  1. #1
    Member

    Malware Changing Google Search Results, Specifically Antivirus 2009. Please Help!

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 03/13/2010 at 11:36 PM

    Application Version : 4.34.1000

    Core Rules Database Version : 4671
    Trace Rules Database Version: 2483

    Scan type : Complete Scan
    Total Scan Time : 00:47:23

    Memory items scanned : 904
    Memory threats detected : 0
    Registry items scanned : 7753
    Registry threats detected : 0
    File items scanned : 24960
    File threats detected : 31

    Adware.Tracking Cookie
    C:\Documents and Settings\hhunt\Cookies\hhunt@imrworldwide[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@kontera[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@yieldmanager[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@at.atwola[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@adinterax[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@media6degrees[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@revsci[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@pointroll[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@apmebf[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@walmart.112.2o7[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@a1.interclick[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@associatedcontent.112.2o7[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@interclick[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@ad.yieldmanager[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@overture[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@richmedia.yahoo[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@e-2dj6wfmioicpsgo.stats.esomniture[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@2o7[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@sales.liveperson[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@tacoda[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@ads.pointroll[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@chitika[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@admarketplace[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@sales.liveperson[3].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@ad.wsod[2].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@content.yieldmanager[3].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@dmtracker[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@dminsite.112.2o7[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@bridge1.admarketplace[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@ads.associatedcontent[1].txt
    C:\Documents and Settings\hhunt\Cookies\hhunt@content.yieldmanager[1].txt
    Malwarebytes' Anti-Malware 1.44
    Database version: 3865
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/14/2010 7:27:36 AM
    mbam-log-2010-03-14 (07-27-36).txt

    Scan type: Quick Scan
    Objects scanned: 159098
    Time elapsed: 12 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 10
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Program Files\Internet Explorer\Iexplore.exe" %1) Good: ("%1" /S) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 6:47:43 PM, on 3/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\SMART Board Software\SMARTBoardService.exe
    C:\WINDOWS\system32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\TEMP\YBF46E.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\TpScrLk.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\COMMON~1\MOBIPO~1\webcomp.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Pcounter\WBALANCE.EXE
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Wake Forest University Baptist Medical Center - Wake Forest University Baptist Medical Center
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 urs.microsoft.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.com
    O1 - Hosts: 84.19.171.6 google.com.au
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.be
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.com.br
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.ca
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.ch
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.de
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.dk
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.fr
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.ie
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.it
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.co.jp
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.nl
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.no
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.co.nz
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.pl
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.se
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.co.uk
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.co.za
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 Google Analytics | Official Website
    O1 - Hosts: 84.19.171.6 Bing
    O1 - Hosts: 84.19.171.6 search.yahoo.com
    O1 - Hosts: 84.19.171.6 Yahoo! Search - Web Search
    O1 - Hosts: 84.19.171.6 uk.search.yahoo.com
    O1 - Hosts: 84.19.171.6 ca.search.yahoo.com
    O1 - Hosts: 84.19.171.6 de.search.yahoo.com
    O1 - Hosts: 84.19.171.6 fr.search.yahoo.com
    O1 - Hosts: 84.19.171.6 au.search.yahoo.com
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "C:\sysprep\ImgSetup.exe" "/" -HideWindow
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\PROGRA~1\COMMON~1\MOBIPO~1\webcomp.exe -m
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Wbalance.lnk = C:\Program Files\Pcounter\WBALANCE.EXE
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/...nAxControl.CAB
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://os1:4343/officescan/console/...l/WinNTChk.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://os1:4343/officescan/console/...tall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://os1:4343/officescan/console/html/AtxEnc.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.0.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1252939545531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1252939538015
    O16 - DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} (BlackBerry Patch Installer) - http://www.blackberry.com/CalendarPa...hLoaderUSB.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = medctr.ad.wfubmc.edu
    O17 - HKLM\Software\..\Telephony: DomainName = medctr.ad.wfubmc.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = medctr.ad.wfubmc.edu
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 20621 bytes

  2. #2
    Member


    More specifically, the virus/malware is redirecting my Google searches.

  3. #3
    JohnB151 (Forum Moderator)


    Hi and welcome to the Help2Go forums.
    My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

    HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.

    Despite that, it is important that you first know a couple of things:
    • The fixes are specific to your problem and should only be used for this issue on this machine.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • If you don't reply within five days after my last instructions, this topic will be closed. If you will not be able to reply within five days, please tell me how long it will take so the topic will not be closed.


    There are also some things that I want you to do so I can work as well as possible:
    • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • Please reply to this thread. Do not start a new topic.
    • Also, don't post logs as attachments. Other helpers like to view the logs as well, and opening a lot of attachments is irritating. They can also contain malware.


    One more thing is very important for users who have Vista as their operating system.
    When I instruct you to run a tool or program, always right-click and choose 'Run as Administrator' instead of just double-clicking the icon.

    Finally, please make an uninstall list using HijackThis and post that log so I know you have read this post.
    To access the Uninstall Manager you would do the following:
    • Start HijackThis
    • Click on the Open The Misc Tool Section button
    • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic.


    Regards,
    John.

  4. #4
    Member


    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    Access Help
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.3
    Adobe Shockwave Player 11
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    BlackBerry Desktop Software 4.6
    BlackBerry Desktop Software 4.6
    BlackBerry Smartphone Web Patch Installer
    Bonjour
    Compatibility Pack for the 2007 Office system
    Diagnosaurus
    Express Scribe
    Garmin City Navigator North America NT 2010.40
    Garmin POI Loader
    Garmin WebUpdater
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    Google Update Helper
    Help Center
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    HP Customer Participation Program 7.0
    HP Document Viewer 7.0
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Software Update
    HP Solution Center 7.0
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet/Wireless Software
    Interactive Medical Terminology 2.0
    InterVideo WinDVD
    ISI ResearchSoft - Export Helper
    iTunes
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 15
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Malwarebytes' Anti-Malware
    mCore
    MDL Chime/Chime Pro for Communicator
    MDL Chime/Chime Pro for Internet Explorer
    mDriver
    MedRecall (PocketPC and Smartphone) v #PRODNAME# by Skyscape
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft .NET Framework 3.0 Service Pack 1
    Microsoft ActiveSync
    Microsoft Antimalware
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Outlook Web Access S/MIME
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Security Essentials
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Journal Viewer
    MMedicus
    mMHouse
    mPfMgr
    mProSafe
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    mWlsSafe
    mXML
    Netscape Communicator 4.8
    OCR Software by I.R.I.S 7.0
    PC-Doctor 5 for Windows
    Pcounter for Windows
    Pcounter for Windows
    Productivity Center Supplement for ThinkPad
    QuickTime
    RDC
    RealPlayer
    RecordNow Audio
    RecordNow Copy
    RecordNow Data
    Roxio Media Manager
    Scroll Lock Indicator Utility
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB955936)
    Security Update for Microsoft Office Excel 2007 (KB955470)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB951808)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office Word 2007 (KB950113)
    Security Update for Visio 2007 (KB947590)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    SMART Board Software
    smARTupdate
    Software Installer
    Sonic DLA
    Sonic Express Labeler
    Sonic Update Manager
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 8
    Stedman's Electronic Medical Dictionary 6.0
    Stedman's Medical Dictionary for the Health Professions and Nur (Shared Components)
    Stedman's Medical Dictionary for the Health Professions and Nursing 1.0
    SUPERAntiSpyware Free Edition
    System Update
    ThinkPad Bluetooth with Enhanced Data Rate Software
    ThinkPad Configuration
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Keyboard Customizer Utility
    ThinkPad Modem
    ThinkPad PC Card Power Policy
    ThinkPad Power Management Driver
    ThinkPad Power Manager
    ThinkPad Presentation Director
    ThinkPad UltraNav Driver
    ThinkPad UltraNav Wizard
    ThinkVantage Active Protection System
    ThinkVantage Productivity Center
    TrackPoint Accessibility Features
    Trend Micro OfficeScan Client
    TurboNote
    TWC Customer Controls
    Tweak UI
    Update for Microsoft Office Excel 2007 Help (KB957242)
    Update for Microsoft Office OneNote 2007 Help (KB957245)
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Microsoft Office Outlook 2007 Help (KB957246)
    Update for Microsoft Office PowerPoint 2007 Help (KB957247)
    Update for Microsoft Office Publisher 2007 Help (KB957249)
    Update for Microsoft Office Word 2007 Help (KB957252)
    Update for Microsoft Script Editor Help (KB957253)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb957829)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951072-v2)
    User Profile Hive Cleanup Service
    VoiceOver Kit
    WIMGAPI
    Windows Desktop Search 3.01
    Windows Driver Package - Intel (NETw4x32) net (02/25/2007 11.1.0.86)
    Windows Driver Package - Intel (w29n51) net (02/08/2007 9.0.4.33)
    Windows Driver Package - Intel net (02/25/2007 11.1.0.86)
    Windows Driver Package - Intel net (02/25/2007 11.1.0.86)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    Yahoo! Install Manager
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar

  5. #5
Forum Moderator JohnB151
    Join Date
    Mar 2009
    Location
    The Netherlands
    Posts
    950
    Points
    38

    Hi,

    There are two questions that I have first.
    • Is it right that this computer is part of the Wake Forest University Baptist Medical Center? If so, don't you have an IT department you could bring this computer to? The reason I am asking is that we normally don't clean business computers as crashes and loss of data could bring us into trouble.
• Does your Trend Micro software have a firewall included?


    Also, you have the beta version of HijackThis installed. Please uninstall this version and then download the stable version 2.0.2:
    • Download HJTInstall.exe to your Desktop.
    • Doubleclick HJTInstall.exe to install it.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Copy/Paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
    Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

    Regards,
    John.

  6. #6
    Member
    Join Date
    Mar 2010
    Posts
    18
    Points
    0

    Thank you for your help!

    My computer is no longer affiliated with the Wake Forest Baptist Medical Center, I am no longer a student there as of 1 year ago and the computer was released to me as my own personal machine.

My Trend Micro does not have a firewall with it; I'm almost 100% sure.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:54:26 AM, on 3/17/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\SMART Board Software\SMARTBoardService.exe
    C:\WINDOWS\system32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\TEMP\YBF46E.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\TpScrLk.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\COMMON~1\MOBIPO~1\webcomp.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Pcounter\WBALANCE.EXE
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Wake Forest University Baptist Medical Center - Wake Forest University Baptist Medical Center
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 urs.microsoft.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.com
    O1 - Hosts: 84.19.171.6 google.com.au
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.be
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.com.br
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.ca
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.ch
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.de
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.dk
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.fr
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.ie
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.it
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.co.jp
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.nl
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.no
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.co.nz
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.pl
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.se
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.co.uk
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 google.co.za
    O1 - Hosts: 84.19.171.6 Google
    O1 - Hosts: 84.19.171.6 Google Analytics | Official Website
    O1 - Hosts: 84.19.171.6 Bing
    O1 - Hosts: 84.19.171.6 search.yahoo.com
    O1 - Hosts: 84.19.171.6 Yahoo! Search - Web Search
    O1 - Hosts: 84.19.171.6 uk.search.yahoo.com
    O1 - Hosts: 84.19.171.6 ca.search.yahoo.com
    O1 - Hosts: 84.19.171.6 de.search.yahoo.com
    O1 - Hosts: 84.19.171.6 fr.search.yahoo.com
    O1 - Hosts: 84.19.171.6 au.search.yahoo.com
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "C:\sysprep\ImgSetup.exe" "/" -HideWindow
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\RunOnce: [TSC] "C:\Program Files\Trend Micro\OfficeScan Client\tsc.exe" /HD
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\PROGRA~1\COMMON~1\MOBIPO~1\webcomp.exe -m
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Wbalance.lnk = C:\Program Files\Pcounter\WBALANCE.EXE
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/...nAxControl.CAB
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://os1:4343/officescan/console/...l/WinNTChk.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://os1:4343/officescan/console/...tall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://os1:4343/officescan/console/html/AtxEnc.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.0.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1252939545531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1252939538015
    O16 - DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} (BlackBerry Patch Installer) - http://www.blackberry.com/CalendarPa...hLoaderUSB.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = medctr.ad.wfubmc.edu
    O17 - HKLM\Software\..\Telephony: DomainName = medctr.ad.wfubmc.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = medctr.ad.wfubmc.edu
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 20732 bytes
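
A triage pass over the log above, as an added example and not part of the original thread or of HijackThis itself: it pulls the O1 hosts entries and the running-process list out of HijackThis output and flags (a) hosts-file lines that point well-known search or security-vendor names at anything other than loopback, (b) any single address that collects several names, which is how the 84.19.171.6 block reads, and (c) executables running from directories an unprivileged user can write to, such as the C:\WINDOWS\TEMP entry. The sample lines are excerpted from the posted log; the watchlist, the hub threshold and the writable-directory list are assumptions chosen for illustration.

```python
"""Triage helpers for a HijackThis log: flag hosts-file redirects and
processes running from user-writable locations.  Added example; the
watchlist and thresholds below are assumptions, not HijackThis output."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines excerpted from the log posted above.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\TEMP\\YBF46E.EXE
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 84.19.171.6 google.com
O1 - Hosts: 84.19.171.6 google.co.uk
O1 - Hosts: 84.19.171.6 search.yahoo.com
O1 - Hosts: 84.19.171.6 uk.search.yahoo.com
O1 - Hosts: 84.19.171.6 de.search.yahoo.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\\Program Files\\Google\\Google Toolbar\\GoogleToolbar_32.dll
"""

# Addresses a legitimate hosts file may map names to: loopback or a blackhole.
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains a hosts file has no business rerouting (assumed watchlist).
WATCHLIST = re.compile(
    r"(^|\.)(google\.[a-z.]+|bing\.com|yahoo\.com|microsoft\.com)$", re.I)

# One address collecting this many names is a redirect hub (assumed threshold).
HUB_THRESHOLD = 3

# Directories an unprivileged user (or a drive-by download) can write to.
WRITABLE_DIRS = re.compile(
    r"^[a-z]:\\(windows\\temp|temp|documents and settings|users|recycler)\\", re.I)

O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_hosts_entries(log):
    """Return (ip, hostname) pairs from the O1 lines of a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O1_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def suspicious_hosts(entries):
    """Flag hosts entries that redirect instead of block.

    Returns (ip, hostname, reason) for every entry that points a watch-listed
    name at a non-loopback address, plus every other name whose address is
    shared by HUB_THRESHOLD or more names in total.
    """
    by_ip = defaultdict(set)
    for ip, host in entries:
        by_ip[ip].add(host)
    flagged = []
    for ip, host in entries:
        if ip in BENIGN_TARGETS:
            continue
        if WATCHLIST.search(host):
            flagged.append((ip, host, "watchlisted domain redirected"))
        elif len(by_ip[ip]) >= HUB_THRESHOLD:
            flagged.append((ip, host, "one address collects %d names" % len(by_ip[ip])))
    return flagged


def parse_running_processes(log):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs, in_block = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            procs.append(line)
    return procs


def suspicious_processes(log):
    """Return process paths that live in user-writable directories."""
    return [p for p in parse_running_processes(log) if WRITABLE_DIRS.match(p)]


if __name__ == "__main__":
    for ip, host, why in suspicious_hosts(parse_hosts_entries(SAMPLE_LOG)):
        print("HOSTS  %-15s %-32s %s" % (ip, host, why))
    for path in suspicious_processes(SAMPLE_LOG):
        print("PROC   %s" % path)
```

Running it prints one line per finding. A legitimate hosts file maps names to 127.0.0.1 or 0.0.0.0 in order to block them; an entry that sends google.com or search.yahoo.com to a public address is a redirect, and a name in the running-process list that lives under TEMP is worth checking before the next step, not proof of infection by itself.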

  7. #7
Forum Moderator JohnB151
    Join Date
    Mar 2009
    Location
    The Netherlands
    Posts
    950
    Points
    38

    Hi,

    Alright, then let's start cleaning.

You aren't running firewall software. Please download and install one first!

    Use a Firewall - Using a Firewall on your computer can be very important. Without a firewall your computer is susceptible to being hacked and taken over. There are some different situations you can be in where a third-party firewall may or may not be a good addition to your system:
• If you are not using Windows XP or Vista, but an older version, I recommend that you use a firewall.
• If you are using Windows XP or Vista, but are on dial-up, I recommend that you use a firewall.
• If you are using Windows XP or Vista and are using broadband, but are not experienced in using firewalls and getting the choice to allow or disallow things, I recommend that you use Windows Firewall.
• If you are using Windows XP or Vista, are using broadband and are experienced, I recommend that you disable Windows Firewall (as it is not perfect) and get a third-party firewall.


    Here are some firewalls which are free for personal use and most used:
    Kerio Personal Firewall (Free version after 30 days)
    Online Armor Free

    Or you could buy their paid version online or in a shop nearby:
    Kerio Personal Firewall (Continue paid version after 30 days)
    Online Armor or Online Armor AV+ with Anti-Virus included

Once you have done this, we can begin with the fix.

    Please visit this webpage for download links, and instructions for running the tool:
    A guide and tutorial on using ComboFix

    Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti-virus program please see this:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Go on with the ComboFix guide; when it opens its log, please post it.

    Remember that the ComboFix log is also saved here: C:\ComboFix.txt

    Regards,
    John.

  8. #8
    Member
    Join Date
    Mar 2010
    Posts
    18
    Points
    0

    Default

    Here you go....Thanks!

    ComboFix 10-03-17.06 - Administrator 03/17/2010 21:07:09.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1335 [GMT -4:00]
    Running from: c:\userdata\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {9F90AFBB-8E08-40ED-89BF-A56B48BC1A33}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
    c:\recycler\S-1-5-21-117609710-1336601894-839522115-1003
    c:\recycler\S-1-5-21-117609710-1336601894-839522115-500
    c:\recycler\S-1-5-21-2233736159-4063957518-2289737123-500
    c:\recycler\S-1-5-21-2633871445-2757023094-1967109679-500
    c:\recycler\S-1-5-21-3524852954-3032291821-3607255330-500
    c:\recycler\S-1-5-21-4052488196-3934153979-1924722585-500
    c:\recycler\S-1-5-21-4238761851-3822946174-2094528166-500
    c:\recycler\S-1-5-21-938587776-1173019256-2261042822-500
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\system32\win.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
    .

    2010-03-18 00:35 . 2010-03-18 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\OnlineArmor
    2010-03-17 23:39 . 2010-03-18 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
    2010-03-17 23:39 . 2010-03-17 23:39 -------- d-----w- c:\documents and settings\hhunt\Application Data\OnlineArmor
    2010-03-17 23:38 . 2009-12-05 11:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
    2010-03-17 23:38 . 2009-12-05 11:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
    2010-03-17 23:38 . 2009-12-05 11:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
    2010-03-17 23:38 . 2010-03-17 23:38 -------- d-----w- c:\program files\Tall Emu
    2010-03-14 22:10 . 2010-03-14 22:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
    2010-03-14 13:54 . 2010-03-14 13:54 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-03-14 13:54 . 2010-03-14 13:54 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-14 13:53 . 2010-03-14 13:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2010-03-14 12:27 . 2010-03-14 12:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-03-14 12:13 . 2010-03-14 12:13 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-03-14 12:12 . 2010-03-14 12:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\IsolatedStorage
    2010-03-14 12:12 . 2010-03-14 12:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\HP
    2010-03-14 12:12 . 2010-03-14 12:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\HP
    2010-03-14 12:11 . 2010-03-14 12:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
    2010-03-14 12:11 . 2010-03-14 14:17 -------- d--h--r- c:\documents and settings\Administrator\Application Data\yahoo!
    2010-03-14 12:10 . 2010-03-14 12:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-03-14 11:13 . 2010-03-14 11:13 -------- d-----w- c:\documents and settings\hhunt\Application Data\Malwarebytes
    2010-03-14 11:13 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-14 11:13 . 2010-03-14 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-14 11:13 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-14 11:13 . 2010-03-14 11:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-14 11:03 . 2010-03-14 11:03 -------- d-----w- c:\program files\TrendMicro
    2010-03-14 03:05 . 2010-03-14 03:05 52224 ----a-w- c:\documents and settings\hhunt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-03-14 03:05 . 2010-03-14 03:05 117760 ----a-w- c:\documents and settings\hhunt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-14 03:05 . 2010-03-14 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-03-14 03:04 . 2010-03-14 03:04 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-03-14 03:04 . 2010-03-14 03:04 -------- d-----w- c:\documents and settings\hhunt\Application Data\SUPERAntiSpyware.com
    2010-03-12 22:02 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-03-12 22:00 . 2010-03-12 22:00 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-03-12 21:49 . 2010-03-12 21:49 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-09 02:58 . 2010-03-09 03:00 2 ----a-w- C:\switches.dat
    2010-03-02 01:44 . 1999-02-25 11:32 122880 ----a-w- c:\windows\system32\fxtls532.dll
    2010-03-02 01:44 . 1999-01-29 05:28 29184 ----a-w- c:\windows\system32\picn20.dll
    2010-03-02 01:44 . 2010-03-02 01:48 -------- d-----w- c:\program files\Kap.GRE
    2010-03-02 01:44 . 1999-04-23 22:22 1056768 ----a-w- c:\windows\system32\MSJET35.DLL
    2010-03-02 01:44 . 1998-05-01 15:01 24848 ----a-w- c:\windows\system32\msjter35.dll
    2010-03-02 01:44 . 1998-05-01 15:01 123664 ----a-w- c:\windows\system32\msjint35.dll
    2010-03-02 01:44 . 1998-04-24 00:00 252176 ----a-w- c:\windows\system32\msrd2x35.dll
    2010-03-02 01:44 . 1999-04-23 22:22 430080 ----a-w- c:\windows\system32\MSREPL35.DLL
    2010-03-02 01:44 . 1999-03-26 00:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2010-03-02 01:44 . 1998-08-10 18:56 89360 ----a-w- c:\windows\system32\VB5DB.DLL
    2010-02-25 22:20 . 2010-02-25 22:20 -------- d-----w- c:\documents and settings\hhunt\Local Settings\Application Data\Temp
    2010-02-16 02:50 . 2010-02-16 02:50 -------- d-----w- c:\program files\Garmin
    2010-02-16 02:50 . 2010-02-16 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
    2010-02-16 01:55 . 2010-02-16 02:40 -------- d-----w- c:\documents and settings\hhunt\Application Data\Download Manager

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-18 00:19 . 2008-05-26 21:39 44544 ----a-w- c:\windows\system32\agremove.exe
    2010-03-17 10:53 . 2008-08-21 15:06 -------- d-----w- c:\program files\Trend Micro
    2010-03-14 03:04 . 2006-04-05 14:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-03-13 01:57 . 2006-04-05 19:52 -------- d-----w- c:\program files\Google
    2010-02-16 02:48 . 2008-11-30 15:17 -------- d-----w- c:\documents and settings\hhunt\Application Data\GARMIN
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-13 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
    "TP4EX"="tp4ex.exe" [2005-10-17 65536]
    "TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
    "TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
    "TpShocks"="TpShocks.exe" [2006-12-26 181808]
    "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-12-20 159744]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-12-20 208896]
    "LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-02-02 120368]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-10 185896]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-08-01 540672]
    "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-01 718120]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-08 236016]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
    "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

    c:\documents and settings\hhunt\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-3-26 45056]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Wbalance.lnk - c:\program files\Pcounter\WBALANCE.EXE [2006-4-6 86528]
    Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2005-12-08 18:59 39936 ----a-w- c:\windows\system32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 03:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 00:16 24576 ----a-w- c:\windows\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART Board Tools.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
    backup=c:\windows\pss\SMART Board Tools.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\TurboNote\\tbnote.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\IMT\\server32.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [12/25/2006 10:03 PM 19760]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/17/2010 7:38 PM 223312]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/17/2010 7:38 PM 24656]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/17/2010 7:38 PM 29776]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/17/2010 7:38 PM 1282248]
    R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [12/8/2005 2:44 PM 3328]
    R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/17/2010 7:38 PM 3291336]
    R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [7/10/2007 2:21 PM 36368]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2010 7:15 PM 135664]
    S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [7/10/2007 2:21 PM 225808]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
    S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/10/2007 2:21 PM 652552]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 23:15]

    2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 23:15]

    2010-03-18 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-04-05 05:14]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www1.wfubmc.edu/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} - hxxp://www.blackberry.com/CalendarPatch/patch/desktop/DevicePatchLoaderUSB.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Trend OfficeScan ImageSetup - c:\sysprep\ImgSetup.exe
    AddRemove-Pcounter for Windows - c:\program files\Pcounter\DeIsL1.isu



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-03-17 21:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3393018131-2606410657-977329125-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,3d,5b,c3,32,77,62,40,93,9f,48,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,3d,5b,c3,32,77,62,40,93,9f,48,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(644)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\infra.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\windows\system32\biologon.dll
    c:\program files\ThinkVantage Fingerprint Software\homepass.dll
    c:\program files\ThinkVantage Fingerprint Software\bio.dll
    c:\program files\ThinkVantage Fingerprint Software\remote.dll
    c:\windows\system32\tphklock.dll

    - - - - - - - > 'lsass.exe'(700)
    c:\windows\system32\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\infra.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    .
    Completion time: 2010-03-17 21:20:15
    ComboFix-quarantined-files.txt 2010-03-18 01:20

    Pre-Run: 81,792,618,496 bytes free
    Post-Run: 82,573,701,120 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 07BC9F2890756B241997468FD7116995

  9. #9
    Moderator Forum Moderator JohnB151's Avatar
    Join Date
    Mar 2009
    Location
    The Netherlands
    Posts
    950
    Points
    38

    Default

    Hi,

    There are some suspicious files in the log, so let's check them for malware.

    To enable the viewing of Hidden files follow these steps:
    • Close all programs so that you are at your desktop.
    • Double-click on the My Computer icon (or click Start, then select My Computer)
    • Select the Tools menu and click Folder Options.
    • After the new window appears select the View tab.
    • Put a checkmark in the checkbox labeled Display the contents of system folders.
    • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    • Remove the checkmark from the checkbox labeled Hide protected operating system files.
    • Press the Apply button and then the OK button, and close My Computer.

    Now your computer is configured to show all hidden files.

    c:\windows\system32\agremove.exe
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\biologon.dll
    • Click Browse and browse to the destination of the first file in the above box.
    • Click Send/Submit (if the file is present), and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programs.
    • After a while, a window will open, with details of what the scans found.
    • Save the complete results in a Notepad/Word document on your desktop.
    • Repeat for all files on the list.

    Please post the results. Also let me know if you still had Pcounter installed, because ComboFix deleted it from the Add/Remove list, but that may be an error (which I can restore easily).

    Regards,
    John.
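    The upload step above has a companion check a practitioner usually does first: compute the file's hashes and look them up on a service that supports lookup by hash, so a file that has already been analysed need not be uploaded at all, and then read the multi-engine result listing as a detection count rather than scanning forty rows by eye. The Python below is an added example for this thread, not code from the forum, from VirusTotal or from Jotti; it produces the same three digests (MD5, SHA1, SHA256) that a scan report's "Additional information" block lists, and it parses a result listing in either the semicolon-separated export form ("Antivirus;Version;Last Update;Result") or the space-separated plain-text form, skipping the header and treating "-" as "nothing reported". The engine names, versions and detection strings in `SAMPLE_LISTING` are constructed for the example, as is the temporary file the `__main__` block hashes.

```python
"""Hash a file for a hash lookup, and summarise a multi-engine scan listing."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed sample listing (not a real scan result) in the semicolon-separated
# export format: Antivirus;Version;Last Update;Result. "-" means no detection.
SAMPLE_LISTING = """\
Antivirus;Version;Last Update;Result
EngineA;1.0.0;2010.03.18;-
EngineB;2.3.1;2010.03.19;-
EngineC;6.8.5;2010.03.18;Heuristic.BehavesLike.Win32.Downloader.A
EngineD;4956;2010.03.18;-
EngineE;9.0.15;2010.03.19;Packed.Win32.UPX
"""


def hashes_of_bytes(data: bytes) -> Dict[str, str]:
    """Return the three digests a scan report's 'Additional information' block lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file incrementally so a large binary is never read into memory at once."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def parse_listing(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse result rows into (engine, version, last_update, result) tuples.

    Accepts the semicolon-separated export, or the space-separated plain-text
    form (split on whitespace into at most four fields, so a detection name
    without spaces survives intact). The header row and any line that does not
    have exactly four fields are skipped.
    """
    rows: List[Tuple[str, str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")] if ";" in line else line.split(None, 3)
        if len(fields) != 4:
            continue
        if fields[0].lower() == "antivirus":
            continue  # header row in either format
        rows.append((fields[0], fields[1], fields[2], fields[3]))
    return rows


def summarise(rows: List[Tuple[str, str, str, str]]) -> Dict[str, object]:
    """Count the engines that reported something other than '-' and name them."""
    flagged = [(engine, result) for engine, _ver, _upd, result in rows if result not in ("-", "")]
    return {
        "engines": len(rows),
        "detections": len(flagged),
        "flagged_by": flagged,
        "ratio": f"{len(flagged)}/{len(rows)}",
    }


def report(path: str, listing: str) -> Dict[str, object]:
    """Combine the file's hashes with the detection summary for one listing."""
    out: Dict[str, object] = dict(hashes_of_file(path))
    out.update(summarise(parse_listing(listing)))
    return out


if __name__ == "__main__":
    # Constructed stand-in file so the example runs offline; a real run would
    # point this at the file to be checked (a hypothetical path, not one from the thread).
    with tempfile.NamedTemporaryFile("wb", suffix=".bin", delete=False) as tmp:
        tmp.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real executable")
        sample_path = tmp.name
    try:
        for key, value in report(sample_path, SAMPLE_LISTING).items():
            print(f"{key}: {value}")
    finally:
        os.unlink(sample_path)
```

    A result of 1 out of 40 from a single heuristic engine, as the thread's agremove.exe listing shows, is a weak signal on its own; the summary is meant to make that ratio and the naming engines visible at a glance, so that the decision to dig further rests on the publisher, signature and packer details rather than on the bare presence of one hit.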

  10. #10
    Member
    Join Date
    Mar 2010
    Posts
    18
    Points
    0

    Default

    John, the info requested is below. Also, I am not sure what Pcounter is. How can I tell if I still have it?

    File agremove.exe received on 2010.03.19 00:52:13 (UTC)
    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.03.18 -
    AhnLab-V3 5.0.0.2 2010.03.18 -
    AntiVir 8.2.1.194 2010.03.18 -
    Antiy-AVL 2.0.3.7 2010.03.18 -
    Authentium 5.2.0.5 2010.03.19 -
    Avast 4.8.1351.0 2010.03.18 -
    Avast5 5.0.332.0 2010.03.18 -
    AVG 9.0.0.787 2010.03.18 -
    BitDefender 7.2 2010.03.19 -
    CAT-QuickHeal 10.00 2010.03.18 -
    ClamAV 0.96.0.0-git 2010.03.18 -
    Comodo 4310 2010.03.19 -
    DrWeb 5.0.1.12222 2010.03.19 -
    eSafe 7.0.17.0 2010.03.18 -
    eTrust-Vet 35.2.7373 2010.03.18 -
    F-Prot 4.5.1.85 2010.03.18 -
    F-Secure 9.0.15370.0 2010.03.19 -
    Fortinet 4.0.14.0 2010.03.18 -
    GData 19 2010.03.19 -
    Ikarus T3.1.1.80.0 2010.03.18 -
    Jiangmin 13.0.900 2010.03.18 -
    K7AntiVirus 7.10.1001 2010.03.18 -
    McAfee 5924 2010.03.18 -
    McAfee+Artemis 5924 2010.03.18 -
    McAfee-GW-Edition 6.8.5 2010.03.18 Heuristic.BehavesLike.Win32.Downloader.A
    Microsoft 1.5605 2010.03.18 -
    NOD32 4956 2010.03.18 -
    Norman 6.04.09 2010.03.18 -
    nProtect 2009.1.8.0 2010.03.18 -
    Panda 10.0.2.2 2010.03.18 -
    PCTools 7.0.3.5 2010.03.18 -
    Rising 22.39.03.04 2010.03.18 -
    Sophos 4.51.0 2010.03.19 -
    Sunbelt 5961 2010.03.19 -
    Symantec 20091.2.0.41 2010.03.19 -
    TheHacker 6.5.2.0.237 2010.03.19 -
    TrendMicro 9.120.0.1004 2010.03.18 -
    VBA32 3.12.12.2 2010.03.17 -
    ViRobot 2010.3.18.2234 2010.03.18 -
    VirusBuster 5.0.27.0 2010.03.18 -

    Additional information
    File size: 44544 bytes
    MD5...: 9f2457cd8ec5e60ae852bf333385f2ac
    SHA1..: bb6791894fc11ee68665411353411295af856e5d
    SHA256: cd1dc21c324eec7f73f935f41cc4901e48709f1dcf62f4ed421f4db9dc708acb
    ssdeep: 768:3ksbl3bHrH9BhVjGS2lqh+mX5xVYbwuxLBOZzSBvxgGstQ5q:3ksbxbpBDrFhhz+bw24z6Cjtwq
    PEiD..: -
    PEInfo: PE Structure information
    ( base data )
    entrypointaddress.: 0x1ae00
    timedatestamp.....: 0x4422e82e (Thu Mar 23 18:25:50 2006)
    machinetype.......: 0x14c (I386)
    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0x10000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0x11000 0xa000 0xa000 7.90 9cd5adcec0ff888cb4ffa8a58934851e
    .rsrc 0x1b000 0x1000 0xa00 3.34 49dfe60daf93bdfc68058446a7394ad2
    ( 4 imports )
    > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
    > ADVAPI32.dll: FreeSid
    > USER32.dll: wsprintfA
    > WS2_32.dll: -
    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: UPX compressed Win32 Executable (39.5%)
    Win32 EXE Yoda's Crypter (34.3%)
    Win32 Executable Generic (11.0%)
    Win32 Dynamic Link Library (generic) (9.8%)
    Generic Win/DOS Executable (2.5%)
    sigcheck:
    publisher....: Absolute Software Corp.
    copyright....: Copyright (c) 2005 Absolute Software Corp.
    product......: agremove
    description..: agremove.exe
    original name: agremove.exe
    internal name: agremove.exe
    file version.: 0, 0, 0, 0
    comments.....: Installation/Management Application
    signers......: -
    signing date.: -
    verified.....: Unsigned
    packers (F-Prot): UPX
    Antivirus;Version;Last Update;Result
    a-squared;4.5.0.50;2010.03.18;-
    AhnLab-V3;5.0.0.2;2010.03.18;-
    AntiVir;8.2.1.194;2010.03.18;-
    Antiy-AVL;2.0.3.7;2010.03.18;-
    Authentium;5.2.0.5;2010.03.19;-
    Avast;4.8.1351.0;2010.03.18;-
    Avast5;5.0.332.0;2010.03.18;-
    AVG;9.0.0.787;2010.03.18;-
    BitDefender;7.2;2010.03.19;-
    CAT-QuickHeal;10.00;2010.03.18;-
    ClamAV;0.96.0.0-git;2010.03.18;-
    Comodo;4310;2010.03.19;-
    DrWeb;5.0.1.12222;2010.03.19;-
    eSafe;7.0.17.0;2010.03.18;-
    eTrust-Vet;35.2.7373;2010.03.18;-
    F-Prot;4.5.1.85;2010.03.18;-
    F-Secure;9.0.15370.0;2010.03.19;-
    Fortinet;4.0.14.0;2010.03.18;-
    GData;19;2010.03.19;-
    Ikarus;T3.1.1.80.0;2010.03.18;-
    Jiangmin;13.0.900;2010.03.18;-
    K7AntiVirus;7.10.1001;2010.03.18;-
    McAfee;5924;2010.03.18;-
    McAfee+Artemis;5924;2010.03.18;-
    McAfee-GW-Edition;6.8.5;2010.03.18;Heuristic.BehavesLike.Win32.Downloader.A
    Microsoft;1.5605;2010.03.18;-
    NOD32;4956;2010.03.18;-
    Norman;6.04.09;2010.03.18;-
    nProtect;2009.1.8.0;2010.03.18;-
    Panda;10.0.2.2;2010.03.18;-
    PCTools;7.0.3.5;2010.03.18;-
    Rising;22.39.03.04;2010.03.18;-
    Sophos;4.51.0;2010.03.19;-
    Sunbelt;5961;2010.03.19;-
    Symantec;20091.2.0.41;2010.03.19;-
    TheHacker;6.5.2.0.237;2010.03.19;-
    TrendMicro;9.120.0.1004;2010.03.18;-
    VBA32;3.12.12.2;2010.03.17;-
    ViRobot;2010.3.18.2234;2010.03.18;-
    VirusBuster;5.0.27.0;2010.03.18;-

    Additional information
    File size: 44544 bytes
    MD5...: 9f2457cd8ec5e60ae852bf333385f2ac
    SHA1..: bb6791894fc11ee68665411353411295af856e5d
    SHA256: cd1dc21c324eec7f73f935f41cc4901e48709f1dcf62f4ed421f4db9dc708acb
    ssdeep: 768:3ksbl3bHrH9BhVjGS2lqh+mX5xVYbwuxLBOZzSBvxgGstQ5q:3ksbxbpBDrFhhz+bw24z6Cjtwq
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1ae00
    timedatestamp.....: 0x4422e82e (Thu Mar 23 18:25:50 2006)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0x10000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0x11000 0xa000 0xa000 7.90 9cd5adcec0ff888cb4ffa8a58934851e
    .rsrc 0x1b000 0x1000 0xa00 3.34 49dfe60daf93bdfc68058446a7394ad2

    ( 4 imports )
    > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
    > ADVAPI32.dll: FreeSid
    > USER32.dll: wsprintfA
    > WS2_32.dll: -

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: UPX compressed Win32 Executable (39.5%)
    Win32 EXE Yoda's Crypter (34.3%)
    Win32 Executable Generic (11.0%)
    Win32 Dynamic Link Library (generic) (9.8%)
    Generic Win/DOS Executable (2.5%)
    sigcheck:
    publisher....: Absolute Software Corp.
    copyright....: Copyright (c) 2005 Absolute Software Corp.
    product......: agremove
    description..: agremove.exe
    original name: agremove.exe
    internal name: agremove.exe
    file version.: 0, 0, 0, 0
    comments.....: Installation/Management Application
    signers......: -
    signing date.: -
    verified.....: Unsigned
    packers (F-Prot): UPX


    File ati2evxx.dll received on 2010.03.19 01:57:27 (UTC)
    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.03.19 -
    AhnLab-V3 5.0.0.2 2010.03.18 -
    AntiVir 8.2.1.194 2010.03.18 -
    Antiy-AVL 2.0.3.7 2010.03.18 -
    Authentium 5.2.0.5 2010.03.19 -
    Avast 4.8.1351.0 2010.03.18 -
    Avast5 5.0.332.0 2010.03.18 -
    AVG 9.0.0.787 2010.03.18 -
    BitDefender 7.2 2010.03.19 -
    CAT-QuickHeal 10.00 2010.03.18 -
    ClamAV 0.96.0.0-git 2010.03.18 -
    Comodo 4311 2010.03.19 -
    DrWeb 5.0.1.12222 2010.03.19 -
    eSafe 7.0.17.0 2010.03.18 -
    eTrust-Vet 35.2.7373 2010.03.18 -
    F-Prot 4.5.1.85 2010.03.18 -
    F-Secure 9.0.15370.0 2010.03.19 -
    Fortinet 4.0.14.0 2010.03.18 -
    GData 19 2010.03.19 -
    Ikarus T3.1.1.80.0 2010.03.19 -
    Jiangmin 13.0.900 2010.03.18 -
    K7AntiVirus 7.10.1001 2010.03.18 -
    Kaspersky 7.0.0.125 2010.03.19 -
    McAfee 5924 2010.03.18 -
    McAfee+Artemis 5924 2010.03.18 -
    McAfee-GW-Edition 6.8.5 2010.03.18 -
    Microsoft 1.5605 2010.03.18 -
    NOD32 4956 2010.03.18 -
    Norman 6.04.09 2010.03.18 -
    nProtect 2009.1.8.0 2010.03.18 -
    Panda 10.0.2.2 2010.03.18 -
    PCTools 7.0.3.5 2010.03.18 -
    Prevx 3.0 2010.03.19 -
    Rising 22.39.04.01 2010.03.19 -
    Sophos 4.51.0 2010.03.19 -
    Sunbelt 5962 2010.03.19 -
    Symantec 20091.2.0.41 2010.03.19 -
    TheHacker 6.5.2.0.237 2010.03.19 -
    TrendMicro 9.120.0.1004 2010.03.18 -
    VBA32 3.12.12.2 2010.03.17 -
    ViRobot 2010.3.18.2234 2010.03.18 -
    VirusBuster 5.0.27.0 2010.03.18 -

    Additional information
    File size: 114688 bytes
    MD5...: 586ce2f435bd43522d245ff03fd10e8f
    SHA1..: 725b56a6435e6ce9f4dd36a6aa3537647b200d7f
    SHA256: 4d0cc0b1f8fe4038551b129f25ce78aebd73e3443051acd99e09913baf1e7d59
    ssdeep: 1536:/zlZ32poxHz9arvmb4qJQg8o+KWT7lNRvoN6f+u0XYxKTUtmPeQpLMFb4HRw7H4/:xZ32pcHhCeHQg8o9M3Q6Rw6BtZmZ
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0xc3f4
    timedatestamp.....: 0x4615767e (Thu Apr 05 22:21:50 2007)
    machinetype.......: 0x14c (I386)

    ( 5 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x12434 0x13000 6.21 ae3807a52311d3ad9c8ec5e856fb8c29
    .rdata 0x14000 0x45d9 0x5000 5.84 c274ffb0835a0d1b21070022de5981b0
    .data 0x19000 0x237c 0x1000 1.17 df6a71788c812c26f6e52bc287f105bb
    .rsrc 0x1c000 0x5d0 0x1000 1.79 a3fccbd002796fe7ab8a31b2ac1fa230
    .reloc 0x1d000 0xd70 0x1000 6.02 274a1836269bb3eba1dab12f184d2bf4

    ( 6 imports )
    > KERNEL32.dll: GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcess, OutputDebugStringA, ResetEvent, WaitForMultipleObjects, GetSystemInfo, VirtualProtect, GetLocaleInfoA, UnhandledExceptionFilter, FlushFileBuffers, GetStringTypeW, WaitForSingleObject, GetExitCodeProcess, TerminateProcess, CreateProcessA, LoadLibraryA, FreeLibrary, HeapAlloc, GetProcessHeap, HeapFree, CreateThread, CreateEventA, DisableThreadLibraryCalls, TerminateThread, Sleep, CallNamedPipeA, GetLastError, lstrcpyA, GetModuleHandleA, GetProcAddress, GetVersionExA, OpenEventA, SetEvent, CloseHandle, GetSystemTimeAsFileTime, GetStringTypeA, LCMapStringW, MultiByteToWideChar, LCMapStringA, SetConsoleCtrlHandler, SetStdHandle, GetCPInfo, GetCurrentProcessId, GetCurrentThread, GetTickCount, RtlUnwind, RaiseException, GetCommandLineA, WideCharToMultiByte, InterlockedExchange, VirtualQuery, SetUnhandledExceptionFilter, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, HeapDestroy, HeapCreate, VirtualFree, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, WriteFile, SetFilePointer, VirtualAlloc, HeapReAlloc, IsBadWritePtr, IsBadReadPtr, IsBadCodePtr, GetACP, GetOEMCP
    > USER32.dll: ChangeDisplaySettingsExA, GetSystemMetrics, GetWindowRect, GetWindowPlacement, SetWindowsHookExA, CallNextHookEx, UnhookWindowsHookEx, OffsetRect, IntersectRect, EnumDisplaySettingsA, EnumDisplayDevicesA, SystemParametersInfoA, IsIconic
    > GDI32.dll: GetClipBox, GetDCOrgEx, ExtEscape, CreateDCA, DeleteDC
    > ADVAPI32.dll: OpenThreadToken, RevertToSelf, SetThreadToken, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, CreateProcessAsUserA, OpenSCManagerA, OpenServiceA, CloseServiceHandle, QueryServiceStatus, GetUserNameA, InitializeSecurityDescriptor, AllocateAndInitializeSid, GetLengthSid, InitializeAcl, AddAccessAllowedAce, SetSecurityDescriptorDacl, FreeSid
    > ole32.dll: CoCreateInstance, CoInitializeEx, CoUninitialize, StringFromGUID2
    > OLEAUT32.dll: -, -

    ( 15 exports )
    AtiDisConnectEvent, AtiLockEvent, AtiLogoffEvent, AtiLogonEvent, AtiReConnectEvent, AtiReleaseKeyboardHook, AtiSetKeyboardHook, AtiShutdownEvent, AtiStartScreenSaverEvent, AtiStartShellEvent, AtiStartupEvent, AtiStopScreenSaverEvent, AtiUnLockEvent, ChangeDesktopSetting, _AtiLowLevelKeyboardProc@12
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    sigcheck:
    publisher....: ATI Technologies Inc.
    copyright....: Copyright (c) 1999-2006 ATI Technologies Inc.
    product......: ATI External Event Utility for Windows
    description..: ATI External Event Utility DLL Module
    original name: ATI2EVXX.DLL
    internal name: ATI2EVXX.DLL
    file version.: 6.14.10.4162
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned



    File biologon.dll received on 2010.03.19 01:59:15 (UTC)
    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.03.19 -
    AhnLab-V3 5.0.0.2 2010.03.18 -
    AntiVir 8.2.1.194 2010.03.18 -
    Antiy-AVL 2.0.3.7 2010.03.18 -
    Authentium 5.2.0.5 2010.03.19 -
    Avast 4.8.1351.0 2010.03.18 -
    Avast5 5.0.332.0 2010.03.18 -
    AVG 9.0.0.787 2010.03.18 -
    BitDefender 7.2 2010.03.19 -
    CAT-QuickHeal 10.00 2010.03.18 -
    ClamAV 0.96.0.0-git 2010.03.18 -
    Comodo 4311 2010.03.19 -
    DrWeb 5.0.1.12222 2010.03.19 -
    eSafe 7.0.17.0 2010.03.18 -
    eTrust-Vet 35.2.7373 2010.03.18 -
    F-Prot 4.5.1.85 2010.03.18 -
    F-Secure 9.0.15370.0 2010.03.19 -
    Fortinet 4.0.14.0 2010.03.18 -
    GData 19 2010.03.19 -
    Ikarus T3.1.1.80.0 2010.03.19 -
    Jiangmin 13.0.900 2010.03.18 -
    K7AntiVirus 7.10.1001 2010.03.18 -
    Kaspersky 7.0.0.125 2010.03.19 -
    McAfee 5924 2010.03.18 -
    McAfee+Artemis 5924 2010.03.18 -
    McAfee-GW-Edition 6.8.5 2010.03.18 -
    Microsoft 1.5605 2010.03.18 -
    NOD32 4956 2010.03.18 -
    Norman 6.04.09 2010.03.18 -
    nProtect 2009.1.8.0 2010.03.18 -
    Panda 10.0.2.2 2010.03.18 -
    PCTools 7.0.3.5 2010.03.18 -
    Prevx 3.0 2010.03.19 -
    Rising 22.39.04.01 2010.03.19 -
    Sophos 4.51.0 2010.03.19 -
    Sunbelt 5962 2010.03.19 -
    Symantec 20091.2.0.41 2010.03.19 -
    TheHacker 6.5.2.0.237 2010.03.19 -
    TrendMicro 9.120.0.1004 2010.03.18 -
    VBA32 3.12.12.2 2010.03.17 -
    ViRobot 2010.3.18.2234 2010.03.18 -
    VirusBuster 5.0.27.0 2010.03.18 -

    Additional information
    File size: 5632 bytes
    MD5...: 8079c366f987682e705d81fad42b6e65
    SHA1..: 675caace009d9ddd39711a13d7deaae917b7410f
    SHA256: f6f47f937fe8ea0b456943eaf80a8c2cf322a1719b8a6b0d3f35d3cc44ffdbf4
    ssdeep: 48:SuOhpJGs8vUAQ7FBSffoAq987p1bBXl6Ntuyvo3LQpnmf1YIZWvHl105WwaeQ:iL0sZTe393ecscfaEWN1oWwj
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x132c
    timedatestamp.....: 0x3b2e5d49 (Mon Jun 18 19:58:01 2001)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x633 0x800 4.85 c245db2236a52df6f277dbaf08cb212a
    .data 0x2000 0xc 0x200 0.07 1d7d80e8b5ce8c86e7c833467964b6ae
    .rsrc 0x3000 0x418 0x600 2.44 e666b7aa23d86e9720e8fa68d09b550e
    .reloc 0x4000 0x7e 0x200 1.12 cafde358022319ea180dfa8c95479b94

    ( 4 imports )
    > ntdll.dll: RtlInitString, RtlNtStatusToDosError
    > KERNEL32.dll: LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryW, LocalAlloc, SetLastError, CloseHandle
    > ADVAPI32.dll: OpenThreadToken, OpenProcessToken, GetTokenInformation
    > Secur32.dll: LsaRegisterLogonProcess, LsaLookupAuthenticationPackage, LsaCallAuthenticationPackage

    ( 3 exports )
    InitializeBioLogon, InitiateInteractiveLogon, InitiateInteractiveLogonWithTimeout
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft_ Windows_ Operating System
    description..: Biologon service
    original name: biologon.dll
    internal name: biologon
    file version.: 6.00.2497.0000 built by: main(SReasor)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned


    Thanks Much
