XP Antimalware 2010

JMM123 · March 15, 2010

Please help! Yesterday I got the fake XP Internet Security on my PC and had to find a way to get rid of it. While googling, I found Malwarebytes. However, XP wouldn't let me install it because of the Malware (av.exe, I could end it from the task manager but clicking anything wouldn't work). Hijack this showed nothing wrong with it, and scanning with AVG (I managed to right click and hit "scan this" to open it up) showed three trojans which I deleted. It didn't do anything.

I then read that renaming the installer file might trigger the installation of Malwarebytes. I tried, but it didn't work. I then changed the .exe to .com and it worked, I installed it, updated and ran a quick scan. It came up with 6 objects and I cleaned them out, disabled system restore and rebooted the computer as specified. It didn't do anything. The program was still there. So then I repeated the process of installing Malwarebytes again and did a full scan this time. I got 60 something results (many of which I didn't believe were legit infected, some were Printer Drivers etc) and deleted all of them anyway. I rebooted and it worked, there was nothing popping up. This was early in the morning now.

Throughout the day I used my PC normally and didn't find any problems with it. I didn't get anything telling me I had something wrong. I could start up programs normally again. It seemed to be all over.

But then just now about 20 minutes ago it started again. This time it's "XP Antimalware 2010" or something like that and runs "ave.exe" instead of "av.exe" on the task manager. It has all the same program windows and comes up with the same bullcrap. I'm running a scan with Antimalware as I type this again but I'm worried that its not going to be effective again in the long run. Is there anything I can do to prevent it from coming back?

It seems to appear mainly during the nights.

Here is the thing from yesterday.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 3:08:24 AM, on 3/14/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Documents and Settings\Mike\Local Settings\Application Data\av.exe

C:\WINDOWS\system32\libusbd-nt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

c:\program files\cyberlink\powerdvd\pdvdserv .exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

c:\program files\hp\hp software update\hpwuschd2 .exe

c:\program files\itunes\ituneshelper .exe

c:\program files\java\jre6\bin\jusched .exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask .exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.londondrugs.com

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--

End of file - 11388 bytes

There are a couple other details I can mention:

1. It probably started a while ago when I was looking at a video where some guy was turning his N64 into a portable N64 (one of those hobby mod sites). I got a popup telling me I had viruses and I foolishly clicked "remove all unhealed infections" because it looked a lot like AVG (which I use). It kept giving me messages telling me I had viruses and I rebooted my computer and they ceased to appear. I took the advice of a friend and checked my startup processes to see if it had added any and from what I could tell it didn't.

2. My sister's laptop, which is using internet from my wireless router, contains some malware (her google searches are redirected). I don't know if that has anything to do with it and I seriously doubt it can spread over my internet but I'm no expert so I figured I'd mention it).

Any help would be GREATLY appreciated.

JMM123 · March 15, 2010

Just wondering if anyone has any ideas...

JMM123 · March 17, 2010

ANYONE? Please...

Maniac · March 18, 2010

Hello JMM123! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install any software or hardware, while work on.

Step 1:

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

Step 2:

Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

* HijackThis Uninstall List

* HijackThis log (new)

* ComboFix log

JMM123 · March 19, 2010

Hello Borislav! Here are the things as requested:

COMBOFIX LOG

ComboFix 10-03-18.01 - Mike 03/19/2010 0:25.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1917.994 [GMT -7:00]

