
Adware.vundo Variant/rel Infection



#1 XiahWolf
Posted 06 June 2008 - 01:52 AM

I've scanned with NOD32 and Kaspersky, but they got nothing. When I scanned with SuperAntiSpyware, it came up with Adware.Vundo Variant/Rel and Adware.Tracking Cookies. The number of cookies varies each time. Every time I try to remove it, it keeps coming back. I've tried various antispyware programs, e.g. VundoFix and VirtumundoBeGone, but they are never able to detect anything. Very rarely, I get pop-ups about WinFix and the like. I don't know if this problem is related, but when I search for a webpage and click on it, sometimes it redirects me to another page. The contact server is hxxp://xsearchz.com/

Deckard's System Scanner v20071014.68
Run by Nikki on 2008-06-06 15:53:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
22: 2008-06-05 23:43:04 UTC - RP115 - Windows Update
21: 2008-06-05 08:40:46 UTC - RP114 - Scheduled Checkpoint
20: 2008-06-04 05:59:29 UTC - RP113 - Windows Update
19: 2008-06-03 11:30:20 UTC - RP112 - Scheduled Checkpoint
18: 2008-06-02 08:29:08 UTC - RP111 - Scheduled Checkpoint


-- First Restore Point --
1: 2008-05-24 06:30:06 UTC - RP93 - Installed KalOnlineEng


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 1022 MiB (1024 MiB recommended).


-- HijackThis (run as Nikki.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:37 PM, on 6/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Vpskeys\VPSKEYS.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\hp\kbd\kbd.exe
C:\Users\Nikki\Desktop\dss.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Nikki.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "c:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [VPSKEYS] C:\Program Files\Vpskeys\vpskeys.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [34364199] rundll32.exe "C:\Users\Nikki\AppData\Local\Temp\iqcemsyj.dll",b
O4 - HKCU\..\Run: [__c00D4148] rundll32.exe "C:\Users\Nikki\AppData\Roaming\__c00D4148.dat",B
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BM37057205] Rundll32.exe "C:\Users\Nikki\AppData\Local\Temp\alqjjnhh.dll",s
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 12402 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 npkcrypt - \??\c:\nexon\maplestory\npkcrypt.sys
R3 npkcusb - \??\c:\nexon\maplestory\npkcusb.sys
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DTSRVC (Portrait Displays Display Tune Service) - c:\program files\common files\portrait displays\shared\dtsrvc.exe
R3 ServiceLayer - "c:\program files\common files\pcsuite\services\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-06 16:00:00 420 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{493AF5F5-6486-441D-BA94-9DA1C4417550}.job
2008-06-06 09:55:26 418 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{B00AC38F-D723-42B8-BF3F-F199818F0956}.job


-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-06 00:35:00 0 d-------- C:\Users\Nikki\Destop
2008-06-04 22:16:41 0 d-------- C:\Users\All Users\Azureus
2008-06-04 22:16:22 0 d-------- C:\Program Files\AskSBar
2008-06-03 19:44:57 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-06-03 19:00:22 0 d-------- C:\Downloads
2008-06-03 16:06:37 0 d-------- C:\Users\All Users\FreeDownloadManager.ORG
2008-06-03 16:06:35 0 d-------- C:\Program Files\Free Download Manager
2008-05-29 22:50:27 0 d-------- C:\Program Files\Panda Security
2008-05-29 16:55:18 0 d-------- C:\Users\Rachel\Phone Browser
2008-05-29 07:01:21 0 d-------- C:\Program Files\RogueRemover FREE
2008-05-28 20:51:21 0 d-------- C:\VundoFix Backups
2008-05-28 20:49:11 0 d-------- C:\Program Files\Trend Micro
2008-05-27 16:58:46 298104 --a------ C:\Windows\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2008-05-27 16:30:05 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-27 16:28:54 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-27 16:28:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 23:08:43 0 d-------- C:\Program Files\Janes Hotel
2008-05-26 22:57:47 0 d-------- C:\Windows\Pastry Passion
2008-05-26 22:57:46 0 d-------- C:\Program Files\Pastry Passion
2008-05-26 22:40:47 0 d-------- C:\Program Files\Plant Tycoon
2008-05-26 22:18:59 0 d-------- C:\Program Files\Janes Hotel Family Hero
2008-05-26 21:39:56 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-26 21:21:26 0 d-------- C:\Users\All Users\n7-89-o9-3r-4t-r9
2008-05-26 21:12:09 0 d-------- C:\Program Files\ReflexiveArcade
2008-05-26 21:00:43 0 d-------- C:\Program Files\Lemonade Tycoon 2
2008-05-26 17:15:45 0 d-------- C:\Users\All Users\WLInstaller
2008-05-26 10:36:03 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-26 10:21:58 0 d-------- C:\Program Files\MSXML 4.0
2008-05-25 13:03:09 2560 --a------ C:\Windows\_MSRSTRT.EXE
2008-05-25 12:21:14 0 d-------- C:\Nexon
2008-05-25 11:52:44 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-05-25 11:52:39 4682 --a------ C:\Windows\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-05-25 10:34:11 0 d-------- C:\Users\All Users\Emotum
2008-05-23 20:09:19 0 d-------- C:\Program Files\DIFX
2008-05-23 20:01:52 0 d-------- C:\Emotum
2008-05-13 11:53:16 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-05-13 11:50:16 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-13 11:50:16 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-13 11:50:08 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 11:50:08 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 11:50:08 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-05-13 11:50:08 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 11:50:06 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 11:49:02 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-05-10 19:23:12 0 d-------- C:\Users\Nikki\Nokia Backup


