
AV Security Suite - HijackThis Log - Advice Please

Hi all
My daughter by mistake downloaded the AV Security Suite on to her laptop. I have managed to hopefully sort it! I booted in safe mode with networking and ran Malwarebytes, and think I have removed it. I then ran Microsoft Essentials, and other threats were detected, called:
worm.win32/pushbot.gen!
TrojanDownloader.win32/Bubnix.A
Trojan:Win32/Meredrop
Trojan:Win32/Hilotigen

All above now quarantined or removed.

OS is Vista.
AV is Microsoft security essentials
Malwarebytes and Spybot installed also.

Anyway I have posted the HijackThis log, so possibly any computer whizz kids out there can advise if all is now OK, or whether there is anything else dodgy I should be concerned about. Thanks for any advice given.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:56, on 14/06/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Users\kathryn\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\kathryn\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:49336
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ript - {91D9091B-2046-42f7-903E-1215A29E21EA} - C:\Program Files\Ript\mscoree.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [googletalk] C:\Users\kathryn\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\kathryn\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows System Guard] C:\Users\Public\msng.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?!!!!!Toshibaukbholink-21&site=home (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O13 - Gopher Prefix:
O16 - DPF: {2665693B-C4F3-434B-83DB-7574CF50C8B7} (Kaspersky License Finder) - http://www.kaspersky.co.uk/downloads/misc/kasperskylicensefinder.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/activex/e-Safekey/NB/e-Safekey.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: lxct_device - - C:\Windows\system32\lxctcoms.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11238 bytes

Comments

  • The_Grandmaster
    The_Grandmaster Posts: 1,424 Forumite
    Part of the Furniture Combo Breaker
    edited 14 June 2010 at 6:58PM
    Please post the last malwarebytes and other logs here which show infections.

    Think these can be removed: (Someone will hopefully check if they can go)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
    O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos=home (file missing)
  • rolo1_2
    rolo1_2 Posts: 509 Forumite
    Ta - have to nip out, but will check back later.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Please open malwarebytes, goto LOGS and post the WHOLE of the log
    :idea:
  • rolo1_2
    rolo1_2 Posts: 509 Forumite
    aliEnRIK wrote: »
    Please open malwarebytes, goto LOGS and post the WHOLE of the log

    Malwarebytes' Anti-Malware 1.46
    https://www.malwarebytes.org

    Database version: 4190

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    14/06/2010 18:20:32
    mbam-log-2010-06-14 (18-20-32).txt

    Scan type: Quick scan
    Objects scanned: 121569
    Time elapsed: 6 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    The log that removed it please
    :idea:
  • rolo1_2
    rolo1_2 Posts: 509 Forumite
    aliEnRIK wrote: »
    The log that removed it please

    Yep, that would make sense:o

    I will check her laptop tomorrow, and post the log. Thanks aliEnRIK
  • rolo1_2
    rolo1_2 Posts: 509 Forumite
    aliEnRIK wrote: »
    Please open malwarebytes, goto LOGS and post the WHOLE of the log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4190

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.18928

    12/06/2010 13:52:03
    mbam-log-2010-06-12 (13-52-03).txt

    Scan type: Quick scan
    Objects scanned: 118591
    Time elapsed: 5 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tpojulato (Trojan.Hiloti) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\kathryn\AppData\Local\baleli.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Users\kathryn\downloads\facebook-photo-2010-05-24-jpg.scr (Backdoor.EggDrop) -> Quarantined and deleted successfully.

    Also every time the computer is booted up MSE detects the following:
    worm.win32/pushbot.Gen!C. This is then removed, but is likely to return at next boot up. As well as this, the last time it booted up the UAC advised a program was trying to start. I did not recognise it so obviously refused permission. The computer seems to run fine now, but I am concerned about anything lurking in the background. Am I right in saying that the Pushbot worm was likely to have originated from Windows Messenger or the like?
    Thanks
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    rolo1 wrote: »
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4190

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.18928

    12/06/2010 13:52:03
    mbam-log-2010-06-12 (13-52-03).txt

    Scan type: Quick scan
    Objects scanned: 118591
    Time elapsed: 5 minute(s), 52 second(s)

