
> Forum Guidelines

Read this topic before posting a log.


DO NOT post a ComboFix log unless requested to.


Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

 
> Unknown Infection With Multiple Popups, Not detected by Spyware Doc and McAfee
Cloud_D (New Member; Group: Members; Posts: 13; Joined: 23-April 08; Member No.: 204,803)
post Apr 24 2008, 05:30 AM
Post #1

Hi,

My computer is infected with something but I don't know what it is, as scans via Spyware Doctor and McAfee have shown up nothing. Tried the Kaspersky scanner and it found 8 items but I was unable to save the report. However, some of those items were trusted programs such as IRC so...

In any case, here's the problem.

When I start up my browser, either IE or FF, there would be popups in other tabs or via a new window. They seem to be different websites every time, and below are some of them:

- <http://antispywaresuite.com/data/index.php?02005c5f570e6b100d025701574c3909036f084e0a665356073a43053a5c596e020451501f04580b591f550a565748020d5d455e5e5f095a5b3a0157570e03023a040703015556510556525b0c0957050608540f5d08010601510301035f5157033e56500d5102530003025a5b0e525755065a5d5b0b06010f5d5356500c55085151130555060953420109570a1e01095f01531f5f53090510065d5f541f5a453a085b04565e015556576b52660952595b04460a790c0105003a003d510b0204431257060452>

- <http://joybuyjoy.com/hobbies_games.html>

- <http://http://82.98.235.210/go//?cmp=impressions_se_juan&uid=E2A86B3A0F9511DD876E152743CFFFFF&guid=C24261DE68B646769DC22598C455B940&affid=152743&lid=http> (x)

- <http://82.98.235.210/go//?cmp=vm_cmp793_xt&uid=E2A86B3A0F9511DD876E152743CFFFFF&guid=C24261DE68B646769DC22598C455B940&affid=152743&rid=ccnt_ha&lid=http> (x)

- <http://83.149.75.33/info.png?cmp=ghrnc&uid=E2A86B3A0F9511DD876E152743CFFFFF&guid=C24261DE68B646769DC22598C455B940&affid=152743&lid=http&z=us> (x)

- <http://hopelessromantic.com/pop_install.php>


After some time I will also get the following message:

---------------------------
Microsoft Visual C++ Runtime Library
---------------------------
Buffer overrun detected!

Program: C:\Windows\Explorer.EXE

A buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.


Could anyone assist me with getting rid of this infection? Thank you!


Here is the main log from the DSS scan:

Deckard's System Scanner v20071014.68
Run by Daniel on 2008-04-24 16:09:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
8: 2008-04-22 14:45:41 UTC - RP30 - Spyware Doctor: Cleaning Threats
7: 2008-04-22 11:25:08 UTC - RP28 - Spyware Doctor: Cleaning Threats
6: 2008-04-21 10:05:53 UTC - RP26 - Installed Java™ 6 Update 5
5: 2008-04-19 14:45:28 UTC - RP25 - Windows Update
4: 2008-04-19 14:23:56 UTC - RP24 - Windows Update


-- First Restore Point --
1: 2008-04-19 07:19:53 UTC - RP21 - Installed Adobe Reader 8.1.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-24 16:14:31
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\System32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\taskeng.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Windows\System32\svchost.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Windows\System32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
E:\Users\Daniel\Desktop\dss.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\conime.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\rqRKCRhh.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll,c
O4 - HKCU\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b
O4 - HKCU\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\xbikotwo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\xmkjvqao.dll",b (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\xmkjvqao.dll",b (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - E:\Program Files\Avanquest\Fix-It\mxtask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe


--
End of file - 11072 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-24 16:07:03 440 --a------ C:\Windows\Tasks\RegCure Program Check.job
2008-04-23 20:01:15 424 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{54C04306-396D-428A-A04D-8B1A362526F2}.job
2008-04-19 11:43:33 374 --a------ C:\Windows\Tasks\RegCure.job
2008-04-19 10:12:12 334 --a------ C:\Windows\Tasks\McQcTask.job
2008-04-19 10:12:11 342 --a------ C:\Windows\Tasks\McDefragTask.job