-- Find3M Report ---------------------------------------------------------------

2008-06-05 00:59:43 0 d-------- C:\Users\Nikki\AppData\Roaming\Azureus
2008-06-04 22:16:06 0 d-------- C:\Program Files\Azureus
2008-06-03 19:07:30 0 d-------- C:\Users\Nikki\AppData\Roaming\Free Download Manager
2008-06-02 23:16:07 0 d-------- C:\Program Files\DivX
2008-05-31 21:21:18 0 d-------- C:\Program Files\Messenger Plus! Live
2008-05-31 21:07:39 0 d-------- C:\Program Files\MSN Messenger
2008-05-27 19:01:53 0 d-------- C:\Program Files\LimeWire
2008-05-27 16:28:54 0 d-------- C:\Users\Nikki\AppData\Roaming\SUPERAntiSpyware.com
2008-05-27 16:28:15 0 d-------- C:\Program Files\Common Files
2008-05-26 23:09:37 0 d-------- C:\Users\Nikki\AppData\Roaming\Jane s Hotel
2008-05-26 22:38:18 0 d-------- C:\Users\Nikki\AppData\Roaming\LimeWire
2008-05-26 22:20:50 0 d-------- C:\Users\Nikki\AppData\Roaming\Jane s Hotel Family Hero
2008-05-26 22:11:07 0 d-------- C:\Users\Nikki\AppData\Roaming\GameHouse
2008-05-26 21:39:51 0 d-------- C:\Program Files\Windows Live
2008-05-26 21:10:08 0 d-------- C:\Users\Nikki\AppData\Roaming\Jamdat
2008-05-26 10:47:50 0 d-------- C:\Program Files\Windows Mail
2008-05-26 10:47:47 0 d-------- C:\Program Files\Windows Sidebar
2008-05-25 13:31:28 0 d-------- C:\Users\Nikki\AppData\Roaming\Adobe
2008-05-25 13:29:23 0 d-------- C:\Program Files\DAP
2008-05-25 13:29:22 0 d-------- C:\Program Files\Google
2008-05-25 12:25:47 0 d-------- C:\Users\Nikki\AppData\Roaming\Nexon
2008-05-25 11:53:06 0 d-------- C:\Program Files\MapleStory
2008-05-24 16:30:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-19 21:22:06 335919 --a------ C:\Users\Nikki\AppData\Roaming\NMM-MetaData.db
2008-04-28 19:39:36 0 d-------- C:\Program Files\coverXP
2008-04-09 15:38:54 0 d-------- C:\Program Files\Counter-Strike 1.6


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/06/2008 10:16 PM 262144 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [04/06/2008 10:16 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [28/06/2007 06:38 AM]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [28/09/2006 11:42 PM]
"KBD"="C:\HP\KBD\KbdStub.EXE" [09/12/2006 02:16 AM]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [15/02/2007 08:59 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [20/04/2007 11:11 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [13/03/2007 06:37 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [13/03/2007 06:37 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [13/03/2007 06:37 AM]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [17/02/2005 04:11 PM]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 07:59 AM]
"IS CfgWiz"="c:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [13/01/2007 04:28 AM]
"@"="" []
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [25/04/2007 11:36 AM]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [15/06/2006 11:36 AM]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [24/11/2006 07:20 PM]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [19/07/2006 01:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 12:11 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [26/10/2006 11:47 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [27/05/2008 04:57 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [26/05/2008 10:27 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02/11/2006 10:35 PM]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [27/06/2006 03:21 PM]
"VPSKEYS"="C:\Program Files\Vpskeys\vpskeys.exe" [29/03/2003 10:52 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"34364199"="C:\Users\Nikki\AppData\Local\Temp\iqcemsyj.dll,b" []
"__c00D4148"="C:\Users\Nikki\AppData\Roaming\__c00D4148.dat,B" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/06/2008 05:06 PM]
"BM37057205"="C:\Users\Nikki\AppData\Local\Temp\alqjjnhh.dll,s" []
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [20/05/2008 05:27 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02/11/2006 10:36 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=2 (0x2)
"DontDisplayLogonHoursWarnings"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{680cc04c-b507-11dc-a356-001bfc6995ad}]
AutoRun\command- .\MigWiz\migsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7597ff1-ccc3-11dc-bd1c-001bfc6995ad}]
AutoRun\command- M:\LaunchU3.exe -a

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-06 16:02:38 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU 2160 @ 1.80GHz
Percentage of Memory in Use: 85%
Physical Memory (total/avail): 1021.87 MiB / 147.76 MiB
Pagefile Memory (total/avail): 2293.61 MiB / 993.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1883.84 MiB

C: is Fixed (NTFS) - 289.56 GiB total, 200.66 GiB free.
D: is Fixed (NTFS) - 8.53 GiB total, 1.01 GiB free.
E: is CDROM (No Media)
G: is Removable (FAT)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)
L: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3320820AS - 298.09 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 289.56 GiB - C:
\PARTITION1 - Installable File System - 8.53 GiB - D:

\\.\PHYSICALDRIVE6 - Brother MFC-440CN USB Device

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE1 - USBDisk RunDisk USB Device - 1953.22 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 1955.23 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Norton Internet Security v2007 (Symantec Corporation) Disabled
AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)
AV: Norton Internet Security v2007 (Symantec Corporation) Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: SUPERAntiSpyware v4, 15, 0, 1000 (SUPERAntiSpyware.com)
AS: Norton Internet Security v2007 (Symantec Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Nikki\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HPMICROSOFT
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Nikki
LOCALAPPDATA=C:\Users\Nikki\AppData\Local
LOGONSERVER=\\HPMICROSOFT
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\hp\bin\Python;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND=Pavilion
PLATFORM=HPD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
RoxioCentral=c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Nikki\AppData\Local\Temp
TMP=C:\Users\Nikki\AppData\Local\Temp
USERDOMAIN=HPMicrosoft
USERNAME=Nikki
USERPROFILE=C:\Users\Nikki
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Nikki
Rachel
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Free Download Manager 2.5 --> "C:\Program Files\Free Download Manager\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type13258 / Error
Event Submitted/Written: 06/06/2008 03:57:08 PM
Event ID/Source: 5007 / WerSvc
Event Description:
The target file for the Windows Feedback Platform (a DLL file containing the list of problems on this computer that require additional data collection for diagnosis) could not be parsed. The error code was 8014FFF9.

Event Record #/Type13250 / Success
Event Submitted/Written: 06/06/2008 03:52:33 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type13242 / Success
Event Submitted/Written: 06/06/2008 03:49:44 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type13241 / Success
Event Submitted/Written: 06/06/2008 03:49:43 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type13235 / Success
Event Submitted/Written: 06/06/2008 03:49:35 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type28581 / Warning
Event Submitted/Written: 06/06/2008 04:00:56 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HPMicrosoft27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HPMicrosoft27 can't undo changes that you allow.

For more information please see the following:
%HPMicrosoft275

Scan ID: {EC82AB44-7431-4060-BA7A-9C669024C6B4}

User: HPMicrosoft\Nikki

Name: %HPMicrosoft271

ID: %HPMicrosoft272

Severity ID: %HPMicrosoft273

Category ID: %HPMicrosoft274

Path Found: %HPMicrosoft276

Alert Type: %HPMicrosoft278

Detection Type: 1.1.1505.02

Event Record #/Type28580 / Warning
Event Submitted/Written: 06/06/2008 04:00:56 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HPMicrosoft27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HPMicrosoft27 can't undo changes that you allow.

For more information please see the following:
%HPMicrosoft275

Scan ID: {EFC4BBA2-24AF-4902-9932-890883C727C3}

User: HPMicrosoft\Nikki

Name: %HPMicrosoft271

ID: %HPMicrosoft272

Severity ID: %HPMicrosoft273

Category ID: %HPMicrosoft274

Path Found: %HPMicrosoft276

Alert Type: %HPMicrosoft278

Detection Type: 1.1.1505.02

Event Record #/Type28579 / Warning
Event Submitted/Written: 06/06/2008 04:00:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HPMicrosoft27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HPMicrosoft27 can't undo changes that you allow.

For more information please see the following:
%HPMicrosoft275

Scan ID: {0FA4FACD-2AB5-402E-949E-46854AC9B992}

User: HPMicrosoft\Nikki

Name: %HPMicrosoft271

ID: %HPMicrosoft272

Severity ID: %HPMicrosoft273

Category ID: %HPMicrosoft274

Path Found: %HPMicrosoft276

Alert Type: %HPMicrosoft278

Detection Type: 1.1.1505.02

Event Record #/Type28578 / Warning
Event Submitted/Written: 06/06/2008 04:00:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HPMicrosoft27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HPMicrosoft27 can't undo changes that you allow.

For more information please see the following:
%HPMicrosoft275

Scan ID: {6922562D-5850-484A-8B70-D1CDDDB83052}

User: HPMicrosoft\Nikki

Name: %HPMicrosoft271

ID: %HPMicrosoft272

Severity ID: %HPMicrosoft273

Category ID: %HPMicrosoft274

Path Found: %HPMicrosoft276

Alert Type: %HPMicrosoft278

Detection Type: 1.1.1505.02

Event Record #/Type28576 / Warning
Event Submitted/Written: 06/06/2008 03:55:02 PM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.