    Please UPDATE malwarebytes, run a FULL scan and post the whole of that log

    then
    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
    :idea:
  • rolo1_2
    rolo1_2 Posts: 509 Forumite
    Malwarebytes' Anti-Malware 1.46
    https://www.malwarebytes.org

    Database version: 4199

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    15/06/2010 13:57:09
    mbam-log-2010-06-15 (13-57-09).txt

    Scan type: Full scan (C:\|E:\|)
    Objects scanned: 245459
    Time elapsed: 1 hour(s), 12 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\kathryn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OF54E66L\iv[1].exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Users\kathryn\AppData\Local\Temp\5920.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
  • rolo1_2
    rolo1_2 Posts: 509 Forumite
    ComboFix 10-06-14.03 - kathryn 15/06/2010 14:08:28.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1048 [GMT 1:00]
    Running from: c:\users\kathryn\Downloads\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
    .

    2010-06-15 13:15 . 2010-06-15 13:15 d-----w- c:\users\kathryn\AppData\Local\temp
    2010-06-15 13:15 . 2010-06-15 13:15 d-----w- c:\users\Public\AppData\Local\temp
    2010-06-15 13:15 . 2010-06-15 13:15 d-----w- c:\users\Default\AppData\Local\temp
    2010-06-15 07:20 . 2010-06-15 07:20 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{16690A2B-0ADD-136F-61D8-317E200FAB0D}-msng.exe
    2010-06-14 16:44 . 2010-06-15 12:35 d-----w- c:\users\kathryn\AppData\Roaming\QuickScan
    2010-06-14 16:43 . 2010-05-31 15:34 702120 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    2010-06-14 16:43 . 2010-05-31 15:34 868456 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    2010-06-13 11:57 . 2010-06-13 11:57 d-----w- c:\users\kathryn\AppData\Local\BlinkBox
    2010-06-13 11:56 . 2010-06-13 11:56 d-----w- c:\program files\blinkbox
    2010-06-12 17:26 . 2010-06-02 10:37 80896 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
    2010-06-12 17:26 . 2010-06-02 10:37 50176 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
    2010-06-12 13:11 . 2010-06-12 13:11 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{2CF69BAE-9266-833C-11C2-A92DB433F8ED}-msng.exe
    2010-06-12 12:41 . 2010-06-12 12:41 d-----w- c:\users\kathryn\AppData\Roaming\Malwarebytes
    2010-06-12 12:41 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-12 12:41 . 2010-06-12 12:41 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-12 12:41 . 2010-06-12 12:41 d-----w- c:\programdata\Malwarebytes
    2010-06-12 12:41 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-12 12:34 . 2010-06-12 12:34 d-----w- c:\program files\Trend Micro
    2010-06-11 20:39 . 2010-06-11 20:39 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{BBC00322-99CD-F401-0E9F-0370F6B55A41}-msng.exe
    2010-06-11 20:24 . 2010-06-11 20:24 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{EF69577A-068F-7F88-F35A-87DCBE8EFE99}-msng.exe
    2010-06-11 18:09 . 2010-06-11 18:09 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{50A40C93-A490-A527-5F23-2A8193BEC341}-msng.exe
    2010-06-11 18:08 . 2010-06-11 18:08 120 ----a-w- c:\users\kathryn\AppData\Local\Esahohoqusi.dat
    2010-06-11 18:08 . 2010-06-11 18:08 0 ----a-w- c:\users\kathryn\AppData\Local\Xbapovunikanu.bin
    2010-06-11 07:17 . 2010-06-11 07:17 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{BE9BD4B0-05B4-7C28-28E6-29E1AEA8A192}-msng.exe
    2010-06-10 18:09 . 2010-06-10 18:09 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{6B2E65D5-80E8-6790-0F92-83D565DC6C98}-msng.exe
    2010-06-10 07:07 . 2010-06-10 07:07 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{D844F33E-331D-E335-AA1D-5C68AB0C3634}-msng.exe
    2010-06-09 17:16 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-06-09 17:03 . 2010-06-09 17:03 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{2B293B42-D0FA-F590-12E1-DB273A204FCC}-msng.exe
    2010-06-08 15:30 . 2010-06-08 15:30 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{1BEE6EAD-F03D-E99C-3BDA-EF12E44462B4}-msng.exe
    2010-06-07 16:29 . 2010-06-07 16:29 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{99D38118-FD4F-78A3-FE33-F6DC57F97D47}-msng.exe
    2010-06-06 15:57 . 2010-06-06 15:57 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{29A53854-608B-D412-25FB-D1E78174D8BE}-msng.exe
    2010-06-04 17:04 . 2010-06-04 17:04 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{3CEF0BC1-9645-CEBD-E8CC-1A642489BA6F}-msng.exe
    2010-06-02 15:23 . 2010-06-02 15:23 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B387A174-979B-0B88-AF7B-4E54B5E2126F}-msng.exe
    2010-06-02 07:10 . 2010-06-02 07:10 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{19018DD1-F1CE-5802-101F-F0166EDAADDC}-msng.exe
    2010-06-01 16:24 . 2010-06-01 16:24 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F7FB516C-22C8-7B62-28C3-6CEF2A6FCA51}-msng.exe
    2010-05-30 16:45 . 2010-05-30 16:45 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{A09497D8-F4C6-53AE-9931-1F4E98ED9575}-msng.exe
    2010-05-29 21:46 . 2010-05-29 21:46 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{9700E7DE-F3DD-6C80-50FD-0EE4FCAF8915}-msng.exe
    2010-05-29 17:29 . 2010-05-29 17:29 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{A2A60282-81BA-0525-4C04-1F45E2452AF3}-msng.exe
    2010-05-29 08:50 . 2010-05-29 08:50 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B31E8FC5-44E2-31B1-FBB4-B36E6BFFB39D}-msng.exe
    2010-05-28 18:50 . 2010-05-28 18:50 d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-05-28 18:49 . 2010-05-28 18:49 d-----w- c:\program files\Microsoft