-- Files created between 2008-03-24 and 2008-04-24 -----------------------------

2008-04-23 18:18:56 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-04-21 20:55:27 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-21 18:07:07 0 d-------- C:\Program Files\Java
2008-04-21 18:06:26 0 d-------- C:\Program Files\Common Files\Java
2008-04-20 23:30:18 0 d--h----- C:\Users\All Users\CanonBJ
2008-04-19 22:26:20 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-19 12:15:12 0 d-------- C:\Users\All Users\BVRP Software
2008-04-19 12:13:40 0 dr-hs---- C:\_Backup.RC
2008-04-19 12:13:35 0 d--h----- C:\_Backup
2008-04-19 12:11:23 0 d-------- C:\Users\All Users\Avanquest
2008-04-19 12:06:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 10:53:50 0 d-------- C:\Users\All Users\Adobe Systems
2008-04-19 10:39:34 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 10:36:43 0 d-------- C:\Users\All Users\Adobe
2008-04-19 10:36:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 04:01:28 0 d-------- C:\Windows\Panther
2008-04-19 03:55:08 0 d-------- C:\Windows.old
2008-04-19 03:06:48 0 d-------- C:\Windows\SoftwareDistribution
2008-04-19 03:04:41 0 d-------- C:\Windows\Debug
2008-04-19 03:02:37 0 d-------- C:\Windows\Prefetch
2008-04-19 02:00:11 0 d-------- C:\Users\All Users\SiteAdvisor
2008-04-19 02:00:11 0 d-------- C:\Program Files\SiteAdvisor
2008-04-19 01:58:25 0 d-------- C:\Program Files\McAfee.com
2008-04-19 01:58:21 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58:20 0 d-------- C:\Program Files\McAfee
2008-04-19 01:52:15 0 d-------- C:\Users\All Users\McAfee
2008-04-19 00:18:39 0 d-------- C:\Users\All Users\Messenger Plus!
2008-04-18 16:27:56 0 d-------- C:\Windows\system32\Macromed
2008-04-18 16:18:54 0 d-------- C:\Program Files\uTorrent
2008-04-18 15:59:27 0 d-------- C:\Program Files\iPod
2008-04-18 15:57:45 0 d-------- C:\Program Files\Bonjour
2008-04-18 15:56:59 0 d-------- C:\Program Files\QuickTime
2008-04-18 15:56:58 0 d-------- C:\Users\All Users\Apple Computer
2008-04-18 15:56:26 0 d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55:36 0 d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:55:35 0 d-------- C:\Users\All Users\Apple
2008-04-18 15:45:52 0 d-------- C:\Program Files\Microsoft Works
2008-04-18 15:45:12 0 d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:42:52 0 d-------- C:\Users\All Users\Microsoft Help
2008-04-18 15:42:28 0 dr-h----- C:\MSOCache
2008-04-18 15:37:49 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:31:45 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:31:40 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:30:37 0 d-------- C:\Users\All Users\WLInstaller
2008-04-18 15:14:40 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10:12 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 15:10:00 0 d-------- C:\Windows\PCHEALTH
2008-04-18 14:49:33 0 d--hs---- C:\Windows\Installer
2008-04-18 14:49:25 0 d-------- C:\Users\All Users\PC Tools
2008-04-18 14:48:00 0 d-a------ C:\Users\All Users\TEMP
2008-04-18 14:31:53 0 d-------- C:\PerfLogs
2008-04-18 14:15:41 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 14:01:58 0 d-------- C:\bc4df1d51d879d6c5c156d0475
2008-04-18 13:31:53 0 d-------- C:\Users\All Users\NVIDIA
2008-04-18 13:28:20 0 d-------- C:\Windows\system32\RTCOM
2008-04-18 13:27:11 0 d-------- C:\Program Files\CONEXANT
2008-04-18 12:19:23 0 d-------- C:\Users\Daniel\Contacts
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Templates
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Start Menu
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\SendTo
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Recent
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\PrintHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\NetHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\My Documents
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Local Settings
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Cookies
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Application Data
2008-04-18 12:19:15 1310720 --ahs---- C:\Users\Daniel\NTUSER.DAT
2008-04-18 12:19:15 0 d--h----- C:\Users\Daniel\AppData
2008-04-18 11:51:30 0 d--hs---- C:\Boot
2008-04-18 11:22:43 0 d-------- C:\$WIN_NT$.~BT
2008-04-18 09:04:39 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-04-24 16:05:24 0 d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-04-21 22:03:00 0 d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-21 20:40:53 0 d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 19:11:16 0 d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-21 18:59:59 0 d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-21 18:06:26 0 d-------- C:\Program Files\Common Files
2008-04-19 15:22:44 0 d-------- C:\Users\Daniel\AppData\Roaming\Adobe
2008-04-19 14:38:33 0 d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-04-19 12:19:22 0 d-------- C:\Users\Daniel\AppData\Roaming\Mozilla
2008-04-19 12:11:23 0 d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 11:51:14 0 d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:17:30 0 d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 00:54:54 0 d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-18 16:27:59 0 d-------- C:\Users\Daniel\AppData\Roaming\Macromedia
2008-04-18 14:38:34 174 --ahs---- C:\Program Files\desktop.ini
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Sidebar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Mail
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Calendar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Movie Maker
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Journal
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Collaboration
2008-04-18 14:32:36 0 d-------- C:\Program Files\Windows Defender
2008-04-18 12:19:26 0 d-------- C:\Users\Daniel\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/25/2007 05:52 AM C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [08/28/2007 01:59 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/28/2007 01:59 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/28/2007 01:59 AM]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [02/16/2008 01:20 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 05:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/16/2005 05:48 AM]
"ISTray"="E:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/25/2007 05:57 AM]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [04/19/2008 10:18 AM]
"MSServer"="C:\Users\Daniel\AppData\Local\Temp\rqRKCRhh.dll,#1" []
"cmds"="C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll,c" []
"040040a6"="C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll,b" []
"BM0733733a"="C:\Users\Daniel\AppData\Local\Temp\xbikotwo.dll,s" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"040040a6"=rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\xmkjvqao.dll",b

