I ran a SUPERAntiSpyware scan. I'm trying to use ComboFix now. When I click on the icon on my desktop to install it, it starts but then stops with this message: "ComboFix has detected the following real time scanner to be active: 'ThreatFire'". I'm not sure what this refers to since I have so many different scanning programs. I'm thinking it is Avira AntiVir Personal Free. I right-clicked the icon to disable it and the umbrella collapsed, so I thought I disabled it the right way. My firewall is disabled. I installed Spybot the other night, and today before running ComboFix I disabled TeaTimer in that program. I don't know of any other scanning software I might have.
In Windows Security Center the virus protection tab says it is on, and my firewall is off. What virus software could be running? Larry
I finally got ComboFix to work. See below its scan log as well as a new HJT log after the ComboFix scan. Larry
ComboFix 09-01-01.02 - Larry VS 2009-01-02 20:46:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.129 [GMT -5:00]
Running from: c:\documents and settings\Larry VS\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://download.esd.intuit.com.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.
2009-01-02 20:42 . 2009-01-02 20:42 <DIR> d-------- c:\program files\ThreatFire
2009-01-02 20:42 . 2009-01-02 20:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-02 20:42 . 2008-11-17 13:05 51,488 --a------ c:\windows\system32\drivers\TfFsMon.sys
2009-01-02 20:42 . 2008-11-17 13:05 39,200 --a------ c:\windows\system32\drivers\TfSysMon.sys
2009-01-02 20:42 . 2008-11-17 13:05 33,056 --a------ c:\windows\system32\drivers\TfNetMon.sys
2009-01-02 20:42 . 2008-11-17 13:05 12,576 --a------ c:\windows\system32\drivers\TfKbMon.sys
2009-01-02 14:20 . 2009-01-02 14:20 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\Apple Computer
2009-01-02 14:01 . 2009-01-02 14:01 <DIR> d-------- c:\program files\Avira
2009-01-02 14:01 . 2009-01-02 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-31 19:15 . 2008-12-31 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-30 18:44 . 2008-12-31 19:16 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-30 18:41 . 2008-12-30 18:48 47,861 --a------ c:\windows\hpiins01.dat
2008-12-30 18:41 . 2005-04-25 11:32 0 --------- c:\windows\hpimdl01.dat
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmpFE7C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmpD85C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmpAB8C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmpA73C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmp98BC7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmp599C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmp20AC7.FOT
2008-12-27 12:58 . 2008-12-27 12:58 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\OpenOffice.org
2008-12-26 11:42 . 2008-12-26 11:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-25 16:41 . 2008-12-25 16:41 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\Netscape
2008-12-24 09:12 . 2008-12-31 22:17 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\WeatherBug
2008-12-22 20:53 . 2008-12-22 20:53 <DIR> d-------- c:\documents and settings\Larry VS\Medtronic
2008-12-22 20:53 . 2008-12-22 20:53 194,362 --a------ c:\windows\system32\drivers\windrvr6.sys
2008-12-22 20:19 . 2008-12-22 20:19 <DIR> d-------- c:\documents and settings\Larry VS\My PaperPort Documents
2008-12-22 20:18 . 2009-01-01 19:16 <DIR> d-------- c:\documents and settings\Larry VS\My Downloads
2008-12-22 20:17 . 2008-12-22 20:18 <DIR> d-------- c:\documents and settings\Larry VS\My Albums
2008-12-22 20:04 . 2009-01-02 14:29 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\Intuit
2008-12-22 19:53 . 2008-12-22 19:53 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\PCToolsFirewallPlus
2008-12-22 19:50 . 2009-01-02 19:32 <DIR> d-------- c:\documents and settings\Larry VS
2008-12-21 20:38 . 2009-01-02 19:27 <DIR> d-------- c:\documents and settings\Guest
2008-12-21 09:52 . 2008-12-21 09:52 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-12-21 09:52 . 2008-12-21 09:52 <DIR> d-------- c:\program files\JRE
2008-12-20 10:15 . 2008-12-20 10:15 <DIR> d-------- c:\program files\Bonjour
2008-12-13 17:55 . 2008-12-17 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2008-12-12 13:54 . 2008-12-12 13:54 10 --a------ c:\windows\popcinfo.dat
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-12-10 20:29 . 2008-12-10 20:29 164,352 --a------ c:\windows\system32\SpoonUninstall.exe
2008-12-06 12:21 . 2008-12-06 12:21 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2008-12-06 12:14 . 2008-12-06 12:14 <DIR> d-------- c:\program files\TurboTax
2008-12-05 18:45 . 2008-12-05 18:45 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-05 18:45 . 2008-12-05 18:45 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-05 18:44 . 2008-12-05 18:44 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-05 18:35 . 2008-12-05 18:35 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-05 18:35 . 2008-12-05 18:35 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-05 18:34 . 2008-12-10 14:26 1,366,890 --a------ c:\windows\setupapi.log.1.old
2008-12-05 18:34 . 2008-03-21 13:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll
2008-12-05 18:32 . 2008-12-05 18:36 <DIR> d-------- c:\program files\Zune
2008-12-05 18:29 . 2008-05-02 08:25 465,920 --------- c:\windows\system32\imapi2fs.dll
2008-12-05 18:29 . 2008-05-02 08:25 465,920 -----c--- c:\windows\system32\dllcache\imapi2fs.dll
2008-12-05 18:29 . 2008-05-02 08:25 317,952 --------- c:\windows\system32\imapi2.dll