    2010-05-28 17:57 . 2010-05-28 17:57 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{D626955E-4C22-4246-D2F5-498E27568941}-msng.exe
    2010-05-26 21:08 . 2010-05-26 21:08 d-----w- c:\programdata\WindowsSearch
    2010-05-26 15:19 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-05-26 15:13 . 2010-05-26 15:13 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{4983FA7F-A668-5E5E-3F5A-C55DD43C26A6}-msng.exe
    2010-05-25 17:05 . 2010-05-25 17:05 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{8FF262C2-776A-0CE0-B4CA-B5B7AEBF4A1E}-msng.exe
    2010-05-21 20:48 . 2010-05-21 21:01 d-----w- c:\programdata\Norton
    2010-05-21 20:48 . 2010-05-21 20:48 d-----w- c:\programdata\Symantec
    2010-05-21 20:48 . 2010-05-21 20:48 d-----w- c:\programdata\NortonInstaller
    2010-05-20 19:10 . 2010-05-20 19:10 d-----w- c:\windows\system32\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-13 09:35 . 2009-08-09 18:48 1 ----a-w- c:\users\kathryn\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-06-12 15:12 . 2010-04-24 15:55 d-----w- c:\program files\Defraggler
    2010-06-10 07:19 . 2006-11-02 11:18 d-----w- c:\program files\Windows Mail
    2010-06-10 07:18 . 2009-09-07 19:05 d-----w- c:\program files\Lx_cats
    2010-06-07 16:20 . 2009-10-26 07:59 d-----w- c:\program files\Microsoft Silverlight
    2010-05-30 17:57 . 2008-02-22 11:29 d-----w- c:\program files\Google
    2010-05-28 18:51 . 2009-06-10 09:20 d-----w- c:\program files\Windows Live
    2010-05-26 17:06 . 2010-06-09 17:17 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47 . 2010-06-09 17:17 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 13:14 . 2009-10-08 19:51 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-07 11:55 . 2010-05-07 11:55 255472 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    2010-05-04 05:59 . 2010-06-09 17:17 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 05:55 . 2010-06-09 17:17 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-05-04 05:55 . 2010-06-09 17:17 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-05-04 04:31 . 2010-06-09 17:17 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-05-02 12:54 . 2009-05-07 14:18 d-----w- c:\programdata\Kaspersky Lab
    2010-05-02 12:42 . 2008-02-22 10:44 d-----w- c:\program files\Java
    2010-05-02 12:38 . 2010-05-02 12:38 d-----w- c:\program files\Microsoft Security Essentials
    2010-04-21 17:48 . 2008-02-22 11:29 d-----w- c:\program files\Picasa2
    2010-04-21 17:45 . 2009-04-22 16:11 1766 ----a-w- c:\users\kathryn\AppData\Roaming\wklnhst.dat
    2010-04-16 23:04 . 2010-04-16 23:04 306032 ----a-w- c:\windows\WLXPGSS.SCR
    2010-04-16 21:12 . 2010-04-16 21:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
    2010-04-12 16:29 . 2010-05-02 12:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-05 17:01 . 2010-06-09 17:17 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2010-03-28 19:35 . 2010-03-28 19:35 31 ---ha-w- c:\windows\UKCpInfo.sys
    2010-03-21 15:16 . 2010-03-21 15:16 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-06-15_12.00.34 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 01:58 . 2010-06-15 13:00 45642 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:05 . 2010-06-15 13:00 74890 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2009-04-22 15:44 . 2010-06-15 11:23 10276 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2641201609-788405178-2231458804-1000_UserData.bin
    + 2009-04-22 15:44 . 2010-06-15 13:00 10276 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2641201609-788405178-2231458804-1000_UserData.bin
    + 2009-04-22 15:37 . 2010-06-15 12:58 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-04-22 15:37 . 2010-06-15 11:21 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-04-22 15:37 . 2010-06-15 11:21 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-04-22 15:37 . 2010-06-15 12:58 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-04-22 15:37 . 2010-06-15 12:58 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-04-22 15:37 . 2010-06-15 11:21 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-06-15 13:02 . 2010-06-15 13:02 21504 c:\windows\Installer\3d85b.msi
    - 2010-06-15 11:21 . 2010-06-15 11:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-06-15 12:58 . 2010-06-15 12:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-06-15 12:58 . 2010-06-15 12:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2010-06-15 11:21 . 2010-06-15 11:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-04-22 15:53 . 2010-06-15 12:57 2421200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2009-04-22 15:53 . 2010-06-15 08:21 2421200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-29 430080]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "googletalk"="c:\users\kathryn\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Google Update"="c:\users\kathryn\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-07-08 133104]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-22 1836544]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
    "Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
    "Skytel"="Skytel.exe" [2007-11-20 1826816]
    "lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 291760]
    "Lexmark 5400 Series Fax Server"="c:\program files\Lexmark 5400 Series\fm3032.exe" [2006-11-22 304048]
    "EzPrint"="c:\program files\Lexmark 5400 Series\ezprint.exe" [2006-11-22 82864]
    "LXCTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 245810]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

