.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_l.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_r.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_c.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_l.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_r.png
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\toolbar.xml
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\locale\en-US\{5911488E-9D1E-40ec-8CBB-06B231CC153F}.dtd
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\overlay.css
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\components\tellSvc.dll
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\searchplugins\bing-zugo.xml
c:\program files\Shop to Win
c:\program files\Shop to Win\unins000.exe
c:\program files\StartNow Toolbar
c:\program files\StartNow Toolbar\ReactivateFF.exe
c:\program files\StartNow Toolbar\ReactivateIE.exe
c:\program files\StartNow Toolbar\Resources\images\engine_images.png
c:\program files\StartNow Toolbar\Resources\images\engine_maps.png
c:\program files\StartNow Toolbar\Resources\images\engine_news.png
c:\program files\StartNow Toolbar\Resources\images\engine_videos.png
c:\program files\StartNow Toolbar\Resources\images\engine_web.png
c:\program files\StartNow Toolbar\Resources\images\icon_amazon.png
c:\program files\StartNow Toolbar\Resources\images\icon_ebay.png
c:\program files\StartNow Toolbar\Resources\images\icon_facebook.png
c:\program files\StartNow Toolbar\Resources\images\icon_games.png
c:\program files\StartNow Toolbar\Resources\images\icon_msn.png
c:\program files\StartNow Toolbar\Resources\images\icon_shopping.png
c:\program files\StartNow Toolbar\Resources\images\icon_travel.png
c:\program files\StartNow Toolbar\Resources\images\icon_twitter.png
c:\program files\StartNow Toolbar\Resources\images\startnow_logo.png
c:\program files\StartNow Toolbar\Resources\installer.xml
c:\program files\StartNow Toolbar\Resources\skin\chevron_button.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_background.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_left.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
c:\program files\StartNow Toolbar\Resources\skin\separator.png
c:\program files\StartNow Toolbar\Resources\skin\splitter.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
c:\program files\StartNow Toolbar\Resources\toolbar.xml
c:\program files\StartNow Toolbar\Resources\update.xml
c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
c:\program files\StartNow Toolbar\Toolbar32.dll
c:\program files\StartNow Toolbar\ToolbarBroker.exe
c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe
c:\program files\StartNow Toolbar\uninstall.dat
c:\windows\system32\SET1D1.tmp
c:\windows\system32\SET1D3.tmp
c:\windows\system32\SET1D7.tmp
c:\windows\system32\SET1DF.tmp
c:\windows\system32\SET1E1.tmp
c:\windows\system32\SET22E.tmp
D:\Autorun.inf
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Updater_Service_for_StartNow_Toolbar
-------\Legacy_Updater_Service_for_StartNow_Toolbar
-------\Service_Updater Service for StartNow Toolbar
-------\Service_Updater Service for StartNow Toolbar
.
.
(((((((((((((((((((((((((   Files Created from 2011-12-01 to 2012-01-01  )))))))))))))))))))))))))))))))
.
.
2011-12-31 23:28 . 2011-12-31 23:28	388096	----a-r-	c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-31 22:45 . 2011-12-31 22:45	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-12-31 22:44 . 2011-12-31 22:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-31 22:44 . 2011-12-31 22:44	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-12-31 22:44 . 2011-12-10 23:24	20464	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-12-31 09:48 . 2011-12-31 09:48	--------	d--h--w-	c:\documents and settings\All Users\Application Data\Common Files
2011-12-31 09:44 . 2011-12-31 10:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2011-12-31 07:11 . 2011-12-31 07:11	--------	d-----w-	c:\documents and settings\All Users\Application Data\ArcSoft
2011-12-31 07:10 . 2011-12-31 07:10	--------	d-----w-	c:\documents and settings\Administrator\Application Data\ArcSoft
2011-12-31 07:10 . 2011-12-31 07:10	--------	d-----w-	c:\documents and settings\Administrator\Application Data\HP SureStore Application
2011-12-18 05:11 . 2011-12-18 05:11	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\WeatherBug
2011-12-18 05:11 . 2011-12-18 05:11	--------	d-----w-	c:\program files\kitara
2011-12-18 05:11 . 2011-12-18 05:11	--------	d-----w-	c:\documents and settings\Administrator\Application Data\WeatherBug
2011-12-18 05:11 . 2011-12-18 05:11	18944	----a-r-	c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-12-18 05:10 . 2011-12-31 09:54	--------	d-----w-	c:\program files\Common Files\FreeCause
2011-12-16 03:43 . 2011-12-16 03:43	--------	d-----w-	C:\PICDISK
2011-12-10 22:09 . 2011-12-10 22:09	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Trend Micro
2011-12-10 22:08 . 2011-12-10 21:56	92432	----a-w-	c:\windows\system32\drivers\tmtdi.sys
2011-12-10 22:08 . 2011-12-10 21:56	81168	----a-w-	c:\windows\system32\drivers\tmactmon.sys
2011-12-10 22:08 . 2011-12-10 21:56	68368	----a-w-	c:\windows\system32\drivers\tmevtmgr.sys
2011-12-10 22:08 . 2011-12-10 21:56	205072	----a-w-	c:\windows\system32\drivers\tmcomm.sys
2011-12-10 22:06 . 2011-12-10 22:06	56	----a-w-	c:\windows\system32\SupportTool.exe.bat
2011-12-10 21:22 . 2011-12-10 21:22	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2011-12-10 21:13 . 2011-12-31 23:55	--------	d-----w-	c:\program files\Trend Micro