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-24 16:17:58 ------------

Here's the extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 3.40GHz
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 1022.71 MiB / 409.88 MiB
Pagefile Memory (total/avail): 2309.76 MiB / 1261.14 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1883.59 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 44.81 GiB total, 22.1 GiB free.
D: is Fixed (NTFS) - 68.38 GiB total, 25.41 GiB free.
E: is Fixed (NTFS) - 30.1 GiB total, 20.38 GiB free.
F: is Fixed (FAT32) - 5.75 GiB total, 0.95 GiB free.
G: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG HD160JJ/P ATA Device - 149.05 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 44.81 GiB - C:
\PARTITION1 - Unknown - 5.76 GiB - F:
\PARTITION2 - Extended w/Extended Int 13 - 98.48 GiB - D: - E:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AV: ThreatFire v3.0.14.16 (PC Tools)
AS: Spyware Doctor v5.5.0.178 (PC Tools)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: ThreatFire v3.0.14.16 (PC Tools)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Daniel\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DANIEL-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Daniel
LOCALAPPDATA=C:\Users\Daniel\AppData\Local
LOGONSERVER=\\DANIEL-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Daniel\AppData\Local\Temp
TMP=C:\Users\Daniel\AppData\Local\Temp
USERDOMAIN=Daniel-PC
USERNAME=Daniel
USERPROFILE=C:\Users\Daniel
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Daniel