Running from: c:\documents and settings\Mike\My Documents\Downloads\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Mike\Local Settings\Temporary Internet Files\bxN4O.jpg

c:\documents and settings\Mike\Local Settings\Temporary Internet Files\O6pXo.jpg

c:\documents and settings\Mike\Local Settings\Temporary Internet Files\X4nNOOyba.jpg

c:\documents and settings\Mike\Local Settings\Temporary Internet Files\xAoXpY.jpg

c:\program files\Internet Explorer\SET222.tmp

c:\program files\Internet Explorer\SET223.tmp

c:\program files\Internet Explorer\SET224.tmp

c:\program files\Internet Explorer\SET2CC.tmp

c:\program files\Internet Explorer\SET2CD.tmp

c:\program files\Internet Explorer\SET2CE.tmp

c:\program files\Internet Explorer\SET57.tmp

c:\program files\Internet Explorer\SET58.tmp

c:\program files\Internet Explorer\SET59.tmp

c:\recycler\S-1-5-21-2596395849-1305048804-2818759859-500

c:\windows\system32\AutoRun.inf

c:\windows\system32\ctfmon .exe

c:\windows\system32\ReadMe.txt

c:\windows\system32\yk51x86.inf

.

((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))

.

2010-03-19 07:21 . 2010-03-19 07:21 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-03-18 14:34 . 2010-03-18 14:34 -------- d-----w- c:\documents and settings\Lisa\Local Settings\Application Data\AVG Security Toolbar

2010-03-18 05:22 . 2010-03-19 05:18 0 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\prvlcl.dat

2010-03-16 15:33 . 2010-03-16 15:33 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-03-16 15:33 . 2010-03-16 15:33 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-03-16 15:33 . 2010-03-16 15:33 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-03-16 15:33 . 2010-03-16 15:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-16 15:32 . 2010-03-15 07:09 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2010-03-16 15:32 . 2010-03-15 07:09 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe

2010-03-16 15:32 . 2010-03-15 07:09 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-03-16 15:32 . 2010-03-15 07:09 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-03-15 15:33 . 2010-03-15 07:10 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-03-15 15:33 . 2010-03-15 07:10 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe

2010-03-15 07:17 . 2010-03-15 07:17 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\AVG Security Toolbar

2010-03-15 07:10 . 2010-03-16 19:57 -------- d-----w- C:\$AVG

2010-03-15 07:09 . 2010-03-15 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-03-14 20:41 . 2010-03-14 20:46 139620 ----a-w- c:\windows\hpoins15.dat

2010-03-14 20:41 . 2007-09-21 12:46 1039 ------w- c:\windows\hpomdl15.dat

2010-03-14 20:23 . 2010-03-14 20:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\HP

2010-03-14 12:24 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-14 12:24 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-14 11:22 . 2010-03-14 11:22 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes

2010-03-14 11:22 . 2010-03-14 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-14 11:22 . 2010-03-15 06:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-14 10:27 . 2010-03-14 10:27 0 ----a-w- c:\documents and settings\Mike\settings.dat

2010-03-14 10:15 . 2010-03-14 10:15 -------- d-----w- c:\documents and settings\Mike\DoctorWeb

2010-03-14 10:08 . 2010-03-14 10:08 -------- d-----w- c:\program files\TrendMicro

2010-03-12 21:08 . 2010-03-14 13:59 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Windows Server

2010-03-09 18:54 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-16 15:33 . 2009-01-18 21:49 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-16 15:33 . 2009-01-18 21:49 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-16 15:33 . 2009-01-18 21:49 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-15 07:09 . 2009-01-18 21:49 -------- d-----w- c:\program files\AVG

2010-03-14 12:05 . 2009-07-14 05:42 -------- d-----w- c:\program files\iTunes

2010-03-14 12:05 . 2009-07-14 05:40 -------- d-----w- c:\program files\QuickTime

2010-03-10 11:02 . 2008-04-10 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-06 03:20 . 2009-08-01 23:07 -------- d-----w- c:\program files\Google

2010-02-20 00:50 . 2009-11-13 07:10 79488 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-02-18 17:31 . 2009-11-13 19:06 79488 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-02-11 01:44 . 2009-11-13 19:06 79488 ----a-w- c:\documents and settings\Peggy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-02-10 11:19 . 2009-01-19 02:53 -------- d-----w- c:\program files\THQ

2010-02-10 11:19 . 2008-04-10 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-23 19:13 . 2009-08-26 04:53 -------- d-----w- c:\program files\Microsoft Silverlight

2009-12-31 16:50 . 2008-04-09 18:49 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2008-04-09 18:49 916480 ----a-w- c:\windows\system32\wininet.dll

.

