Cannot access help and support + system restore + explorer tools => options function

BB1BB1
edited April 2008 in Spyware & Virus Removal
Hello there

I'm new here but I have been following some of the threads and trying out various solutions to my problem outlined in my title. I think this is such a fantastic forum and was wondering if anyone would be able to help me out. :)

This only started happening in the past few days... I found that I am unable to access Internet Explorer's Tools => Options folder even though I can access it in Control Panel and the C drive's hidden Documents and Settings files. The error says the operation has been cancelled due to restrictions in effect on your computer. Please contact your system administrator (I am the owner and only user).

I also found this morning that I could not use Help and Support or System Restore, in either normal or safe mode, to rewind back the changes. Every time I open Help and Support or System Restore I get an error msg saying Microsoft support and help center has encountered a problem and needs to close. Then I send an error report, and it shuts down everything.

I have used two antivirus checkers + reg checkers + cleaners + tried to reboot in safe mode etc... and read a lot of forum threads for advice. I tried typing regedit in my Run command line but it states it has been disabled.

This is my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:11 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\hwshell.exe
C:\WINDOWS\system32\JWPEN.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
c:\wamp\apache2\bin\httpd.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\wamp\apache2\bin\httpd.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?716834&e23f93498ca4401fe0db6d1aad49db8b
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R3 - URLSearchHook: FreeWorldRadio Toolbar - {7f377e8b-b4a7-46e1-950e-f04276e9bf6f} - C:\Program Files\FreeWorldRadio\tbFree.dll
R3 - URLSearchHook: websitetrafficbuildingtool Toolbar - {b8e7fe85-9bd4-43a0-b1a2-863a6ce455e4} - C:\Program Files\websitetrafficbuildingtool\tbwebs.dll
R3 - URLSearchHook: AdFactoryPro Toolbar - {fbf7f820-644c-4edd-9816-0a5463130bb8} - C:\Program Files\AdFactoryPro\tbAdFa.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FreeWorldRadio Toolbar - {7f377e8b-b4a7-46e1-950e-f04276e9bf6f} - C:\Program Files\FreeWorldRadio\tbFree.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: websitetrafficbuildingtool Toolbar - {b8e7fe85-9bd4-43a0-b1a2-863a6ce455e4} - C:\Program Files\websitetrafficbuildingtool\tbwebs.dll
O2 - BHO: AdFactoryPro Toolbar - {fbf7f820-644c-4edd-9816-0a5463130bb8} - C:\Program Files\AdFactoryPro\tbAdFa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: FreeWorldRadio Toolbar - {7f377e8b-b4a7-46e1-950e-f04276e9bf6f} - C:\Program Files\FreeWorldRadio\tbFree.dll
O3 - Toolbar: SeoQuake - {9C590067-8A6A-4db6-B052-069283790B04} - C:\Program Files\SeoQuake\seoquake.dll
O3 - Toolbar: websitetrafficbuildingtool Toolbar - {b8e7fe85-9bd4-43a0-b1a2-863a6ce455e4} - C:\Program Files\websitetrafficbuildingtool\tbwebs.dll
O3 - Toolbar: AdFactoryPro Toolbar - {fbf7f820-644c-4edd-9816-0a5463130bb8} - C:\Program Files\AdFactoryPro\tbAdFa.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Hanvon Shell.lnk = C:\Program Files\hwshell.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Spurl! - http://www.spurl.net/rclick.php
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\videocapture\flashcapture\fciext.dll (file missing)
O9 - Extra button: (no name) - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Spurl! - {057AB0AA-0896-44A7-9940-1D3118C870FB} - http://www.spurl.net/rclick.php (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Bookmark the current page to Spurl.net - {057AB0AA-0896-44A7-9940-1D3118C870FB} - http://www.spurl.net/rclick.php (file missing) (HKCU)
O9 - Extra button: Spurl bar - {104D0F17-ED01-4E81-8EFF-53E956FC6D49} - Shdocvw.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Spurl bar - {104D0F17-ED01-4E81-8EFF-53E956FC6D49} - Shdocvw.dll (file missing) (HKCU)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182114510125
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://programchecker.com/dll/nixon.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://online.invokesolutions.com/events/bin/5.5.0.1437/MILive.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HWSuperPowerTablet - HanWang - C:\WINDOWS\system32\JWPEN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Tshjrhtk - Unknown owner - C:\WINDOWS\system32\khhjvhzc.exe (file missing)
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 13473 bytes
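As an added example, not part of the thread, here is a small Python triage pass over the HijackThis log above that pulls out the entries a helper looks at first: the O7 policy value behind the disabled regedit, BHOs registered with no file, services with no vendor and no binary, and toolbar CLSIDs that repeat across the R3/O2/O3 sections. The sample lines are copied from the log; the selection heuristics are this example's own, not a HijackThis classification.

```python
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines copied from the HijackThis log above,
# enough to exercise each check. A real run would read the whole saved log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: FreeWorldRadio Toolbar - {7f377e8b-b4a7-46e1-950e-f04276e9bf6f} - C:\Program Files\FreeWorldRadio\tbFree.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: FreeWorldRadio Toolbar - {7f377e8b-b4a7-46e1-950e-f04276e9bf6f} - C:\Program Files\FreeWorldRadio\tbFree.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: FreeWorldRadio Toolbar - {7f377e8b-b4a7-46e1-950e-f04276e9bf6f} - C:\Program Files\FreeWorldRadio\tbFree.dll
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Tshjrhtk - Unknown owner - C:\WINDOWS\system32\khhjvhzc.exe (file missing)
"""

# HijackThis entry lines look like "O23 - Service: ..." or "R3 - URLSearchHook: ...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# A COM CLSID in braces: 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Split a HijackThis log into (section, body) pairs, e.g. ("O23", "Service: ...").
    Header lines and the 'Running processes' block do not match and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def policy_restrictions(entries):
    """O7 lines are Policies registry values. DisableRegedit=1 is what produces the
    'Registry editing has been disabled by your administrator' message reported above."""
    return [body for sec, body in entries if sec == "O7"]


def dangling_bhos(entries):
    """O2 Browser Helper Objects whose CLSID is registered but whose DLL is gone."""
    return [CLSID_RE.search(body).group(0)
            for sec, body in entries
            if sec == "O2" and body.endswith("(no file)")]


def orphaned_services(entries):
    """O23 services with no vendor string and no binary on disk. The pattern covers both
    uninstall leftovers (MySQL) and a removed or hidden malware service with a random name;
    this heuristic is the example's own, not a HijackThis verdict."""
    names = []
    for sec, body in entries:
        if sec == "O23" and "Unknown owner" in body and "(file missing)" in body:
            names.append(body.split(" - ")[0].replace("Service: ", "", 1))
    return names


def repeated_clsids(entries):
    """CLSIDs that show up in more than one of R3 (search hook), O2 (BHO) and O3 (toolbar):
    one component wired into the browser three ways, as the toolbars in the log above are."""
    seen = defaultdict(set)
    for sec, body in entries:
        if sec in ("R3", "O2", "O3"):
            m = CLSID_RE.search(body)
            if m:
                seen[m.group(0).lower()].add(sec)
    return {clsid: sorted(secs) for clsid, secs in seen.items() if len(secs) > 1}


def triage(log_text):
    """Run every check and return the findings as one dict."""
    entries = parse_entries(log_text)
    return {
        "policy_restrictions": policy_restrictions(entries),
        "dangling_bhos": dangling_bhos(entries),
        "orphaned_services": orphaned_services(entries),
        "repeated_clsids": repeated_clsids(entries),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}:")
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print(f"  {hit}")
```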

Comments

  • edited March 2008
    Welcome to Icrontic BB1,

    The log shows an SDBot variant installed there, so best to go easy on statements like those posted here. No anti-infection software alone is sufficient for security - if you get time, the steps suggested by Tony Klein Here are truly what is necessary for security, and include the secure choices by you, the user, as well.

    The logs also show you have at least 3 Conduit brand toolbars installed there. If you don't know of Conduit, your system likely does, as some of your searches may have been going through their servers in Israel. Check the links with their names below:

    AdFactoryPro Toolbar - here
    websitetrafficbuildingtool Toolbar - here
    FreeWorldRadio Toolbar - here

    The providers of those toolbars earn money for your use of them, so for them it is a win/win situation. For you I recommend you uninstall all of them through Add/Remove Programs at this time.


    Once you have done that, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

    Download ComboFix.exe from here to your desktop.

    Then temporarily disable your net access (if cable/dsl, disconnect the cable, and for dial-up the phone line), and click the downloaded file to run the repair. Do this each time you are asked to run ComboFix while we do the repairs here.


    When starting, ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you, so you will understand that these procedures are expected and okay.

    ComboFix will also change the drive autoplay settings there as its own added security measure. When we have completed all repairs here we will return the default Windows settings.


    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop; however, given the infection there, ComboFix will likely cause a reboot in order to complete its repairs.

    (ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

    Re-enable net access, and post back the C:\ComboFix.txt log as well as a new HijackThis log please.
  • BB1BB1
    edited March 2008
    Hi there, thanks very much for your detailed reply and link to ComboFix.
    I have uninstalled the toolbars you recommended (though you will see the empty folders in the log) and the ComboFix log is pasted below + HijackThis.

    ComboFix 08-03-29.1 - tali 2008-03-29 12:06:50.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.592 [GMT -7:00]
    Running from: C:\Program Files\combofix\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    -- Script messages for sUBs --
    Findstr -MIF:/ dmcast "C:\WINDOWS\system32\4569sys\?.*"
    Findstr -MIF:/ dmcast "C:\WINDOWS\system32\8089sys\?.*"

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\tali.PC211561639531\g2mdlhlpx.exe
    D:\Autorun.inf
    H:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
    .

    2008-03-29 12:03 . 2008-03-29 12:03 <DIR> d-------- C:\Program Files\combofix
    2008-03-28 10:04 . 2008-03-28 10:31 1,478,696 --a------ C:\Program Files\GenuineCheck.exe
    2008-03-28 10:04 . 2008-03-28 10:04 895,016 --a------ C:\Program Files\WGAPluginInstall.exe
    2008-03-26 12:31 . 2008-03-26 12:31 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-26 10:39 . 2007-06-17 09:38 <DIR> d-------- C:\Documents and Settings\Administrator.PC211561639531\Application Data\Symantec
    2008-03-26 10:39 . 2007-06-17 09:38 <DIR> d-------- C:\Documents and Settings\Administrator.PC211561639531\Application Data\Intuit
    2008-03-26 08:49 . 2008-03-26 08:49 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
    2008-03-26 08:49 . 2008-03-26 08:49 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
    2008-03-26 08:49 . 2008-03-26 08:49 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
    2008-03-26 08:49 . 2008-03-26 08:49 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
    2008-03-26 08:48 . 2008-03-26 08:48 <DIR> d-------- C:\Program Files\SnoopFreeprivacyshield
    2008-03-26 08:36 . 2008-03-26 08:36 147,456 --a------ C:\WINDOWS\system32\VBZIP11.DLL
    2008-03-26 08:36 . 2008-03-26 08:36 143,360 --a------ C:\WINDOWS\system32\vbuzip10.dll
    2008-03-26 08:36 . 2008-03-26 08:36 62,464 --a------ C:\WINDOWS\system32\shdocvw.oca
    2008-03-26 08:36 . 2008-03-26 08:36 32,768 --a------ C:\WINDOWS\system32\REGTOOL5.DLL
    2008-03-26 00:12 . 2008-03-26 00:12 <DIR> d-------- C:\Program Files\doctorspywarecleaner
    2008-03-23 15:46 . 2008-03-23 15:46 <DIR> d-------- C:\Program Files\AF Uninstalls
    2008-03-22 11:19 . 2008-03-22 11:24 <DIR> d-------- C:\Program Files\Web Forum Reader Lite
    2008-03-22 11:19 . 2008-03-22 11:21 <DIR> d-------- C:\Documents and Settings\tali.PC211561639531\Application Data\ChemTable Software
    2008-03-21 23:11 . 2008-03-21 23:11 <DIR> d-------- C:\Program Files\Alleycode
    2008-03-21 23:06 . 2008-03-21 23:06 <DIR> d-------- C:\Program Files\Free Monitor for Google
    2008-03-21 23:06 . 2008-03-21 23:07 <DIR> d-------- C:\Documents and Settings\tali.PC211561639531\Application Data\Free Monitor for Google
    2008-03-21 23:05 . 2008-03-21 23:05 <DIR> d-------- C:\Program Files\My Blog Announcer
    2008-03-21 22:31 . 2008-03-21 22:31 <DIR> d-------- C:\Program Files\Listpics
    2008-03-21 21:54 . 2008-03-21 21:54 <DIR> d-------- C:\Program Files\Scott's Box Shot Maker
    2008-03-21 16:16 . 2008-03-25 23:33 <DIR> d-------- C:\Program Files\Subscribe Emails
    2008-03-21 16:05 . 2008-03-21 16:05 <DIR> d-------- C:\Program Files\AutoMailer Freeware
    2008-03-20 21:57 . 2008-03-20 21:57 <DIR> d-------- C:\Program Files\Forum Buzz
    2008-03-20 21:54 . 2008-03-20 21:54 <DIR> d-------- C:\Program Files\Optin Buzz
    2008-03-20 11:33 . 2008-03-20 11:33 <DIR> d-------- C:\Program Files\Push Button PL Article Site Builder
    2008-03-20 11:29 . 2008-03-20 11:29 <DIR> d-------- C:\Program Files\Article Content Spinner
    2008-03-19 16:31 . 2008-03-21 15:11 <DIR> d-------- C:\Program Files\Easy Email Sender
    2008-03-19 16:31 . 2008-03-19 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{B30272FD-A07A-4120-AE33-8498151921F0}
    2008-03-19 15:33 . 2008-03-19 15:33 <DIR> d-------- C:\Program Files\Management-Ware
    2008-03-19 15:33 . 2008-03-19 15:33 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{6E01B5BC-2A01-4372-A54F-BC08B1B66A41}
    2008-03-19 14:35 . 2008-03-21 15:52 <DIR> d-------- C:\Program Files\WorldCast
    2008-03-19 14:14 . 2008-03-19 16:38 <DIR> d-------- C:\Program Files\Turbo-Mailer
    2008-03-19 14:12 . 2008-03-22 21:58 <DIR> d-------- C:\Program Files\TigerTom's Bulk Email Software
    2008-03-18 18:53 . 2008-03-18 18:53 0 --a------ C:\LOG667.tmp
    2008-03-16 11:44 . 2008-03-16 11:44 0 --a------ C:\LOG3BA.tmp
    2008-03-15 20:30 . 2008-03-15 20:30 <DIR> d-------- C:\Program Files\Advanced Site Submitter
    2008-03-15 15:01 . 2008-03-15 15:01 <DIR> d-------- C:\Program Files\Sabinet
    2008-03-14 16:43 . 2008-03-25 21:51 <DIR> d-------- C:\Program Files\My Link Cloaker
    2008-03-12 23:20 . 2008-03-12 23:20 73 --a------ C:\WINDOWS\EurekaLog.ini
    2008-03-12 23:19 . 2008-03-12 23:20 <DIR> d-------- C:\Program Files\Blog Finder Pro
    2008-03-12 16:15 . 2008-03-12 16:15 <DIR> d-------- C:\Program Files\Milliondollartraffic
    2008-03-11 10:50 . 2008-03-11 10:50 <DIR> d-------- C:\Documents and Settings\tali.PC211561639531\Application Data\PCF-VLC
    2008-03-11 10:47 . 2008-03-11 10:47 <DIR> d-------- C:\Documents and Settings\tali.PC211561639531\Application Data\Participatory Culture Foundation
    2008-03-11 10:33 . 2008-03-11 10:33 <DIR> d-------- C:\Program Files\Participatory Culture Foundation
    2008-03-10 15:10 . 2008-03-10 15:10 <DIR> d-------- C:\Program Files\AffiliateToolBoxCreator
    2008-03-10 14:37 . 2008-03-10 14:37 <DIR> d-------- C:\Program Files\Softland
    2008-03-10 14:37 . 2008-02-20 15:37 22,168 --a------ C:\WINDOWS\system32\dopdfmn6.dll
    2008-03-10 14:37 . 2008-02-20 15:37 18,072 --a------ C:\WINDOWS\system32\dopdfmi6.dll
    2008-03-10 14:37 . 2008-02-11 16:14 7,477 --a------ C:\WINDOWS\system32\dopdf6.ctm
    2008-03-10 14:21 . 2008-03-29 11:36 <DIR> d-------- C:\Program Files\AdFactoryPro
    2008-03-10 13:38 . 2008-03-10 13:38 <DIR> d-------- C:\Program Files\eBook Maestro FREE
    2008-03-10 11:29 . 2008-03-10 11:29 100 --a------ C:\WINDOWS\123ShortcutKey.INI
    2008-03-10 11:29 . 2008-03-10 11:30 4 --a------ C:\123ShortcutKey.sk
    2008-03-09 13:29 . 2008-03-09 13:29 <DIR> d-------- C:\Program Files\LadyWebs Website Analyzer
    2008-03-09 12:24 . 2008-03-09 12:25 <DIR> d-------- C:\Program Files\Surf Starter Pro
    2008-03-08 00:03 . 2008-03-08 00:03 <DIR> d-------- C:\Documents and Settings\tali.PC211561639531\EurekaLog
    2008-03-08 00:02 . 2008-03-08 00:02 <DIR> d-------- C:\Documents and Settings\tali.PC211561639531\Application Data\PlayIt Softwares
    2008-03-07 23:21 . 2008-03-07 23:32 <DIR> d-------- C:\Program Files\Real Link Finder
    2008-03-07 23:13 . 2008-03-07 23:13 <DIR> d-------- C:\Program Files\Top Keyword Finder
    2008-03-01 11:57 . 2008-03-01 11:57 <DIR> d-------- C:\Documents and Settings\tali.PC211561639531\Application Data\Ahead

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-29 18:51 --------- d-----w C:\Program Files\FreeWorldRadio
    2008-03-29 18:36 --------- d-----w C:\Program Files\Conduit
    2008-03-29 10:33 --------- d-----w C:\Program Files\websitetrafficbuildingtool
    2008-03-27 22:34 --------- d-----w C:\Documents and Settings\tali.PC211561639531\Application Data\AdobeUM
    2008-03-26 17:59 --------- d-----w C:\Program Files\Xerver
    2008-03-26 15:59 --------- d-----w C:\Documents and Settings\tali.PC211561639531\Application Data\System Tweaker
    2008-03-26 04:52 --------- d-----w C:\Program Files\Affiliate Link Cloaker Buzz Software
    2008-03-24 06:06 115,920 ----a-w C:\Program Files\msinet.ocx
    2008-03-23 22:11 --------- d-----w C:\Program Files\Auto Mailer
    2008-03-22 04:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-21 22:18 --------- d-----w C:\Program Files\SendBlaster
    2008-03-19 01:55 --------- d-----w C:\Documents and Settings\tali.PC211561639531\Application Data\U3
    2008-03-17 07:17 --------- d-----w C:\Program Files\Drop Down Wizard
    2008-03-10 21:27 --------- d-----w C:\Program Files\ProjectGenius
    2008-03-08 19:24 5,632 --sha-w C:\Program Files\Thumbs.db
    2008-03-05 17:46 --------- d-----w C:\Program Files\MySurvey Messenger
    2008-03-01 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-02-29 18:31 --------- d-----w C:\Program Files\roboform
    2008-02-29 05:18 --------- d-----w C:\Program Files\SMass Safelist Submitter
    2008-02-28 22:33 --------- d-----w C:\Program Files\3DBoxShotMaker
    2008-02-28 10:33 --------- d-----w C:\Program Files\templatemaker
    2008-02-21 11:49 --------- d-----w C:\Program Files\hideIP
    2008-02-17 18:28 --------- d-----w C:\Program Files\Doug Barger's Secret Site Stalker Software
    2008-02-16 05:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
    2008-02-10 09:39 --------- d-----w C:\Program Files\Uniblue
    2008-02-10 09:34 --------- d-----w C:\Program Files\Nsasoft
    2008-02-10 09:33 --------- d-----w C:\Program Files\RegAuditor
    2008-02-10 09:33 --------- d-----w C:\Program Files\New Folder
    2008-02-07 20:12 --------- d-----w C:\Program Files\VeryPDF PDF Editor v2.2
    2008-02-05 04:14 --------- d-----w C:\Program Files\geoexplosion
    2008-02-04 17:38 --------- d-----w C:\Program Files\FormAutoFiller
    2008-02-04 17:10 --------- d-----w C:\Program Files\music_now
    2008-02-03 05:57 --------- d-----w C:\Program Files\WPArticleUpload
    2008-02-01 19:07 --------- d-----w C:\Program Files\SOFTplus
    2008-01-31 03:49 --------- d-----w C:\Program Files\phpscripts
    2008-01-30 23:01 --------- d-----w C:\Program Files\Web Site Fire
    2008-01-29 09:53 --------- d-----w C:\Program Files\SmartFTP Client
    2008-01-29 09:52 --------- d-----w C:\Program Files\SmartFTP Client 2.5 Setup Files
    2008-01-29 09:52 --------- d-----w C:\Program Files\smartFTP
    2008-01-28 23:37 --------- d-----w C:\Program Files\Groovytastic Keyword Dominator
    2008-01-28 21:58 --------- d-----w C:\Program Files\Siber Systems
    2008-01-28 21:58 --------- d-----w C:\Documents and Settings\tali.PC211561639531\Application Data\GoodSync
    2008-01-28 21:40 --------- d-----w C:\Program Files\roboform2
    2008-01-28 02:04 --------- d-----w C:\Program Files\PingSlinger
    2008-01-25 22:43 0 ----a-w C:\Program Files\New CorelDRAW X3 Graphic.CDR
    2008-01-25 22:17 249,856 ------w C:\WINDOWS\Setup1.exe
    2008-01-14 07:28 26,000 ----a-w C:\WINDOWS\system32\E3TL.DLL
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2008-01-01 18:06 784,396 ----a-w C:\Program Files\RegpairSetup.exe
    2007-12-31 02:57 73,216 ------w C:\WINDOWS\ST6UNST.EXE
    2007-12-30 15:12 1,084,688 ----a-w C:\Program Files\Pro-Starter_Downline_Team_BuildersTOOLBAR.exe
    2007-12-14 17:12 3,717 ----a-w C:\Program Files\ST5UNST.LOG
    2007-09-28 17:22 2,605,056 ----a-w C:\Program Files\SEOStudio.exe
    2007-08-25 15:14 1,623,927 ----a-w C:\Program Files\ArtDirSubmitter_V1.7.exe
    2007-08-25 15:10 234,306 ----a-w C:\Program Files\Install_ArticleSubmitPro.exe
    2007-07-21 15:00 9,940 ----a-w C:\Documents and Settings\tali.PC211561639531\Application Data\unins000.dat
    2007-07-21 14:56 683,801 ----a-w C:\Documents and Settings\tali.PC211561639531\Application Data\unins000.exe
    2007-06-18 15:54 60 ----a-w C:\Documents and Settings\tali.PC211561639531\Application Data\wklnhst.dat
    2007-06-17 00:40 0 ----a-w C:\Documents and Settings\Natalie Chan\Application Data\wklnhst.dat
    2007-06-16 15:57 457,448 ----a-w C:\Program Files\WindowsXP-KB887742-x86-ENU.exe
    2007-06-15 21:59 6,403,752 ----a-w C:\Program Files\RecoverMyFiles-Setup.exe
    2007-06-15 17:46 47,541,144 ----a-w C:\Program Files\gc_ep_w01_enu.exe
    2007-02-02 16:06 335,872 ----a-w C:\Program Files\HWPenSignU.exe
    2007-02-02 16:06 327,680 ----a-w C:\Program Files\HWPenSign.exe
    2007-02-01 04:56 139,264 ----a-w C:\Program Files\HWSmoothDraw.dll
    2006-10-13 19:08 127,039 ----a-w C:\Program Files\SEOStudioError.dll
    2006-03-16 17:07 65,536 ----a-w C:\Program Files\CYHook.dll
    2005-12-02 00:07 73,728 ----a-w C:\Program Files\PenSignEng.dll
    2005-11-25 23:29 28,436 ----a-w C:\Program Files\Signeng.chm
    2005-11-12 00:55 584 ----a-w C:\Program Files\hwshell.ini
    2005-11-09 17:09 73,728 ----a-w C:\Program Files\PenSignCht.dll
    2005-11-09 17:09 73,728 ----a-w C:\Program Files\PenSignChs.dll
    2005-09-24 07:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
    2005-09-23 22:49 917,504 ----a-w C:\Program Files\hwshell.exe
    2005-07-26 03:08 756,736 ----a-w C:\Program Files\PDFCreatorPilot2.DLL
    2005-03-27 22:22 86,016 ----a-w C:\Program Files\VBLinks.ocx
    2005-03-27 22:22 28,672 ----a-w C:\Program Files\LPHelper.dll
    2005-03-27 22:17 86,016 ----a-w C:\Program Files\DateConverter.exe
    2005-03-25 06:33 17,219 ----a-w C:\Program Files\Readme.txt
    2005-03-25 06:20 13,325 ----a-w C:\Program Files\License.txt
    2005-03-24 06:17 479,232 ----a-w C:\Program Files\CSSBuilder.ocx
    2005-02-16 17:06 598,016 ----a-w C:\Program Files\ExEdit.dll
    2005-02-16 17:06 155,648 ----a-w C:\Program Files\ExPrint.dll
    2005-02-13 05:18 3,638 ----a-w C:\Program Files\SEOStudioLogo.ico
    2005-02-10 05:10 196,608 ----a-w C:\Program Files\VB Splitter.ocx
    2005-01-17 05:59 622,592 ----a-w C:\Program Files\ExComboBox.dll
    2005-01-17 02:06 1,015,808 ----a-w C:\Program Files\ExGrid.dll
    2005-01-14 17:25 880,640 ----a-w C:\Program Files\ChilkatXml.dll
    2005-01-14 17:24 1,343,488 ----a-w C:\Program Files\ChilkatMail2.dll
    2005-01-12 21:43 20,480 ----a-w C:\Program Files\Scheduler.exe
    2004-09-11 00:35 953,344 ----a-w C:\Program Files\HTML2PDF.DLL
    2004-08-10 22:16 431,104 ----a-w C:\Program Files\BTNexgenIPL32u.dll
    2004-08-10 22:15 427,520 ----a-w C:\Program Files\BTNexgenIPL32.dll
    2004-07-01 21:19 360,448 ----a-w C:\Program Files\ExplorerBar.dll
    2003-12-31 01:46 28,672 ----a-w C:\Program Files\StrCat.dll
    2003-10-06 20:37 160,424 ----a-w C:\Program Files\XCSSParser.dll
    2003-05-25 00:42 1,773,568 ----a-w C:\Program Files\gdiplus.dll
    2003-05-21 03:25 45,056 ----a-w C:\Program Files\HWGetPadID.dll
    2003-05-08 01:09 147,456 ----a-w C:\Program Files\AbsoluteHttp.dll
    2003-01-23 17:30 492,592 ----a-w C:\Program Files\IGToolBars50.ocx
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{9C590067-8A6A-4DB6-B052-069283790B04}"= "C:\Program Files\SeoQuake\seoquake.dll" [2007-11-14 11:51 241664]

    [HKEY_CLASSES_ROOT\clsid\{9c590067-8a6a-4db6-b052-069283790b04}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 11:18 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45 507904]
    "DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 01:58 65536]
    "StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 07:11 132496]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-30 12:04 286720]
    "SnoopFreeUI"="SnoopFreeUI.exe" [2008-03-26 08:49 221184 C:\WINDOWS\SnoopFreeUI.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
    Hanvon Shell.lnk - C:\Program Files\hwshell.exe [2008-01-17 21:25:07 917504]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe"
    "eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    "RecGuard"=C:\Windows\SMINST\RecGuard.exe
    "ProgramChecker"=C:\Program Files\Zenturi\ProgramChecker\pcheckp.exe
    "InCD"=C:\Program Files\Ahead\InCD\InCD.exe
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    "SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    "Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe
    "HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    "Hanvon Tablet Tray Service"=C:\WINDOWS\system32\HWTabTray.exe
    "Hanvon Key Pus"=C:\WINDOWS\system32\HWKeyPlus.exe
    "3DBoxShot"=C:\PROGRA~1\3DBOXS~1\3DBoxShot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\FTP\\free ftp\\freeftp\\FREEFTP.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Conference\\Conference.dll"=
    "C:\\Program Files\\IBP 9\\IBP.exe"=
    "C:\\wamp\\Apache2\\bin\\httpd.exe"=
    "C:\\Program Files\\Wysigot\\Wysigot.exe"=
    "C:\\Program Files\\Viable Software Alternatives\\Alert Post-A-Board\\viaboard.exe"=
    "C:\\Program Files\\Easy Mapper\\EM-Basic.exe"=
    "C:\\Program Files\\profilemanager\\pm3.exe"=
    "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

    R0 hypen;Hy Pen;C:\WINDOWS\system32\Drivers\hypen.sys [2002-04-26 15:22]
    R2 HWSuperPowerTablet;HWSuperPowerTablet;C:\WINDOWS\system32\JWPEN.exe [2007-01-15 16:19]
    R2 Seagate Sync Service;Seagate Sync Service;"C:\Program Files\Seagate\Sync\SeaSyncServices.exe" [2007-01-18 13:20]
    R2 StudioPro;StudioPro webcam;C:\WINDOWS\system32\DRIVERS\StudioPro.sys [2007-01-05 21:18]
    R2 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
    R2 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-07-06 13:14]
    R3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys [2007-04-22 19:27]
    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 02:06]
    S2 Tshjrhtk;Tshjrhtk;C:\WINDOWS\system32\khhjvhzc.exe []
    S3 MySQL5;MySQL5;"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.0\my.ini" MySQL5 []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a6f9634-c616-11dc-9832-0014a5b6b41d}]
    \Shell\AutoRun\command - setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9d0c89-7b82-11dc-97f6-0014a5b6b41d}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca196761-1cf5-11dc-b0d9-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-29 10:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
    - C:\Program Files\AdwareAlert\AdwareAlert.ex
    - C:\Program Files\AdwareAlert
    "2008-03-25 23:43:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-03-29 10:30:14 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job"
    - C:\Program Files\errorkiller\ErrorKiller.ex
    - C:\Program Files\errorkiller
    "2008-03-22 16:07:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
    - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    "2007-09-28 17:11:06 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
    - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-29 12:12:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
    "ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
    "ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL5"
    .
    Completion time: 2008-03-29 12:15:18
    ComboFix-quarantined-files.txt 2008-03-29 19:15:16
    Pre-Run: 59,481,108,480 bytes free
    Post-Run: 59,468,746,752 bytes free
    .
    2008-03-20 10:03:00 --- E O F ---


    HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:00:55 PM, on 3/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\JWPEN.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Seagate\Sync\SeaSyncServices.exe
    C:\WINDOWS\System32\SnoopFreeSvc.exe
    C:\WINDOWS\system32\svchost.exe
    c:\wamp\apache2\bin\httpd.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    c:\wamp\mysql\bin\mysqld-nt.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\wamp\apache2\bin\httpd.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\SnoopFreeUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\hwshell.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?716834&e23f93498ca4401fe0db6d1aad49db8b
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: SeoQuake - {9C590067-8A6A-4db6-B052-069283790B04} - C:\Program Files\SeoQuake\seoquake.dll
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Hanvon Shell.lnk = C:\Program Files\hwshell.exe
    O8 - Extra context menu item: &Spurl! - http://www.spurl.net/rclick.php
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\videocapture\flashcapture\fciext.dll (file missing)
    O9 - Extra button: (no name) - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Spurl! - {057AB0AA-0896-44A7-9940-1D3118C870FB} - http://www.spurl.net/rclick.php (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Bookmark the current page to Spurl.net - {057AB0AA-0896-44A7-9940-1D3118C870FB} - http://www.spurl.net/rclick.php (file missing) (HKCU)
    O9 - Extra button: Spurl bar - {104D0F17-ED01-4E81-8EFF-53E956FC6D49} - Shdocvw.dll (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Spurl bar - {104D0F17-ED01-4E81-8EFF-53E956FC6D49} - Shdocvw.dll (file missing) (HKCU)
    O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182114510125
    O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://programchecker.com/dll/nixon.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://online.invokesolutions.com/events/bin/5.5.0.1437/MILive.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: HWSuperPowerTablet - HanWang - C:\WINDOWS\system32\JWPEN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
    O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
    O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Tshjrhtk - Unknown owner - C:\WINDOWS\system32\khhjvhzc.exe (file missing)
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

    --
    End of file - 12301 bytes


    I guess I need some tips with regard to the recovery console and how to fix my files.....not sure what on earth happened to cause my IE browser probs and my inability to fix my system restore.

    I will be very grateful if you could help me approach this the right way.
    Thanks!
  • edited March 2008
    Some of the items disabled were likely disabled by malware, so we will check on all that. But to be straightforward on two things first.

    You need to follow the steps exactly as posted, so for ComboFix to be run from the desktop, it needs to be on the desktop. And TeaTimer also shows as a startup still, which suggests perhaps no reboot was done after disabling it, or one other step for that was not followed. Doing these as posted is what you need to do to successfully repair things there. Please make sure you recheck those TeaTimer disable steps then do what is needed to disable that.

    And unless you are a reviewer of new free software, you will really want to slow down the practice of downloading and installing free this and that tools and apps. And games and others. The amount of questionable software I notice just by sight-reading the logs suggests this.

    For now, though I am not sure how many I can note right off that need removals, let's first check what all is installed there. This way they can be uninstalled, instead of the more labor intensive manual steps. Don't like stopping the flow of malware removal but just too many to leave unchecked for now.

    Open Hijackthis.
    Click Config - Misc Tools - Open Uninstall Manager.
    A list of the entries in Add/Remove programs will appear.
    Click on Save List...
    The list will be saved as 'Uninstall_list.txt'
    Copy & Paste the contents back here for review.
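As an added illustration of the sight-reading described above (example code written for this page, not from the thread, from HijackThis or from ComboFix), the script below parses HijackThis O2/O4/O9/O23 lines and flags what an analyst pulls out first: targets marked missing, services with an unknown publisher, bare filenames in Run keys, and machine-generated-looking names such as Tshjrhtk. The sample lines are constructed after the log posted above, and the vowel-ratio heuristic is my own assumption, not a HijackThis rule.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample lines, modelled on the HijackThis v2.0.2 log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\videocapture\flashcapture\fciext.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Tshjrhtk - Unknown owner - C:\WINDOWS\system32\khhjvhzc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""
GUID = r"\{[0-9A-Fa-f-]+\}"
LINE_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - " + GUID + r" - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O9": re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - " + GUID + r" - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}
# Last path component ending in a binary extension; spaces allowed since HJT prints paths unquoted.
BIN_RE = re.compile(r'([^\\/"]+?\.(?:exe|dll|sys|ocx))', re.I)

@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)

def looks_random(token: str, min_len: int = 7, max_vowel_ratio: float = 0.2) -> bool:
    # Heuristic (my assumption, not an HJT rule): long names with almost no vowels
    # tend to be generated, e.g. Tshjrhtk / khhjvhzc; product names rarely are.
    letters = [c for c in token if c.isalpha()]
    if len(letters) < min_len:
        return False
    return sum(c.lower() in "aeiouy" for c in letters) / len(letters) < max_vowel_ratio

def executable_stem(path: str) -> str:
    m = BIN_RE.search(path)
    return m.group(1).rsplit(".", 1)[0] if m else ""

def assess(name: str, owner: str, path: str) -> List[str]:
    """Collect the reasons an analyst would pull this entry out for a closer look."""
    reasons = []
    if "(no file)" in path or "(file missing)" in path:
        reasons.append("target file missing (orphaned entry)")
    if owner.lower() == "unknown owner":
        reasons.append("service publisher unknown")
    # A bare filename in a Run key is located via the search path, not a fixed location.
    if path and not path.startswith("(") and "\\" not in path and "/" not in path:
        reasons.append("bare filename, resolved via search path")
    if looks_random(name):
        reasons.append("entry name looks machine-generated")
    if looks_random(executable_stem(path)):
        reasons.append("binary name looks machine-generated")
    return reasons

def triage(log_text: str) -> List[Finding]:
    """Parse O2/O4/O9/O23 lines and return only the entries that raised a reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern in LINE_PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            g = m.groupdict()
            reasons = assess(g["name"], g.get("owner", ""), g["path"])
            if reasons:
                findings.append(Finding(section, g["name"], g["path"], reasons))
            break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<20}{'; '.join(f.reasons)}")
```

A flagged entry is a prompt to look it up, not a verdict: orphaned entries are usually harmless leftovers, whereas an unknown-publisher service with a random name and a missing binary is the kind of line that gets quarantined.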
  • BB1BB1
    edited March 2008
    Hi there, thanks very much for your help and tips and for taking the time to look at my HijackThis log.....I know how tiring it can be sifting through it.

    I managed to solve my problem after going through my admin tools => event viewer and noticed a lot of IE related dll errors and also noted that my firefox was working well but my IE browser was just crashing the whole time. I experimented around by removing any add-ons but it still didn't work and no patches or deleting all history or using more antivirus and spyware checkers or Regcure didn't work, and ........

    ......so I just reinstalled explorer 7 ......I figured hell it's my last bet unless I want to reinstall XP which is an absolute nono....

    and voila... my help center and system restore worked, my explorer tools=> options worked, even my roboform suddenly worked.

    So thanks for taking the time to look at everything ....I've learnt quite a lot from your tips and just going through my whole comp :wink::wink:;):D
  • edited March 2008
    I won't belabor the point if you are okay with your system now. I see rogue software like AdwareAlert and errorkiller, and some Pro-Starter Downline Team Builders Community Toolbar! (toolbar powered by Conduit, of When-U adware/spyware fame) and on and on in just looking at the log file info.

    Click here

    Here

    And especially here

    Do yourself a favor and check your software against those, and start removing some of that stuff.
  • BB1BB1
    edited March 2008
    Thanks for the links, I will be saving those. I disabled AdwareAlert and ErrorKiller quite a long time ago, so the original files are probably still there and I have to find them. The other toolbar I decided against using..., and I've found adfactorypro safe to use....it's from a well known graphics internet marketer which I make good use of.
    Thanks very much again for your help
  • edited March 2008
    Personal opinions I can tell about that AdPro stuff - the web page really smacks of pyramid scheming. And very much your personal choices. Be well.
  • VekaVeka Finland
    edited April 2008
    Glad we could be of assistance! The help you received here was free.

    This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead :)
    _______________________________
    Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.