-- End of Deckard's System Scanner: finished at 2008-06-06 16:02:38 ------------

Edited by Orange Blossom, 11 February 2013 - 03:26 AM.
Deactivate link. ~ OB


#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:07:47 AM

Posted 07 June 2008 - 05:35 AM

Hello XiahWolf and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report into your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 XiahWolf

  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Local time:03:47 PM

Posted 27 June 2008 - 08:43 AM

ComboFix 08-06-20.4 - Nikki 2008-06-27 23:23:28.1 - NTFSx86
Running from: C:\Users\Nikki\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-27 22:34 . 2008-06-27 22:34 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-06-27 22:00 . 2008-06-27 22:50 <DIR> d-------- C:\Users\Nikki\AppData\Roaming\Roxio
2008-06-25 23:29 . 2008-06-25 23:30 <DIR> d-------- C:\Program Files\A4Proxy
2008-06-21 10:25 . 2008-06-27 10:24 <DIR> d-------- C:\Users\Rachel\Incomplete
2008-06-21 10:24 . 2008-06-27 10:23 <DIR> d-------- C:\Users\Rachel\AppData\Roaming\LimeWire
2008-06-20 22:30 . 2008-06-21 18:18 <DIR> d-------- C:\MartialHeroes
2008-06-19 19:42 . 2008-06-19 19:49 <DIR> d-------- C:\Users\Nikki\Shared
2008-06-19 19:41 . 2008-06-27 21:04 <DIR> d-------- C:\Users\Nikki\Incomplete
2008-06-19 17:41 . 2008-06-19 17:41 <DIR> d-------- C:\Users\Nikki\AppData\Roaming\Flock
2008-06-19 17:40 . 2008-06-19 17:41 <DIR> d-------- C:\Program Files\Flock
2008-06-18 23:06 . 2008-06-18 23:06 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-06-18 17:19 . 2008-06-20 20:33 <DIR> d-------- C:\my flashes
2008-06-17 22:51 . 2008-06-17 22:51 <DIR> d-------- C:\Users\Phu\AppData\Roaming\PC Suite
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> dr------- C:\Users\Dad\Videos
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> dr------- C:\Users\Dad\Searches
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> dr------- C:\Users\Dad\Saved Games
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> dr------- C:\Users\Dad\Pictures
2008-06-17 22:49 . 2008-06-18 16:03 <DIR> dr------- C:\Users\Dad\Music
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> dr------- C:\Users\Dad\Links
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> dr------- C:\Users\Dad\Downloads
2008-06-17 22:49 . 2008-06-21 09:11 <DIR> dr------- C:\Users\Dad\Documents
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> dr------- C:\Users\Dad\Contacts
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> d-------- C:\Users\Dad\AppData\Roaming\PC Suite
2008-06-17 22:49 . 2006-11-02 22:37 <DIR> d-------- C:\Users\Dad\AppData\Roaming\Media Center Programs
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> d--h----- C:\Users\Dad\AppData
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> d-------- C:\Users\Dad
2008-06-17 22:49 . 2008-06-17 22:49 <DIR> d-------- C:\Dad
2008-06-17 22:48 . 2008-06-17 22:48 <DIR> d-------- C:\Phu
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> dr------- C:\Users\Phu\Videos
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> dr------- C:\Users\Phu\Searches
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> dr------- C:\Users\Phu\Saved Games
2008-06-17 22:47 . 2008-06-27 12:22 <DIR> dr------- C:\Users\Phu\Pictures
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> dr------- C:\Users\Phu\Music
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> dr------- C:\Users\Phu\Links
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> dr------- C:\Users\Phu\Downloads
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> dr------- C:\Users\Phu\Documents
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> dr------- C:\Users\Phu\Contacts
2008-06-17 22:47 . 2006-11-02 22:37 <DIR> d-------- C:\Users\Phu\AppData\Roaming\Media Center Programs
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> d--h----- C:\Users\Phu\AppData
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> d-------- C:\Users\Phu
2008-06-16 07:06 . 2008-06-16 07:06 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-16 06:38 . 2008-06-16 06:38 717,296 --a------ C:\Windows\System32\drivers\sptd.sys
2008-06-16 06:37 . 2008-06-16 06:37 <DIR> d-------- C:\Users\Nikki\AppData\Roaming\DAEMON Tools
2008-06-13 21:32 . 2008-06-22 00:35 <DIR> d-------- C:\Users\Nikki\AppData\Roaming\Hamachi
2008-06-13 21:30 . 2008-06-13 21:32 <DIR> d-------- C:\Program Files\Hamachi
2008-06-13 21:30 . 2008-06-13 21:30 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys
2008-06-13 21:23 . 2008-06-13 21:30 139,264 --a------ C:\Windows\War3Unin.exe
2008-06-13 21:23 . 2008-06-13 21:31 55,812 --a------ C:\Windows\War3Unin.dat
2008-06-13 21:23 . 2008-06-13 21:30 2,829 --a------ C:\Windows\War3Unin.pif
2008-06-13 21:22 . 2008-06-13 21:22 <DIR> d-------- C:\Users\Nikki\.eclipse
2008-06-13 21:19 . 2008-06-21 23:36 <DIR> d-------- C:\Program Files\Warcraft III
2008-06-13 20:35 . 2008-06-13 20:35 <DIR> d-------- C:\Users\All Users\InstallShield
2008-06-13 20:35 . 2008-06-13 20:35 <DIR> d-------- C:\ProgramData\InstallShield
2008-06-13 19:58 . 2008-06-13 19:58 <DIR> d-------- C:\Users\Nikki\AppData\Roaming\FlashGet
2008-06-13 19:55 . 2008-06-13 19:58 <DIR> d-------- C:\Program Files\FlashGet
