Printer NOT working ~Please help regarding printer spooler service!

Joker37 · Dec 4, 2010

My computer was infected by the virus, Security Tool 2011, a few days ago. Now the virus is gone (as far as I know at least) however I cannot use the printer for some reason. I think it has something to do with the virus. Anyway, how can I fix this problem and print? Whenever I try to print a message displays saying that a printer has not been installed. It then gives me an option of installing one however another message then pops up and says that the "printer spooler service is not running". What does this mean? How can I fix this problem? It is very annoying.

I also tried going to the site, http://www.technipages.com/fix-for-the-print-spooler-service-is-not-running-error.html, and following the instructions listed however it did not work.

When I got to step 2, I double-clicked the printer spooler service icon however the startup type was already in automatic. Also straight after I right clicked the printer spooler service icon and pressed 'start' a message popped up saying:

"Could not start the Printer Spooler service on Local Computer.
Error 2: The system cannot find the file specified."

I also tried going to Control Panel --> Printers and other Hardware --> Printers and Faxes

however there was nothing in there. Please somebody help me. What should I do?

johnb35 · Dec 4, 2010

I just fixed a clients computer yesterday with the same issue. Most likely you are still infected. Firstly i cant help you too much until get home from work, however check to see if you have a file by the name of spoolsv.exe in the c:\windows\system32 folder and let me know if you dont.

johnb35 · Dec 5, 2010

Now that i'm home and can post specific links, please do the following. Combofix will tell us if spoolsv.exe file is missing.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file here :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Then double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running

Joker37 · Dec 5, 2010

ComboFix log list:
ComboFix 10-12-04.02 - Lubnah 06/12/2010 8:42.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.511.182 [GMT 11:00]
Running from: c:\documents and settings\Lubnah\Desktop\ComboFix.exe
AV: BP Security Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\Lubnah\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Lubnah\Application Data\completescan
c:\documents and settings\Lubnah\Application Data\install
c:\windows\PRAGMAixvpfpcbcv
c:\windows\PRAGMAixvpfpcbcv\PRAGMAc.dll
c:\windows\PRAGMAixvpfpcbcv\PRAGMAcfg.ini
c:\windows\PRAGMAixvpfpcbcv\PRAGMAd.sys
c:\windows\PRAGMAixvpfpcbcv\PRAGMAsrcr.dat
c:\windows\system32\PRAGMAerrors.log
c:\windows\system32\USRINI~1.EXE

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMAIXVPFPCBCV
-------\Legacy_RKHIT
-------\Legacy_SVCHOST32
-------\Service_PRAGMAixvpfpcbcv

((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))
.

2010-12-05 21:38 . 2010-12-05 21:38 -------- d-----w- C:\found.002
2010-12-04 18:49 . 2010-11-29 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-04 18:49 . 2010-11-29 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-01 23:37 . 2010-12-04 18:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-01 04:30 . 2010-12-01 04:30 -------- d-----w- c:\windows\LMI3F.tmp
2010-12-01 04:18 . 2010-12-01 04:18 -------- d-----w- c:\windows\LMI43.tmp
2010-11-24 04:07 . 2010-11-24 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-11-20 09:21 . 2010-11-20 09:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-11-18 12:44 . 2010-11-18 14:59 -------- d-----w- c:\documents and settings\p
2010-11-18 07:20 . 2010-11-18 07:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\FileOpen
2010-11-18 07:20 . 2010-11-18 07:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-11-12 13:54 . 2010-11-12 17:11 -------- d-----w- c:\documents and settings\max.LENOVO-HOME.003
2010-11-12 02:07 . 2010-11-12 02:07 -------- d-----w- c:\documents and settings\Lubnah\Application Data\Malwarebytes
2010-11-12 01:30 . 2010-11-12 01:30 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-11-12 00:46 . 2010-11-12 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-09 12:38 . 2010-11-09 20:10 -------- d-----w- c:\documents and settings\max.LENOVO-HOME.002
2010-11-08 11:58 . 2010-11-08 11:58 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-11-08 11:58 . 2010-11-08 11:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-07 22:52 . 2010-11-07 23:41 -------- d-----w- c:\documents and settings\max.LENOVO-HOME.001
2010-11-06 08:20 . 2010-11-06 08:20 -------- d-----w- c:\documents and settings\Lubnah\Local Settings\Application Data\Threat Expert
2010-11-06 05:06 . 2010-11-06 05:06 -------- d-----w- C:\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-21 02:17 . 2009-08-17 18:30 40 ----a-w- C:\ZTWIN.BAT
2010-09-18 06:53 . 2009-11-07 03:16 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-11-07 03:16 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 01:23 . 2007-06-25 02:32 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-10 05:58 . 2007-06-25 05:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2008-06-25 11:51 . 2008-06-25 11:51 118784 ----a-w- c:\program files\internet explorer\plugins\LV86ActiveXControl.dll
.

