MSN sending out messages without my consent in Security Cleanup

MSN sending out messages without my consent in Security Cleanup http://www.dslreports.com/forum/r22521535 en Thu, 03 Dec 2009 12:24:30 EDT Thu, 03 Dec 2009 12:24:30 EDT Re: MSN sending out messages without my consent http://www.dslreports.com/forum/remark,22528289 Milkster : Here is the log for ComboFix....

ComboFix 09-06-09.06 - caskenkp 06/10/2009 11:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.2318 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 12:22 . 2009-06-10 12:22 -------- d-----w- c:\windows\LastGood
2009-06-10 10:32 . 2009-06-10 10:32 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-09 18:18 . 2009-06-09 18:18 -------- d-----w- c:\program files\ESET
2009-06-09 18:02 . 2009-06-09 18:02 -------- d-----w- c:\documents and settings\Administrator.HYPATIA\Application Data\Malwarebytes
2009-06-09 18:01 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 18:01 . 2009-06-09 18:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 18:01 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 18:01 . 2009-06-09 18:01 -------- d-sh--w- c:\documents and settings\Administrator.HYPATIA\IETldCache
2009-06-09 13:53 . 2009-06-09 13:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-09 13:52 . 2009-06-09 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 13:35 . 2009-06-09 13:35 -------- d-----w- c:\program files\Trend Micro
2009-06-09 00:07 . 2008-04-14 09:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-06-09 00:07 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-08 13:57 . 2009-06-08 13:57 -------- d-----w- c:\windows\ie8updates
2009-06-08 13:54 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-08 13:44 . 2009-06-08 13:44 -------- d--h--r- C:\MSOCache
2009-06-08 04:34 . 2009-06-08 04:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-08 04:32 . 2009-06-08 04:32 -------- d-----w- c:\program files\MSSOAP
2009-06-08 04:31 . 2009-06-08 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-06-08 04:31 . 2009-06-08 04:31 -------- d-----w- c:\program files\Webroot
2009-06-08 04:31 . 2009-06-08 04:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2009-06-08 04:31 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-06-08 04:31 . 2009-06-08 04:31 164 ----a-w- c:\windows\install.dat
2009-06-08 04:28 . 2009-06-08 04:28 164 ----a-w- C:\install.dat
2009-06-08 04:13 . 2009-06-08 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-06-08 04:10 . 2009-06-08 04:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-06-08 04:10 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-08 04:10 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-08 04:09 . 2009-06-08 04:09 -------- d-----w- c:\program files\iPod
2009-06-08 04:09 . 2009-06-08 04:10 -------- d-----w- c:\program files\iTunes
2009-06-08 04:09 . 2009-06-08 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-08 04:09 . 2009-06-08 04:09 -------- d-----w- c:\program files\Bonjour
2009-06-08 04:09 . 2003-02-25 15:20 58368 ----a-w- c:\windows\system32\HPDOMON.DLL
2009-06-08 04:08 . 2003-07-18 17:14 40960 ----a-w- c:\windows\system32\HPBMMON.DLL
2009-06-08 04:08 . 2003-02-25 15:19 94274 ----a-w- c:\windows\system32\HPBHEALR.DLL
2009-06-08 04:08 . 2009-06-08 04:09 -------- d-----w- c:\program files\QuickTime
2009-06-08 04:08 . 2009-06-08 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-08 04:08 . 2009-06-08 04:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2009-06-08 04:08 . 2009-06-08 04:08 -------- d-----w- c:\program files\Apple Software Update
2009-06-08 04:08 . 2009-06-08 04:09 -------- d-----w- c:\program files\Common Files\Apple
2009-06-08 04:08 . 2009-06-08 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-08 04:07 . 2009-06-08 04:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-06-08 03:53 . 2009-06-08 03:53 -------- d-----w- c:\program files\Citrix
2009-06-08 03:52 . 2009-06-08 03:52 70984 ----a-w- c:\documents and settings\Administrator\g2mdlhlpx.exe
2009-06-08 03:52 . 2009-06-08 03:52 -------- d-----w- c:\windows\Sun
2009-06-08 03:49 . 2009-06-08 03:50 -------- d-----w- C:\TMWIN
2009-06-08 03:48 . 2009-06-08 03:49 -------- d-----w- C:\TMNODE
2009-06-08 03:47 . 2009-06-08 03:47 -------- d--h--w- c:\windows\PIF
2009-06-08 03:11 . 2009-06-10 10:21 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-06-08 03:11 . 2009-06-08 03:11 -------- d-----w- c:\program files\Microsoft
2009-06-08 03:10 . 2009-06-08 03:10 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-08 03:10 . 2009-06-08 03:10 -------- d-----w- c:\program files\Windows Live
2009-06-08 03:04 . 2009-06-08 03:04 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-08 03:02 . 2009-06-08 03:02 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-06-08 03:02 . 2009-06-08 03:02 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-06-08 02:35 . 2009-06-08 02:35 9062 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{C0258B3B-48BE-4678-B9DA-AEF70D474A2C}\ARPPRODUCTICON.exe
2009-06-08 02:34 . 2006-05-26 17:47 81920 ----a-w- c:\windows\system32\GM7tp32.dll
2009-06-08 02:34 . 2006-05-26 17:47 1576960 ----a-w- c:\windows\system32\Gm7s32.dll
2009-06-08 02:34 . 2006-05-26 17:45 901120 ----a-w- c:\windows\system32\gmssl32.dll
2009-06-08 02:34 . 2006-05-26 17:43 3596288 ----a-w- c:\windows\system32\GmXml.dll