-- Add/Remove Programs ---------------------------------------------------------

µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AusLogics Disk Defrag --> "E:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BS.Player PRO --> "E:\Program Files\Webteh\BSplayerPro\uninstall.exe"
Combined Community Codec Pack 2008-01-24 --> "E:\Program Files\Combined Community Codec Pack\unins000.exe"
Fix-It Utilities 8 Professional --> MsiExec.exe /I{5158974E-2D28-4018-9335-7694C2974746}
Google Gmail Notifier --> "E:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\UIU32m.exe -U -ITrx200Cz.INF
Spyware Doctor 5.5 --> E:\Program Files\Spyware Doctor\unins000.exe /LOG
ThreatFire 3.0 --> "E:\Program Files\ThreatFire\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
VideoLAN VLC media player 0.8.6f --> E:\Program Files\VideoLAN\VLC\uninstall.exe
Videora iPod touch Converter 3.07 --> E:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1513 / Success
Event Submitted/Written: 04/24/2008 04:08:13 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1508 / Success
Event Submitted/Written: 04/24/2008 04:07:37 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type1507 / Success
Event Submitted/Written: 04/24/2008 04:07:27 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type1504 / Success
Event Submitted/Written: 04/24/2008 04:07:06 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type1483 / Success
Event Submitted/Written: 04/24/2008 03:56:26 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15869 / Error
Event Submitted/Written: 04/24/2008 04:06:57 PM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type15862 / Error
Event Submitted/Written: 04/24/2008 04:06:40 PM
Event ID/Source: 2 / Microsoft-Windows-Kernel-Processor-Power
Event Description:
1

Event Record #/Type15860 / Error
Event Submitted/Written: 04/24/2008 04:06:40 PM
Event ID/Source: 2 / Microsoft-Windows-Kernel-Processor-Power
Event Description:
0

Event Record #/Type15735 / Error
Event Submitted/Written: 04/24/2008 03:55:10 PM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type15726 / Error
Event Submitted/Written: 04/24/2008 03:54:53 PM
Event ID/Source: 2 / Microsoft-Windows-Kernel-Processor-Power
Event Description:
0



-- End of Deckard's System Scanner: finished at 2008-04-24 16:17:58 ------------
Further link deactivation ~ OB

This post has been edited by Orange Blossom: Apr 24 2008, 04:16 PM
Thunder
post Apr 25 2008, 02:58 AM
Post #2


Forum Addict

Group: HJT Team
Posts: 2,098
Joined: 12-December 05
From: Belgium
Member No.: 44,294



Hello Cloud_D and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder


--------------------
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
- If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Cloud_D
post Apr 25 2008, 08:49 AM
Post #3


New Member

Group: Members
Posts: 13
Joined: 23-April 08
Member No.: 204,803



Thanks for the reply. =)

I'll now proceed according to the instructions and will post here when I'm done.
Cloud_D
post Apr 25 2008, 10:01 AM
Post #4


New Member

Group: Members
Posts: 13
Joined: 23-April 08
Member No.: 204,803



Malware scan log:

Malwarebytes' Anti-Malware 1.11
Database version: 681

Scan type: Quick Scan
Objects scanned: 29907
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM0733733a (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
rundll32.exe (Trojan.Agent) -> No action taken.
C:\Users\Daniel\AppData\Local\Temp\ptjhffcl.dll (Trojan.Agent) -> No action taken.

Combofix:

ComboFix 08-04-22.5 - Daniel 2008-04-25 22:44:32.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.346 [GMT 8:00]
Running from: E:\Users\Daniel\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-25 22:44 . 2008-04-25 22:44 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{e1fd1c72-12d3-11dd-be59-0019212c5eb4}.TMContainer00000000000000000002.regtrans-ms
2008-04-25 22:44 . 2008-04-25 22:44 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{e1fd1c72-12d3-11dd-be59-0019212c5eb4}.TMContainer00000000000000000001.regtrans-ms
2008-04-25 22:44 . 2008-04-25 22:44 65,536 --ahs---- C:\Users\Public\NTUSER.DAT{e1fd1c72-12d3-11dd-be59-0019212c5eb4}.TM.blf
2008-04-25 22:42 . 2008-04-25 22:42 <DIR> d-------- C:\327882R2FWJFW
2008-04-25 22:12 . 2008-04-25 22:12 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2008-04-25 22:12 . 2008-04-25 22:12 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-25 22:12 . 2008-04-25 22:12 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-24 16:09 . 2008-04-24 16:09 <DIR> d-------- C:\Deckard
2008-04-23 18:18 . 2008-04-23 18:18 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-04-21 20:55 . 2008-04-21 20:55 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-04-21 20:40 . 2008-04-21 20:40 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 18:57 . 2008-04-21 18:59 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-21 18:07 . 2008-04-21 18:08 <DIR> d-------- C:\Program Files\Java
2008-04-21 18:06 . 2008-04-21 18:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-20 23:30 . 2008-04-20 23:30 <DIR> d--h----- C:\Users\All Users\CanonBJ
2008-04-20 23:30 . 2008-04-20 23:30 <DIR> d--h----- C:\ProgramData\CanonBJ
2008-04-19 22:26 . 2008-04-19 22:26 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-19 22:05 . 2008-04-19 22:05 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-19 12:15 . 2008-04-19 12:15 <DIR> d-------- C:\Users\All Users\BVRP Software
2008-04-19 12:15 . 2008-04-19 12:15 <DIR> d-------- C:\ProgramData\BVRP Software
2008-04-19 12:13 . 2008-04-19 12:13 <DIR> dr-hs---- C:\_Backup.RC
2008-04-19 12:13 . 2008-04-19 12:13 <DIR> d--h----- C:\_Backup
2008-04-19 12:11 . 2008-04-19 12:11 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 12:11 . 2008-04-19 12:11 <DIR> d-------- C:\Users\All Users\Avanquest
2008-04-19 12:11 . 2008-04-19 12:11 <DIR> d-------- C:\ProgramData\Avanquest
2008-04-19 12:06 . 2008-04-19 12:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 11:51 . 2008-04-19 11:51 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:17 . 2008-04-19 11:17 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 10:53 . 2008-04-19 10:53 <DIR> d-------- C:\Users\All Users\Adobe Systems
2008-04-19 10:53 . 2008-04-19 10:53 <DIR> d-------- C:\ProgramData\Adobe Systems
2008-04-19 10:39 . 2008-04-19 10:39 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 10:36 . 2008-04-19 15:21 <DIR> d-------- C:\Users\All Users\Adobe
2008-04-19 10:36 . 2008-04-19 15:21 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-19 04:01 . 2008-04-18 12:10 <DIR> d-------- C:\Windows\Panther
2008-04-19 03:07 . 2008-04-21 22:03 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-19 03:04 . 2008-04-18 12:46 <DIR> d-------- C:\Windows\Debug
2008-04-19 03:02 . 2008-04-19 03:02 524,288 --ahs---- C:\Windows\System32\config\systemprofile\ntuser.dat{f9817944-0d79-11dd-b61f-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms
2008-04-19 03:02 . 2008-04-25 22:44 524,288 --ahs---- C:\Windows\System32\config\systemprofile\ntuser.dat{f9817944-0d79-11dd-b61f-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
2008-04-19 03:02 . 2008-04-25 22:44 65,536 --ahs---- C:\Windows\System32\config\systemprofile\ntuser.dat{f9817944-0d79-11dd-b61f-806e6f6e6963}.TM.blf
2008-04-19 02:00 . 2008-04-19 14:38 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-04-19 02:00 . 2008-04-25 18:27 <DIR> d-------- C:\Users\All Users\SiteAdvisor