------- Sigcheck -------

[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2007-06-25 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe

c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 06:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-04-30 5472016]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-08 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-08 81920]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 40960]
"ESP"="c:\program files\bigpond\security\app\start.exe" [2009-11-02 62952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-21 122368]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-07 2780432]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Lubnah\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Catalyst System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-8-12 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2/09/2009 6:20 PM 13360]
R2 AMP;AMP;c:\windows\system32\drivers\amp.sys [23/09/2009 10:41 AM 121896]
R2 AMPSE;AMPSE;c:\windows\system32\drivers\ampse.sys [23/09/2009 10:41 AM 956968]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2/09/2009 6:20 PM 69936]
R2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [25/06/2009 6:17 PM 87328]
R2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [25/06/2009 6:17 PM 116000]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/01/2010 3:23 PM 135664]
S2 SBAMSvc;AntiMalware;c:\program files\Common Files\Sunbelt\SBAMSvc.exe [8/09/2009 1:46 PM 1012040]
S3 DFBCFDBA;DFBCFDBA; [x]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/08/2009 3:58 PM 93872]
S3 vbma012f;Virtual Bus for Microsoft ACPI-Compliant System; [x]
S3 XoftSpyService;XoftSpyService;"c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe" --> c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 04:23]

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 04:23]

2010-12-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 06:50]

2010-12-05 c:\windows\Tasks\User_Feed_Synchronization-{0D7654D3-C6AF-4895-B3E3-901C128F42A7}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/?ocid=hmlogout
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Clowidonokecikot - c:\windows\dinrsr.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-06 09:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3712)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\bigpond\security\App\syssvcnt.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\National Instruments\MAX\nimxs.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\National Instruments\Shared\Tagger\tagsrv.exe
c:\windows\system32\HPZipm12.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\SOUNDMAN.EXE
c:\program files\bigpond\security\app\Console.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-12-06 09:15:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-05 22:15

Pre-Run: 99,408,838,656 bytes free
Post-Run: 99,736,399,872 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - E48BCFEE52ACD8671BC022A4FD9D0D4C

HijackThis log list:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:23:43 AM, on 6/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\bigpond\security\App\syssvcnt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
c:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\bigpond\security\app\Console.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Documents and Settings\Lubnah\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/?ocid=hmlogout
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: Yahoo!7 Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\bigpond\security\App\popupbho01.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: BigPond Security Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\bigpond\security\App\popupbho01.dll
O3 - Toolbar: Yahoo!7 Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [ESP] C:\Program Files\bigpond\security\app\start.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Catalyst System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BigPond Security System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\bigpond\security\App\syssvcnt.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: AntiMalware (SBAMSvc) - Unknown owner - c:\Program Files\Common Files\Sunbelt\SBAMSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: vseamps - Authentium, Inc - c:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
O23 - Service: vsedsps - Authentium, Inc - c:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

--
End of file - 12535 bytes

My computer is running normally. I'm not sure how to comment on how its running really. I still have internet connection. There is no problem turning the printer on/off however it still does not print. Whenever I try to print a web page a message pops up and says:

"Before you can perform printer-related tasks such as page setup or printing a document, you need to install a printer. Do you want to install a printer now? |Yes|No|"

When I click yes to the alternatives another message pops up saying:

"Operation could not be completed. The print spooler service is not running."

Also, I tried looking for the spoolsv.exe file going to:
start --> search
and found two files however its weird how it's missing from c:\windows\System32
Would copying and pasting it there solve the problem?
I'm not sure if this is relevant but these two files are from:
C:\Backup\WINDOWS\ServicePackFiles\i386
C:\Backup\WINDOWS\system32

johnb35 · Dec 5, 2010

Ok, your spoolsv.exe file is missing, so we'll fix that first.

I didn't see the bottom of your post until after I posted this.

You can try right clicking on one of those files and click on copy and then go into the system32 folder and click on paste.

If it won't allow you to do that then let me konw.

Joker37 · Dec 5, 2010

johnb35 said:
Ok, your spoolsv.exe file is missing, so we'll fix that first.

I didn't see the bottom of your post until after I posted this.

You can try right clicking on one of those files and click on copy and then go into the system32 folder and click on paste.

If it won't allow you to do that then let me konw.

I copied and pasted one of the files successfully into C:\WINDOWS\system32.
It was the one from C:\Backup\WINDOWS\ServicePackFiles\i386 which I copied and pasted.
But I still cannot print and it said that the print spooler service was not running. Could it be damaged?

johnb35 · Dec 5, 2010

Now all we have to do is start the print spooler service. Click on start, click run, type "services.msc" without the quotes and click on ok. When the page loads up, find the service labeled print spooler and double click on it.

Make sure the startup type says automatic and then click on the start button to start the service. Reboot your computer. You may or may not have to reinstall the printer. Once you restart the printer should show up in the printers and faxes location.