2009-06-08 02:32 . 2009-06-08 02:32 9062 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{489F5116-4D08-4234-A21F-1FFA620A76E3}\ARPPRODUCTICON.exe
2009-06-08 02:28 . 2009-06-08 02:28 86016 ----a-w- c:\windows\system32\OdbcJdbcSetup.dll
2009-06-08 02:28 . 2009-06-08 02:28 225280 ----a-w- c:\windows\system32\IscDbc.dll
2009-06-08 02:28 . 2009-06-08 02:28 200704 ----a-w- c:\windows\system32\OdbcJdbc.dll
2009-06-08 02:28 . 2006-04-20 00:44 356437 ----a-w- c:\windows\system32\gds32.dll
2009-06-08 02:28 . 2009-06-08 02:28 -------- d-----w- c:\program files\Firebird
2009-06-08 02:27 . 2009-06-08 02:52 -------- d-----w- c:\program files\GoldMine
2009-06-08 02:26 . 2009-06-08 02:26 -------- d-----w- c:\windows\Downloaded Installations
2009-06-08 02:22 . 2009-06-08 02:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-08 02:12 . 2009-06-08 02:12 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-08 02:12 . 2009-06-08 02:12 -------- d-----w- c:\program files\MSBuild
2009-06-08 02:12 . 2009-06-08 02:12 -------- d-----w- c:\program files\Reference Assemblies
2009-06-08 02:12 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-08 02:12 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-08 02:12 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-08 02:12 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-08 02:12 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-08 02:12 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-08 02:12 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-08 02:08 . 2009-06-08 02:08 -------- dc-h--w- c:\windows\ie8
2009-06-08 02:07 . 2009-06-08 02:07 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-08 01:32 . 2009-06-08 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-06-08 01:30 . 2009-06-08 01:30 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-08 01:29 . 2009-06-08 01:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-06-08 01:23 . 2009-06-08 01:23 -------- d-----w- c:\program files\JRE
2009-06-08 01:23 . 2009-06-08 01:23 -------- d-----w- c:\program files\OpenOffice.org 3
2009-06-08 01:23 . 2009-05-21 15:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-05 16:41 . 2009-06-03 15:40 6611357 ----a-w- c:\windows\FramePkg.exe
2009-06-05 15:36 . 2008-04-14 02:14 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-05 12:32 . 2009-06-05 12:32 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-06-05 12:32 . 2009-06-05 12:32 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-06-05 12:31 . 2009-06-05 12:31 134272 ----a-w- c:\windows\system32\drivers\snman380.sys
2009-06-05 12:31 . 2009-06-05 12:32 -------- d-----w- c:\program files\Common Files\Acronis
2009-06-05 12:31 . 2009-06-05 12:31 -------- d-----w- c:\program files\Acronis
2009-06-05 12:12 . 2009-06-05 12:12 -------- d-----w- c:\windows\ServicePackFiles
2009-06-04 19:28 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-06-04 19:28 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-06-04 19:23 . 2009-06-08 19:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-06-04 19:23 . 2009-06-04 19:23 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-06-04 19:23 . 2009-06-08 19:09 -------- d-----w- c:\program files\Google
2009-06-04 19:17 . 2009-06-04 19:17 -------- d-----w- c:\windows\ShellNew
2009-06-04 19:15 . 2009-06-04 19:15 -------- d-----w- c:\windows\Twain32
2009-06-04 19:15 . 2009-06-04 19:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Web Folders
2009-06-04 18:56 . 2009-06-04 18:56 -------- d-----w- c:\program files\ltmoh
2009-06-04 18:56 . 2006-10-18 08:39 487424 ----a-w- c:\windows\system32\cselect.exe
2009-06-04 18:56 . 2003-10-31 19:59 45056 ----a-w- c:\windows\system32\csellang.dll
2009-06-04 18:22 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-04 18:22 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-06-04 18:22 . 2009-06-04 15:30 -------- d-----w- c:\windows\iehome
2009-06-04 18:22 . 2009-06-04 18:22 -------- d-----w- c:\program files\Datalode
2009-06-04 17:43 . 2009-06-04 17:43 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-04 17:23 . 2009-06-04 17:23 -------- d-----w- c:\program files\MSXML 6.0
2009-06-04 17:12 . 2007-04-09 17:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2009-06-04 17:11 . 2009-06-04 17:11 -------- d-----w- c:\program files\Common Files\L&H
2009-06-04 17:11 . 2009-06-04 17:11 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-04 17:09 . 2009-03-08 08:34 1206784 -c--a-w- c:\windows\system32\dllcache\urlmon.dll
2009-06-04 17:09 . 2009-03-08 08:34 914944 -c--a-w- c:\windows\system32\dllcache\wininet.dll
2009-06-04 17:09 . 2009-03-02 23:04 1499136 -c----w- c:\windows\system32\dllcache\shdocvw.dll
2009-06-04 17:09 . 2009-03-08 08:41 5937152 -c--a-w- c:\windows\system32\dllcache\mshtml.dll
2009-06-04 17:09 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-04 17:09 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-04 17:08 . 2009-06-04 17:08 -------- d-sh--w- c:\documents and settings\Administrator\UserData
2009-06-04 16:37 . 2007-04-23 18:29 68456 ----a-w- c:\documents and settings\__sbs_netsetup__\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 15:42 . 2009-06-04 15:42 -------- d-----w- c:\windows\SchCache
2009-06-04 15:42 . 2009-06-04 15:42 -------- d-----w- c:\program files\Microsoft Windows Small Business Server

