Unknown Infection With Multiple Popups


8 replies to this topic

#1 Cloud_D

Posted 24 April 2008 - 05:30 AM

Hi,

My computer is infected with something but I don't know what it is, as scans via Spyware Doctor and McAfee have shown up nothing. Tried the Kaspersky scanner and it found 8 items but I was unable to save the report. However, some of those items were trusted programs such as IRC so...

In any case, here's the problem.

When I start up my browser, either IE or FF, there would be popups in other tabs or via a new window. They seem to be different websites every time, and below are some of them:

- <http://antispywaresuite.com/data/index.php?02005c5f570e6b100d025701574c3909036f084e0a665356073a43053a5c596e020451501f04580b591f550a565748020d5d455e5e5f095a5b3a0157570e03023a040703015556510556525b0c0957050608540f5d08010601510301035f5157033e56500d5102530003025a5b0e525755065a5d5b0b06010f5d5356500c55085151130555060953420109570a1e01095f01531f5f53090510065d5f541f5a453a085b04565e015556576b52660952595b04460a790c0105003a003d510b0204431257060452>

- <http://joybuyjoy.com/hobbies_games.html>

- <http://http://82.98.235.210/go//?cmp=impressions_se_juan&uid=E2A86B3A0F9511DD876E152743CFFFFF&guid=C24261DE68B646769DC22598C455B940&affid=152743&lid=http> (x)

- <http://82.98.235.210/go//?cmp=vm_cmp793_xt&uid=E2A86B3A0F9511DD876E152743CFFFFF&guid=C24261DE68B646769DC22598C455B940&affid=152743&rid=ccnt_ha&lid=http> (x)

- <http://83.149.75.33/info.png?cmp=ghrnc&uid=E2A86B3A0F9511DD876E152743CFFFFF&guid=C24261DE68B646769DC22598C455B940&affid=152743&lid=http&z=us> (x)

- <http://hopelessromantic.com/pop_install.php>


After some time I will also get the following message:

---------------------------
Microsoft Visual C++ Runtime Library
---------------------------
Buffer overrun detected!

Program: C:\Windows\Explorer.EXE

A buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.


Could anyone assist me with getting rid of this infection? Thank you!


Here is the main log from the DSS scan:

Deckard's System Scanner v20071014.68
Run by Daniel on 2008-04-24 16:09:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
8: 2008-04-22 14:45:41 UTC - RP30 - Spyware Doctor: Cleaning Threats
7: 2008-04-22 11:25:08 UTC - RP28 - Spyware Doctor: Cleaning Threats
6: 2008-04-21 10:05:53 UTC - RP26 - Installed Java™ 6 Update 5
5: 2008-04-19 14:45:28 UTC - RP25 - Windows Update
4: 2008-04-19 14:23:56 UTC - RP24 - Windows Update


-- First Restore Point --
1: 2008-04-19 07:19:53 UTC - RP21 - Installed Adobe Reader 8.1.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-24 16:14:31
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\System32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\taskeng.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Windows\System32\svchost.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Windows\System32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
E:\Users\Daniel\Desktop\dss.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\conime.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\rqRKCRhh.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll,c
O4 - HKCU\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b
O4 - HKCU\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\xbikotwo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\xmkjvqao.dll",b (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\xmkjvqao.dll",b (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - E:\Program Files\Avanquest\Fix-It\mxtask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe


--
End of file - 11072 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-24 16:07:03 440 --a------ C:\Windows\Tasks\RegCure Program Check.job
2008-04-23 20:01:15 424 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{54C04306-396D-428A-A04D-8B1A362526F2}.job
2008-04-19 11:43:33 374 --a------ C:\Windows\Tasks\RegCure.job
2008-04-19 10:12:12 334 --a------ C:\Windows\Tasks\McQcTask.job
2008-04-19 10:12:11 342 --a------ C:\Windows\Tasks\McDefragTask.job


-- Files created between 2008-03-24 and 2008-04-24 -----------------------------

2008-04-23 18:18:56 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-04-21 20:55:27 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-21 18:07:07 0 d-------- C:\Program Files\Java
2008-04-21 18:06:26 0 d-------- C:\Program Files\Common Files\Java
2008-04-20 23:30:18 0 d--h----- C:\Users\All Users\CanonBJ
2008-04-19 22:26:20 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-19 12:15:12 0 d-------- C:\Users\All Users\BVRP Software
2008-04-19 12:13:40 0 dr-hs---- C:\_Backup.RC
2008-04-19 12:13:35 0 d--h----- C:\_Backup
2008-04-19 12:11:23 0 d-------- C:\Users\All Users\Avanquest
2008-04-19 12:06:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 10:53:50 0 d-------- C:\Users\All Users\Adobe Systems
2008-04-19 10:39:34 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 10:36:43 0 d-------- C:\Users\All Users\Adobe
2008-04-19 10:36:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 04:01:28 0 d-------- C:\Windows\Panther
2008-04-19 03:55:08 0 d-------- C:\Windows.old
2008-04-19 03:06:48 0 d-------- C:\Windows\SoftwareDistribution
2008-04-19 03:04:41 0 d-------- C:\Windows\Debug
2008-04-19 03:02:37 0 d-------- C:\Windows\Prefetch
2008-04-19 02:00:11 0 d-------- C:\Users\All Users\SiteAdvisor
2008-04-19 02:00:11 0 d-------- C:\Program Files\SiteAdvisor
2008-04-19 01:58:25 0 d-------- C:\Program Files\McAfee.com
2008-04-19 01:58:21 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58:20 0 d-------- C:\Program Files\McAfee
2008-04-19 01:52:15 0 d-------- C:\Users\All Users\McAfee
2008-04-19 00:18:39 0 d-------- C:\Users\All Users\Messenger Plus!
2008-04-18 16:27:56 0 d-------- C:\Windows\system32\Macromed
2008-04-18 16:18:54 0 d-------- C:\Program Files\uTorrent
2008-04-18 15:59:27 0 d-------- C:\Program Files\iPod
2008-04-18 15:57:45 0 d-------- C:\Program Files\Bonjour
2008-04-18 15:56:59 0 d-------- C:\Program Files\QuickTime
2008-04-18 15:56:58 0 d-------- C:\Users\All Users\Apple Computer
2008-04-18 15:56:26 0 d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55:36 0 d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:55:35 0 d-------- C:\Users\All Users\Apple
2008-04-18 15:45:52 0 d-------- C:\Program Files\Microsoft Works
2008-04-18 15:45:12 0 d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:42:52 0 d-------- C:\Users\All Users\Microsoft Help
2008-04-18 15:42:28 0 dr-h----- C:\MSOCache
2008-04-18 15:37:49 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:31:45 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:31:40 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:30:37 0 d-------- C:\Users\All Users\WLInstaller
2008-04-18 15:14:40 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10:12 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 15:10:00 0 d-------- C:\Windows\PCHEALTH
2008-04-18 14:49:33 0 d--hs---- C:\Windows\Installer
2008-04-18 14:49:25 0 d-------- C:\Users\All Users\PC Tools
2008-04-18 14:48:00 0 d-a------ C:\Users\All Users\TEMP
2008-04-18 14:31:53 0 d-------- C:\PerfLogs
2008-04-18 14:15:41 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 14:01:58 0 d-------- C:\bc4df1d51d879d6c5c156d0475
2008-04-18 13:31:53 0 d-------- C:\Users\All Users\NVIDIA
2008-04-18 13:28:20 0 d-------- C:\Windows\system32\RTCOM
2008-04-18 13:27:11 0 d-------- C:\Program Files\CONEXANT
2008-04-18 12:19:23 0 d-------- C:\Users\Daniel\Contacts
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Templates
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Start Menu
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\SendTo
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Recent
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\PrintHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\NetHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\My Documents
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Local Settings
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Cookies
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Application Data
2008-04-18 12:19:15 1310720 --ahs---- C:\Users\Daniel\NTUSER.DAT
2008-04-18 12:19:15 0 d--h----- C:\Users\Daniel\AppData
2008-04-18 11:51:30 0 d--hs---- C:\Boot
2008-04-18 11:22:43 0 d-------- C:\$WIN_NT$.~BT
2008-04-18 09:04:39 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-04-24 16:05:24 0 d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-04-21 22:03:00 0 d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-21 20:40:53 0 d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 19:11:16 0 d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-21 18:59:59 0 d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-21 18:06:26 0 d-------- C:\Program Files\Common Files
2008-04-19 15:22:44 0 d-------- C:\Users\Daniel\AppData\Roaming\Adobe
2008-04-19 14:38:33 0 d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-04-19 12:19:22 0 d-------- C:\Users\Daniel\AppData\Roaming\Mozilla
2008-04-19 12:11:23 0 d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 11:51:14 0 d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:17:30 0 d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 00:54:54 0 d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-18 16:27:59 0 d-------- C:\Users\Daniel\AppData\Roaming\Macromedia
2008-04-18 14:38:34 174 --ahs---- C:\Program Files\desktop.ini
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Sidebar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Mail
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Calendar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Movie Maker
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Journal
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Collaboration
2008-04-18 14:32:36 0 d-------- C:\Program Files\Windows Defender
2008-04-18 12:19:26 0 d-------- C:\Users\Daniel\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/25/2007 05:52 AM C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [08/28/2007 01:59 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/28/2007 01:59 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/28/2007 01:59 AM]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [02/16/2008 01:20 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 05:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/16/2005 05:48 AM]
"ISTray"="E:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/25/2007 05:57 AM]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [04/19/2008 10:18 AM]
"MSServer"="C:\Users\Daniel\AppData\Local\Temp\rqRKCRhh.dll,#1" []
"cmds"="C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll,c" []
"040040a6"="C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll,b" []
"BM0733733a"="C:\Users\Daniel\AppData\Local\Temp\xbikotwo.dll,s" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"040040a6"=rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\xmkjvqao.dll",b

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-24 16:17:58 ------------

Here's the extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 3.40GHz
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 1022.71 MiB / 409.88 MiB
Pagefile Memory (total/avail): 2309.76 MiB / 1261.14 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1883.59 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 44.81 GiB total, 22.1 GiB free.
D: is Fixed (NTFS) - 68.38 GiB total, 25.41 GiB free.
E: is Fixed (NTFS) - 30.1 GiB total, 20.38 GiB free.
F: is Fixed (FAT32) - 5.75 GiB total, 0.95 GiB free.
G: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG HD160JJ/P ATA Device - 149.05 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 44.81 GiB - C:
\PARTITION1 - Unknown - 5.76 GiB - F:
\PARTITION2 - Extended w/Extended Int 13 - 98.48 GiB - D: - E:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AV: ThreatFire v3.0.14.16 (PC Tools)
AS: Spyware Doctor v5.5.0.178 (PC Tools)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: ThreatFire v3.0.14.16 (PC Tools)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Daniel\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DANIEL-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Daniel
LOCALAPPDATA=C:\Users\Daniel\AppData\Local
LOGONSERVER=\\DANIEL-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Daniel\AppData\Local\Temp
TMP=C:\Users\Daniel\AppData\Local\Temp
USERDOMAIN=Daniel-PC
USERNAME=Daniel
USERPROFILE=C:\Users\Daniel
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Daniel


-- Add/Remove Programs ---------------------------------------------------------

µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AusLogics Disk Defrag --> "E:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BS.Player PRO --> "E:\Program Files\Webteh\BSplayerPro\uninstall.exe"
Combined Community Codec Pack 2008-01-24 --> "E:\Program Files\Combined Community Codec Pack\unins000.exe"
Fix-It Utilities 8 Professional --> MsiExec.exe /I{5158974E-2D28-4018-9335-7694C2974746}
Google Gmail Notifier --> "E:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\UIU32m.exe -U -ITrx200Cz.INF
Spyware Doctor 5.5 --> E:\Program Files\Spyware Doctor\unins000.exe /LOG
ThreatFire 3.0 --> "E:\Program Files\ThreatFire\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
VideoLAN VLC media player 0.8.6f --> E:\Program Files\VideoLAN\VLC\uninstall.exe
Videora iPod touch Converter 3.07 --> E:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1513 / Success
Event Submitted/Written: 04/24/2008 04:08:13 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1508 / Success
Event Submitted/Written: 04/24/2008 04:07:37 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type1507 / Success
Event Submitted/Written: 04/24/2008 04:07:27 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type1504 / Success
Event Submitted/Written: 04/24/2008 04:07:06 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type1483 / Success
Event Submitted/Written: 04/24/2008 03:56:26 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15869 / Error
Event Submitted/Written: 04/24/2008 04:06:57 PM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type15862 / Error
Event Submitted/Written: 04/24/2008 04:06:40 PM
Event ID/Source: 2 / Microsoft-Windows-Kernel-Processor-Power
Event Description:
1

Event Record #/Type15860 / Error
Event Submitted/Written: 04/24/2008 04:06:40 PM
Event ID/Source: 2 / Microsoft-Windows-Kernel-Processor-Power
Event Description:
0

Event Record #/Type15735 / Error
Event Submitted/Written: 04/24/2008 03:55:10 PM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type15726 / Error
Event Submitted/Written: 04/24/2008 03:54:53 PM
Event ID/Source: 2 / Microsoft-Windows-Kernel-Processor-Power
Event Description:
0



-- End of Deckard's System Scanner: finished at 2008-04-24 16:17:58 ------------
Further link deactivation ~ OB

Edited by Orange Blossom, 24 April 2008 - 04:16 PM.



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:12 PM

Posted 25 April 2008 - 02:58 AM

Hello Cloud_D and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:12 AM

Posted 25 April 2008 - 08:49 AM

Thanks for the reply. =)

I'll now proceed according to the instructions and will post here when I'm done.

#4 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:12 AM

Posted 25 April 2008 - 10:01 AM

Malware scan log:

Malwarebytes' Anti-Malware 1.11
Database version: 681

Scan type: Quick Scan
Objects scanned: 29907
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM0733733a (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
rundll32.exe (Trojan.Agent) -> No action taken.
C:\Users\Daniel\AppData\Local\Temp\ptjhffcl.dll (Trojan.Agent) -> No action taken.

Combofix:

ComboFix 08-04-22.5 - Daniel 2008-04-25 22:44:32.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.346 [GMT 8:00]
Running from: E:\Users\Daniel\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-25 22:44 . 2008-04-25 22:44 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{e1fd1c72-12d3-11dd-be59-0019212c5eb4}.TMContainer00000000000000000002.regtrans-ms
2008-04-25 22:44 . 2008-04-25 22:44 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{e1fd1c72-12d3-11dd-be59-0019212c5eb4}.TMContainer00000000000000000001.regtrans-ms
2008-04-25 22:44 . 2008-04-25 22:44 65,536 --ahs---- C:\Users\Public\NTUSER.DAT{e1fd1c72-12d3-11dd-be59-0019212c5eb4}.TM.blf
2008-04-25 22:42 . 2008-04-25 22:42 <DIR> d-------- C:\327882R2FWJFW
2008-04-25 22:12 . 2008-04-25 22:12 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2008-04-25 22:12 . 2008-04-25 22:12 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-25 22:12 . 2008-04-25 22:12 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-24 16:09 . 2008-04-24 16:09 <DIR> d-------- C:\Deckard
2008-04-23 18:18 . 2008-04-23 18:18 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-04-21 20:55 . 2008-04-21 20:55 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-04-21 20:40 . 2008-04-21 20:40 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 18:57 . 2008-04-21 18:59 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-21 18:07 . 2008-04-21 18:08 <DIR> d-------- C:\Program Files\Java
2008-04-21 18:06 . 2008-04-21 18:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-20 23:30 . 2008-04-20 23:30 <DIR> d--h----- C:\Users\All Users\CanonBJ
2008-04-20 23:30 . 2008-04-20 23:30 <DIR> d--h----- C:\ProgramData\CanonBJ
2008-04-19 22:26 . 2008-04-19 22:26 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-19 22:05 . 2008-04-19 22:05 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-19 12:15 . 2008-04-19 12:15 <DIR> d-------- C:\Users\All Users\BVRP Software
2008-04-19 12:15 . 2008-04-19 12:15 <DIR> d-------- C:\ProgramData\BVRP Software
2008-04-19 12:13 . 2008-04-19 12:13 <DIR> dr-hs---- C:\_Backup.RC
2008-04-19 12:13 . 2008-04-19 12:13 <DIR> d--h----- C:\_Backup
2008-04-19 12:11 . 2008-04-19 12:11 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 12:11 . 2008-04-19 12:11 <DIR> d-------- C:\Users\All Users\Avanquest
2008-04-19 12:11 . 2008-04-19 12:11 <DIR> d-------- C:\ProgramData\Avanquest
2008-04-19 12:06 . 2008-04-19 12:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 11:51 . 2008-04-19 11:51 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:17 . 2008-04-19 11:17 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 10:53 . 2008-04-19 10:53 <DIR> d-------- C:\Users\All Users\Adobe Systems
2008-04-19 10:53 . 2008-04-19 10:53 <DIR> d-------- C:\ProgramData\Adobe Systems
2008-04-19 10:39 . 2008-04-19 10:39 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 10:36 . 2008-04-19 15:21 <DIR> d-------- C:\Users\All Users\Adobe
2008-04-19 10:36 . 2008-04-19 15:21 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-19 04:01 . 2008-04-18 12:10 <DIR> d-------- C:\Windows\Panther
2008-04-19 03:07 . 2008-04-21 22:03 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-19 03:04 . 2008-04-18 12:46 <DIR> d-------- C:\Windows\Debug
2008-04-19 03:02 . 2008-04-19 03:02 524,288 --ahs---- C:\Windows\System32\config\systemprofile\ntuser.dat{f9817944-0d79-11dd-b61f-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms
2008-04-19 03:02 . 2008-04-25 22:44 524,288 --ahs---- C:\Windows\System32\config\systemprofile\ntuser.dat{f9817944-0d79-11dd-b61f-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
2008-04-19 03:02 . 2008-04-25 22:44 65,536 --ahs---- C:\Windows\System32\config\systemprofile\ntuser.dat{f9817944-0d79-11dd-b61f-806e6f6e6963}.TM.blf
2008-04-19 02:00 . 2008-04-19 14:38 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-04-19 02:00 . 2008-04-25 18:27 <DIR> d-------- C:\Users\All Users\SiteAdvisor
2008-04-19 02:00 . 2008-04-25 18:27 <DIR> d-------- C:\ProgramData\SiteAdvisor
2008-04-19 02:00 . 2008-04-21 19:22 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-19 02:00 . 2008-04-25 22:42 13,747 --a------ C:\Windows\System32\Config.MPF
2008-04-19 01:58 . 2008-04-19 01:58 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-19 01:58 . 2008-04-19 11:43 <DIR> d-------- C:\Program Files\McAfee
2008-04-19 01:58 . 2008-04-19 01:58 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58 . 2007-11-22 06:44 201,320 --a------ C:\Windows\System32\drivers\mfehidk.sys
2008-04-19 01:58 . 2007-07-13 06:21 125,728 --a------ C:\Windows\System32\drivers\Mpfp.sys
2008-04-19 01:58 . 2007-11-22 06:44 79,304 --a------ C:\Windows\System32\drivers\mfeavfk.sys
2008-04-19 01:58 . 2007-12-02 12:51 40,488 --a------ C:\Windows\System32\drivers\mfesmfk.sys
2008-04-19 01:58 . 2007-11-22 06:44 35,240 --a------ C:\Windows\System32\drivers\mfebopk.sys
2008-04-19 01:58 . 2007-11-22 06:44 33,832 --a------ C:\Windows\System32\drivers\mferkdk.sys
2008-04-19 01:52 . 2008-04-19 02:00 <DIR> d-------- C:\Users\All Users\McAfee
2008-04-19 01:52 . 2008-04-19 02:00 <DIR> d-------- C:\ProgramData\McAfee
2008-04-19 01:39 . 2008-04-19 01:39 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{db662672-0d62-11dd-9cee-0019212c5eb4}.TMContainer00000000000000000002.regtrans-ms
2008-04-19 01:39 . 2008-04-19 01:39 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{db662672-0d62-11dd-9cee-0019212c5eb4}.TMContainer00000000000000000001.regtrans-ms
2008-04-19 01:39 . 2008-04-19 01:39 65,536 --ahs---- C:\Users\Public\NTUSER.DAT{db662672-0d62-11dd-9cee-0019212c5eb4}.TM.blf
2008-04-19 01:39 . 2008-04-25 22:44 5,120 --ah----- C:\Users\Public\NTUSER.DAT.LOG1
2008-04-19 01:39 . 2008-04-19 01:39 0 --ah----- C:\Users\Public\NTUSER.DAT.LOG2
2008-04-19 00:55 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-04-19 00:55 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-04-19 00:55 . 2007-12-10 14:53 41,864 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-04-19 00:55 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-04-19 00:54 . 2008-04-19 00:54 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-19 00:18 . 2008-04-19 00:18 <DIR> d-------- C:\Users\All Users\Messenger Plus!
2008-04-19 00:18 . 2008-04-19 00:18 <DIR> d-------- C:\ProgramData\Messenger Plus!
2008-04-18 16:27 . 2008-04-18 16:27 <DIR> d-------- C:\Windows\System32\Macromed
2008-04-18 16:18 . 2008-04-25 22:39 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-04-18 16:18 . 2008-04-18 16:18 <DIR> d-------- C:\Program Files\uTorrent
2008-04-18 15:59 . 2008-04-21 19:11 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-18 15:59 . 2008-04-18 15:59 <DIR> d-------- C:\Program Files\iPod
2008-04-18 15:57 . 2008-04-18 15:57 <DIR> d-------- C:\Program Files\Bonjour
2008-04-18 15:56 . 2008-04-18 15:59 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-04-18 15:56 . 2008-04-18 15:59 <DIR> d-------- C:\ProgramData\Apple Computer
2008-04-18 15:56 . 2008-04-18 15:57 <DIR> d-------- C:\Program Files\QuickTime
2008-04-18 15:56 . 2008-04-18 15:56 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55 . 2008-04-18 15:55 <DIR> d-------- C:\Users\All Users\Apple
2008-04-18 15:55 . 2008-04-18 15:55 <DIR> d-------- C:\ProgramData\Apple
2008-04-18 15:55 . 2008-04-18 15:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:46 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-04-18 15:45 . 2008-04-18 15:45 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:45 . 2008-04-18 15:45 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-18 15:42 . 2008-04-19 22:51 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-04-18 15:42 . 2008-04-19 22:51 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-04-18 15:42 . 2008-04-18 15:42 <DIR> dr-h----- C:\MSOCache
2008-04-18 15:37 . 2008-04-18 15:37 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:31 . 2008-04-18 15:35 <DIR> d-------- C:\Program Files\Windows Live
2008-04-18 15:31 . 2008-04-18 15:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:30 . 2008-04-18 15:30 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-04-18 15:30 . 2008-04-18 15:30 <DIR> d-------- C:\ProgramData\WLInstaller
2008-04-18 15:14 . 2008-04-18 15:14 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10 . 2008-04-18 15:10 <DIR> d-------- C:\Windows\PCHEALTH
2008-04-18 15:10 . 2008-04-18 15:10 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 14:49 . 2008-04-21 18:08 <DIR> d--hs---- C:\Windows\Installer
2008-04-18 14:49 . 2008-04-18 14:49 <DIR> d-------- C:\Users\All Users\PC Tools
2008-04-18 14:49 . 2008-04-18 14:49 <DIR> d-------- C:\ProgramData\PC Tools
2008-04-18 14:49 . 2008-02-15 10:20 51,520 --a------ C:\Windows\System32\drivers\TfFsMon.sys
2008-04-18 14:49 . 2008-02-15 10:21 41,280 --a------ C:\Windows\System32\drivers\TfSysMon.sys
2008-04-18 14:49 . 2008-02-15 10:21 33,088 --a------ C:\Windows\System32\drivers\TfNetMon.sys
2008-04-18 14:49 . 2008-02-15 10:21 12,608 --a------ C:\Windows\System32\drivers\TfKbMon.sys
2008-04-18 14:48 . 2008-04-25 22:48 <DIR> d-a------ C:\Users\All Users\TEMP
2008-04-18 14:48 . 2008-04-25 22:48 <DIR> d-a------ C:\ProgramData\TEMP
2008-04-18 14:31 . 2008-04-18 14:31 <DIR> d-------- C:\PerfLogs
2008-04-18 14:15 . 2008-04-18 14:01 152,576 --a------ C:\Windows\System32\SPWizUI.dll
2008-04-18 14:15 . 2008-04-18 14:01 47,560 --a------ C:\Windows\System32\SPReview.exe
2008-04-18 14:06 . 2008-01-18 23:33 193,024 --a------ C:\Windows\System32\recdisc.exe
2008-04-18 14:06 . 2008-01-18 23:36 6,656 --a------ C:\Windows\System32\sdspres.dll
2008-04-18 14:02 . 2008-04-18 14:16 49,152 --a------ C:\Windows\SPInstall.etl
2008-04-18 14:02 . 2008-01-18 23:33 44,032 --a------ C:\Windows\System32\cbsra.exe
2008-04-18 14:01 . 2008-04-18 14:01 <DIR> d-------- C:\bc4df1d51d879d6c5c156d0475
2008-04-18 13:31 . 2008-04-18 14:39 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-04-18 13:31 . 2008-04-18 14:39 <DIR> d-------- C:\ProgramData\NVIDIA
2008-04-18 13:29 . 2007-08-28 01:59 1,073,152 --a------ C:\Windows\System32\nvcpluir.dll
2008-04-18 13:29 . 2007-08-28 01:59 753,664 --a------ C:\Windows\System32\nvcplui.exe
2008-04-18 13:29 . 2007-08-28 01:59 413,696 --a------ C:\Windows\System32\nvcpl.cpl
2008-04-18 13:29 . 2007-08-28 01:59 307,200 --a------ C:\Windows\System32\nvexpbar.dll
2008-04-18 13:29 . 2007-08-28 01:59 124,376 --a------ C:\Windows\System32\nvapps.xml
2008-04-18 13:29 . 2007-08-28 01:59 17,254 --a------ C:\Windows\System32\nvwsapps.xml
2008-04-18 13:28 . 2008-04-18 14:24 <DIR> d-------- C:\Windows\System32\RTCOM
2008-04-18 13:28 . 2008-04-18 13:28 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-04-18 13:27 . 2008-04-18 13:27 <DIR> d-------- C:\Program Files\CONEXANT
2008-04-18 13:07 . 2008-04-18 13:07 1,820 --a------ C:\Windows\System32\rasctrnm.h
2008-04-18 13:01 . 2008-04-18 13:01 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-04-18 12:56 . 2008-01-18 23:34 15,872 --a------ C:\Windows\System32\hcrstco.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 06:38 174 --sha-w C:\Program Files\desktop.ini
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Mail
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Journal
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Defender
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Collaboration
2008-04-18 06:32 --------- d-----w C:\Program Files\Windows Calendar
2008-04-18 06:20 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-04-18 06:20 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-01-29 04:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-04-19 10:18 219952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]
"cmds"="C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll" [2008-04-21 19:27 271872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-18 23:38 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 05:52 4702208 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-08-28 01:59 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-08-28 01:59 8473120]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-08-28 01:59 81920]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [2008-02-16 01:20 1152320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 05:48 479232]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-25 05:57 36640]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Malwarebytes Anti-Malware Reboot"="E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"040040a6"="C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll" [ ]
"BM0733733a"="C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= E:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E599BC19-3B42-44E6-BE01-6FB40ED1C2EE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9154AB29-380C-47D4-B530-77AF56BC7EA5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CD44DEE8-66FF-4364-BC13-630737E0146C}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A8F5827A-6218-4D55-8DDA-ACE8A124BC3A}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{B6A42924-FF49-4688-AD5C-1A7DF131D684}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{1CE32E32-80C5-4CB5-8074-5413C7ABE3FA}"= UDP:E:\Program Files\iTunes\iTunes.exe:iTunes
"{7E94B0C2-412B-4531-B0AA-2168C6E94A07}"= TCP:E:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{65A3C2D5-19C8-4387-A239-EBA9E7910421}E:\\program files\\mirc\\mirc.exe"= UDP:E:\program files\mirc\mirc.exe:mIRC
"UDP Query User{18B52C2C-4516-4434-9F6A-3D194B5F97A7}E:\\program files\\mirc\\mirc.exe"= TCP:E:\program files\mirc\mirc.exe:mIRC
"{F409F231-4356-4152-97F0-B495D23FB826}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 TfFsMon;TfFsMon;C:\Windows\system32\drivers\TfFsMon.sys [2008-02-15 10:20]
R0 TfSysMon;TfSysMon;C:\Windows\system32\drivers\TfSysMon.sys [2008-02-15 10:21]
R2 ThreatFire;ThreatFire;E:\Program Files\ThreatFire\TFService.exe service []
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 07:36]
R3 TfNetMon;TfNetMon;C:\Windows\system32\drivers\TfNetMon.sys [2008-02-15 10:21]
S3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 15:41]
S3 VSTHWBS2;VSTHWBS2;C:\Windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 15:41]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 02:12:11 C:\Windows\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-19 02:12:12 C:\Windows\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-25 14:28:59 C:\Windows\Tasks\RegCure Program Check.job"
- E:\Program Files\RegCure\RegCure.exe
"2008-04-19 03:43:33 C:\Windows\Tasks\RegCure.job"
- E:\Program Files\RegCure\RegCure.exe
"2008-04-25 11:37:31 C:\Windows\Tasks\User_Feed_Synchronization-{54C04306-396D-428A-A04D-8B1A362526F2}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 22:48:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll
.
Completion time: 2008-04-25 22:49:36
ComboFix-quarantined-files.txt 2008-04-25 14:49:28

Pre-Run: 27,676,045,312 bytes free
Post-Run: 27,556,278,272 bytes free

240 --- E O F --- 2008-04-19 14:51:27


Main:

Deckard's System Scanner v20071014.68
Run by Daniel on 2008-04-25 22:54:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-25 22:54:55
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Windows\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Windows\System32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\microsoft shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\System32\SearchProtocolHost.exe
C:\Windows\System32\SearchFilterHost.exe
E:\Users\Daniel\Desktop\dss.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Windows\System32\wbem\WmiPrvSE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - E:\Program Files\Avanquest\Fix-It\mxtask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe


--
End of file - 10923 bytes

-- Files created between 2008-03-25 and 2008-04-25 -----------------------------

2008-04-25 22:43:10 68096 --a------ C:\Windows\zip.exe
2008-04-25 22:43:10 49152 --a------ C:\Windows\VFind.exe
2008-04-25 22:43:10 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-25 22:43:10 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-25 22:43:10 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-25 22:43:10 98816 --a------ C:\Windows\sed.exe
2008-04-25 22:43:10 80412 --a------ C:\Windows\grep.exe
2008-04-25 22:43:10 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-25 22:42:27 0 d-------- C:\327882R2FWJFW
2008-04-25 22:12:08 0 d-------- C:\Users\All Users\Malwarebytes
2008-04-23 18:18:56 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-04-21 20:55:27 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-21 18:07:07 0 d-------- C:\Program Files\Java
2008-04-21 18:06:26 0 d-------- C:\Program Files\Common Files\Java
2008-04-20 23:30:18 0 d--h----- C:\Users\All Users\CanonBJ
2008-04-19 22:26:20 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-19 12:15:12 0 d-------- C:\Users\All Users\BVRP Software
2008-04-19 12:13:40 0 dr-hs---- C:\_Backup.RC
2008-04-19 12:13:35 0 d--h----- C:\_Backup
2008-04-19 12:11:23 0 d-------- C:\Users\All Users\Avanquest
2008-04-19 12:06:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 10:53:50 0 d-------- C:\Users\All Users\Adobe Systems
2008-04-19 10:39:34 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 10:36:43 0 d-------- C:\Users\All Users\Adobe
2008-04-19 10:36:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 04:01:28 0 d-------- C:\Windows\Panther
2008-04-19 03:06:48 0 d-------- C:\Windows\SoftwareDistribution
2008-04-19 03:04:41 0 d-------- C:\Windows\Debug
2008-04-19 03:02:37 0 d-------- C:\Windows\Prefetch
2008-04-19 02:00:11 0 d-------- C:\Users\All Users\SiteAdvisor
2008-04-19 02:00:11 0 d-------- C:\Program Files\SiteAdvisor
2008-04-19 01:58:25 0 d-------- C:\Program Files\McAfee.com
2008-04-19 01:58:21 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58:20 0 d-------- C:\Program Files\McAfee
2008-04-19 01:52:15 0 d-------- C:\Users\All Users\McAfee
2008-04-19 00:18:39 0 d-------- C:\Users\All Users\Messenger Plus!
2008-04-18 16:27:56 0 d-------- C:\Windows\system32\Macromed
2008-04-18 16:18:54 0 d-------- C:\Program Files\uTorrent
2008-04-18 15:59:27 0 d-------- C:\Program Files\iPod
2008-04-18 15:57:45 0 d-------- C:\Program Files\Bonjour
2008-04-18 15:56:59 0 d-------- C:\Program Files\QuickTime
2008-04-18 15:56:58 0 d-------- C:\Users\All Users\Apple Computer
2008-04-18 15:56:26 0 d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55:36 0 d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:55:35 0 d-------- C:\Users\All Users\Apple
2008-04-18 15:45:52 0 d-------- C:\Program Files\Microsoft Works
2008-04-18 15:45:12 0 d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:42:52 0 d-------- C:\Users\All Users\Microsoft Help
2008-04-18 15:42:28 0 dr-h----- C:\MSOCache
2008-04-18 15:37:49 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:31:45 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:31:40 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:30:37 0 d-------- C:\Users\All Users\WLInstaller
2008-04-18 15:14:40 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10:12 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 15:10:00 0 d-------- C:\Windows\PCHEALTH
2008-04-18 14:49:33 0 d--hs---- C:\Windows\Installer
2008-04-18 14:49:25 0 d-------- C:\Users\All Users\PC Tools
2008-04-18 14:48:00 0 d-a------ C:\Users\All Users\TEMP
2008-04-18 14:31:53 0 d-------- C:\PerfLogs
2008-04-18 14:15:41 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 14:01:58 0 d-------- C:\bc4df1d51d879d6c5c156d0475
2008-04-18 13:31:53 0 d-------- C:\Users\All Users\NVIDIA
2008-04-18 13:28:20 0 d-------- C:\Windows\system32\RTCOM
2008-04-18 13:27:11 0 d-------- C:\Program Files\CONEXANT
2008-04-18 12:19:23 0 d-------- C:\Users\Daniel\Contacts
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Templates
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Start Menu
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\SendTo
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Recent
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\PrintHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\NetHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\My Documents
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Local Settings
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Cookies
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Application Data
2008-04-18 12:19:15 1310720 --ahs---- C:\Users\Daniel\NTUSER.DAT
2008-04-18 12:19:15 0 d--h----- C:\Users\Daniel\AppData
2008-04-18 11:51:30 0 d--hs---- C:\Boot
2008-04-18 11:22:43 0 d-------- C:\$WIN_NT$.~BT
2008-04-18 09:04:39 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-04-25 22:50:43 0 d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-04-25 22:12:16 0 d-------- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2008-04-21 22:03:00 0 d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-21 20:40:53 0 d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 19:11:16 0 d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-21 18:59:59 0 d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-21 18:06:26 0 d-------- C:\Program Files\Common Files
2008-04-19 15:22:44 0 d-------- C:\Users\Daniel\AppData\Roaming\Adobe
2008-04-19 14:38:33 0 d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-04-19 12:19:22 0 d-------- C:\Users\Daniel\AppData\Roaming\Mozilla
2008-04-19 12:11:23 0 d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 11:51:14 0 d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:17:30 0 d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 00:54:54 0 d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-18 16:27:59 0 d-------- C:\Users\Daniel\AppData\Roaming\Macromedia
2008-04-18 14:38:34 174 --ahs---- C:\Program Files\desktop.ini
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Sidebar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Mail
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Calendar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Movie Maker
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Journal
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Collaboration
2008-04-18 14:32:36 0 d-------- C:\Program Files\Windows Defender
2008-04-18 12:19:26 0 d-------- C:\Users\Daniel\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/25/2007 05:52 AM C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [08/28/2007 01:59 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/28/2007 01:59 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/28/2007 01:59 AM]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [02/16/2008 01:20 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 05:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/16/2005 05:48 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/25/2007 05:57 AM]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Malwarebytes Anti-Malware Reboot"="E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [04/07/2008 08:17 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [04/19/2008 10:18 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 11:33 PM]
"cmds"="C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll,c" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"040040a6"=rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b
"BM0733733a"=Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-25 22:57:36 ------------


Thanks again! =)

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:12 PM

Posted 26 April 2008 - 05:35 AM

Hello Cloud_D,

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:

O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll,c
O4 - HKUS\S-1-5-18\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
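The five O4 entries Thunder asks to fix share two traits that stand out in a HijackThis log: rundll32.exe is loading a DLL out of the user's Temp folder, and three of them run under the SYSTEM and .DEFAULT hives yet point into a single user's profile. The script below is an added example (not HijackThis code and not a BleepingComputer tool) that parses O4 lines, flags entries on those two heuristics (my assumptions, not rules HijackThis applies), and re-checks which flagged entries survive in a second log. The sample logs are trimmed subsets of the two HijackThis logs posted in this thread.

```python
r"""Flag suspicious HijackThis O4 (autorun) entries and re-check them after a fix.

Added example for this thread; not HijackThis code and not a BleepingComputer tool.
The two heuristics are assumptions, not rules HijackThis itself applies:
  1. rundll32.exe loading a DLL out of a Temp directory
  2. an autorun under HKUS\S-1-5-18 (SYSTEM) or HKUS\.DEFAULT that points into a user profile
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Trimmed subsets of the two HijackThis logs posted in this thread (before and after the fix).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\jkkKcYQG.dll,c
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\fxhevckf.dll",b (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# "O4 - <hive\..\Run>: [<value name>] <command> (User '<account>')"; the user suffix is optional.
O4_RE = re.compile(
    r"^O4 - (?P<location>\S+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']+)'\))?$"
)
SYSTEM_LOCATIONS = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class AutorunEntry:
    location: str
    name: str
    cmd: str
    user: Optional[str]
    dll: Optional[str]                      # DLL path when the command is a rundll32 loader
    flags: List[str] = field(default_factory=list)

    @property
    def key(self) -> Tuple[str, str, str]:
        """Identity used to match the same entry across two logs."""
        return (self.location, self.name, (self.dll or self.cmd).lower())


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL path if cmd is 'rundll32.exe <dll>,<entrypoint>' (any case), else None."""
    parts = cmd.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "rundll32.exe":
        return None
    # Drop the ",entrypoint" suffix and any surrounding quotes
    return parts[1].strip().rsplit(",", 1)[0].strip().strip('"')


def parse_o4(log: str) -> List[AutorunEntry]:
    """Parse Run-key O4 lines; 'O4 - Startup:' shortcut lines and other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutorunEntry(m["location"], m["name"], m["cmd"], m["user"],
                                        rundll32_target(m["cmd"])))
    return entries


def flag(entry: AutorunEntry) -> AutorunEntry:
    dll = (entry.dll or "").lower()
    if dll and any(marker in dll for marker in TEMP_MARKERS):
        entry.flags.append("rundll32 loads a DLL from a Temp directory")
    system_hive = entry.location.upper().startswith(tuple(s.upper() for s in SYSTEM_LOCATIONS))
    if system_hive and dll.startswith("c:\\users\\"):
        entry.flags.append("SYSTEM/.DEFAULT autorun points into a user profile")
    return entry


def suspicious(log: str) -> List[AutorunEntry]:
    """All O4 entries in the log that trip at least one heuristic."""
    return [e for e in (flag(e) for e in parse_o4(log)) if e.flags]


def still_present(before: str, after: str) -> List[AutorunEntry]:
    """Flagged entries from the first log that are still in the second (the 'if still present' re-check)."""
    after_keys = {e.key for e in parse_o4(after)}
    return [e for e in suspicious(before) if e.key in after_keys]


if __name__ == "__main__":
    for e in suspicious(BEFORE_LOG):
        print(f"{e.location} [{e.name}] -> {e.dll}: {'; '.join(e.flags)}")
    print("still present after fix:", [e.name for e in still_present(BEFORE_LOG, AFTER_LOG)])
```

The matching key is (hive, value name, lower-cased DLL path) rather than the whole line, so the same entry is recognised whether the log writes rundll32.exe or Rundll32.exe. Benign rundll32 entries (NvCpl.dll in system32, oobefldr.dll under LOCAL SERVICE) pass both heuristics untouched; the value names are deliberately not used as a signal, since random-looking names are suggestive but not reliable on their own.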

#6 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:12 AM

Posted 27 April 2008 - 05:01 AM

There seems to be no more problems. Thanks for the help! Really appreciate it. =)

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:12 PM

Posted 27 April 2008 - 05:35 AM

Good to hear, Cloud_D :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Can you post a fresh HijackThis log for a final check please?

Greetings,
Thunder

#8 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:12 AM

Posted 28 April 2008 - 05:56 AM

Hi, here it is. Thanks again for the help. =)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:42 PM, on 4/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
E:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
E:\Users\Daniel\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - E:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7834 bytes
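The two `O4 - HKUS\...` entries above stand out from the rest of the log for reasons a helper checks on sight: the autorun uses Rundll32.exe to load a DLL out of a user's `AppData\Local\Temp` directory, and it runs under the SYSTEM (S-1-5-18) and .DEFAULT hives while pointing into one named user's profile, which legitimate software has no reason to do. As an added example (not part of the original thread and not HijackThis code), the Python below parses O4 lines in the format shown and applies those heuristics. The sample log is constructed from entries in this thread, and the regular expressions and reason strings are my own assumptions, not anything the thread states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format HijackThis prints for O4 entries
# (copied from the kinds of lines seen in this thread, both benign and suspicious).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\Windows\\system32\\NvCpl.dll,NvStartup
O4 - HKCU\\..\\Run: [uTorrent] "C:\\Program Files\\uTorrent\\uTorrent.exe"
O4 - HKUS\\S-1-5-18\\..\\Run: [BM0733733a] Rundll32.exe "C:\\Users\\Daniel\\AppData\\Local\\Temp\\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\\.DEFAULT\\..\\Run: [BM0733733a] Rundll32.exe "C:\\Users\\Daniel\\AppData\\Local\\Temp\\gbryedmd.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
"""

# "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')" -- the user suffix is optional.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# "O4 - Startup: <name> = <command>" (and Global Startup).
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Heuristics (assumptions of this example): Temp directories, DLL loaders,
# and a per-user profile path (excluding shared profiles).
TEMP_RE = re.compile(r"\\temp\\", re.I)
LOADER_RE = re.compile(r"\b(?:rundll32|regsvr32)(?:\.exe)?\b", re.I)
PROFILE_RE = re.compile(r"\\(?:Users|Documents and Settings)\\(?!All Users\\|Default\\|Public\\)", re.I)
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    user: Optional[str]


def parse_o4(log: str) -> List[RunEntry]:
    """Extract O4 Run and Startup entries; other HijackThis sections are ignored."""
    entries: List[RunEntry] = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["cmd"], m["user"]))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["cmd"], None))
    return entries


def suspicious_reasons(entry: RunEntry) -> List[str]:
    """Return every heuristic the entry trips; an empty list means nothing flagged."""
    reasons: List[str] = []
    in_temp = bool(TEMP_RE.search(entry.command))
    if in_temp:
        reasons.append("autorun target lives in a Temp directory")
    if in_temp and LOADER_RE.search(entry.command):
        reasons.append("rundll32/regsvr32 loads a DLL from Temp")
    if entry.hive.upper().startswith(SYSTEM_HIVES) and PROFILE_RE.search(entry.command):
        reasons.append("SYSTEM/.DEFAULT autorun points into one user's profile")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map '<hive> [<name>]' to its reasons for every flagged O4 entry."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_o4(log):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[f"{entry.hive} [{entry.name}]"] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(key)
        for r in reasons:
            print("   -", r)
```

Run against the constructed sample, only the two `BM0733733a` entries are flagged, each on all three counts, while the legitimate RUNDLL32 lines that load NVIDIA DLLs from `system32` pass untouched. The heuristics are deliberately narrow; a real review would still check the DLL's signature, hash and creation time before deciding anything.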

#9 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 28 April 2008 - 02:43 PM

Glad we could help, Cloud_D

Looks like you're all set to go again. :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.