Let me know. However, we are still not done removing the rest of your infections. I just want to get your printer working first.

Joker37 · Dec 5, 2010

johnb35 said:
Now all we have to do is start the print spooler service. Click on start, click run, type "services.msc" without the quotes and click on ok. When the page loads up, find the service labeled print spooler and double click on it.

Make sure the startup type says automatic and then click on the start button to start the service. Reboot your computer. You may or may not have to reinstall the printer. Once you restart the printer should show up in the printers and faxes location.

Let me know. However, we are still not done removing the rest of your infections. I just want to get your printer working first.

OMG, Johnb35, it worked!
Yay, so happy now.
Can't thank you enough mate!

edit: I didn't have to reinstall the printer.
Also, with these other infections my computer has...they're not that serious are they? What do you recommend I do about them? Would it be possible to fix all these infections?

johnb35 · Dec 5, 2010

Very good.

Now, lets continue with your infections. If you haven't ran malwarebytes lets do so now.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

Post a fresh hijackthis log after running and posting the malwarebytes log.

Joker37 · Dec 6, 2010

johnb35 said:
Very good.

Now, lets continue with your infections. If you haven't ran malwarebytes lets do so now.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to

Update Malwarebytes' Anti-Malware

and Launch Malwarebytes' Anti-Malware

then click Finish.

If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.

Once the program has loaded, select Perform quick scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

Post a fresh hijackthis log after running and posting the malwarebytes log.

I performed a Malewarebytes' Anti-Malware full scan yesterday. Please tell me if I should do another one.
Below is the log for the one I did yesterday:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5243

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/12/2010 7:16:08 AM
mbam-log-2010-12-05 (07-16-08).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 445188
Time elapsed: 1 hour(s), 20 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 7
Registry Data Items Infected: 4
Folders Infected: 7
Files Infected: 43

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{003541A1-3BC0-1B1C-AAF3-040114001C01} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AnVi (Rogue.AnVi) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RkHit (Rogue.SpywareCease) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfrgsnapnt.exe (Trojan.FakeAlert) -> Value: dfrgsnapnt.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SwUpdate (Trojan.Agent) -> Value: SwUpdate -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sezfile\shell\open\command\(default) (Rogue.MultipleAV) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Value: 24d1ca9a-a864-4f7b-86fe-495eb56529d8 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Value: 7bde84a2-f58f-46ec-9eac-f1f90fead080 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{BEBB65DF-DB54-7747-79F5-96DBA73B96B6} (Trojan.ZbotR.Gen) -> Value: {BEBB65DF-DB54-7747-79F5-96DBA73B96B6} -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\AnVi (Rogue.AntiVirus) -> Quarantined and deleted successfully.
c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\setups (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\spyware cease (Rogue.SpywareCease) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\Temp\dfrgsnapnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\start menu\Programs\Startup\unihi.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\start menu\Programs\Startup\yxqui.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-73586283-573735546-725345543-1004\Dc495.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-73586283-573735546-725345543-1004\Dc496.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-73586283-573735546-725345543-1004\Dc497.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{56af33ab-4836-4b5a-9887-25b6813b0b1d}\RP400\A0348497.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{56af33ab-4836-4b5a-9887-25b6813b0b1d}\RP400\A0348498.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{56af33ab-4836-4b5a-9887-25b6813b0b1d}\RP400\A0348499.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{56af33ab-4836-4b5a-9887-25b6813b0b1d}\RP400\A0348500.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{56af33ab-4836-4b5a-9887-25b6813b0b1d}\RP400\A0348501.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\us?rinit.exe (Rogue.Multiple) -> Delete on reboot.
c:\WINDOWS\Temp\49C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\49E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\eapp32hst.dll (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\Lubnah\application data\Adobe\plugs\kb12862890.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\dkfjasdfshd.bat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Lubnah\start menu\Programs\Startup\chkntfs.exe (Trojan.Downloader) -> Delete on reboot.
c:\WINDOWS\system32\config\svchost.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\Setup\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.14536761675639898.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Yusuf\local settings\Temp\h8srt9c93.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Yusuf\local settings\Temp\h8srtb183.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Yusuf\local settings\Temp\pdfupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\windows_security_center.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Lubnah\local settings\application data\MSASCui.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\program files\AnVi\splash.mp3 (Rogue.AntiVirus) -> Quarantined and deleted successfully.
c:\program files\AnVi\Thumbs.db (Rogue.AntiVirus) -> Quarantined and deleted successfully.
c:\program files\AnVi\virus.mp3 (Rogue.AntiVirus) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\Cache\006AAC49.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\spyware cease\md5.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\mtools.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\networkdll.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\opfile.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\QAreaDLL.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\RkHitApi.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\sctdll.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\spkdll.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\spywarecease.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\udefend.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\ussafe.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\zlib1.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.