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 10:32 . 2007-04-22 21:00 -------- d-----w- c:\program files\Java
2009-06-09 19:03 . 2009-06-04 16:40 -------- d-----w- c:\program files\Lexmark
2009-06-08 14:32 . 2009-06-04 15:30 74328 ----a-w- c:\documents and settings\ken\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-08 02:23 . 2007-04-23 18:29 74328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-08 01:42 . 2007-04-22 21:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-05 16:48 . 2009-06-05 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-05 16:48 . 2009-06-05 16:48 -------- d-----w- c:\program files\Common Files\McAfee
2009-06-05 16:48 . 2009-06-05 16:41 -------- d-----w- c:\program files\McAfee
2009-06-05 16:47 . 2009-06-05 16:47 2585872 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8600\Install\[u]0[/u]000\WindowsInstaller-KB893803-v2-x86.exe
2009-06-05 16:47 . 2009-06-05 16:47 95568 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8600\Install\[u]0[/u]000\setupvse.exe
2009-06-05 16:47 . 2009-06-05 16:47 94208 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8600\Install\[u]0[/u]000\UnInst.exe
2009-06-05 16:47 . 2009-06-05 16:47 102400 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8600\Install\[u]0[/u]000\UnInstX64.exe
2009-06-05 16:42 . 2009-06-05 16:42 -------- d-----w- c:\program files\Common Files\Cisco Systems
2009-06-05 12:15 . 2007-04-22 20:16 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-04 19:18 . 2009-06-04 19:18 5058 ----a-w- c:\windows\Help\hhcolreg.dat
2009-06-04 18:39 . 2007-04-22 20:46 -------- d-----w- c:\program files\TOSHIBA
2009-06-04 17:10 . 2009-06-04 17:10 -------- d-----w- c:\program files\Microsoft.NET
2009-06-04 16:46 . 2007-04-23 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-04 16:40 . 2009-06-04 16:40 -------- d-----w- c:\program files\Lexmark_HostCD
2009-06-04 16:40 . 2009-06-04 16:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Protector Suite
2009-06-04 15:33 . 2007-04-22 20:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-04 15:30 . 2009-06-04 15:30 0 --sha-r- c:\windows\system32\drivers\TOSHIBA_TECRA A9_S3A6253D001_PTS52C-MH709C.MRK
2009-06-04 15:28 . 2009-06-09 18:00 -------- d-----w- c:\documents and settings\Administrator.HYPATIA\Application Data\Intel
2009-06-04 15:28 . 2009-06-04 16:37 -------- d-----w- c:\documents and settings\__sbs_netsetup__\Application Data\Intel
2009-06-04 15:28 . 2009-06-04 15:30 -------- d-----w- c:\documents and settings\ken\Application Data\Intel
2009-06-04 15:28 . 2007-04-22 20:45 -------- d-----w- c:\program files\Intel
2009-06-04 15:27 . 2009-06-04 15:27 315392 ----a-w- c:\windows\HideWin.exe
2009-06-04 15:27 . 2009-06-04 15:27 -------- d-----w- c:\program files\Realtek
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-21 22:27 . 2009-04-21 22:27 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-04-21 22:27 . 2009-04-21 22:27 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-04-21 22:27 . 2009-04-21 22:27 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-05-13 19:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\366\g2mstart.exe" [2009-06-08 31552]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"00THotkey"="c:\windows\system32\[u]0[/u]0THotkey.exe" [2006-07-05 19:14 258048]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 344144]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-05 30208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2009-01-19 1285504]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2009-01-18 884928]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-18 140568]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-03-10 136512]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-08 68592]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"000StTHK"="000StTHK.exe" - c:\windows\system32\[u]0[/u]00StTHK.exe [2001-06-23 11:28 24576]
"TOSDCR"="TOSDCR.EXE" - c:\windows\system32\TOSDCR.exe [2005-12-13 57344]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-10 622592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-12 16125440]
"TFncKy"="TFncKy.exe" [BU]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2007-02-02 110592]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-07-26 315392]