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-30 00:27 . 2011-07-06 18:03	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2006-02-28 02:00	1859584	----a-w-	c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2006-02-28 02:00	916992	----a-w-	c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-02-28 02:00	43520	----a-w-	c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-02-28 02:00	1469440	----a-w-	c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-02-28 02:00	385024	----a-w-	c:\windows\system32\html.iec
2011-11-03 21:38 . 2011-11-03 21:41	108544	------w-	c:\windows\system32\pxcpyi64.exe
2011-11-03 21:38 . 2011-11-03 21:41	109568	------w-	c:\windows\system32\pxinsi64.exe
2011-11-03 21:38 . 2011-11-03 21:41	20640	------w-	c:\windows\system32\drivers\PxHelp20.sys
2011-11-03 19:20 . 2011-05-13 00:22	499712	----a-w-	c:\windows\system32\msvcp71.dll
2011-11-03 19:20 . 2011-05-13 00:22	348160	----a-w-	c:\windows\system32\msvcr71.dll
2011-11-01 16:07 . 2006-02-28 02:00	1288704	----a-w-	c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2006-02-28 02:00	33280	----a-w-	c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2006-02-28 02:00	2148864	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2006-02-28 02:00	2027008	----a-w-	c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2006-02-28 02:00	186880	----a-w-	c:\windows\system32\encdec.dll
2011-10-12 00:37 . 2011-10-12 00:28	8892928	----a-w-	c:\documents and settings\All Users\Application Data\atscie.msi
2011-10-10 14:22 . 2006-02-28 02:00	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-11-23 07:54 . 2011-03-25 01:12	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-26 1015808]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-07 408344]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-04-19 677408]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-04-07 467240]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-03 273528]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-12-10 129304]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-05 1300672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30	74240	----a-r-	c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages	REG_MULTI_SZ   	SbHpNp scecli
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabledure Networks Platform Service
.
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [6/13/2007 5:53 PM 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 1:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [6/14/2007 4:22 PM 13184]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/18/2007 7:32 PM 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [6/13/2007 5:53 PM 5808]
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/10/2011 2:08 PM 68368]
R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [12/10/2011 2:05 PM 200632]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2/27/2006 6:00 PM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/27/2006 6:00 PM 14336]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [7/9/2007 5:03 PM 221184]
R2 TabletServiceWacom;TabletServiceWacom;c:\program files\Tablet\Wacom\Wacom_Tablet.exe [11/23/2010 12:52 AM 4767600]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [3/12/2008 1:18 PM 2521880]
R3 HPKBCCID;HP Keyboard Smart Card Driver;c:\windows\system32\drivers\HPKBCCID.sys [4/28/2010 9:56 PM 46976]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 12:13 PM 41216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2011 4:20 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2011 4:20 PM 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\SMINST\virtdisk.sys [3/12/2008 1:28 PM 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance	REG_MULTI_SZ   	ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-13 00:20]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-13 00:20]
.
2012-01-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-731066989-228264084-1301754188-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 20:40]
.
2012-01-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-731066989-228264084-1301754188-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 20:40]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3z6dmq5p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2856459&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-StartNow Toolbar - c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-31 16:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-731066989-228264084-1301754188-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,86,76,2b,0e,51,b3,4c,ad,c0,79,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,3e,ba,36,56,1e,7e,45,86,8c,c6,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,86,76,2b,0e,51,b3,4c,ad,c0,79,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\SbHpNp.DLL
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
.
- - - - - - - > 'lsass.exe'(816)
c:\windows\SbHpNp.dll
.
- - - - - - - > 'explorer.exe'(1980)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\windows\system32\ifxtcs.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Tablet\Wacom\Wacom_TabletUser.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-12-31  17:00:23 - machine was rebooted
ComboFix-quarantined-files.txt  2012-01-01 01:00
.
Pre-Run: 38,616,297,472 bytes free
Post-Run: 40,456,617,984 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0E798674A82421E26A63B649A5129730