New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:00:20 AM, on 6/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\bigpond\security\app\Console.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\Program Files\bigpond\security\App\syssvcnt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
c:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Lubnah\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/?ocid=hmlogout
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: Yahoo!7 Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\bigpond\security\App\popupbho01.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: BigPond Security Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\bigpond\security\App\popupbho01.dll
O3 - Toolbar: Yahoo!7 Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [ESP] C:\Program Files\bigpond\security\app\start.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Catalyst System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BigPond Security System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\bigpond\security\App\syssvcnt.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: AntiMalware (SBAMSvc) - Unknown owner - c:\Program Files\Common Files\Sunbelt\SBAMSvc.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: vseamps - Authentium, Inc - c:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
O23 - Service: vsedsps - Authentium, Inc - c:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

--
End of file - 12638 bytes

johnb35 · Dec 6, 2010

Please perform another scan with malwarebytes, make sure you update it first as the latest database version is 5252. Post its log along with a fresh hijackthis log afterwards.

I'm going out for a little bit but will be back within the hour and will check in when i get back.

Joker37 · Dec 6, 2010

Malwarebytes' Anti-Malware log:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5252

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/12/2010 11:56:59 AM
mbam-log-2010-12-06 (11-56-59).txt

Scan type: Quick scan
Objects scanned: 244053
Time elapsed: 26 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:58:50 AM, on 6/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\bigpond\security\app\Console.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\Program Files\bigpond\security\App\syssvcnt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
c:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Lubnah\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/?ocid=hmlogout
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: Yahoo!7 Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\bigpond\security\App\popupbho01.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: BigPond Security Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\bigpond\security\App\popupbho01.dll
O3 - Toolbar: Yahoo!7 Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [ESP] C:\Program Files\bigpond\security\app\start.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Catalyst System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BigPond Security System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\bigpond\security\App\syssvcnt.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: AntiMalware (SBAMSvc) - Unknown owner - c:\Program Files\Common Files\Sunbelt\SBAMSvc.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: vseamps - Authentium, Inc - c:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
O23 - Service: vsedsps - Authentium, Inc - c:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

--
End of file - 12745 bytes

johnb35 · Dec 6, 2010

Unfortunately my home internet is down right now so I'm posting this from my phone. I will reply back with instructions when I get internet back.

johnb35 · Dec 6, 2010

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:

File::
c:\windows\LMI3F.tmp
c:\windows\LMI43.tmp

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Also please do the following.

Download Security Check from here or here
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Also please use hijackthis to post an uninstall log. Open hijackthis, click on open misc tools section, click on open uninstall manager, click on save list and save it, then copy and paste that log back here.

Also please download and install this program but do not run it yet.

http://download.cnet.com/ccleaner/

Joker37 · Dec 23, 2010

Sorry for the late reply. Been too busy preparing with exams lately and just got a bit lazy.

ComboFix log:
ComboFix 10-12-22.05 - Lubnah 23/12/2010 21:02:40.3.2 - x86
Running from: c:\documents and settings\Lubnah\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lubnah\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

FILE ::
"c:\windows\LMI3F.tmp"
"c:\windows\LMI43.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\spool\prtprocs\w32x86\xuOC7s317u.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-23 to 2010-12-23 )))))))))))))))))))))))))))))))
.

2010-12-22 04:15 . 2010-12-22 04:15 -------- d-----w- C:\spoolerlogs
2010-12-16 19:00 . 2010-12-16 19:01 -------- d-----w- C:\680c114bc681db10c7
2010-12-16 04:27 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 04:27 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-11 15:40 . 2010-12-11 15:40 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2010-12-11 15:34 . 2010-12-11 15:34 -------- d-----w- c:\program files\VideoLAN
2010-12-11 15:34 . 2010-12-11 15:40 -------- d-----w- c:\program files\Graboid
2010-12-06 00:29 . 2010-11-29 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 00:29 . 2010-11-29 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 23:21 . 2010-08-17 13:17 58880 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
2010-12-05 23:21 . 2010-08-17 13:17 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-12-05 21:38 . 2010-12-05 21:38 -------- d-----w- C:\found.002
2010-12-01 23:37 . 2010-12-06 00:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-01 04:30 . 2010-12-01 04:30 -------- d-----w- c:\windows\LMI3F.tmp
2010-12-01 04:18 . 2010-12-01 04:18 -------- d-----w- c:\windows\LMI43.tmp
2010-11-24 04:07 . 2010-11-24 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-11-07 03:16 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2007-06-25 05:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2009-11-07 03:15 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-11-07 03:16 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-11-07 03:15 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-21 02:17 . 2009-08-17 18:30 40 ----a-w- C:\ZTWIN.BAT
2008-06-25 11:51 . 2008-06-25 11:51 118784 ----a-w- c:\program files\internet explorer\plugins\LV86ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 06:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-04-30 5472016]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-08 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-08 81920]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 40960]
"ESP"="c:\program files\bigpond\security\app\start.exe" [2009-11-02 62952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-21 122368]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-07 2780432]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Lubnah\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Catalyst System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-8-12 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R2 SBAMSvc;AntiMalware;c:\program files\Common Files\Sunbelt\SBAMSvc.exe [2009-09-08 1012040]
R3 DFBCFDBA;DFBCFDBA; [x]
R3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2009-08-05 93872]
R3 vbma012f;Virtual Bus for Microsoft ACPI-Compliant System; [x]
R3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [x]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-09-11 13360]
S2 AMP;AMP;c:\windows\system32\DRIVERS\amp.sys [2009-09-22 121896]
S2 AMPSE;AMPSE;c:\windows\system32\DRIVERS\ampse.sys [2009-09-22 956968]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-03-04 69936]
S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2009-06-25 87328]
S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2009-06-25 116000]