2008-06-12 19:35 . 2008-06-12 19:35 <DIR> d-------- C:\Program Files\CakeMania 2
2008-06-12 16:51 . 2008-06-12 16:51 <DIR> d-------- C:\Program Files\CloneDVD
2008-06-11 19:09 . 2008-06-12 16:46 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-06-11 15:43 . 2008-06-11 15:43 <DIR> d-------- C:\Users\All Users\SlySoft
2008-06-11 15:43 . 2008-06-11 15:43 <DIR> d-------- C:\ProgramData\SlySoft
2008-06-10 22:26 . 2008-06-11 15:43 0 --ahs---- C:\Windows\SBEC71AF0.tmp
2008-06-10 22:17 . 2008-06-10 22:17 <DIR> d-------- C:\Program Files\SlySoft
2008-06-10 13:05 . 2006-08-05 11:45 51,019,372 --a------ C:\Users\Nikki\FIRST!!! - War3tft_120e_english.exe
2008-06-10 13:05 . 2007-08-15 16:46 2,660,341 --a------ C:\Users\Nikki\SECOND!!! - War3TFT_120e_121a_English.exe
2008-06-10 13:05 . 2008-02-06 22:26 809,769 --a------ C:\Users\Nikki\THIRD!!! - War3TFT_121a_121b_English.exe
2008-06-09 23:03 . 2008-06-09 23:03 <DIR> d-------- C:\Users\Nikki\AppData\Roaming\Malwarebytes
2008-06-09 23:02 . 2008-06-09 23:02 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-06-09 23:02 . 2008-06-09 23:02 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-06-09 23:02 . 2008-06-09 23:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-09 23:02 . 2008-06-05 16:04 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-09 23:02 . 2008-06-05 16:04 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-09 14:43 . 2008-06-09 14:43 <DIR> d-------- C:\Users\Rachel\AppData\Roaming\Yahoo!
2008-06-08 18:48 . 2008-06-08 18:48 <DIR> d-------- C:\Users\Guest\AppData\Roaming\Yahoo!
2008-06-08 18:48 . 2008-06-08 18:48 <DIR> d-------- C:\Users\All Users\Yahoo! Companion
2008-06-08 18:48 . 2008-06-08 18:48 <DIR> d-------- C:\ProgramData\Yahoo! Companion
2008-06-07 18:18 . 2008-06-07 18:18 <DIR> d-------- C:\Users\All Users\Yahoo!
2008-06-07 18:18 . 2008-06-07 18:18 <DIR> d-------- C:\ProgramData\Yahoo!
2008-06-07 18:17 . 2008-06-07 18:17 <DIR> d-------- C:\Users\Nikki\AppData\Roaming\Yahoo!
2008-06-07 18:16 . 2008-06-07 18:17 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-07 17:44 . 2008-06-20 21:50 <DIR> d-------- C:\Program Files\KalOnlineEng
2008-06-07 17:44 . 2003-03-19 07:20 1,060,864 --a------ C:\Windows\System32\MFC71.dll
2008-06-07 17:44 . 2003-03-19 06:14 499,712 --a------ C:\Windows\System32\msvcp71.dll
2008-06-07 17:44 . 2003-02-21 14:42 348,160 --a------ C:\Windows\System32\msvcr71.dll
2008-06-06 20:20 . 2008-06-06 20:24 <DIR> d-------- C:\Program Files\Teddy Factory
2008-06-04 22:16 . 2008-06-04 22:16 <DIR> d-------- C:\Users\All Users\Azureus
2008-06-04 22:16 . 2008-06-04 22:16 <DIR> d-------- C:\ProgramData\Azureus
2008-06-03 23:40 . 2008-06-03 23:40 <DIR> d-------- C:\Deckard
2008-06-03 19:44 . 2008-06-03 19:44 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-06-03 19:00 . 2008-06-14 19:39 <DIR> d-------- C:\Downloads
2008-05-31 13:07 . 2008-05-31 13:07 <DIR> d-------- C:\Users\Rachel\AppData\Roaming\NCH Software
2008-05-29 22:50 . 2008-06-09 00:04 <DIR> d-------- C:\Program Files\Panda Security
2008-05-29 16:55 . 2008-05-29 16:55 <DIR> d-------- C:\Users\Rachel\Phone Browser
2008-05-29 07:01 . 2008-05-29 07:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-28 20:51 . 2008-05-28 20:51 <DIR> d-------- C:\VundoFix Backups
2008-05-28 20:49 . 2008-05-28 20:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 16:58 . 2008-05-27 16:57 512,096 --a------ C:\Windows\System32\drivers\amon.sys
2008-05-27 16:58 . 2008-05-27 16:57 298,104 --a------ C:\Windows\System32\imon.dll
2008-05-27 16:58 . 2008-05-27 16:57 15,424 --a------ C:\Windows\System32\drivers\nod32drv.sys
2008-05-27 16:57 . 2008-06-27 20:33 <DIR> d-------- C:\Program Files\ESET
2008-05-27 16:30 . 2008-05-27 16:30 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-27 16:30 . 2008-05-27 16:30 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-05-27 16:28 . 2008-05-27 16:28 <DIR> d-------- C:\Users\Nikki\AppData\Roaming\SUPERAntiSpyware.com
2008-05-27 16:28 . 2008-06-05 17:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-27 16:28 . 2008-05-27 16:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 13:29 --------- d-----w C:\Users\Nikki\AppData\Roaming\Azureus
2008-06-27 12:53 --------- d-----w C:\ProgramData\Roxio
2008-06-27 11:04 --------- d-----w C:\Users\Nikki\AppData\Roaming\LimeWire
2008-06-22 07:24 --------- d-----w C:\Users\Rachel\AppData\Roaming\Nokia
2008-06-22 02:35 --------- d---a-w C:\ProgramData\TEMP
2008-06-19 09:40 --------- d-----w C:\Program Files\LimeWire
2008-06-18 12:30 --------- d-----w C:\Program Files\Azureus
2008-06-18 07:12 --------- d-----w C:\Program Files\Flash Saver
2008-06-16 08:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-16 08:27 --------- d-----w C:\Program Files\Infogrames Interactive
2008-06-13 11:09 --------- d-----w C:\Program Files\Nokia
2008-06-13 10:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-12 09:34 --------- d-----w C:\ProgramData\Sandlot Games
2008-06-12 09:03 --------- d-----w C:\Program Files\Old Drive 2
2008-06-11 02:22 --------- d-----w C:\ProgramData\Microsoft Help
2008-06-06 12:35 --------- d-----w C:\Program Files\DivX
2008-06-06 10:30 --------- d-----w C:\Program Files\Oberon Media
2008-06-06 10:20 --------- d-----w C:\Users\Nikki\AppData\Roaming\GameHouse
