
Infected By W32.ircbot And Trojan.lowzones


  • This topic is locked
4 replies to this topic

#1 Chitrank

Chitrank

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 06 June 2008 - 11:16 PM

I actually downloaded a track from LimeWire and it also downloaded W32.Ircbot, and now after some time my PC has also got Trojan.Lowzones.

I read all the instructions and here are the Log files:

MAIN

Deckard's System Scanner v20071014.68
Run by laptop on 2008-06-07 09:32:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
5: 2008-06-06 07:51:05 UTC - RP78 - Windows Update
4: 2008-06-05 16:41:03 UTC - RP77 - Windows Update
3: 2008-06-04 15:20:06 UTC - RP76 - Windows Update
2: 2008-06-01 09:57:32 UTC - RP75 - Scheduled Checkpoint
1: 2008-05-30 16:56:48 UTC - RP74 - Windows Update


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 1022 MiB (1024 MiB recommended).


-- HijackThis (run as laptop.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:52 AM, on 6/7/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Starfield\Desktop Notifier\wben.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Users\laptop\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\laptop.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PluginCamera] C:\Program Files\Intel\Createshare\program\starter.exe -regargs "\\Commands\RegPlug"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\laptop\AppData\Local\Temp\vtUomkjh.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\laptop\AppData\Local\Temp\mlJDSmNF.dll,c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [1e59a1ea] rundll32.exe "C:\Users\laptop\AppData\Local\Temp\faunpfpo.dll",b
O4 - HKCU\..\Run: [BM1d6a9276] Rundll32.exe "C:\Users\laptop\AppData\Local\Temp\trxxbrnh.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = ?
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10153 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\program files\hp\quickplay\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
R2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\program files\hp\quickplay\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-07 08:51:34 420 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{00F764EC-53E8-403D-8A68-7D8BB944555A}.job
2008-05-23 21:08:35 490 --a------ C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - laptop.job


