removing wndsk.dll [RESOLVED]

#1 theone11 (Member, 11 posts)
IE keeps on telling me it has to shut down and after doing some investigating (read some of the advice you have given to other people such as downloading programs, going into safe mode, etc.), the problem seems to be with the file wndsk.dll. IE keeps pointing to this file as the problem as well.

I cannot delete the file unfortunately. It says it is locked or being used by another program. I have deleted it twice in safe mode, but it returns once I restart my computer while another related file I also deleted iomter.dll did not come back.

I don’t know if I should have posted a log because I think removing this file will work.

Any help is much appreciated.
#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
  • Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - Bot Check, Reg - Disabled MS Config Items, Reg - File Additional Folder Scans, File - Lop Check and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Under Rootkit Search change that to Yes.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply.

#3 theone11 (Topic Starter, Member, 11 posts)
I cannot get into programs now as well (i.e. Notepad, wmp, the anti-virus programs, etc.), so I can't attach the file (I did it in safe mode just to get the code).

I copied it to Word before I left safe mode, but I can see why you don't want me to copy/paste that.

OK, I pasted it back into Notepad, but I'm not allowed to save it. I have another file saved, which I thought was this one (same file name) in Notepad, but the code is a lot longer and is from 1:30 pm.

Sorry for all the updates. I actually deleted the file (I hope that wasn't a mistake). It worked after my PC was off for a couple of hours. I think I still need to scan the computer though, because I can't access most of my programs, as I said before.

Edited by theone11, 20 February 2008 - 08:29 PM.


#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
If you can't get it working, then do this:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#5 theone11 (Topic Starter, Member, 11 posts)
I downloaded it, but like all other programs when I double click the icon it loads for a few seconds then stops. Nothing happens. However the internet is working fine now.

Basically I can do what I did in my last post (do it in safe mode), but I won't be able to open notepad once I restart my computer. I hope I didn't erase something that is the cause of this or perhaps all I need to do is restore something somehow.

So it seems now IE is working, but almost everything else isn't (Word does only when I click on a saved file in My Documents, not the actual Word icon on my desktop).

I'm sorry if this doesn't help, but that's what I'm getting on my end. Thanks for the help though. I really appreciate it.


#6 theone11 (Topic Starter, Member, 11 posts)
Attached File  WinPFind35.Txt22.txt   254.78KB   169 downloads

This is from the WinPFind35U scan from yesterday, run in safe mode with networking.

Should have done this yesterday.

P.S. The Deckard's scan doesn't want me scanning in safe mode, so I can't do that one.

Edited by theone11, 21 February 2008 - 08:48 AM.


#7 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> ->
YY -> UC_SMB ->
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> {8670ee50-01f9-47da-ac1e-cf8549e9e521} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [eupeptic]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> {8670ee50-01f9-47da-ac1e-cf8549e9e521} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [eupeptic]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YY -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\isamonitor.exe -> C:\Program Files\Video ActiveX Object\isamonitor.exe [C:\Program Files\Video ActiveX Object\isamonitor.exe]
YY -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\isamini.exe -> C:\Program Files\Video ActiveX Object\isamonitor.exe [C:\Program Files\Video ActiveX Object\isamonitor.exe]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YN -> ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.]
YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
YY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
YY -> 10 C:\Documents and Settings\Mark\My Documents\*.tmp files -> C:\Documents and Settings\Mark\My Documents\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm
NY -> sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm
NY -> sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm
NY -> sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm
NY -> sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm
NY -> sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm
NY -> sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm
YY -> 9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
YY -> istsv_.exe -> C:\Documents and Settings\Mark\Local Settings\Temp\istsv_.exe
YY -> ~uga6psetup.exe -> C:\Documents and Settings\Mark\Local Settings\Temp\~uga6psetup.exe
YY -> 555 C:\Documents and Settings\Mark\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Mark\Local Settings\Temp\*.tmp
YY -> setup.exe -> C:\Documents and Settings\Mark\Local Settings\Temp\bye2CB.tmp\Disk1\setup.exe
YY -> setup.exe -> C:\Documents and Settings\Mark\Local Settings\Temp\NI.UGA6P_5555_N122M0312\setup.exe
YY -> InfoWindow.dll -> C:\Documents and Settings\Mark\Local Settings\Temp\InfoWindow.dll
YY -> QTInstallerHelper.dll -> C:\Documents and Settings\Mark\Local Settings\Temp\QTInstallerHelper.dll
YY -> sohujjyj.dll -> C:\Documents and Settings\Mark\Local Settings\Temp\sohujjyj.dll
YY -> 555 C:\Documents and Settings\Mark\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Mark\Local Settings\Temp\*.tmp
YY -> 555 C:\Documents and Settings\Mark\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Mark\Local Settings\Temp\*.tmp
YY -> setup.ini -> C:\Documents and Settings\Mark\Local Settings\Temp\bye2CB.tmp\Disk1\setup.ini
YY -> settings.ini -> C:\Documents and Settings\Mark\Local Settings\Temp\NI.UGA6P_5555_N122M0312\settings.ini
YY -> iottem.dll -> C:\WINDOWS\Temp\iottem.dll
YY -> 3 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Then try running DSS from Normal Mode again.
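An added example, not part of the thread and not WinPFind35U's own code, in Python: it reads a fix script in the layout shown above (bracketed section directives, `< label > -> KEY` registry locations, and `FLAGS -> name -> target` entries) and lists which registry keys and file-system paths the script will act on, so a fix like this can be reviewed before the Run Fix button is clicked. The embedded sample is an excerpt of the script above; the two-letter flags are carried through unchanged because their meaning is not stated on the page, and the line layout is an assumption drawn from that excerpt.

```python
import re

# Constructed sample input: an excerpt of the WinPFind35U fix script posted above.
FIX_SCRIPT = r"""
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> ->
YY -> UC_SMB ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YY -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\isamonitor.exe -> C:\Program Files\Video ActiveX Object\isamonitor.exe [C:\Program Files\Video ActiveX Object\isamonitor.exe]
[Files/Folders - Modified Within 30 days]
YY -> istsv_.exe -> C:\Documents and Settings\Mark\Local Settings\Temp\istsv_.exe
YY -> iottem.dll -> C:\WINDOWS\Temp\iottem.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                           # [Section directive]
LOCATION_RE = re.compile(r"^<\s*(.+?)\s*>\s*->\s*(.*)$")          # < label > -> registry key
ENTRY_RE = re.compile(r"^([YN]{2})\s*->\s*(.*?)\s*->\s*(.*)$")   # FLAGS -> name -> target
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")               # C:\... or %Var%\...


def parse_fix_script(text):
    """Return (directives, entries).

    directives: the bracketed section names in order, e.g. 'Kill Explorer'.
    entries: dicts with the section, the registry location (None in file
             sections), the two-letter flags (kept verbatim), name and target.
    """
    directives, entries = [], []
    section = location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, location = m.group(1), None
            directives.append(section)
            continue
        m = LOCATION_RE.match(line)
        if m:
            location = m.group(2) or m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            flags, name, target = m.groups()
            entries.append({"section": section, "location": location,
                            "flags": flags, "name": name, "target": target})
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return directives, entries


def review(entries):
    """Summarise what the fix will touch: value names per registry key, and file paths."""
    registry, files = {}, []
    for e in entries:
        if e["location"]:
            registry.setdefault(e["location"], []).append(e["name"])
        target = e["target"].split(" [", 1)[0]   # drop the trailing "[...]" annotation
        if PATH_RE.match(target):
            files.append(target)
    return registry, files


if __name__ == "__main__":
    directives, entries = parse_fix_script(FIX_SCRIPT)
    registry, files = review(entries)
    print("directives:", ", ".join(directives))
    for key, names in registry.items():
        print(f"registry  {key}: {names}")
    for path in files:
        print(f"file      {path}")
```

Anything the parser cannot classify raises instead of being skipped silently, which is the behaviour you want from a pre-flight check on a script that deletes files and registry values.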

#8 theone11 (Topic Starter, Member, 11 posts)
Ok, I went to safe mode to do it, but it would say "not responding" every time I clicked Run Fix. So I go back to normal mode and it seems like everything is fine, because the bottom toolbar on my desktop shows all the icons and I clicked Notepad and it opened... but a couple of seconds later I get a message saying you have no firewall running and then everything goes back to normal (can't open any programs).

I will try the DSS again, but it probably won't work.

#9 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Do this instead, then, if DSS doesn't work:

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#10 theone11 (Topic Starter, Member, 11 posts)
Won't open either. I also have a file named iottem.dll as well now.

When you say desktop, do you mean the file? Because I don't have it.
#11 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
What happens when you try to open it?

The desktop is your background, where all your desktop icons and the screensaver are.

Try running it in Safe Mode if Normal Mode fails again.

#12 theone11 (Topic Starter, Member, 11 posts)
Attached File  ComboFix.txt   16.25KB   104 downloads

Here's the ComboFix log. I will do the HijackThis log next.

#13 theone11 (Topic Starter, Member, 11 posts)
Attached File  hijackthis.log2.txt   10.44KB   109 downloads

Here's the HijackThis log. It wouldn't let me do it in the previous post.

#14 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

You can post the reports unless I ask you to attach them.

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\wndsk.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\trashicon.exe

Folder::
C:\Program Files\Xasjce

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jpjnk"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#15 theone11 (Topic Starter, Member, 11 posts)
Just so you know, I can work in normal mode now...I assume that's good.

Here's the VirusTotal report:

Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.21 -
AntiVir 7.6.0.67 2008.02.21 TR/Spy.Gen
Authentium 4.93.8 2008.02.21 -
Avast 4.7.1098.0 2008.02.21 -
AVG 7.5.0.516 2008.02.21 Downloader.Small.60.BJ
BitDefender 7.2 2008.02.22 -
CAT-QuickHeal 9.50 2008.02.21 TrojanClicker.Agent.ss
ClamAV 0.92.1 2008.02.21 -
DrWeb 4.44.0.09170 2008.02.21 -
eSafe 7.0.15.0 2008.02.21 -
eTrust-Vet 31.3.5552 2008.02.21 -
Ewido 4.0 2008.02.21 -
FileAdvisor 1 2008.02.22 -
Fortinet 3.14.0.0 2008.02.21 -
F-Prot 4.4.2.54 2008.02.20 W32/Injector.A.gen!Eldorado
F-Secure 6.70.13260.0 2008.02.21 Trojan-Clicker.Win32.Agent.ss
Ikarus T3.1.1.20 2008.02.21 Trojan-Spy
Kaspersky 7.0.0.125 2008.02.22 Trojan-Clicker.Win32.Agent.ss
McAfee 5235 2008.02.21 -
Microsoft 1.3204 2008.02.21 -
NOD32v2 2894 2008.02.21 -
Norman 5.80.02 2008.02.21 -
Panda 9.0.0.4 2008.02.21 Trj/Downloader.SRZ
Prevx1 V2 2008.02.22 -
Rising 20.32.32.00 2008.02.21 -
Sophos 4.26.0 2008.02.21 Mal/Emogen-G
Sunbelt 3.0.884.0 2008.02.21 -
Symantec 10 2008.02.22 -
TheHacker 6.2.9.225 2008.02.21 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.21 -
Webwasher-Gateway 6.6.2 2008.02.21 Trojan.Spy.Gen
Additional information
File size: 32256 bytes
MD5: 9181f760ca25e3e91b78240e88324e89
SHA1: 2b49684e802a7fa936d8ba956e061edcb572d018
PEiD: -
packers: PE_Patch.UPX, UPX


This is the ComboFix report:

ComboFix 08-02-22 - Mark 2008-02-22 19:12:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.480 [GMT -5:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\trashicon.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Xasjce
C:\WINDOWS\trashicon.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-22 18:49 . 2008-02-22 18:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 18:03 . 2008-02-21 18:03 1,598,422 --a------ C:\ComboFix.exe
2008-02-21 09:50 . 2008-02-21 09:50 32,256 --a------ C:\WINDOWS\wndsk.dll
2008-02-21 09:33 . 2008-02-21 09:33 <DIR> d-------- C:\Deckard
2008-02-21 09:18 . 2008-02-21 18:02 686,630 --a------ C:\dss.exe
2008-02-20 17:20 . 2008-02-21 17:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-20 17:20 . 2008-02-20 17:20 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\PC Tools
2008-02-20 17:20 . 2008-02-22 19:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-20 17:20 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-20 17:20 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-20 17:20 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-20 17:20 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-20 15:02 . 2004-08-03 22:59 34,688 --a------ C:\WINDOWS\system32\drivers\lbrtfdc.sys
2008-02-20 15:02 . 2004-08-03 22:59 34,688 --a------ C:\WINDOWS\system32\dllcache\lbrtfdc.sys
2008-02-20 15:02 . 2001-08-17 13:57 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-02-20 15:02 . 2001-08-17 13:57 14,080 --a------ C:\WINDOWS\system32\dllcache\battc.sys
2008-02-20 15:02 . 2001-08-17 13:47 13,056 --a------ C:\WINDOWS\system32\drivers\inport.sys
2008-02-20 15:02 . 2001-08-17 13:47 13,056 --a------ C:\WINDOWS\system32\dllcache\inport.sys
2008-02-20 15:02 . 2004-08-03 23:00 8,192 --a------ C:\WINDOWS\system32\drivers\changer.sys
2008-02-20 15:02 . 2004-08-03 23:00 8,192 --a------ C:\WINDOWS\system32\dllcache\changer.sys
2008-02-20 12:53 . 2008-02-20 12:53 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Grisoft
2008-02-20 12:53 . 2008-02-20 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-20 12:53 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-14 17:02 . 2008-02-20 12:02 2,858 --a------ C:\WINDOWS\rules.dat
2008-02-09 16:03 . 2008-02-09 16:04 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Move Networks
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-27 19:18 . 2008-01-27 19:18 <DIR> d-------- C:\Program Files\TVUPlayer
2008-01-27 19:18 . 2008-01-27 19:18 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\TVU networks
2008-01-27 19:18 . 2008-01-27 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
2008-01-27 12:40 . 2008-02-15 21:21 <DIR> d-------- C:\Program Files\UFile 2007

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 18:53 --------- d-----w C:\Program Files\DIGStream
2008-02-20 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-02-17 17:23 --------- d-----w C:\Program Files\iTunes
2008-02-17 17:22 --------- d-----w C:\Program Files\iPod
2008-02-17 17:21 --------- d-----w C:\Program Files\QuickTime
2008-02-02 17:26 --------- d-----w C:\Program Files\Lexmark 2200 Series
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-24 23:19 --------- d-----w C:\Program Files\LimeWire
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-04-28 03:32 379 ----a-w C:\Documents and Settings\Robert\Application Data\internaldb1942.dat
2007-04-28 03:19 177,152 ----a-w C:\Documents and Settings\Robert\Application Data\internaldb5686.dat
2007-04-28 03:19 151 ----a-w C:\Documents and Settings\Robert\Application Data\internaldb1381.dat
2007-04-28 03:19 13,046 ----a-w C:\Documents and Settings\Robert\Application Data\internaldb2032.dat
2007-04-28 03:19 0 ----a-w C:\Documents and Settings\Robert\Application Data\internaldb5768.dat
2007-04-28 00:07 382 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb1942.dat
2007-04-28 00:04 177,152 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb4827.dat
2007-04-28 00:04 151 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb3434.dat
2007-04-28 00:04 13,046 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb5436.dat
2007-04-28 00:04 0 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb4604.dat
2007-04-20 00:14 379 ----a-w C:\Documents and Settings\Chris\Application Data\internaldb1942.dat
2007-04-20 00:13 177,152 ----a-w C:\Documents and Settings\Chris\Application Data\internaldb3119.dat
2007-04-20 00:13 151 ----a-w C:\Documents and Settings\Chris\Application Data\internaldb6385.dat
2007-04-20 00:13 13,046 ----a-w C:\Documents and Settings\Chris\Application Data\internaldb563.dat
2007-04-20 00:13 0 ----a-w C:\Documents and Settings\Chris\Application Data\internaldb4088.dat
2007-04-14 15:11 379 ----a-w C:\Documents and Settings\Dorothy\Application Data\internaldb1942.dat
2007-04-14 15:06 177,152 ----a-w C:\Documents and Settings\Dorothy\Application Data\internaldb1354.dat
2007-04-14 15:06 151 ----a-w C:\Documents and Settings\Dorothy\Application Data\internaldb9227.dat
2007-04-14 15:06 13,046 ----a-w C:\Documents and Settings\Dorothy\Application Data\internaldb8086.dat
2007-04-14 15:06 0 ----a-w C:\Documents and Settings\Dorothy\Application Data\internaldb9707.dat
2006-12-01 00:15 177,152 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb1869.dat
2006-11-29 23:26 0 ----a-w C:\Documents and Settings\Chris\Application Data\internaldb7126.dat
2006-11-29 23:26 0 ----a-w C:\Documents and Settings\Chris\Application Data\internaldb2821.dat
2006-11-29 23:26 0 ----a-w C:\Documents and Settings\Chris\Application Data\internaldb212.dat
2006-11-29 23:26 0 ----a-w C:\Documents and Settings\Chris\Application Data\internaldb2053.dat
2006-11-23 15:41 0 ----a-w C:\Documents and Settings\Dorothy\Application Data\internaldb2476.dat
2006-11-18 16:38 0 ----a-w C:\Documents and Settings\Robert\Application Data\internaldb8178.dat
2006-11-18 04:55 0 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb2391.dat
2006-11-16 23:41 0 ----a-w C:\Documents and Settings\Robert\Application Data\internaldb3430.dat
2006-11-16 23:41 0 ----a-w C:\Documents and Settings\Robert\Application Data\internaldb2097.dat
2006-11-16 23:41 0 ----a-w C:\Documents and Settings\Robert\Application Data\internaldb1013.dat
2006-11-16 04:54 0 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb153.dat
2006-11-15 22:00 0 ----a-w C:\Documents and Settings\Dorothy\Application Data\internaldb2902.dat
2006-11-15 22:00 0 ----a-w C:\Documents and Settings\Dorothy\Application Data\internaldb284.dat
2006-11-15 22:00 0 ----a-w C:\Documents and Settings\Dorothy\Application Data\internaldb1615.dat
2006-11-13 02:48 0 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb3902.dat
2006-11-13 02:48 0 ----a-w C:\Documents and Settings\Mark\Application Data\internaldb1538.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 17:42 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-04-20 05:01 438272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 00:10 339968]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2003-09-30 18:39 36864]
"UC_SMB"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-04-20 05:01 438272]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01 110592]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 15:12 90112]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 17:08 57344 C:\WINDOWS\system32\ico.exe]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2004-03-29 19:02 40960 C:\WINDOWS\system32\SKDAEMON.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 02:21 176128]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-03-31 23:34 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 11:38 241664]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2004-05-04 17:17 491520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-30 03:29 180269]
"IBM Warranty Notification"="C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe" [2004-03-12 21:24 106496]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 03:11 135251]
"Camera Detector"="C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.exe" [2002-12-09 14:35 208896]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 15:21 28672]
"hplampc"="C:\WINDOWS\system32\hplampc.exe" [2002-01-17 10:40 40448]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20 866584]
"Lexmark 2200 Series"="C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 08:08 57344]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2004-02-04 15:33 294912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-09-23 20:39]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 22:16]
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16:55]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 16:25]
R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2004-04-27 15:11]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 22:16]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 15:11]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]
S3 hp4200c;%usbscan.SvcDesc%;C:\WINDOWS\system32\DRIVERS\hp4200c.sys [2001-02-18 10:09]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-14 03:23:44 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-22 23:43:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-02 03:24:08 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY4822J35YU1.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7700#MY4822J35YU1
"2008-02-21 18:42:01 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2008-02-22 23:37:49 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-01-24 22:11:21 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-02-22 23:42:38 C:\WINDOWS\Tasks\User_Feed_Synchronization-{763AB149-50BF-4C50-8599-78D3972D2FE1}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2008-02-21 16:58:00 C:\WINDOWS\Tasks\WebReg 20050128115829.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exeb/TaskName 20050128115829 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 19:19:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-22 19:20:36
ComboFix-quarantined-files.txt 2008-02-23 00:20:33
ComboFix2.txt 2008-02-22 23:46:17
.
2008-02-19 20:08:56 --- E O F ---
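An added example (Python; not part of the thread and not VirusTotal's or ComboFix's own code): it parses a pasted VirusTotal result table of the shape above, counts the engines that flagged the file, collects the hashes, size and packer line from the "Additional information" block, and cross-checks the size against the ComboFix "Files Created" entry for C:\WINDOWS\wndsk.dll. The embedded sample is an excerpt of the report and the one ComboFix line from the post above; the regular expressions assume that whitespace layout (the text layout VirusTotal rendered in 2008, not its current API output).

```python
import re

# Constructed sample input: an excerpt of the VirusTotal report pasted above.
VT_REPORT = """
Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.21 -
AntiVir 7.6.0.67 2008.02.21 TR/Spy.Gen
AVG 7.5.0.516 2008.02.21 Downloader.Small.60.BJ
BitDefender 7.2 2008.02.22 -
F-Prot 4.4.2.54 2008.02.20 W32/Injector.A.gen!Eldorado
Kaspersky 7.0.0.125 2008.02.22 Trojan-Clicker.Win32.Agent.ss
Prevx1 V2 2008.02.22 -
Symantec 10 2008.02.22 -
Webwasher-Gateway 6.6.2 2008.02.21 Trojan.Spy.Gen
Additional information
File size: 32256 bytes
MD5: 9181f760ca25e3e91b78240e88324e89
SHA1: 2b49684e802a7fa936d8ba956e061edcb572d018
PEiD: -
packers: PE_Patch.UPX, UPX
"""

# The matching "Files Created" line from the ComboFix report above.
COMBOFIX_LINE = r"2008-02-21 09:50 . 2008-02-21 09:50 32,256 --a------ C:\WINDOWS\wndsk.dll"

# engine  version  yyyy.mm.dd  result   ("-" means the engine reported nothing)
ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# created . modified size attributes path
CF_FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")


def parse_vt_report(text):
    """Return ({engine: detection or None}, {field: value}) from a pasted VirusTotal report."""
    engines, info = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ENGINE_RE.match(line)
        if m:
            name, _version, _updated, result = m.groups()
            engines[name] = None if result == "-" else result
        elif ":" in line:                      # "MD5: ...", "File size: ... bytes", ...
            key, _, value = line.partition(":")
            info[key.strip().lower()] = value.strip()
    return engines, info


def detection_summary(engines):
    """(hits, total, {engine: detection}) for the engines that flagged the file."""
    hits = {name: result for name, result in engines.items() if result}
    return len(hits), len(engines), hits


def vt_size_bytes(info):
    """File size from the 'File size: N bytes' field, or None if absent."""
    m = re.match(r"(\d+)\s*bytes", info.get("file size", ""))
    return int(m.group(1)) if m else None


def parse_combofix_file_line(line):
    """Split a ComboFix 'Files Created' line into timestamps, size, attributes and path."""
    m = CF_FILE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ComboFix file line: {line!r}")
    created, modified, size, attrs, path = m.groups()
    return {"created": created, "modified": modified,
            "size": int(size.replace(",", "")), "attrs": attrs, "path": path}


def correlate(vt_text, combofix_line):
    """Join the two reports on file size and return one record for the analyst."""
    engines, info = parse_vt_report(vt_text)
    hits, total, names = detection_summary(engines)
    entry = parse_combofix_file_line(combofix_line)
    return {
        "path": entry["path"],
        "created": entry["created"],
        "detections": hits,
        "engines": total,
        "families": sorted(names.values()),
        "md5": info.get("md5"),
        "sha1": info.get("sha1"),
        "packers": info.get("packers"),
        "size_matches": entry["size"] == vt_size_bytes(info),
    }


if __name__ == "__main__":
    for key, value in correlate(VT_REPORT, COMBOFIX_LINE).items():
        print(f"{key:13} {value}")
```

The size check is the only field the two reports share directly; matching it (and keeping the MD5/SHA1 alongside the path and creation time) is what lets a helper be sure the sample the user uploaded is the file the log shows being dropped, before deciding what to remove.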