2.  Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:02:44 PM, on 12/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [IFXSPMGT] C:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKLM\..\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL ""
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290153598093
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
O18 - Protocol: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\APSHook.dll
O20 - Winlogon Notify: OneCard - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 12167 bytes


----------



## johnb35 (Jan 1, 2012)

Looking lots better.  However, do you know what this is for?

c:\windows\system32\SupportTool.exe.bat


Lets make sure you don't have any outdated software installed.  Combofix created a log for us but didn't automatically show it.  Please navigate to 

c:\Qoobox and in that folder will be a file named add-remove programs.txt.  Please open that file and copy the contents and paste in your next reply.


----------



## patrick (Jan 1, 2012)

Hi  John, Whew!  "Looking lots better" coming from you brings so much hope...relief.  I believe the c:\windows\system32\SupportTool.exe.bat is used to launch a tool used by our company's Technical Support team.  I am not sure.  I will follow your other instructions and report back.


----------



## patrick (Jan 1, 2012)

Here is the contents of add-remove program.txt:


Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Help Center 2.0
Adobe Photoshop Elements 4.0
Adobe Reader X (10.1.1)
AOL Toolbar 5.0
BIOS Configuration for HP ProtectTools
Cisco Network Magic
Costco Photo Organizer
Credential Manager for HP ProtectTools
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Drive Encryption for HP ProtectTools
Embedded Security for HP ProtectTools
Google Chrome
Google Update Helper
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Backup and Recovery Manager
HP Help and Support
HP ProtectTools Security Manager
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.1.14.1
Intel® Active Management Technology
Intel® Management Engine Interface
InterVideo Register Manager
InterVideo WinDVD
Java Auto Updater
Java(TM) 6 Update 26
Java(TM) SE Runtime Environment 6 Update 1
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Software Update for Web Folders  (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 8.0.1 (x86 en-US)
MSN
MSXML 6 Service Pack 2 (KB973686)
Network Magic
Picasa 3
Pure Networks Platform
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
SCRABBLE PLUS
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553353) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SoundMAX
StartNow Toolbar
Trend Micro Titanium
Trend Micro Titanium Maximum Security 2012
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Wacom Tablet
WebEx Support Manager for Internet Explorer
WebFldrs XP
WebTablet IE Plugin
WebTablet Netscape Plugin
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3


----------



## johnb35 (Jan 1, 2012)

Is this a business computer?  I generally won't help anyone that has a business computer and advice them to contact the network admin to fix the issue.  I'm just noticing that some of the entries I see are more business related.

Please uninstall the following entries in add/remove programs.

Java(TM) 6 Update 26
Java(TM) SE Runtime Environment 6 Update 1
StartNow Toolbar

Then go here to download the lastest version of java.

http://www.java.com/en/download/inc/windows_upgrade_ie.jsp

How's your system running now?


----------



## patrick (Jan 1, 2012)

John, this is a business model that I bought for home as my personal computer.  I do not remote access into my office from this computer.  I only buy business models for home use.  I have found the performance to be superior--never any issue at all until "this recent event".  I will follow what you recommend next and will report back.


----------



## patrick (Jan 1, 2012)

Well, John, bravo!!!  I have upgraded Java and rebooted, and the computer seems to be performing as it did previously.  It logged off as it should, and quickly, and it rebooted quickly.  Even though it takes up a lot of space, this is why I like this business model--it is fast!  After booting, I usually go first to Firefox which was taking a while to launch.  It now comes up quickly.  I love my computer again.  

Your reputation is well deserved, and I am so glad I was able to contact you on New Year's Eve!!  I don't know whether you are working as a volunteer on this Forum.  What an asset you are!  Sure hope you enjoy the rest of this New Year's Eve and best wishes for another successful year in all your endeavors!!


----------



## johnb35 (Jan 1, 2012)

I appreciate it.  May I ask who referred you to come here and seek out my help?  I'm just curious.  

Yes, all staff in this forum are just volunteers that visit the forum whenever they can, in my case, its quite often.  I love what I do and have my own computer repair business.


----------



## patrick (Jan 1, 2012)

johnb35 said:


> I appreciate it.  May I ask who referred you to come here and seek out my help?  I'm just curious.
> 
> Yes, all staff in this forum are just volunteers that visit the forum whenever they can, in my case, its quite often.  I love what I do and have my own computer repair business.



--------------
John, it's clear you love what you do and if I lived near your computer business I would have visited your business with my computer.  In fact, before coming to Computer Forum, I was about to take my computer to a local repair shop....until a person who used to work in IT has been very impressed with your work and was emphatic that YOU could "make my computer well again."  Once again much success to you and your business in the New Year!!


----------