<pre>
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\Common Files\Adobe\Updater5\adobeupdater .exe
c:\program files\Common Files\Ahead\Lib\nerocheck .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\qttask	  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 20:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2009-07-27 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8491008]

"nwiz"="nwiz.exe" [2007-10-05 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-17 16855552]

"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]

c:\documents and settings\Peggy\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Lisa\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-16 15:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 12:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58742:TCP"= 58742:TCP:Pando Media Booster

"58742:UDP"= 58742:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/18/2009 2:49 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/18/2009 2:49 PM 242696]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/16/2010 8:33 AM 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 8:33 AM 308064]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [7/28/2009 12:25 PM 33792]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/1/2009 4:07 PM 133104]

S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [7/28/2009 12:30 PM 27904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.gamefaqs.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\p9eas4lv.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com

FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

AddRemove-{4EC8B911-98AB-4819-B5EE-D32E8A0A8AAA}_is1 - c:\documents and settings\Mike\My Documents\Michael's Stuff\Crap\DVDx\unins000.exe

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-974280231-128286620-3404963085-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:ca,6a,b9,af,77,7e,96,9e,2b,07,c0,01,fc,8f,36,90,73,9e,a4,80,48,b7,74,

d3,17,5d,4c,eb,e6,29,cd,49,6f,f1,98,c6,41,36,4d,66,6c,f5,15,36,18,aa,1e,26,\

"??"=hex:da,15,4a,69,87,b1,d4,f2,b5,09,69,a4,8e,f1,98,a1

[HKEY_USERS\S-1-5-21-974280231-128286620-3404963085-1007\Software\SecuROM\License information*]

"datasecu"=hex:bb,74,74,a9,9f,d4,0b,cf,ab,eb,e5,12,1f,e6,00,f5,2a,48,62,ef,30,

80,d2,d3,b5,b0,13,6a,65,db,b4,ab,9c,3b,84,82,b3,2e,58,e5,2e,c6,99,2b,2a,93,\

"rkeysecu"=hex:9b,5c,2a,bf,71,b9,b6,72,91,ef,97,85,7a,0c,f4,90

.

Completion time: 2010-03-19 00:32:03

ComboFix-quarantined-files.txt 2010-03-19 07:32

Pre-Run: 249,351,856,128 bytes free

Post-Run: 253,791,825,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8806A98DC52D1FAFAD92C193CCE44CDF

HiJack This

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 12:25:02 AM, on 3/19/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\program files\windows live\messenger\msnmsgr .exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\msiexec.exe

C:\Combo-Fix\CF28723.cfxxe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

C:\Combo-Fix\CF28723.cfxxe

C:\WINDOWS\PEV.exe

C:\Combo-Fix\pv.cfxxe

C:\Combo-Fix\CF28723.cfxxe

C:\Combo-Fix\SWREG.cfxxe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background

O4 - HKUS\S-1-5-21-974280231-128286620-3404963085-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Peggy')

O4 - HKUS\S-1-5-21-974280231-128286620-3404963085-1005\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Peggy')

O4 - HKUS\S-1-5-21-974280231-128286620-3404963085-1005\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (User 'Peggy')

O4 - HKUS\S-1-5-21-974280231-128286620-3404963085-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Lisa')

O4 - S-1-5-21-974280231-128286620-3404963085-1005 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Peggy')

O4 - S-1-5-21-974280231-128286620-3404963085-1005 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Peggy')

O4 - S-1-5-21-974280231-128286620-3404963085-1006 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Lisa')

O4 - S-1-5-21-974280231-128286620-3404963085-1006 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Lisa')