2008-05-31 11:21 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-31 11:07 --------- d-----w C:\Program Files\MSN Messenger
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\Windows\System32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-05-29 07:01 --------- d-----w C:\ProgramData\Messenger Plus!
2008-05-26 13:09 --------- d-----w C:\Users\Nikki\AppData\Roaming\Jane s Hotel
2008-05-26 13:09 --------- d-----w C:\Program Files\Janes Hotel
2008-05-26 12:58 --------- d-----w C:\Program Files\Pastry Passion
2008-05-26 12:41 --------- d-----w C:\Program Files\Plant Tycoon
2008-05-26 12:26 --------- d-----w C:\ProgramData\WLInstaller
2008-05-26 12:20 --------- d-----w C:\Users\Nikki\AppData\Roaming\Jane s Hotel Family Hero
2008-05-26 12:20 --------- d-----w C:\Program Files\Janes Hotel Family Hero
2008-05-26 11:41 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-26 11:39 --------- d-----w C:\Program Files\Windows Live
2008-05-26 11:21 --------- d-----w C:\ProgramData\n7-89-o9-3r-4t-r9
2008-05-26 11:10 --------- d-----w C:\Users\Nikki\AppData\Roaming\Jamdat
2008-05-26 11:09 --------- d-----w C:\Program Files\Lemonade Tycoon 2
2008-05-26 00:47 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-26 00:47 --------- d-----w C:\Program Files\Windows Mail
2008-05-26 00:40 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-05-26 00:40 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-05-26 00:40 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-05-26 00:39 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-05-26 00:39 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-05-26 00:38 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-05-26 00:36 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-05-26 00:36 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-05-26 00:36 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-05-26 00:36 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-05-26 00:36 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-05-26 00:36 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-05-26 00:36 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-05-26 00:36 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-05-26 00:36 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-05-26 00:36 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-26 00:35 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-05-26 00:35 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-05-26 00:35 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-05-26 00:34 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-05-26 00:34 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-05-26 00:33 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-05-26 00:33 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-05-26 00:33 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-05-26 00:33 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-05-26 00:33 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-05-26 00:32 1,585,664 ----a-w C:\Windows\System32\setupapi.dll
2008-05-26 00:28 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-05-26 00:28 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-05-26 00:28 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-05-26 00:28 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-05-26 00:28 2,028,544 ----a-w C:\Windows\System32\win32k.sys
2008-05-26 00:27 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-05-26 00:27 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-05-26 00:27 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-05-26 00:27 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-05-26 00:27 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-05-26 00:26 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-05-26 00:26 84,480 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-05-26 00:26 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-05-26 00:26 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-05-26 00:26 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-05-26 00:26 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-05-26 00:25 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-05-26 00:22 5,120 ----a-w C:\Windows\System32\wmi.dll
2008-05-26 00:22 152,576 ----a-w C:\Windows\System32\imagehlp.dll
2008-05-26 00:22 12,800 ----a-w C:\Windows\system32\drivers\fs_rec.sys
2008-05-26 00:21 3,505,848 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-05-26 00:21 3,472,056 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-05-26 00:21 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-05-26 00:21 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-26 00:20 750,080 ----a-w C:\Windows\System32\qmgr.dll
2008-05-25 05:02 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-05-25 05:02 549,720 ----a-w C:\Windows\System32\wuapi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-05-26 10:27 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 22:35 125440]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 15:21 1449984]