.
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-12-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 04:23]

2010-12-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 04:23]

2010-12-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 06:50]

2010-12-23 c:\windows\Tasks\User_Feed_Synchronization-{0D7654D3-C6AF-4895-B3E3-901C128F42A7}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/?ocid=hmlogout
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-23 22:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\Lubnah\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160812AS_________________41N3268_LEN rev.3.AAH -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82FEBEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x82109872; SUB DWORD [EBP-0x4], 0x8210912e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x83151AB8]
3 CLASSPNP[0xF8685FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x82E749D0]
[0x83108558] -> IRP_MJ_CREATE -> 0x82FEBEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3160812AS_________________41N3268_LEN_3.AAH___#5&27eb323d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82FEBAEA
user & kernel MBR OK
copy of MBR has been found in sector 9 !
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3528)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\bigpond\security\App\syssvcnt.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\National Instruments\MAX\nimxs.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\National Instruments\Shared\Tagger\tagsrv.exe
c:\windows\system32\HPZipm12.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\SOUNDMAN.EXE
c:\program files\bigpond\security\app\Console.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-12-23 22:29:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-23 11:29
ComboFix2.txt 2010-12-05 22:15

Pre-Run: 97,047,076,864 bytes free
Post-Run: 99,551,514,624 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 1789999D9DB69CD520AACFAA241BC8D0

Security Check Document:
Results of screen317's Security Check version 0.99.8
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Anti-Virus (Command Software 5)
Firewall (User)
Firewall (Core 2)
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 17
Out of date Java installed!
Adobe Flash Player
Adobe Reader 7.0
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````

hijackthis uninstall log:
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Anti-Spyware (Sunbelt3)
Anti-Virus (Command Software 5)
Apple Application Support
Apple Software Update
Ask Toolbar
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Authentium Install Helper
AVSDK5
BigPond (BIUS)
BigPond Security
Conduit Engine
ESP
Firewall (Core 2)
Firewall (User)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Graboid Video 1.73
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Product Assistant
HP Solution Center 7.0
HP Update
HSF2014 56K Data Fax Modem
InterVideo WinDVD
Java(TM) 6 Update 17
Logitech Vid
Logitech Webcam Software
Logitech Webcam Software Driver Package
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
National Instruments Software
OCR Software by I.R.I.S 7.0
PC-Doctor 5 for Windows
Popup Blocker
QuickTime
Realtek AC'97 Audio
RocketReader Version 8.00
SearchElf 1.2 Toolbar
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype Toolbars
Skype™ 4.2
ThinkVantage System Update
Third Party Prerequisites
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.0.1
Web Filtering (Base 2)
Web Filtering (Base)
Web Filtering (Kids Page)
Web Filtering (RuleSpace CFI Anti-Phishing)
Web Filtering (Rulespace CFI)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Search Protection
Yahoo!7 Toolbar

johnb35 · Dec 23, 2010

Uh oh. Looks like you have had some new issues come about. Now you have a rootkit infection. Please do the following.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.

If the log says will be cured after reboot, please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it. Please open the log and copy and paste it back here.

Go ahead and run that while i go through your logs.

johnb35 · Dec 23, 2010

This post will have multiple procedures to perform, so make sure everything is completed.

1.

Please uninstall the following programs via add/remove programs.

Adobe Reader 7.0
Ask Toolbar
Java(TM) 6 Update 17
SearchElf 1.2 Toolbar

2.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:

Folder::
c:\windows\LMI3F.tmp
c:\windows\LMI43.tmp

Driver::
DFBCFDBA

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

3.

Download and install the latest versions of Java and Adobe reader from these links.

http://get.adobe.com/reader/?promoid=BUIGO

http://www.java.com/en/download/index.jsp

4.

Rerun a malwarebytes scan after you update it of course and then post its log along with a fresh hijackthis log.

Joker37 · Dec 23, 2010

johnb35 said:
Please open the log and copy and paste it back here.

