Post #1 - Aug 28 2008, 01:39 PM
New Member, Group: Members, Posts: 7, Joined: 26-August 08, Member No.: 233,603
Background replaced with spyware notification. "Windows Security Alert" pops up periodically saying that a Windows firewall has detected activity of harmful software, with an "Enable protection" link to a spyware removal program.

Bit Defender (HouseCall had problems with download)
McAfee Stinger
Also known as Trojan-Spy.HTML.Bankfraud.dq

I have run:
Adaware
Spybot
Cleaned temp files

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:06 AM, on 8/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\ProgramData\WebCmd\hutqnups.exe
C:\ProgramData\tofixwjs\rivalkbk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Vongo\Tray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\ProgramData\MntWebSys\fyjcjafw.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe
O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe
O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcHlpApl] C:\ProgramData\ProcHlpApl\psxepmvu.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.cnn.com
O15 - Trusted Zone: http://www.ringfactory.net
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9733 bytes
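For readers working through a HijackThis log like the one posted above, the script below is an added triage example written for this page; it is not HijackThis code and not something from the thread. It parses O2, O4 and O15 entries and returns the reasons a log helper would look twice at one: an auto-start executable sitting under C:\ProgramData (or its C:\Users\All Users alias, or the user's Temp folder), a Run value name that mixes letters and digits in one long token, a BHO whose DLL is gone, and any site added to the IE Trusted Zone. The location list and the value-name rule are heuristics chosen for this example rather than HijackThis rules, and the sample lines are copied from the log in this post.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")

# Locations where a legitimate auto-start executable is rarely installed.
# This list is a heuristic chosen for the example; tune it to your environment.
ODD_AUTORUN_DIRS = re.compile(
    r"^(c:\\programdata\\|c:\\users\\all users\\|c:\\users\\[^\\]+\\appdata\\local\\temp\\)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str
    reasons: list


def exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or bare, with arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?P<exe>.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def looks_generated(name: str) -> bool:
    """Value names such as 'GurV0KPIm7' mix letters and digits in one long token; product names rarely do."""
    return (len(name) >= 10 and " " not in name
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def assess(line: str) -> list:
    """Return the reasons an entry deserves review; an empty list means nothing was noted."""
    reasons = []
    if (m := O2_RE.match(line)):
        if m.group("path").strip().lower() == "(no file)":
            reasons.append("BHO CLSID is registered but its DLL is missing (orphaned or removed component)")
    elif (m := O4_RE.match(line)):
        exe = exe_from_command(m.group("cmd"))
        if ODD_AUTORUN_DIRS.match(exe):
            reasons.append(f"auto-start executable lives in an unusual location: {exe}")
        if looks_generated(m.group("name")):
            reasons.append(f"Run value name looks machine-generated: {m.group('name')}")
    elif (m := O15_RE.match(line)):
        reasons.append(f"site placed in IE Trusted Zone, confirm it was intentional: {m.group('site')}")
    return reasons


def triage(lines) -> list:
    """Run assess() over every line and keep only the entries that produced a reason."""
    return [Finding(l, r) for l in lines if (r := assess(l))]


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r"O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart",
    r"O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe",
    r"O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe",
    r"O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe",
    r"O4 - HKCU\..\Run: [ProcHlpApl] C:\ProgramData\ProcHlpApl\psxepmvu.exe",
    r"O15 - Trusted Zone: http://www.cnn.com",
    r"O15 - Trusted Zone: http://www.ringfactory.net",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run as a script it prints the flagged lines with their reasons; on the sample it reports seven entries: the four ProgramData/system32 Run values, the orphaned BHO and both Trusted Zone sites. Entries it does not flag (SynTPEnh, the NVIDIA rundll32 line) are not thereby vouched for; the script only narrows the list a human still reads.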
Post #2 - Aug 30 2008, 02:58 AM
Forum Addict, Group: HJT Team, Posts: 2,353, Joined: 12-December 05, From: Belgium, Member No.: 44,294
Hello Blue97 and welcome to BleepingComputer,

1. Clean your Cache and Cookies in IE:

Doubleclick mbam-setup.exe to install the application.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !). The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, and you're notified a more current version is available, please download the latest version as described in the tutorial. It must be saved directly to your desktop.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder

--------------------
Whatever happens, make believe it was intended to ...
Post #3 - Aug 30 2008, 08:21 AM
New Member, Group: Members, Posts: 7, Joined: 26-August 08, Member No.: 233,603
Thank you, Thunder.

Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:06 AM, on 8/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\ProgramData\WebCmd\hutqnups.exe
C:\ProgramData\tofixwjs\rivalkbk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Vongo\Tray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\ProgramData\MntWebSys\fyjcjafw.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe
O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe
O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcHlpApl] C:\ProgramData\ProcHlpApl\psxepmvu.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.cnn.com
O15 - Trusted Zone: http://www.ringfactory.net
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9733 bytes

Here is the Combofix log:

ComboFix 08-08-29.02 - mwilk 2008-08-30 7:50:39.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.340 [GMT -5:00]
Running from: C:\Users\mwilk\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3RXBHV6N\bin.clearspring.com
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3RXBHV6N\bin.clearspring.com\clearspring.sol
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3RXBHV6N\interclick.com
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3RXBHV6N\interclick.com\ud.sol
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.
2008-08-30 07:43 . 2008-08-30 07:43 <DIR> d-------- C:\Users\All Users\webenmsg
2008-08-30 07:43 . 2008-08-30 07:43 <DIR> d-------- C:\Users\All Users\GenInfo
2008-08-30 07:43 . 2008-08-30 07:43 <DIR> d-------- C:\ProgramData\webenmsg
2008-08-30 07:43 . 2008-08-30 07:43 <DIR> d-------- C:\ProgramData\GenInfo
2008-08-28 23:51 . 2008-08-28 23:51 <DIR> d-------- C:\Users\All Users\smartdb
2008-08-28 23:51 . 2008-08-28 23:51 <DIR> d-------- C:\Users\All Users\ProcAplUtil
2008-08-28 23:51 . 2008-08-28 23:51 <DIR> d-------- C:\ProgramData\smartdb
2008-08-28 23:51 . 2008-08-28 23:51 <DIR> d-------- C:\ProgramData\ProcAplUtil
2008-08-28 12:21 . 2008-08-28 12:21 <DIR> d-------- C:\Windows\BDOSCAN8
2008-08-28 11:50 . 2008-08-28 11:50 <DIR> d-------- C:\Users\All Users\enchk
2008-08-28 11:50 . 2008-08-28 11:50 <DIR> d-------- C:\Users\All Users\apien
2008-08-28 11:50 . 2008-08-28 11:50 <DIR> d-------- C:\ProgramData\enchk
2008-08-28 11:50 . 2008-08-28 11:50 <DIR> d-------- C:\ProgramData\apien
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\ProgramData\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-28 07:45 . 2008-08-28 07:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 20:49 . 2008-08-26 20:49 <DIR> d-------- C:\Users\All Users\ShStr
2008-08-26 20:49 . 2008-08-26 20:49 <DIR> d-------- C:\Users\All Users\apiact
2008-08-26 20:49 . 2008-08-26 20:49 <DIR> d-------- C:\ProgramData\ShStr
2008-08-26 20:49 . 2008-08-26 20:49 <DIR> d-------- C:\ProgramData\apiact
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-26 19:20 . 2008-08-30 07:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-26 19:20 . 2008-08-17 15:01 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-26 19:20 . 2008-08-17 15:01 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-25 06:53 . 2008-08-25 06:53 <DIR> d-------- C:\Users\All Users\MonProcCom
2008-08-25 06:53 . 2008-08-25 06:53 <DIR> d-------- C:\Users\All Users\HlpProc
2008-08-25 06:53 . 2008-08-25 06:53 <DIR> d-------- C:\ProgramData\MonProcCom
2008-08-25 06:53 . 2008-08-25 06:53 <DIR> d-------- C:\ProgramData\HlpProc
2008-08-24 18:37 . 2008-08-24 18:37 <DIR> d-------- C:\Users\All Users\hlpgenchk
2008-08-24 18:37 . 2008-08-24 18:37 <DIR> d-------- C:\Users\All Users\HlpCmdSet
2008-08-24 18:37 . 2008-08-24 18:37 <DIR> d-------- C:\ProgramData\hlpgenchk
2008-08-24 18:37 . 2008-08-24 18:37 <DIR> d-------- C:\ProgramData\HlpCmdSet
2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\Users\All Users\Grisoft
2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\ProgramData\Grisoft
2008-08-24 13:41 . 2008-08-24 05:08 <DIR> d-------- C:\SDFix
2008-08-24 11:46 . 2008-08-24 11:46 <DIR> d-------- C:\Users\All Users\ProcSetMsg
2008-08-24 11:46 . 2008-08-24 11:46 <DIR> d-------- C:\Users\All Users\ActMntCfg
2008-08-24 11:46 . 2008-08-24 11:46 <DIR> d-------- C:\ProgramData\ProcSetMsg
2008-08-24 11:46 . 2008-08-24 11:46 <DIR> d-------- C:\ProgramData\ActMntCfg
2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\Users\All Users\TEMP
2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\ProgramData\TEMP
2008-08-24 08:03 . 2008-08-24 08:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-24 07:47 . 2008-08-24 07:47 <DIR> d-------- C:\Users\All Users\ProcHlpApl
2008-08-24 07:47 . 2008-08-24 07:47 <DIR> d-------- C:\Users\All Users\MntWebSys
2008-08-24 07:47 . 2008-08-24 07:47 <DIR> d-------- C:\ProgramData\ProcHlpApl
2008-08-24 07:47 . 2008-08-24 07:47 <DIR> d-------- C:\ProgramData\MntWebSys
2008-08-24 07:17 . 2008-08-24 11:46 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-24 07:17 . 2008-08-24 11:46 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-24 07:17 . 2008-08-24 10:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\Users\All Users\WebCmd
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\Users\All Users\tofixwjs
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\Users\All Users\SmartUtil
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\ProgramData\WebCmd
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\ProgramData\tofixwjs
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\ProgramData\SmartUtil
2008-08-18 14:18 . 2008-08-18 14:18 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Template
2008-08-18 14:18 . 2008-08-18 14:18 0 --a------ C:\Users\mwilk\AppData\Roaming\wklnhst.dat
2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d-------- C:\Program Files\Windows Live
2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\ProgramData\WLInstaller
2008-08-14 07:02 . 2008-07-15 20:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 06:57 . 2008-08-14 06:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-13 18:23 . 2008-06-26 20:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 18:23 . 2008-06-26 23:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 18:23 . 2008-04-10 00:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-13 18:23 . 2008-06-18 22:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 18:23 . 2008-04-18 00:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-02 22:31 . 2008-08-02 22:31 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-02 03:11 . 2008-08-02 03:11 <DIR> d-------- C:\PerfLogs
2008-08-01 13:52 . 2008-01-19 02:38 4,595,712 --a------ C:\Windows\System32\AuthFWSnapin.dll
2008-08-01 13:51 . 2008-01-19 02:33 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
2008-08-01 13:50 . 2008-01-19 02:32 5,714,432 --a------ C:\Windows\System32\logon.scr
2008-08-01 13:49 . 2008-01-19 01:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-08-01 13:48 . 2008-01-19 02:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-08-01 13:48 . 2008-01-19 02:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-08-01 13:48 . 2008-01-19 02:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-08-01 13:48 . 2008-01-19 02:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-08-01 13:48 . 2008-01-19 02:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-08-01 13:48 . 2008-01-19 02:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-08-01 13:48 . 2008-01-19 02:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-08-01 13:48 . 2008-01-19 02:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-07-31 22:01 . 2008-07-31 22:01 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-07-31 19:24 . 2008-08-02 09:19 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-07-31 19:24 . 2008-08-02 09:19 <DIR> d-------- C:\ProgramData\NVIDIA
2008-07-31 19:11 . 2007-01-03 11:20 1,732 --a------ C:\Windows\System32\drivers\nvphy.bin
2008-07-31 19:08 . 2008-07-31 19:08 838,094 --a------ C:\Windows\System32\oem24.inf
2008-07-31 19:07 . 2008-08-20 03:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-07-31 17:59 . 2008-07-31 17:59 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\InstallShield
2008-07-28 12:49 . 2008-07-28 12:49 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-23 09:11 . 2008-06-25 20:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-14 12:11 . 2008-07-14 12:11 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 12:46 --------- d-----w C:\Users\mwilk\AppData\Roaming\Orbit
2008-08-24 06:20 --------- d-----w C:\Users\mwilk\AppData\Roaming\LimeWire
2008-08-18 14:58 --------- d-----w C:\Program Files\Orbitdownloader
2008-08-15 12:02 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-14 15:02 41,662 ----a-w C:\Users\mwilk\AppData\Roaming\nvModes.dat
2008-08-14 14:59 --------- d-----w C:\Program Files\Windows Mail
2008-08-05 22:56 --------- d-----w C:\Users\mwilk\AppData\Roaming\Move Networks
2008-08-02 08:22 174 --sha-w C:\Program Files\desktop.ini
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Journal
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Collaboration
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Calendar
2008-08-02 08:12 --------- d-----w C:\Program Files\Windows Defender
2008-08-01 19:13 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-08-01 19:13 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-08-01 04:26 --------- d-----w C:\Users\mwilk\AppData\Roaming\Hewlett-Packard
2008-08-01 03:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-01 03:33 --------- d-----w C:\ProgramData\CyberLink
2008-08-01 03:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 03:31 --------- d-----w C:\Program Files\Hp
2008-08-01 02:54 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-01 02:46 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-08-01 00:06 --------- d-----w C:\Program Files\CONEXANT
2008-06-29 21:07 --------- d-----w C:\Program Files\LimeWire
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-11 20:41 21,248 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-05-16 16:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-05-08 21:59 90,112 ----a-w C:\Windows\System32\wshext.dll
2008-05-08 21:59 430,080 ----a-w C:\Windows\System32\vbscript.dll
2008-05-08 21:59 180,224 ----a-w C:\Windows\System32\scrobj.dll
2008-05-08 21:59 172,032 ----a-w C:\Windows\System32\scrrun.dll
2008-05-08 21:59 155,648 ----a-w C:\Windows\System32\wscript.exe
2008-05-08 21:58 135,168 ----a-w C:\Windows\System32\cscript.exe
2008-05-07 14:37 21,760 ----a-w C:\Windows\Help\OEM\scripts\HPHS_Launcher.exe
2008-04-23 14:56 56,912 ----a-w C:\Users\mwilk\g2mdlhlpx.exe
.
((((((((((((((((((((((((((((( snapshot@2008-08-26_18.46.29.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-09 20:01:48 118,784 ----a-w C:\Windows\BDOSCAN8\bdupd.dll + 2008-01-09 20:01:48 53,248 ----a-w C:\Windows\BDOSCAN8\ipsupd.dll + 2008-01-09 20:01:48 53,248 ----a-w C:\Windows\bdoscandel.exe + 2008-01-09 20:01:48 118,784 ----a-w C:\Windows\Downloaded Program Files\bdupd.dll + 2008-01-09 20:01:48 53,248 ----a-w C:\Windows\Downloaded Program Files\ipsupd.dll - 2008-08-26 13:41:33 602,680 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat + 2008-08-30 12:40:49 602,680 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat - 2008-08-26 13:47:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat + 2008-08-30 12:41:56 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - 2008-08-26 13:47:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat + 2008-08-30 12:41:56 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - 2008-08-26 13:48:16 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT + 2008-08-30 12:42:55 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT - 2008-08-02 08:22:41 2,641,057 -c--a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat + 2008-08-27 12:15:43 2,641,057 -c--a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat - 2008-08-26 13:48:41 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT + 2008-08-30 12:42:57 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT - 2008-08-26 13:47:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2008-08-30 12:40:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat - 2008-08-26 13:47:49 32,768 --sha-w 
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat + 2008-08-30 12:40:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat - 2008-08-26 13:47:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2008-08-30 12:40:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat - 2008-08-26 23:40:36 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat + 2008-08-30 12:50:32 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat + 2008-04-29 16:19:50 12,960 ----a-w C:\Windows\System32\drivers\Awrtpd.sys + 2008-04-29 16:19:54 15,648 ----a-w C:\Windows\System32\drivers\Awrtrd.sys + 2008-04-29 16:20:00 15,648 ----a-w C:\Windows\System32\drivers\NSDriver.sys - 2008-01-19 07:34:49 35,328 ----a-w C:\Windows\System32\mimefilt.dll + 2008-05-27 05:18:32 40,448 ----a-w C:\Windows\System32\mimefilt.dll - 2008-01-19 07:35:13 248,832 ----a-w C:\Windows\System32\msshsq.dll + 2008-05-27 05:18:32 231,936 ----a-w C:\Windows\System32\msshsq.dll - 2008-01-19 07:35:13 333,824 ----a-w C:\Windows\System32\mssph.dll + 2008-05-27 05:18:25 350,208 ----a-w C:\Windows\System32\mssph.dll - 2008-01-19 07:35:13 167,936 ----a-w C:\Windows\System32\mssphtb.dll + 2008-05-27 05:18:55 203,776 ----a-w C:\Windows\System32\mssphtb.dll - 2008-01-19 07:35:13 52,224 ----a-w C:\Windows\System32\msstrc.dll + 2008-05-27 05:18:40 44,032 ----a-w C:\Windows\System32\msstrc.dll - 2008-01-19 07:35:13 1,696,768 ----a-w C:\Windows\System32\mssvp.dll + 2008-05-27 05:18:56 670,208 ----a-w C:\Windows\System32\mssvp.dll - 2008-01-19 07:35:38 122,368 ----a-w C:\Windows\System32\nlhtml.dll + 2008-05-27 05:18:30 136,704 ----a-w C:\Windows\System32\nlhtml.dll - 2008-08-26 13:52:26 101,350 ----a-w C:\Windows\System32\perfc009.dat + 2008-08-30 
12:46:33 101,350 ----a-w C:\Windows\System32\perfc009.dat - 2008-08-26 13:52:26 595,684 ----a-w C:\Windows\System32\perfh009.dat + 2008-08-30 12:46:33 595,684 ----a-w C:\Windows\System32\perfh009.dat - 2008-01-19 07:36:11 65,536 ----a-w C:\Windows\System32\propdefs.dll + 2008-05-27 05:18:06 71,680 ----a-w C:\Windows\System32\propdefs.dll - 2008-01-19 07:36:17 26,624 ----a-w C:\Windows\System32\rtffilt.dll + 2008-05-27 05:18:30 38,400 ----a-w C:\Windows\System32\rtffilt.dll - 2008-01-19 07:33:28 302,080 ----a-w C:\Windows\System32\SearchIndexer.exe + 2008-05-27 05:18:43 439,808 ----a-w C:\Windows\System32\SearchIndexer.exe - 2008-01-19 07:33:28 179,200 ----a-w C:\Windows\System32\SearchProtocolHost.exe + 2008-05-27 05:18:16 184,832 ----a-w C:\Windows\System32\SearchProtocolHost.exe - 2008-08-15 07:22:32 6,553,600 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT + 2008-08-30 02:31:32 6,553,600 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT - 2008-08-26 13:49:33 10,192 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2115636563-2388709207-2260462170-1000_UserData.bin + 2008-08-30 12:44:25 10,578 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2115636563-2388709207-2260462170-1000_UserData.bin - 2008-08-26 13:49:32 53,012 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin + 2008-08-30 12:44:25 53,356 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin - 2008-08-26 13:49:30 40,502 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin + 2008-08-30 12:44:24 41,836 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin - 2008-08-26 16:09:29 179,628 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin + 2008-08-28 21:58:06 181,518 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin - 2008-01-19 07:37:11 27,136 ----a-w C:\Windows\System32\wsepno.dll + 
2008-05-27 05:18:35 29,184 ----a-w C:\Windows\System32\wsepno.dll - 2008-01-19 07:37:12 110,592 ----a-w C:\Windows\System32\xmlfilter.dll + 2008-05-27 05:18:32 56,320 ----a-w C:\Windows\System32\xmlfilter.dll - 2008-08-14 12:03:04 135,794,146 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin + 2008-08-28 18:09:22 138,173,288 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin + 2008-05-27 05:17:28 301,568 ----a-w C:\Windows\winsxs\x86_desktop_shell-search-srchadmin_31bf3856ad364e35_7.0.6001.16503_none_13fcab3737a334c2\srchadmin.dll + 2008-05-27 05:18:30 136,704 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-html_31bf3856ad364e35_7.0.6001.16503_none_13ff1de93d266b97\nlhtml.dll + 2008-05-27 05:18:32 56,320 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-html_31bf3856ad364e35_7.0.6001.16503_none_13ff1de93d266b97\xmlfilter.dll + 2008-05-27 05:18:32 40,448 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-mime_31bf3856ad364e35_7.0.6001.16503_none_10a358dd3f57c0de\mimefilt.dll + 2008-05-27 05:17:23 194,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-office_31bf3856ad364e35_7.0.6001.16503_none_fab3f42bbfadf408\offfilt.dll + 2008-05-27 05:18:30 38,400 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-rtf_31bf3856ad364e35_7.0.6001.16503_none_485964bf76e0570a\rtffilt.dll + 2008-05-27 05:17:46 754,176 ----a-w C:\Windows\winsxs\x86_microsoft-windows-propsys_31bf3856ad364e35_7.0.6001.16503_none_f3d11aeeb9526bbb\propsys.dll + 2008-05-27 05:18:35 29,184 ----a-w C:\Windows\winsxs\x86_microsoft-windows-search-profilenotify_31bf3856ad364e35_7.0.6001.16503_none_d86cd72c8d3c237e\wsepno.dll + 2008-05-27 05:17:16 6,103,040 ----a-w C:\Windows\winsxs\x86_microsoft-windows-w..-chinesetraditional_31bf3856ad364e35_7.0.6001.16503_none_df2000cce0d8c017\chtbrkr.dll + 2008-05-27 05:17:16 313,344 ----a-w 
C:\Windows\winsxs\x86_microsoft-windows-w..breakerstemmer-thai_31bf3856ad364e35_7.0.6001.16503_none_d40428cfc6b6fdf9\thawbrkr.dll
+ 2008-05-27 05:17:16 143,872 ----a-w C:\Windows\winsxs\x86_microsoft-windows-w..eakerstemmer-korean_31bf3856ad364e35_7.0.6001.16503_none_14072d09797cf93d\korwbrkr.dll
+ 2008-05-27 05:17:13 1,671,680 ----a-w C:\Windows\winsxs\x86_microsoft-windows-w..r-chinesesimplified_31bf3856ad364e35_7.0.6001.16503_none_4cbdb704b61543d2\chsbrkr.dll
+ 2008-05-27 05:18:43 13,824 ----a-w C:\Windows\winsxs\x86_windowssearch-wtrservicingsupport_31bf3856ad364e35_7.0.6001.16503_none_163fe74a2171e12e\WSWTRSvc.exe
+ 2008-05-27 05:18:32 231,936 ----a-w C:\Windows\winsxs\x86_windowssearchengine-structuredquery_31bf3856ad364e35_7.0.6001.16503_none_98586419f9103903\msshsq.dll
+ 2008-05-27 04:59:39 106,605 ----a-w C:\Windows\winsxs\x86_windowssearchengine..uredqueryschema.bin_31bf3856ad364e35_7.0.6001.16503_none_88f88929e3c77aa3\StructuredQuerySchema.bin
+ 2008-05-27 04:59:40 18,904 ----a-w C:\Windows\winsxs\x86_windowssearchengine..uredqueryschema.bin_31bf3856ad364e35_7.0.6001.16503_none_88f88929e3c77aa3\StructuredQuerySchemaTrivial.bin
+ 2008-05-27 05:17:42 34,816 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\msscb.dll
+ 2008-05-27 05:17:25 60,416 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\msscntrs.dll
+ 2008-05-27 05:17:36 11,776 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\msshooks.dll
+ 2008-05-27 05:17:25 87,552 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssitlb.dll
+ 2008-05-27 05:18:25 350,208 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssph.dll
+ 2008-05-27 05:18:55 203,776 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssphtb.dll
+ 2008-05-27 05:17:26 32,768 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssprxy.dll
+ 2008-05-27 05:21:24 1,418,240 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssrch.dll
+ 2008-05-27 05:18:40 44,032 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\msstrc.dll
+ 2008-05-27 05:18:56 670,208 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssvp.dll
+ 2008-05-27 05:18:06 71,680 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\propdefs.dll
+ 2008-05-27 05:17:55 87,552 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\SearchFilterHost.exe
+ 2008-05-27 05:18:43 439,808 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\SearchIndexer.exe
+ 2008-05-27 05:18:16 184,832 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\SearchProtocolHost.exe
+ 2008-05-27 05:21:07 1,582,592 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\tquery.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 17:23 1773568]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 18:43 4670704]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 02:33 202240]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 15:27 455968]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"WebCmd"="C:\ProgramData\WebCmd\hutqnups.exe" [2008-08-24 07:04 94208]
"GurV0KPIm7"="C:\ProgramData\tofixwjs\rivalkbk.exe" [2008-08-24 07:04 69632]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ProcHlpApl"="C:\ProgramData\ProcHlpApl\psxepmvu.exe" [2008-08-24 07:47 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 02:05 1045800]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 13:28 180224]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 13:42 70912]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-04-30 02:06 77824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 15:15 480560]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-12-19 19:27 468264]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-07 02:35 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-07 02:35 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-07 02:35 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-07 19:39 44128]

C:\Users\mwilk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-04-30 01:44:01 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"C:\\Program Files\\Vongo\\VongoService.exe"= C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8B1EFD3F-0865-45BE-ADA7-CCCC619B71D8}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2EB80D87-88A9-4C82-90C4-9AEF4D208859}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8EA3AED1-C1B5-4A18-AB62-8AE628E1498A}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6A3B5310-9011-4130-A7F0-4C3C4AC56CFC}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9BD6E2B5-F7BE-491E-ADE1-21667DCE93D9}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4F0200F0-E972-4675-9D7D-F12481964368}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{ADE15D3D-D0CC-41D3-A211-07F709F240BF}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A9251460-71C1-4F7D-B46F-8D2B3391E92E}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{50957FA8-2931-4B49-9EB5-6FE2558893C3}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{AC07E3DD-1A18-43E7-9D40-C4F392A5524F}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{074E7DB8-23E8-494C-BA1C-E0AEF4539AE4}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7BE784DA-9E52-492A-AE51-7440BA56F492}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7F0714ED-9C25-467B-B66B-887733CB65EF}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{78CB8100-768D-45EF-AEC9-1189192C12A2}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6AAEA570-47CB-4269-A6EE-C32B116D458F}"= UDP:C:\Program Files\Ring Factory\RingFactory.exe:Ring Factory 3.0
"{6EA1E709-D3F2-4D0C-9E54-84A6CAAFFC76}"= TCP:C:\Program Files\Ring Factory\RingFactory.exe:Ring Factory 3.0
"{6651B302-0BB9-4E08-8A93-908687588710}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{B17B46A7-639C-4A84-8A8A-8915B2FC4FD2}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{7D1AE115-C847-4734-B817-D78723116222}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{120EE7A5-79A0-4347-8B67-66F74478AFDD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{B7FE613C-4D6F-4E05-B768-2275A578E95F}C:\\program files\\orbitdownloader\\orbitnet.exe"= UDP:C:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{1BA1068B-1119-441D-9A81-DE0ED4519829}C:\\program files\\orbitdownloader\\orbitnet.exe"= TCP:C:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"{BA9A2661-6DF5-4D1C-8A4F-13D8C784E5E2}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{A626C42D-47F8-485F-85E7-128C72E3F716}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{1D8D24E8-E623-4A45-BDE5-19A4C5CE4DE7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{06DEB4EA-938F-485E-8D0F-72C1F485E4EC}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"= C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"= C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit

R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-03 05:10]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-08-30 C:\Windows\Tasks\HPCeeScheduleFormwilk.job - C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-03-23 16:23]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.cnn.com/
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
O8 -: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 -: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 -: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 -: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 07:55:18
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-30 7:57:08
ComboFix-quarantined-files.txt 2008-08-30 12:57:05
ComboFix2.txt 2008-08-27 00:38:11
ComboFix3.txt 2008-08-26 23:47:23
Pre-Run: 33,598,521,344 bytes free
Post-Run: 33,777,446,912 bytes free
400 --- E O F --- 2008-08-29 05:46:21
Post #4 - Aug 30 2008, 12:09 PM
Forum Addict | Group: HJT Team | Posts: 2,353 | Joined: 12-December 05 | From: Belgium | Member No.: 44,294
Hello Blue97,
Let's clean up some more: open Notepad (don't use any other text editor than Notepad or the script will fail!) and copy/paste the bold, blue text below into an empty Notepad window:
C:\Users\All Users\webenmsg
C:\Users\All Users\GenInfo
C:\ProgramData\webenmsg
C:\ProgramData\GenInfo
C:\Users\All Users\smartdb
C:\Users\All Users\ProcAplUtil
C:\ProgramData\smartdb
C:\ProgramData\ProcAplUtil
C:\Users\All Users\enchk
C:\Users\All Users\apien
C:\ProgramData\enchk
C:\ProgramData\apien
C:\Users\All Users\ShStr
C:\Users\All Users\apiact
C:\ProgramData\ShStr
C:\ProgramData\apiact
C:\Users\All Users\MonProcCom
C:\Users\All Users\HlpProc
C:\ProgramData\MonProcCom
C:\ProgramData\HlpProc
C:\Users\All Users\hlpgenchk
C:\Users\All Users\HlpCmdSet
C:\ProgramData\hlpgenchk
C:\ProgramData\HlpCmdSet
C:\Users\All Users\ProcSetMsg
C:\Users\All Users\ActMntCfg
C:\ProgramData\ProcSetMsg
C:\ProgramData\ActMntCfg
C:\Users\All Users\ProcHlpApl
C:\Users\All Users\MntWebSys
C:\ProgramData\ProcHlpApl
C:\ProgramData\MntWebSys
C:\Users\All Users\WebCmd
C:\Users\All Users\tofixwjs
C:\Users\All Users\SmartUtil
C:\ProgramData\WebCmd
C:\ProgramData\tofixwjs
C:\ProgramData\SmartUtil

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCmd"=-
"GurV0KPIm7"=-
"ProcHlpApl"=-

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Greetings,
Thunder

--------------------
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference
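The two parts of this thread worth automating are the Run-key entries in the ComboFix log above (three values pointing at randomly named executables under C:\ProgramData, one of them registered under the random value name "GurV0KPIm7") and the CFScript Thunder posted to remove those folders and values. The Python below is an added example, not code from the thread, from ComboFix or from its author: it parses the "Reg Loading Points" lines of a ComboFix log, flags Run values by two heuristics read off this particular log (an eight-lowercase-letter .exe sitting in a folder directly under ProgramData, and a single-token value name mixing upper case, lower case and digits), and emits a removal script in the same shape as the one posted (bare folder paths, each with its C:\Users\All Users alias, then a Registry:: section with "name"=- lines). The sample log lines are copied from the post above and padded with legitimate entries for contrast; the heuristics are mine, will miss droppers that follow another naming pattern, and the output is a starting point for a human to review, not something to feed to ComboFix unread.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample input: Run-key lines copied from the ComboFix log posted
# earlier in this thread, plus legitimate entries kept in for contrast.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"WebCmd"="C:\ProgramData\WebCmd\hutqnups.exe" [2008-08-24 07:04 94208]
"GurV0KPIm7"="C:\ProgramData\tofixwjs\rivalkbk.exe" [2008-08-24 07:04 69632]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ProcHlpApl"="C:\ProgramData\ProcHlpApl\psxepmvu.exe" [2008-08-24 07:47 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 02:05 1045800]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-07 02:35 8534560]
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]+)"')   # "name"="path" [timestamp size]

# Heuristics (mine, read off this log; not ComboFix logic): the droppers here
# sit in a folder directly under ProgramData, are named with eight random
# lowercase letters, and one is registered under a random mixed-case value name.
RANDOM_EXE_RE = re.compile(r'^[a-z]{8}\.exe$')
DATA_ROOTS = ('c:\\programdata\\', 'c:\\users\\all users\\')


@dataclass
class RunEntry:
    key: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def is_dropper_path(path):
    """True for <ProgramData root>\\<folder>\\<8 lowercase letters>.exe."""
    low = path.lower()
    for root in DATA_ROOTS:
        if low.startswith(root):
            parts = path[len(root):].split('\\')
            return len(parts) == 2 and bool(RANDOM_EXE_RE.match(parts[1]))
    return False


def is_random_name(name):
    """True for a single token that mixes upper case, lower case and digits."""
    if not re.fullmatch(r'[A-Za-z0-9]{6,}', name):
        return False
    return all(re.search(p, name) for p in (r'\d', r'[a-z]', r'[A-Z]'))


def parse_run_entries(text):
    """Collect "name"="path" values under each [HKEY_...] header in the log."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append(RunEntry(key, m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return the entries that trip at least one heuristic, in log order."""
    flagged = []
    for e in parse_run_entries(text):
        if is_dropper_path(e.path):
            e.reasons.append('random 8-letter exe directly under ProgramData')
        if is_random_name(e.name):
            e.reasons.append('random value name')
        if e.reasons:
            flagged.append(e)
    return flagged


def build_cfscript(flagged):
    """Text in the shape of the script posted in this thread: bare folder paths
    (the ProgramData folder and its C:\\Users\\All Users alias, as that script
    listed both), then a Registry:: section with "name"=- for each value."""
    folders = []
    for e in flagged:
        folder = ntpath.dirname(e.path)
        alias = re.sub(r'(?i)^c:\\programdata\\', r'C:\\Users\\All Users\\', folder)
        for f in (alias, folder):
            if f not in folders:
                folders.append(f)
    by_key = {}
    for e in flagged:
        by_key.setdefault(e.key, []).append(e.name)
    lines = folders + ['', 'Registry::']
    for key, names in by_key.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{n}"=-' for n in names)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for e in hits:
        print(f'{e.name:20} {e.path}  <- {"; ".join(e.reasons)}')
    print()
    print(build_cfscript(hits))
```

Run as a script it prints the three flagged values (WebCmd, GurV0KPIm7, ProcHlpApl) with the reason each tripped, followed by the generated script; the legitimate entries are left alone because they live under Program Files or system32 and carry vendor-style names. Feeding it a whole ComboFix log instead of the sample works too, since only lines under an [HKEY_...] header that have the "name"="path" shape are considered. Whether ComboFix accepts a bare path at the top of a CFScript as a deletion is not documented on this page; the output only copies the shape of the script Thunder posted.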
Post #5 - Sep 1 2008, 05:41 PM
New Member | Group: Members | Posts: 7 | Joined: 26-August 08 | Member No.: 233,603
Thank you Thunder. My latest logs.

ComboFix log:

ComboFix 08-09-01.01 - mwilk 2008-09-01 17:30:57.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.336 [GMT -5:00]
Running from: C:\Users\mwilk\Desktop\ComboFix.exe
Command switches used :: C:\Users\mwilk\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\ActMntCfg
C:\ProgramData\ActMntCfg\onedslkl.exe
C:\ProgramData\apiact
C:\ProgramData\apiact\ehmvifop.exe
C:\ProgramData\apien
C:\ProgramData\apien\jargjgng.exe
C:\ProgramData\enchk
C:\ProgramData\enchk\jsrcfedy.exe
C:\ProgramData\GenInfo
C:\ProgramData\GenInfo\qlefovun.exe
C:\ProgramData\HlpCmdSet
C:\ProgramData\HlpCmdSet\ebejshyh.exe
C:\ProgramData\hlpgenchk
C:\ProgramData\hlpgenchk\irirujqn.exe
C:\ProgramData\HlpProc
C:\ProgramData\HlpProc\ahkbgzsr.exe
C:\ProgramData\MntWebSys
C:\ProgramData\MntWebSys\fyjcjafw.exe
C:\ProgramData\MonProcCom
C:\ProgramData\MonProcCom\qvypipkh.exe
C:\ProgramData\ProcAplUtil
C:\ProgramData\ProcAplUtil\xunqneje.exe
C:\ProgramData\ProcHlpApl
C:\ProgramData\ProcSetMsg
C:\ProgramData\ProcSetMsg\wnmpsrch.exe
C:\ProgramData\ShStr
C:\ProgramData\ShStr\oludajul.exe
C:\ProgramData\smartdb
C:\ProgramData\smartdb\pgfwhafi.exe
C:\ProgramData\SmartUtil
C:\ProgramData\SmartUtil\pujcboxw.exe
C:\ProgramData\tofixwjs
C:\ProgramData\tofixwjs\rivalkbk.exe
C:\ProgramData\WebCmd
C:\ProgramData\webenmsg
C:\ProgramData\webenmsg\avirshyt.exe
C:\Users\All Users\ActMntCfg\onedslkl.exe
C:\Users\All Users\apiact\ehmvifop.exe
C:\Users\All Users\apien\jargjgng.exe
C:\Users\All Users\enchk\jsrcfedy.exe
C:\Users\All Users\GenInfo\qlefovun.exe
C:\Users\All Users\HlpCmdSet\ebejshyh.exe
C:\Users\All Users\hlpgenchk\irirujqn.exe
C:\Users\All Users\HlpProc\ahkbgzsr.exe
C:\Users\All Users\MntWebSys\fyjcjafw.exe
C:\Users\All Users\MonProcCom\qvypipkh.exe
C:\Users\All Users\ProcAplUtil\xunqneje.exe
C:\Users\All Users\ProcSetMsg\wnmpsrch.exe
C:\Users\All Users\ShStr\oludajul.exe
C:\Users\All Users\smartdb\pgfwhafi.exe
C:\Users\All Users\SmartUtil\pujcboxw.exe
C:\Users\All Users\tofixwjs\rivalkbk.exe
C:\Users\All Users\webenmsg\avirshyt.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.
2008-09-01 17:26 . 2008-09-01 17:26 <DIR> d-------- C:\Users\All Users\procwebstr
2008-09-01 17:26 . 2008-09-01 17:26 <DIR> d-------- C:\Users\All Users\cmdadm
2008-09-01 17:26 . 2008-09-01 17:26 <DIR> d-------- C:\ProgramData\procwebstr
2008-09-01 17:26 . 2008-09-01 17:26 <DIR> d-------- C:\ProgramData\cmdadm
2008-09-01 17:12 . 2008-09-01 17:12 <DIR> d-------- C:\Users\All Users\strwebsmart
2008-09-01 17:12 . 2008-09-01 17:12 <DIR> d-------- C:\Users\All Users\ShAdm
2008-09-01 17:12 . 2008-09-01 17:12 <DIR> d-------- C:\ProgramData\strwebsmart
2008-09-01 17:12 . 2008-09-01 17:12 <DIR> d-------- C:\ProgramData\ShAdm
2008-08-31 06:58 . 2008-08-31 06:58 <DIR> d-------- C:\Users\All Users\smartdsc
2008-08-31 06:58 . 2008-08-31 06:58 <DIR> d-------- C:\Users\All Users\CmdWebMnt
2008-08-31 06:58 . 2008-08-31 06:58 <DIR> d-------- C:\ProgramData\smartdsc
2008-08-31 06:58 . 2008-08-31 06:58 <DIR> d-------- C:\ProgramData\CmdWebMnt
2008-08-28 12:21 . 2008-08-28 12:21 <DIR> d-------- C:\Windows\BDOSCAN8
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\ProgramData\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-28 07:45 . 2008-08-28 07:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-26 19:20 . 
2008-08-30 07:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-08-26 19:20 . 2008-08-17 15:01 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys 2008-08-26 19:20 . 2008-08-17 15:01 17,144 --a------ C:\Windows\System32\drivers\mbam.sys 2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\Users\All Users\Grisoft 2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\ProgramData\Grisoft 2008-08-24 13:41 . 2008-08-24 05:08 <DIR> d-------- C:\SDFix 2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\Users\All Users\TEMP 2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\ProgramData\TEMP 2008-08-24 08:03 . 2008-08-24 08:03 <DIR> d-------- C:\Program Files\Trend Micro 2008-08-24 07:17 . 2008-08-24 11:46 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy 2008-08-24 07:17 . 2008-08-24 11:46 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy 2008-08-24 07:17 . 2008-08-24 10:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-08-18 14:18 . 2008-08-18 14:18 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Template 2008-08-18 14:18 . 2008-08-18 14:18 0 --a------ C:\Users\mwilk\AppData\Roaming\wklnhst.dat 2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d-------- C:\Program Files\Windows Live 2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\Users\All Users\WLInstaller 2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\ProgramData\WLInstaller 2008-08-14 07:02 . 2008-07-15 20:32 2,048 --a------ C:\Windows\System32\tzres.dll 2008-08-14 06:57 . 2008-08-14 06:57 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-08-13 18:23 . 2008-06-26 20:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb 2008-08-13 18:23 . 2008-06-26 23:15 827,392 --a------ C:\Windows\System32\wininet.dll 2008-08-13 18:23 . 2008-04-10 00:12 738,304 --a------ C:\Windows\System32\inetcomm.dll 2008-08-13 18:23 . 
2008-06-18 22:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL 2008-08-13 18:23 . 2008-04-18 00:48 269,312 --a------ C:\Windows\System32\es.dll 2008-08-02 22:31 . 2008-08-02 22:31 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf 2008-08-02 03:11 . 2008-08-02 03:11 <DIR> d-------- C:\PerfLogs 2008-08-01 13:52 . 2008-01