2008-12-05 18:29 . 2008-05-02 08:25 317,952 -----c--- c:\windows\system32\dllcache\imapi2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 01:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 00:16 --------- d-----w c:\program files\HP
2008-12-30 23:44 --------- d-----w c:\program files\Common Files\HP
2008-12-26 16:41 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-26 15:22 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-23 00:07 --------- d-----w c:\program files\CCleaner
2008-12-21 14:46 --------- d-----w c:\program files\Java
2008-12-06 17:18 --------- d-----w c:\program files\Common Files\Intuit
2008-12-06 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-12-06 17:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 14:38 --------- d-----w c:\program files\IncrediMail
2008-11-30 19:32 --------- d-----w c:\program files\Amazon
2008-11-22 14:36 --------- d-----w c:\program files\iTunes
2008-11-22 14:36 --------- d-----w c:\program files\iPod
2008-11-22 14:36 --------- d-----w c:\program files\Common Files\Apple
2008-11-22 14:36 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 14:33 --------- d-----w c:\program files\QuickTime
2008-11-12 16:22 --------- d-----w c:\program files\Plus!
2008-11-10 17:23 60,032 ----a-w c:\windows\system32\ZuneBusEnum.exe
2008-11-10 17:23 243,840 ----a-w c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 17:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 17:09 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll
2008-11-10 17:09 40,832 ----a-w c:\windows\system32\drivers\zumbus.sys
2008-11-10 17:09 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll
2008-11-10 17:09 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 17:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
2008-11-10 17:09 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll
2008-11-10 00:38 --------- d-----w c:\program files\RegCure
2008-11-06 00:50 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-11-06 00:21 --------- d-----w c:\program files\Quicken
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 20:47 6 ----a-w c:\windows\Fonts\wfonts.key
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 -c--a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 -c--a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 -c--a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 -c--a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 -c--a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 -c--a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 19:07 208,744 -c--a-w c:\windows\system32\muweb.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-05-07 17:49 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2008-11-09 243072]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2008-11-17 263456]
"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Larry^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Larry\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--a--c--- 2004-07-20 08:34 851968 c:\program files\Brother\ControlCenter2\brctrcen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
-----c--- 2004-05-25 08:16 49152 c:\program files\Brother\Brmfl04a\BrStDvPt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
-----c--- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-01-02 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-01-02 39200]
R2 IntuitUpdateService;Intuit Update Service;"c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [2008-10-10 13088]
R3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys [2009-01-02 33056]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service []
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-03-30 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-03-30 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-03-30 9088]
S3 MusCDriver;MusCDriver;c:\windows\system32\drivers\MusCDriver.sys [2008-10-23 23096]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\DRIVERS\MusCVideo32.sys [2008-10-23 3768]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS []
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\sbfwim.sys [2008-07-25 65576]
S3 USR1806;U.S. Robotics Faxmodem Driver 1806;c:\windows\system32\DRIVERS\USR1806.SYS [2008-01-19 793598]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
*Newly Created Service* - TFFSMON
*Newly Created Service* - TFNETMON
*Newly Created Service* - TFSYSMON
*Newly Created Service* - THREATFIRE
.
Contents of the 'Scheduled Tasks' folder
2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 16:21]
.
- - - - ORPHANS REMOVED - - - -
Notify-!SASWinLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
uInternet Connection Wizard,ShellNext = hxxp://www.incredimail.com/app/?tag=pag ... ncrediMail
c:\windows\Downloaded Program Files\AxCtp2.dll - O16 -: PackageCab
hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
c:\windows\Downloaded Program Files\OSD2EA.OSD
FF - ProfilePath - c:\documents and settings\Larry VS\Application Data\Mozilla\Firefox\Profiles\24fp81vs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/index.php
FF - plugin: c:\documents and settings\Larry VS\Application Data\Mozilla\plugins\npPxPlay.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 20:53:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(828)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
- - - - - - - > 'lsass.exe'(884)
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2009-01-02 20:55:41
ComboFix-quarantined-files.txt 2009-01-03 01:55:36
Pre-Run: 29,627,047,936 bytes free
Post-Run: 29,658,275,840 bytes free
242 --- E O F --- 2008-12-17 23:29:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:00 PM, on 2009-01-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.incredimail.com/app/?tag=pag ... ncrediMail
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
--
End of file - 6344 bytes