These came from three of those TDSSKiller documents:

2010/12/24 04:48:23.0718 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/24 04:48:23.0718 ================================================================================
2010/12/24 04:48:23.0718 SystemInfo:
2010/12/24 04:48:23.0718
2010/12/24 04:48:23.0718 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/24 04:48:23.0718 Product type: Workstation
2010/12/24 04:48:23.0718 ComputerName: LENOVO-HOME
2010/12/24 04:48:23.0718 UserName: Lubnah
2010/12/24 04:48:23.0718 Windows directory: C:\WINDOWS
2010/12/24 04:48:23.0718 System windows directory: C:\WINDOWS
2010/12/24 04:48:23.0718 Processor architecture: Intel x86
2010/12/24 04:48:23.0718 Number of processors: 2
2010/12/24 04:48:23.0718 Page size: 0x1000
2010/12/24 04:48:23.0718 Boot type: Normal boot
2010/12/24 04:48:23.0718 ================================================================================
2010/12/24 04:48:24.0765 Initialize success
2010/12/24 04:48:27.0296 ================================================================================
2010/12/24 04:48:27.0296 Scan started
2010/12/24 04:48:27.0296 Mode: Manual;
2010/12/24 04:48:27.0296 ================================================================================
2010/12/24 04:48:30.0343 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/24 04:48:30.0656 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/24 04:48:30.0921 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/24 04:48:31.0234 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/24 04:48:31.0515 ALCXWDM (1f753af649021cece56451fb60d0a015) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/12/24 04:48:32.0171 AMP (2f71ca5f8bc73205352861569d9422ef) C:\WINDOWS\system32\DRIVERS\amp.sys
2010/12/24 04:48:32.0421 AMPSE (87eac076a7a1508992d47607be1d307f) C:\WINDOWS\system32\DRIVERS\ampse.sys
2010/12/24 04:48:32.0812 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/24 04:48:33.0171 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/24 04:48:33.0328 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/24 04:48:33.0515 ati2mtag (7a95a5f3ed40a3b6f1275821553f3f4f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/24 04:48:34.0062 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/24 04:48:34.0234 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/24 04:48:34.0421 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/24 04:48:34.0640 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/24 04:48:34.0781 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/12/24 04:48:34.0890 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/24 04:48:35.0109 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/24 04:48:35.0359 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/24 04:48:35.0687 cvintdrv (dbd89bc0dbe00dcd245be8f61dbee291) C:\WINDOWS\system32\drivers\cvintdrv.sys
2010/12/24 04:48:35.0875 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/24 04:48:35.0921 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/24 04:48:36.0125 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/24 04:48:36.0296 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/24 04:48:36.0515 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/24 04:48:36.0687 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/24 04:48:37.0031 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/24 04:48:37.0250 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/24 04:48:37.0390 FilterService (a75ddc492d2d1d6558ad8003a4adb73a) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2010/12/24 04:48:37.0515 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/24 04:48:37.0734 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/24 04:48:37.0921 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/24 04:48:38.0078 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/24 04:48:38.0281 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/24 04:48:38.0359 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/24 04:48:38.0515 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/24 04:48:38.0687 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/12/24 04:48:38.0796 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/12/24 04:48:38.0890 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/12/24 04:48:39.0015 HSFHWBS2 (0ede148eed2a4e212dad6ef29b73fc0b) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/12/24 04:48:39.0265 HSF_DP (d9eb0b254da1a80ebe607cdac8c38e5d) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/12/24 04:48:39.0593 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/24 04:48:39.0734 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/24 04:48:39.0828 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/24 04:48:40.0000 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/24 04:48:40.0187 intelppm (a0c76dc0ac27a5afb007acc9427d9929) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/24 04:48:40.0187 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: a0c76dc0ac27a5afb007acc9427d9929, Fake md5: 8c953733d8f36eb2133f5bb58808b66b
2010/12/24 04:48:40.0203 intelppm - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/24 04:48:40.0234 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/24 04:48:40.0468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/24 04:48:40.0593 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/24 04:48:40.0671 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/24 04:48:40.0781 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/24 04:48:40.0890 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/24 04:48:41.0093 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/24 04:48:41.0218 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/24 04:48:41.0359 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/24 04:48:41.0406 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/24 04:48:41.0437 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
2010/12/24 04:48:41.0531 L8042mou (8a5993705add14352c9a279fa8338334) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2010/12/24 04:48:41.0750 LMouKE (9837e55673818ecd8febb47f7f77521a) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2010/12/24 04:48:41.0937 LVPr2Mon (c57c48fb9ae3efb9848af594e3123a63) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2010/12/24 04:48:42.0218 LVUVC (291f69b3dda0f033d2490c5ba5179f7c) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2010/12/24 04:48:43.0015 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/24 04:48:43.0218 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/24 04:48:43.0359 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/24 04:48:43.0390 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/24 04:48:43.0484 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/24 04:48:43.0593 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/24 04:48:43.0625 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/24 04:48:43.0703 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/24 04:48:43.0765 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/24 04:48:43.0781 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/24 04:48:43.0875 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/24 04:48:44.0000 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/24 04:48:44.0046 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/24 04:48:44.0156 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/12/24 04:48:44.0234 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/24 04:48:44.0390 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/12/24 04:48:44.0484 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/24 04:48:44.0531 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/12/24 04:48:44.0609 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/24 04:48:44.0796 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/24 04:48:44.0875 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/24 04:48:44.0984 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/24 04:48:45.0015 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/24 04:48:45.0125 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/24 04:48:45.0265 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/24 04:48:45.0343 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/24 04:48:45.0421 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/24 04:48:45.0625 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/24 04:48:45.0750 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/24 04:48:45.0937 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/24 04:48:46.0078 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/24 04:48:46.0171 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/24 04:48:46.0359 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/24 04:48:46.0421 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/24 04:48:46.0515 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/24 04:48:46.0750 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/24 04:48:46.0812 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/24 04:48:47.0125 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/24 04:48:47.0562 ================================================================================
2010/12/24 04:48:47.0562 Scan finished
2010/12/24 04:48:47.0562 ================================================================================
2010/12/24 04:48:47.0593 Detected object count: 1
2010/12/24 04:49:32.0531 intelppm (a0c76dc0ac27a5afb007acc9427d9929) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/24 04:49:32.0531 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: a0c76dc0ac27a5afb007acc9427d9929, Fake md5: 8c953733d8f36eb2133f5bb58808b66b
2010/12/24 04:49:34.0671 Backup copy found, using it..
2010/12/24 04:49:34.0812 C:\WINDOWS\system32\DRIVERS\intelppm.sys - will be cured after reboot
2010/12/24 04:49:34.0812 Rootkit.Win32.TDSS.tdl3(intelppm) - User select action: Cure
2010/12/24 04:49:54.0171 Deinitialize success