2008-04-19 02:00 . 2008-04-25 18:27 <DIR> d-------- C:\ProgramData\SiteAdvisor
2008-04-19 02:00 . 2008-04-21 19:22 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-19 02:00 . 2008-04-25 22:42 13,747 --a------ C:\Windows\System32\Config.MPF
2008-04-19 01:58 . 2008-04-19 01:58 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-19 01:58 . 2008-04-19 11:43 <DIR> d-------- C:\Program Files\McAfee
2008-04-19 01:58 . 2008-04-19 01:58 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58 . 2007-11-22 06:44 201,320 --a------ C:\Windows\System32\drivers\mfehidk.sys
2008-04-19 01:58 . 2007-07-13 06:21 125,728 --a------ C:\Windows\System32\drivers\Mpfp.sys
2008-04-19 01:58 . 2007-11-22 06:44 79,304 --a------ C:\Windows\System32\drivers\mfeavfk.sys
2008-04-19 01:58 . 2007-12-02 12:51 40,488 --a------ C:\Windows\System32\drivers\mfesmfk.sys
2008-04-19 01:58 . 2007-11-22 06:44 35,240 --a------ C:\Windows\System32\drivers\mfebopk.sys
2008-04-19 01:58 . 2007-11-22 06:44 33,832 --a------ C:\Windows\System32\drivers\mferkdk.sys
2008-04-19 01:52 . 2008-04-19 02:00 <DIR> d-------- C:\Users\All Users\McAfee
2008-04-19 01:52 . 2008-04-19 02:00 <DIR> d-------- C:\ProgramData\McAfee
2008-04-19 01:39 . 2008-04-19 01:39 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{db662672-0d62-11dd-9cee-0019212c5eb4}.TMContainer00000000000000000002.regtrans-ms
2008-04-19 01:39 . 2008-04-19 01:39 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{db662672-0d62-11dd-9cee-0019212c5eb4}.TMContainer00000000000000000001.regtrans-ms
2008-04-19 01:39 . 2008-04-19 01:39 65,536 --ahs---- C:\Users\Public\NTUSER.DAT{db662672-0d62-11dd-9cee-0019212c5eb4}.TM.blf
2008-04-19 01:39 . 2008-04-25 22:44 5,120 --ah----- C:\Users\Public\NTUSER.DAT.LOG1
2008-04-19 01:39 . 2008-04-19 01:39 0 --ah----- C:\Users\Public\NTUSER.DAT.LOG2
2008-04-19 00:55 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-04-19 00:55 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-04-19 00:55 . 2007-12-10 14:53 41,864 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-04-19 00:55 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-04-19 00:54 . 2008-04-19 00:54 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-19 00:18 . 2008-04-19 00:18 <DIR> d-------- C:\Users\All Users\Messenger Plus!
2008-04-19 00:18 . 2008-04-19 00:18 <DIR> d-------- C:\ProgramData\Messenger Plus!
2008-04-18 16:27 . 2008-04-18 16:27 <DIR> d-------- C:\Windows\System32\Macromed
2008-04-18 16:18 . 2008-04-25 22:39 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-04-18 16:18 . 2008-04-18 16:18 <DIR> d-------- C:\Program Files\uTorrent
2008-04-18 15:59 . 2008-04-21 19:11 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-18 15:59 . 2008-04-18 15:59 <DIR> d-------- C:\Program Files\iPod
2008-04-18 15:57 . 2008-04-18 15:57 <DIR> d-------- C:\Program Files\Bonjour
2008-04-18 15:56 . 2008-04-18 15:59 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-04-18 15:56 . 2008-04-18 15:59 <DIR> d-------- C:\ProgramData\Apple Computer
2008-04-18 15:56 . 2008-04-18 15:57 <DIR> d-------- C:\Program Files\QuickTime
2008-04-18 15:56 . 2008-04-18 15:56 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55 . 2008-04-18 15:55 <DIR> d-------- C:\Users\All Users\Apple
2008-04-18 15:55 . 2008-04-18 15:55 <DIR> d-------- C:\ProgramData\Apple
2008-04-18 15:55 . 2008-04-18 15:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:46 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-04-18 15:45 . 2008-04-18 15:45 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:45 . 2008-04-18 15:45 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-18 15:42 . 2008-04-19 22:51 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-04-18 15:42 . 2008-04-19 22:51 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-04-18 15:42 . 2008-04-18 15:42 <DIR> dr-h----- C:\MSOCache