"VPSKEYS"="C:\Program Files\Vpskeys\vpskeys.exe" [2003-03-29 10:52 102400]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-05 17:06 1506544]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 19:39 486856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:36 201728]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-21 02:46 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 23:42 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-09 02:16 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 20:59 118784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-04-20 11:11 151552]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-03-13 06:37 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-03-13 06:37 7770112]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-03-13 06:37 81920]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 16:11 49152]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]
"IS CfgWiz"="c:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-13 04:28 431752]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 11:36 280064]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 11:36 229376]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-11-24 19:20 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 13:51 65536]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-05-27 16:57 949376]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 22:35 176128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2007-03-08 04:09 44168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.IV41"= ir41_32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F3916E2B-E851-4663-8786-FD8427B34645}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4C79715A-2102-4DC1-AFB9-76CDF7CCDE88}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5A41B53A-7160-4200-AA9D-EED9782126CF}"= UDP:C:\Program Files\DAP\DAP.exe:Download Accelerator Plus (DAP)
"{72CAD6AA-F4C8-4A84-B357-9217F2BAFEA9}"= TCP:C:\Program Files\DAP\DAP.exe:Download Accelerator Plus (DAP)
"{8795AC90-7962-4C55-B6D1-3ADA939F7C08}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{A4ECF843-4D57-4850-838F-F27C5ABFCDCE}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{0F17BF9B-DD5C-4B8A-8F23-E7DEA0BAA054}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"TCP Query User{4AD4C97F-8AC6-4257-B9F6-5C5A96725A5E}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{A08F0011-0332-4E69-9B28-B8AFBB9EC3FC}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{02EBE0BB-1FC1-49E3-B77B-F34FBE220DAB}C:\\program files\\counter-strike 1.6\\hl.exe"= UDP:C:\program files\counter-strike 1.6\hl.exe:Half-Life Launcher
"UDP Query User{FBA6066C-F897-43FB-A8C5-9B4DD3961E4D}C:\\program files\\counter-strike 1.6\\hl.exe"= TCP:C:\program files\counter-strike 1.6\hl.exe:Half-Life Launcher
"TCP Query User{1ADD5A0E-F294-4865-BF34-F6C23597C51D}C:\\program files\\msn messenger\\msnmsgr.exe"= UDP:C:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{B1F6F928-CE81-4D3F-8B9E-0C49DCF2E033}C:\\program files\\msn messenger\\msnmsgr.exe"= TCP:C:\program files\msn messenger\msnmsgr.exe:Messenger
"{CF595D8A-1771-4AC6-BEE8-1388F6019A02}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{9B15480E-CBB6-43CC-BD3F-A9DEEAC977B3}C:\\config.msi\\3ed22a.rbf"= UDP:C:\config.msi\3ed22a.rbf:Messenger
"UDP Query User{D939C4A7-1EEA-4F0E-9E13-EA88217FF042}C:\\config.msi\\3ed22a.rbf"= TCP:C:\config.msi\3ed22a.rbf:Messenger
"{BC2A409E-2EF8-493B-9E81-72E3C410414C}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{C7CEE6AD-C740-4057-9029-A964FD232876}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{14AD6CC5-2983-4E11-AEE3-E5118AE66282}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{56122B06-ED52-4684-8FE2-A80343B4ECBB}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7A8D0FAC-C499-49AF-B7CF-0EA0E993DC84}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{B375358C-BC91-4E6F-96C0-2ADA0761466F}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{2216B950-303A-4922-90A5-B1E2113CAC8B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A3942EEF-DF53-426E-848A-3B4BE6082E0A}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{CE967FC9-B3CC-40B0-9742-06DB7D9ECDC8}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{EEFB178C-B78F-4149-9115-BFE058B7A003}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{06352B0C-A54C-4739-8E12-9B94770F12BA}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E314447B-16D6-4B6A-8E2D-27E669E293C1}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{766B8B3F-0AC6-461E-9277-A44D44E0FCF7}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{9E38B75B-3609-48C7-9990-E6C22BD5581F}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{FE3D2256-CFEE-4B4E-96D9-E81A98556A91}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7EBD1610-3618-4115-BF22-F82131F5FEFE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{7669DF43-9DA5-42E4-A100-77C3EDE8EA95}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{CBA19B3C-8415-48CC-9DBF-937B15F556B3}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"{6EEAE655-F01E-4C6B-A3CE-14DB4A896746}"= UDP:C:\Program Files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{E3A91FC5-AD55-40F8-B7FB-0956D3C2112D}"= TCP:C:\Program Files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{97827C33-DDE8-4021-8096-163793EA62AE}"= UDP:C:\Program Files\Warcraft III\Warcraft III.exe:Warcraft III
"{DFF592DF-7131-49FE-9E3A-BE4786E2E7A4}"= TCP:C:\Program Files\Warcraft III\Warcraft III.exe:Warcraft III