c:\documents and settings\Administrator.HYPATIA\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2009-6-4 298]

c:\documents and settings\__sbs_netsetup__\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2009-6-4 298]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2009-6-5 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 21:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Acronis\\TrueImageEchoWorkstation\\TrueImage.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [6/5/2009 8:31 AM 134272]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [3/22/2007 4:07 PM 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [6/4/2009 11:31 AM 5888]
R2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [1/18/2009 8:07 PM 517848]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 6:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 5:59 PM 33024]
R2 FirebirdGuardianDefaultInstance;FirebirdGuardian - DefaultInstance;c:\program files\Firebird\firebird_1_5\bin\fbguard.exe [4/19/2006 8:09 PM 65536]
R2 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\firebird_1_5\bin\fbserver.exe -s [?]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 5:33 PM 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [6/4/2009 11:31 AM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [6/8/2009 12:32 AM 1205760]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/22/2007 4:20 PM 35968]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [6/4/2009 11:33 AM 435072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-04 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2007-04-22 09:42]

2009-06-10 c:\windows\Tasks\User_Feed_Synchronization-{DBCF6069-EB84-4D65-8C65-4682FB09D6FA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

2009-06-10 c:\windows\Tasks\wrSpySweeper_1F2B4464FF314BF3B423F14FA81CFB39.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-06-08 19:40]

2009-06-10 c:\windows\Tasks\wrSpySweeper_1F2B4464FF314BF3B423F14FA81CFB39.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-06-08 19:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-06-10 11:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_1704.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1080)
c:\windows\system32\relog_ap.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-06-10 11:47
ComboFix-quarantined-files.txt 2009-06-10 15:47

Pre-Run: 87,639,932,928 bytes free
Post-Run: 87,868,571,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

345 --- E O F --- 2009-06-04 19:08]]> http://www.dslreports.com/forum/remark,22528289 Wed, 10 Jun 2009 13:55:41 EDT Re: MSN sending out messages without my consent http://www.dslreports.com/forum/remark,22525045 CalamityJane : Thanks for getting this to the right forum :)

What the Eset scan found earlier was a remnant from the Ask toolbar and not the cause of this type of problem.

However, nothing giving a clue in the HijackThis log - it does sound like a MSN worm of some sort. Let's dig a little deeper with this tool next, please.

For those casually looking on, this tool isn't for everyday use by just anybody and is only meant to be run under supervised use and when called for by a helper trained in it's use by the author of the tool.