2008-04-18 15:37 . 2008-04-18 15:37 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:31 . 2008-04-18 15:35 <DIR> d-------- C:\Program Files\Windows Live
2008-04-18 15:31 . 2008-04-18 15:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:30 . 2008-04-18 15:30 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-04-18 15:30 . 2008-04-18 15:30 <DIR> d-------- C:\ProgramData\WLInstaller
2008-04-18 15:14 . 2008-04-18 15:14 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10 . 2008-04-18 15:10 <DIR> d-------- C:\Windows\PCHEALTH
2008-04-18 15:10 . 2008-04-18 15:10 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 14:49 . 2008-04-21 18:08 <DIR> d--hs---- C:\Windows\Installer
2008-04-18 14:49 . 2008-04-18 14:49 <DIR> d-------- C:\Users\All Users\PC Tools
2008-04-18 14:49 . 2008-04-18 14:49 <DIR> d-------- C:\ProgramData\PC Tools
2008-04-18 14:49 . 2008-02-15 10:20 51,520 --a------ C:\Windows\System32\drivers\TfFsMon.sys
2008-04-18 14:49 . 2008-02-15 10:21 41,280 --a------ C:\Windows\System32\drivers\TfSysMon.sys
2008-04-18 14:49 . 2008-02-15 10:21 33,088 --a------ C:\Windows\System32\drivers\TfNetMon.sys
2008-04-18 14:49 . 2008-02-15 10:21 12,608 --a------ C:\Windows\System32\drivers\TfKbMon.sys
2008-04-18 14:48 . 2008-04-25 22:48 <DIR> d-a------ C:\Users\All Users\TEMP
2008-04-18 14:48 . 2008-04-25 22:48 <DIR> d-a------ C:\ProgramData\TEMP
2008-04-18 14:31 . 2008-04-18 14:31 <DIR> d-------- C:\PerfLogs
2008-04-18 14:15 . 2008-04-18 14:01 152,576 --a------ C:\Windows\System32\SPWizUI.dll
2008-04-18 14:15 . 2008-04-18 14:01 47,560 --a------ C:\Windows\System32\SPReview.exe
2008-04-18 14:06 . 2008-01-18 23:33 193,024 --a------ C:\Windows\System32\recdisc.exe
2008-04-18 14:06 . 2008-01-18 23:36 6,656 --a------ C:\Windows\System32\sdspres.dll
2008-04-18 14:02 . 2008-04-18 14:16 49,152 --a------ C:\Windows\SPInstall.etl
2008-04-18 14:02 . 2008-01-18 23:33 44,032 --a------ C:\Windows\System32\cbsra.exe
2008-04-18 14:01 . 2008-04-18 14:01 <DIR> d-------- C:\bc4df1d51d879d6c5c156d0475
2008-04-18 13:31 . 2008-04-18 14:39 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-04-18 13:31 . 2008-04-18 14:39 <DIR> d-------- C:\ProgramData\NVIDIA
2008-04-18 13:29 . 2007-08-28 01:59 1,073,152 --a------ C:\Windows\System32\nvcpluir.dll
2008-04-18 13:29 . 2007-08-28 01:59 753,664 --a------ C:\Windows\System32\nvcplui.exe
2008-04-18 13:29 . 2007-08-28 01:59 413,696 --a------ C:\Windows\System32\nvcpl.cpl
2008-04-18 13:29 . 2007-08-28 01:59 307,200 --a------ C:\Windows\System32\nvexpbar.dll
2008-04-18 13:29 . 2007-08-28 01:59 124,376 --a------ C:\Windows\System32\nvapps.xml
2008-04-18 13:29 . 2007-08-28 01:59 17,254 --a------ C:\Windows\System32\nvwsapps.xml
2008-04-18 13:28 . 2008-04-18 14:24 <DIR> d-------- C:\Windows\System32\RTCOM
2008-04-18 13:28 . 2008-04-18 13:28 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-04-18 13:27 . 2008-04-18 13:27 <DIR> d-------- C:\Program Files\CONEXANT
2008-04-18 13:07 . 2008-04-18 13:07 1,820 --a------ C:\Windows\System32\rasctrnm.h
2008-04-18 13:01 . 2008-04-18 13:01 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-04-18 12:56 . 2008-01-18 23:34 15,872 --a------ C:\Windows\System32\hcrstco.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 06:38 174 --sha-w C:\Program Files\desktop.ini
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Mail
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Journal
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Defender
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Collaboration
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Calendar
2008-04-18 06:20 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-04-18 06:20 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-01-29 04:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-04-19 10:18 219952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]