2010/12/24 05:05:03.0734 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/24 05:05:03.0734 ================================================================================
2010/12/24 05:05:03.0734 SystemInfo:
2010/12/24 05:05:03.0734
2010/12/24 05:05:03.0734 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/24 05:05:03.0734 Product type: Workstation
2010/12/24 05:05:03.0734 ComputerName: LENOVO-HOME
2010/12/24 05:05:03.0734 UserName: Lubnah
2010/12/24 05:05:03.0734 Windows directory: C:\WINDOWS
2010/12/24 05:05:03.0734 System windows directory: C:\WINDOWS
2010/12/24 05:05:03.0734 Processor architecture: Intel x86
2010/12/24 05:05:03.0734 Number of processors: 2
2010/12/24 05:05:03.0734 Page size: 0x1000
2010/12/24 05:05:03.0734 Boot type: Normal boot
2010/12/24 05:05:03.0734 ================================================================================
2010/12/24 05:05:04.0187 Initialize success
2010/12/24 05:05:07.0250 ================================================================================
2010/12/24 05:05:07.0250 Scan started
2010/12/24 05:05:07.0250 Mode: Manual;
2010/12/24 05:05:07.0250 ================================================================================
2010/12/24 05:05:09.0875 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/24 05:05:09.0921 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/24 05:05:10.0015 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/24 05:05:10.0093 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/24 05:05:10.0359 ALCXWDM (1f753af649021cece56451fb60d0a015) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/12/24 05:05:10.0859 AMP (2f71ca5f8bc73205352861569d9422ef) C:\WINDOWS\system32\DRIVERS\amp.sys
2010/12/24 05:05:10.0937 AMPSE (87eac076a7a1508992d47607be1d307f) C:\WINDOWS\system32\DRIVERS\ampse.sys
2010/12/24 05:05:11.0203 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/24 05:05:11.0359 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/24 05:05:11.0437 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/24 05:05:11.0609 ati2mtag (7a95a5f3ed40a3b6f1275821553f3f4f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/24 05:05:11.0796 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/24 05:05:11.0859 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/24 05:05:11.0937 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/24 05:05:12.0250 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/24 05:05:12.0328 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/12/24 05:05:12.0437 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/24 05:05:12.0515 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/24 05:05:12.0562 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/24 05:05:12.0781 cvintdrv (dbd89bc0dbe00dcd245be8f61dbee291) C:\WINDOWS\system32\drivers\cvintdrv.sys
2010/12/24 05:05:12.0953 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/24 05:05:13.0031 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/24 05:05:13.0156 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/24 05:05:13.0218 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/24 05:05:13.0312 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/24 05:05:13.0390 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/24 05:05:13.0484 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/24 05:05:13.0546 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/24 05:05:13.0609 FilterService (a75ddc492d2d1d6558ad8003a4adb73a) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2010/12/24 05:05:13.0687 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/24 05:05:13.0734 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/24 05:05:13.0812 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/24 05:05:13.0921 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/24 05:05:13.0968 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/24 05:05:14.0062 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/24 05:05:14.0140 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/24 05:05:14.0250 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/12/24 05:05:14.0312 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/12/24 05:05:14.0437 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/12/24 05:05:14.0531 HSFHWBS2 (0ede148eed2a4e212dad6ef29b73fc0b) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/12/24 05:05:14.0718 HSF_DP (d9eb0b254da1a80ebe607cdac8c38e5d) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/12/24 05:05:14.0890 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/24 05:05:15.0046 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/24 05:05:15.0109 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/24 05:05:15.0250 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/24 05:05:15.0328 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/24 05:05:15.0421 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/24 05:05:15.0484 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/24 05:05:15.0546 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/24 05:05:15.0625 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/24 05:05:15.0656 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/24 05:05:15.0718 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/24 05:05:15.0796 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/24 05:05:15.0859 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/24 05:05:15.0937 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/24 05:05:15.0984 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/24 05:05:16.0031 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
2010/12/24 05:05:16.0093 L8042mou (8a5993705add14352c9a279fa8338334) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2010/12/24 05:05:16.0234 LMouKE (9837e55673818ecd8febb47f7f77521a) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2010/12/24 05:05:16.0328 LVPr2Mon (c57c48fb9ae3efb9848af594e3123a63) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2010/12/24 05:05:16.0562 LVUVC (291f69b3dda0f033d2490c5ba5179f7c) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2010/12/24 05:05:17.0125 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/24 05:05:17.0203 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/24 05:05:17.0281 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/24 05:05:17.0312 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/24 05:05:17.0390 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/24 05:05:17.0468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/24 05:05:17.0515 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/24 05:05:17.0593 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/24 05:05:17.0687 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/24 05:05:17.0734 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/24 05:05:17.0859 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/24 05:05:17.0937 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/24 05:05:18.0000 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/24 05:05:18.0046 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/12/24 05:05:18.0140 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/24 05:05:18.0218 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/12/24 05:05:18.0312 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/24 05:05:18.0406 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/12/24 05:05:18.0500 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/24 05:05:18.0546 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/24 05:05:18.0593 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/24 05:05:18.0656 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/24 05:05:18.0687 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/24 05:05:18.0734 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/24 05:05:18.0890 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/24 05:05:18.0984 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/24 05:05:19.0031 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/24 05:05:19.0234 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/24 05:05:19.0296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/24 05:05:19.0375 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/24 05:05:19.0484 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/24 05:05:19.0546 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/24 05:05:19.0625 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/24 05:05:19.0703 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/24 05:05:19.0765 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/24 05:05:19.0875 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/24 05:05:19.0921 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/24 05:05:20.0375 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/24 05:05:20.0531 ================================================================================
2010/12/24 05:05:20.0531 Scan finished
2010/12/24 05:05:20.0531 ================================================================================
2010/12/24 05:05:25.0203 Deinitialize success