"{8E7112E8-4432-427B-9E1D-60FDA443C3D2}"= UDP:C:\Program Files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{DC5073E2-E530-4549-8F51-035B9F43223C}"= TCP:C:\Program Files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{5544FAA4-5A8A-4907-9BE8-0AA4FADD87BF}"= UDP:C:\Program Files\Hamachi\hamachi.exe:Hamachi
"{A5F98DDE-91C5-414F-84BA-6B1413B4E755}"= TCP:C:\Program Files\Hamachi\hamachi.exe:Hamachi
"{47CCA388-381B-4356-A5C3-17F7532DCF00}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{CE9F7CAA-72BB-41B0-A872-2322C0C6EEC4}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{04A83B3E-23C2-42F6-9768-9CA26ACF7748}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"{FD3AF5CB-2187-4442-89E1-B276B6051907}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{BCC5A517-7D03-4FFC-BFC2-532164CC9E22}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{7D070CE6-C265-4EE0-AA3F-756819C46E4F}C:\\program files\\warcraft iii\\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{734A53F2-4451-48FE-9055-4B5E76E0066F}C:\\program files\\warcraft iii\\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{4AAD2750-3229-4418-AFDB-5CE23B170544}C:\\users\\nikki\\appdata\\local\\temp\\rar$ex00.939\\lancraft.exe"= UDP:C:\users\nikki\appdata\local\temp\rar$ex00.939\lancraft.exe:lancraft.exe
"UDP Query User{C7549CA3-4BAF-4E53-88A0-FDFFB2671D47}C:\\users\\nikki\\appdata\\local\\temp\\rar$ex00.939\\lancraft.exe"= TCP:C:\users\nikki\appdata\local\temp\rar$ex00.939\lancraft.exe:lancraft.exe
"TCP Query User{0C89C8AA-6CC9-43C2-8BB1-B183C97E51E6}C:\\users\\nikki\\appdata\\local\\temp\\rar$ex00.779\\lancraft.exe"= UDP:C:\users\nikki\appdata\local\temp\rar$ex00.779\lancraft.exe:lancraft.exe
"UDP Query User{0A9715D1-369E-41BB-AB5E-7A06B0BE2398}C:\\users\\nikki\\appdata\\local\\temp\\rar$ex00.779\\lancraft.exe"= TCP:C:\users\nikki\appdata\local\temp\rar$ex00.779\lancraft.exe:lancraft.exe
"TCP Query User{DB22B9C5-3917-4C88-AC24-CEFC5369E482}C:\\users\\nikki\\appdata\\local\\temp\\rarsfx1\\hl.exe"= UDP:C:\users\nikki\appdata\local\temp\rarsfx1\hl.exe:hl.exe
"UDP Query User{D6860F7E-E8D1-4B8B-91B0-1E65012CB94E}C:\\users\\nikki\\appdata\\local\\temp\\rarsfx1\\hl.exe"= TCP:C:\users\nikki\appdata\local\temp\rarsfx1\hl.exe:hl.exe
"TCP Query User{0400C5BC-7C0B-4A20-B2DA-5D7283D05F61}C:\\users\\nikki\\appdata\\local\\temp\\rarsfx2\\hl.exe"= UDP:C:\users\nikki\appdata\local\temp\rarsfx2\hl.exe:hl.exe
"UDP Query User{B7E84577-D0B0-4D48-894F-6DAFE01A1044}C:\\users\\nikki\\appdata\\local\\temp\\rarsfx2\\hl.exe"= TCP:C:\users\nikki\appdata\local\temp\rarsfx2\hl.exe:hl.exe
"TCP Query User{26E93973-2199-4124-B9DB-F9901ECB03DE}C:\\users\\nikki\\desktop\\lancraft.exe"= UDP:C:\users\nikki\desktop\lancraft.exe:lancraft.exe
"UDP Query User{943A97A4-2977-4BC8-844D-B72497550526}C:\\users\\nikki\\desktop\\lancraft.exe"= TCP:C:\users\nikki\desktop\lancraft.exe:lancraft.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{680cc04c-b507-11dc-a356-001bfc6995ad}]
\shell\AutoRun\command - .\MigWiz\migsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a264852e-3b1e-11dd-88b2-001bfc6995ad}]
\shell\AutoRun\command - F:\AUTOMENU.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7597ff1-ccc3-11dc-bd1c-001bfc6995ad}]
\shell\AutoRun\command - M:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-27 00:40:33 C:\Windows\Tasks\User_Feed_Synchronization-{493AF5F5-6486-441D-BA94-9DA1C4417550}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-06-27 13:07:15 C:\Windows\Tasks\User_Feed_Synchronization-{B00AC38F-D723-42B8-BF3F-F199818F0956}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 23:31:21
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\Vpskeys\VPSKM32.dll
.
Completion time: 2008-06-27 23:35:45
ComboFix-quarantined-files.txt 2008-06-27 13:35:34

Pre-Run: 185,587,826,688 bytes free
Post-Run: 185,605,058,560 bytes free

363 --- E O F --- 2008-06-26 06:39:21

#4 Thunder


Posted 27 June 2008 - 09:35 AM

Hello XiahWolf

Your ComboFix log looks quite good :thumbsup:

Did you run MBAM as well?

Can I see a fresh HijackThis log, please?

Besides those cookies, which are not that worrying, exactly what other problems are you still having?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#5 XiahWolf

  • Topic Starter

Posted 29 June 2008 - 12:05 AM

Ah, sorry, I forgot to post the other two logs. My bad.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:52 PM, on 29/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Vpskeys\VPSKEYS.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "c:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [VPSKEYS] C:\Program Files\Vpskeys\vpskeys.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 12067 bytes




Malwarebytes' Anti-Malware 1.15
Database version: 842

2:44:57 PM 29/06/2008
mbam-log-6-29-2008 (14-44-57).txt

Scan type: Quick Scan
Objects scanned: 46209
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Aside from the fact that SuperAntiSpyware keeps finding tracking cookies, I'm not having any more trouble.

#6 Thunder


Posted 29 June 2008 - 05:21 AM

Splendid XiahWolf :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command into the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