Download ComboFix from here:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Remember to re-enable them after the final steps are done here.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

[att=1]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[att=2]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2009
Proud Member of ASAP (Alliance of Security Analysis Professionals)

]]> http://www.dslreports.com/forum/remark,22525045 Tue, 09 Jun 2009 22:03:40 EDT Re: MSN sending out messages without my consent http://www.dslreports.com/forum/remark,22522534 Milkster : Ok, I ran the scanns again in Safemode and here are the results:

ESET OnLine Scanner: Did not find anything

Malwarebytes' Anti-Malware 1.37
Database version: 2255
Windows 5.1.2600 Service Pack 3

6/9/2009 2:14:35 PM
mbam-log-2009-06-09 (14-14-35).txt

Scan type: Quick Scan
Objects scanned: 103070
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:15 PM, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [00THotkey] "C:\WINDOWS\system32\00THotkey.exe"
O4 - HKLM\..\Run: [000StTHK] "000StTHK.exe"
O4 - HKLM\..\Run: [ThpSrv] "C:\WINDOWS\system32\thpsrv" /logon
O4 - HKLM\..\Run: [TOSDCR] "TOSDCR.EXE"
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [TFNF5] "TFNF5.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" /Service
O4 - HKLM\..\Run: [TMESRV.EXE] "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" /Logon
O4 - HKLM\..\Run: [TAudEffect] "C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe" /run
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [TouchED] "C:\Program Files\TOSHIBA\TouchED\TouchED.exe"
O4 - HKLM\..\Run: [TPSODDCtl] "TPSODDCtl.exe"
O4 - HKLM\..\Run: [TPSMain] "TPSMain.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe" "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - »https://odin/connectcomputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »update.microsoft.com/microsoftup···25902593
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - »download.eset.com/special/eos/On···nner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain
O17 - HKLM\Software\..\Telephony: DomainName = domain
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FirebirdGuardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\firebird_1_5\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 12330 bytes]]> http://www.dslreports.com/forum/remark,22522534 Tue, 09 Jun 2009 14:51:48 EDT Re: MSN sending out messages without my consent http://www.dslreports.com/forum/remark,22521586 Milkster : damn, i just realized that i didn't do the scanning in safe mode....I will repost the logs when scanning is done.... sorry]]> http://www.dslreports.com/forum/remark,22521586 Tue, 09 Jun 2009 12:40:00 EDT MSN sending out messages without my consent http://www.dslreports.com/forum/remark,22521535 Milkster : I have a co-worker whose machine I just restored to factory defaults (its a laptop) and re-installed all his necessary programs.

After giving the laptop back to him I started seeing messages sent to me over MSN Messenger from him with a link to a phishing website.

I have ran ESET online scanner which found 1 file:

C:\Documents and Settings\Administrator\Local Settings\Temp\is-O56JM.tmp\askBarSetup.exe
a variant of Win32/AdInstaller applicationcleaned by deleting - quarantined

I then ran Malwarebytes and it was clean:

Malwarebytes' Anti-Malware 1.37
Database version: 2252
Windows 5.1.2600 Service Pack 3

6/9/2009 10:54:21 AM
mbam-log-2009-06-09 (10-54-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 222025
Time elapsed: 1 hour(s), 0 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

After that I ran HijackThis, and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:07 AM, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Firebird\firebird_1_5\bin\fbguard.exe
C:\Program Files\Firebird\firebird_1_5\bin\fbserver.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Citrix\GoToMeeting\366\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\366\g2mlauncher.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [00THotkey] "C:\WINDOWS\system32\00THotkey.exe"
O4 - HKLM\..\Run: [000StTHK] "000StTHK.exe"
O4 - HKLM\..\Run: [ThpSrv] "C:\WINDOWS\system32\thpsrv" /logon
O4 - HKLM\..\Run: [TOSDCR] "TOSDCR.EXE"
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [TFNF5] "TFNF5.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" /Service
O4 - HKLM\..\Run: [TMESRV.EXE] "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" /Logon
O4 - HKLM\..\Run: [TAudEffect] "C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe" /run
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [TouchED] "C:\Program Files\TOSHIBA\TouchED\TouchED.exe"
O4 - HKLM\..\Run: [TPSODDCtl] "TPSODDCtl.exe"
O4 - HKLM\..\Run: [TPSMain] "TPSMain.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe" "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - »https://odin/connectcomputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »update.microsoft.com/microsoftup···25902593
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - »download.eset.com/special/eos/On···nner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = medirex
O17 - HKLM\Software\..\Telephony: DomainName = medirex
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = medirex
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FirebirdGuardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\firebird_1_5\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 15391 bytes

After all that was performed he still continues to send Messages out over Messanger live to his contacts.

I know have asked him to change his MSN password. I'll have to wait and see if this continues.

Attached is an example of the message that he sends out to his contacts...]]> http://www.dslreports.com/forum/remark,22521535 Tue, 09 Jun 2009 12:32:35 EDT