2010/12/24 05:06:40.0968 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/24 05:06:40.0968 ================================================================================
2010/12/24 05:06:40.0968 SystemInfo:
2010/12/24 05:06:40.0968
2010/12/24 05:06:40.0968 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/24 05:06:40.0968 Product type: Workstation
2010/12/24 05:06:40.0968 ComputerName: LENOVO-HOME
2010/12/24 05:06:40.0968 UserName: Lubnah
2010/12/24 05:06:40.0968 Windows directory: C:\WINDOWS
2010/12/24 05:06:40.0968 System windows directory: C:\WINDOWS
2010/12/24 05:06:40.0968 Processor architecture: Intel x86
2010/12/24 05:06:40.0968 Number of processors: 2
2010/12/24 05:06:40.0968 Page size: 0x1000
2010/12/24 05:06:40.0968 Boot type: Normal boot
2010/12/24 05:06:40.0968 ================================================================================
2010/12/24 05:06:41.0156 Initialize success
2010/12/24 05:06:55.0562 Deinitialize success

johnb35 · Dec 23, 2010

Just make sure you reboot the computer and then perform the other procedures I posted.

Joker37 · Dec 23, 2010

johnb35 said:
This post will have multiple procedures to perform, so make sure everything is completed.

1.

Please uninstall the following programs via add/remove programs.

Adobe Reader 7.0
Ask Toolbar
Java(TM) 6 Update 17

I clicked start --> control panel --> add or remove programs
however I was not able to remove the three programs above.

After I clicked the remove button on each of them a message popped up in a few seconds after saying:

"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

It wasn't in safe mode.

Is it necessary that I remove these programs?
Can I proceed to the subsequent steps?

Printer NOT working ~Please help regarding printer spooler service!

New Member

Administrator

Administrator

New Member

Administrator

New Member

Administrator

New Member

Administrator

New Member

Administrator

New Member

Administrator

Administrator

New Member

Administrator

Administrator

New Member

Administrator

New Member