-- Files created between 2008-05-07 and 2008-06-07 -----------------------------

2008-06-07 09:12:25 0 d-------- C:\Program Files\Trend Micro
2008-06-07 09:12:12 0 d-------- C:\New Folder
2008-05-25 19:21:40 56832 --a------ C:\Windows\system32\Iyvu9_32.dll
2008-05-25 19:21:39 27648 --a------ C:\Windows\system32\ir50_lcs.dll <Not Verified; Intel Corporation.; Intel Indeo® video 5.0 LC>
2008-05-25 19:21:39 143872 --a------ C:\Windows\system32\iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2008-05-25 19:21:31 263440 --a------ C:\Windows\system32\OLEMSG32.DLL <Not Verified; Microsoft Corporation; Microsoft Exchange>
2008-05-25 19:21:31 82704 --a------ C:\Windows\system32\GAPI32.DLL <Not Verified; Microsoft Corporation; Microsoft Exchange>
2008-05-25 19:21:25 0 d-------- C:\Galleries
2008-05-25 19:21:22 34304 --a------ C:\Windows\system32\LTTWN80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:22 429056 --a------ C:\Windows\system32\LTKRN80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:22 95744 --a------ C:\Windows\system32\LTIMG80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:22 74752 --a------ C:\Windows\system32\LTFIL80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:22 146432 --a------ C:\Windows\system32\LTEFX80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:22 114688 --a------ C:\Windows\system32\LFTIF80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:22 26112 --a------ C:\Windows\system32\LFMSP80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:22 31232 --a------ C:\Windows\system32\LFLMB80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:22 35840 --a------ C:\Windows\system32\LFLMA80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:22 118784 --a------ C:\Windows\system32\LFKODAK.DLL <Not Verified; ; Reference Implementation>
2008-05-25 19:21:22 91648 --a------ C:\Windows\system32\LFFPX80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:21 338944 --a------ C:\Windows\system32\LFFPX7.DLL <Not Verified; ; Reference Implementation>
2008-05-25 19:21:21 64512 --a------ C:\Windows\system32\LFFAX80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:21 235008 --a------ C:\Windows\system32\LFCMP80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:21 26624 --a------ C:\Windows\system32\LFCAL80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:21:21 33280 --a------ C:\Windows\system32\LFBMP80N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-05-25 19:18:48 147456 --a------ C:\Windows\system32\SmtpX.DLL <Not Verified; Mabry Software, Inc.; Internet SMTP/X COM Object>
2008-05-25 19:18:48 147456 --a------ C:\Windows\system32\MimeX.dll <Not Verified; Mabry Software, Inc.; Mabry MIME/X COM Object>
2008-05-25 19:18:48 77824 --a------ C:\Windows\system32\MabryObj.dll <Not Verified; Mabry Software, Inc.; Mabry StreamObjects Module>
2008-05-25 19:18:48 139264 --a------ C:\Windows\system32\EncodeX.dll <Not Verified; Mabry Software, Inc.; EncX COM Module>
2008-05-25 19:18:14 0 d-------- C:\Program Files\Common Files\Intel Shared
2008-05-25 19:18:11 48640 --a------ C:\Windows\system32\inetwh32.dll <Not Verified; Blue Sky Software; Blue Sky Software - INETWH32>
2008-05-25 19:18:08 54428 --a------ C:\Windows\system32\drivers\ikstream.sys <Not Verified; Intel Corporation; Intel IP Telephony SDK>
2008-05-25 19:17:14 503808 --a------ C:\Windows\system32\InetIPLPX.dll
2008-05-25 19:17:14 512000 --a------ C:\Windows\system32\InetIPLP6.dll
2008-05-25 19:17:14 491520 --a------ C:\Windows\system32\InetIPLP5.dll
2008-05-25 19:17:14 516096 --a------ C:\Windows\system32\InetIPLM6.dll
2008-05-25 19:17:14 495616 --a------ C:\Windows\system32\InetIPLM5.dll
2008-05-25 19:17:14 524288 --a------ C:\Windows\system32\InetIPLA6.dll
2008-05-25 19:17:14 20480 --a------ C:\Windows\system32\InetIPL.dll
2008-05-25 19:17:14 19968 --a------ C:\Windows\system32\Cpuinf32.dll
2008-05-25 19:17:13 372736 --a------ C:\Windows\system32\ijl15.dll <Not Verified; Intel Corporation; Intel® JPEG Library>
2008-05-25 19:16:53 0 d-------- C:\Program Files\Intel
2008-05-23 17:28:48 0 d-------- C:\Users\All Users\Nero
2008-05-23 17:28:48 0 d-------- C:\Program Files\Nero
2008-05-23 17:28:48 0 d-------- C:\Program Files\Common Files\Nero
2008-05-20 21:02:48 0 --a------ C:\Windows\nsreg.dat
2008-05-20 20:08:05 0 d-------- C:\Program Files\Starfield
2008-05-19 20:55:31 0 d-------- C:\Program Files\LimeWire
2008-05-08 16:19:51 0 d-------- C:\Program Files\GNU
2008-05-08 16:16:20 0 d-------- C:\Users\All Users\Real
2008-05-08 16:16:19 0 d-------- C:\Program Files\Real Alternative