"cmds"="C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll" [2008-04-21 19:27 271872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-18 23:38 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 05:52 4702208 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-08-28 01:59 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-08-28 01:59 8473120]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-08-28 01:59 81920]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [2008-02-16 01:20 1152320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 05:48 479232]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-25 05:57 36640]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Malwarebytes Anti-Malware Reboot"="E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"040040a6"="C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll" [ ]
"BM0733733a"="C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= E:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E599BC19-3B42-44E6-BE01-6FB40ED1C2EE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9154AB29-380C-47D4-B530-77AF56BC7EA5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CD44DEE8-66FF-4364-BC13-630737E0146C}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A8F5827A-6218-4D55-8DDA-ACE8A124BC3A}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{B6A42924-FF49-4688-AD5C-1A7DF131D684}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{1CE32E32-80C5-4CB5-8074-5413C7ABE3FA}"= UDP:E:\Program Files\iTunes\iTunes.exe:iTunes
"{7E94B0C2-412B-4531-B0AA-2168C6E94A07}"= TCP:E:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{65A3C2D5-19C8-4387-A239-EBA9E7910421}E:\\program files\\mirc\\mirc.exe"= UDP:E:\program files\mirc\mirc.exe:mIRC
"UDP Query User{18B52C2C-4516-4434-9F6A-3D194B5F97A7}E:\\program files\\mirc\\mirc.exe"= TCP:E:\program files\mirc\mirc.exe:mIRC
"{F409F231-4356-4152-97F0-B495D23FB826}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 TfFsMon;TfFsMon;C:\Windows\system32\drivers\TfFsMon.sys [2008-02-15 10:20]
R0 TfSysMon;TfSysMon;C:\Windows\system32\drivers\TfSysMon.sys [2008-02-15 10:21]
R2 ThreatFire;ThreatFire;E:\Program Files\ThreatFire\TFService.exe service []
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 07:36]
R3 TfNetMon;TfNetMon;C:\Windows\system32\drivers\TfNetMon.sys [2008-02-15 10:21]
S3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 15:41]
S3 VSTHWBS2;VSTHWBS2;C:\Windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 15:41]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 02:12:11 C:\Windows\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-19 02:12:12 C:\Windows\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-25 14:28:59 C:\Windows\Tasks\RegCure Program Check.job"
- E:\Program Files\RegCure\RegCure.exe
"2008-04-19 03:43:33 C:\Windows\Tasks\RegCure.job"
- E:\Program Files\RegCure\RegCure.exe
"2008-04-25 11:37:31 C:\Windows\Tasks\User_Feed_Synchronization-{54C04306-396D-428A-A04D-8B1A362526F2}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 22:48:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll
.
Completion time: 2008-04-25 22:49:36
ComboFix-quarantined-files.txt 2008-04-25 14:49:28

Pre-Run: 27,676,045,312 bytes free
Post-Run: 27,556,278,272 bytes free

240 --- E O F --- 2008-04-19 14:51:27


Main:

Deckard's System Scanner v20071014.68
Run by Daniel on 2008-04-25 22:54:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-25 22:54:55
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Windows\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Windows\System32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\microsoft shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\System32\SearchProtocolHost.exe
C:\Windows\System32\SearchFilterHost.exe
E:\Users\Daniel\Desktop\dss.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Windows\System32\wbem\WmiPrvSE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9B