    c:\users\kathryn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):cf,7c,a9,99,43,ec,c9,01

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 136176]
    R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-29 937984]
    S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-08-31 20352]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 17:57]

    2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 17:57]

    2010-03-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2641201609-788405178-2231458804-1000Core1cac66b30c20a4f.job
    - c:\users\kathryn\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-08 18:36]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://google.co.uk/
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:49336
    uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
    IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?!!!!!Toshibaukbholink-21&site=home
    Trusted Zone: northernbank.co.uk\ebanking
    DPF: {2665693B-C4F3-434B-83DB-7574CF50C8B7} - hxxp://www.kaspersky.co.uk/downloads/misc/kasperskylicensefinder.cab
    DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.northernbank.co.uk/html/activex/e-Safekey/NB/e-Safekey.cab
    FF - ProfilePath - c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\
    FF - component: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
    FF - component: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
    FF - component: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Picasa2\npPicasa3.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\users\kathryn\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
    FF - plugin: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\users\kathryn\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-15 14:15
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????T]r{?????V???V???V?0 V?X

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-06-15 14:18:24
    ComboFix-quarantined-files.txt 2010-06-15 13:18
    ComboFix2.txt 2010-06-15 12:03

    Pre-Run: 41,253,449,728 bytes free
    Post-Run: 41,226,272,768 bytes free

    - - End Of File - - C691DDB843873068A21A547BC0F631B8
This discussion has been closed.