-- Find3M Report ---------------------------------------------------------------

2008-06-07 08:51:16 13072 --a------ C:\Users\laptop\AppData\Roaming\nvModes.dat
2008-06-07 08:51:16 13072 --a------ C:\Users\laptop\AppData\Roaming\nvModes.001
2008-06-07 02:04:18 836 --a------ C:\Windows\bthservsdp.dat
2008-06-06 23:09:00 0 d-------- C:\Program Files\Yahoo!
2008-06-06 12:24:34 0 d-------- C:\Users\laptop\AppData\Roaming\LimeWire
2008-05-25 19:21:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-25 19:18:14 0 d-------- C:\Program Files\Common Files
2008-05-25 11:32:47 0 d-------- C:\Users\laptop\AppData\Roaming\Beep Industries
2008-05-23 17:32:47 0 d-------- C:\Users\laptop\AppData\Roaming\Nero
2008-05-20 21:02:45 0 d-------- C:\Users\laptop\AppData\Roaming\Mozilla
2008-05-15 07:59:14 0 d-------- C:\Program Files\Windows Mail
2008-05-08 16:16:20 0 d-------- C:\Users\laptop\AppData\Roaming\Real
2008-05-08 09:00:14 0 d-------- C:\Users\laptop\AppData\Roaming\CyberLink
2008-05-06 20:05:50 0 d-------- C:\Users\laptop\AppData\Roaming\GRETECH
2008-05-06 20:05:29 0 d-------- C:\Program Files\GRETECH
2008-05-04 00:33:18 0 d-------- C:\Program Files\QuickTime
2008-05-03 15:43:26 174 --ahs---- C:\Program Files\desktop.ini
2008-05-03 11:21:00 0 d-------- C:\Program Files\Windows Calendar
2008-05-03 11:20:54 0 d-------- C:\Program Files\Windows Defender
2008-05-03 11:20:48 0 d-------- C:\Program Files\Windows Sidebar
2008-05-03 10:34:00 0 d-------- C:\Program Files\MSXML 4.0
2008-05-03 00:17:04 0 d-------- C:\Users\laptop\AppData\Roaming\Adobe
2008-05-03 00:14:25 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-02 19:57:28 0 d-------- C:\Program Files\Windows Live
2008-05-02 19:56:59 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-02 01:46:05 0 d-------- C:\Users\laptop\AppData\Roaming\muvee Technologies
2008-05-02 01:43:27 0 d-------- C:\Users\laptop\AppData\Roaming\Macromedia
2008-05-02 01:38:51 0 d-------- C:\Program Files\CONEXANT
2008-05-02 01:28:59 0 d-------- C:\Program Files\Hp
2008-05-02 01:20:26 0 d-------- C:\Program Files\HPQ
2008-05-02 01:20:22 0 d-------- C:\Program Files\Common Files\LightScribe
2008-05-02 01:19:13 0 d-------- C:\Program Files\Microsoft Works
2008-05-02 01:14:40 74 --a------ C:\autoexec.bat
2008-05-02 01:14:29 0 d-------- C:\Program Files\DivX
2008-05-02 01:14:06 0 d-------- C:\Program Files\Common Files\muvee Technologies
2008-05-02 01:13:34 0 d-------- C:\Program Files\muvee Technologies
2008-05-02 01:12:25 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-05-02 01:12:05 0 d-------- C:\Program Files\Roxio
2008-05-02 01:08:22 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-05-02 01:06:50 0 d-------- C:\Users\laptop\AppData\Roaming\HP
2008-05-02 01:06:02 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-05-02 00:57:54 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-02 00:57:03 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-02 00:55:39 0 d-------- C:\Users\laptop\AppData\Roaming\Hewlett-Packard
2008-05-02 00:45:20 0 d-------- C:\Program Files\Norton Internet Security
2008-05-02 00:45:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-02 00:13:14 0 d-------- C:\Program Files\Symantec
2008-05-02 00:10:17 0 d-------- C:\Program Files\Oberon Media
2008-05-02 00:09:53 0 d-------- C:\Program Files\Common Files\Oberon Media
2008-05-02 00:03:10 0 d-------- C:\Program Files\Common Files\snp2uvc
2008-05-01 23:51:58 0 d-------- C:\Program Files\Java
2008-05-01 23:51:58 0 d-------- C:\Program Files\Common Files\Java
2008-05-01 23:31:10 0 d-------- C:\Program Files\Broadcom
2008-05-01 23:30:29 0 d-------- C:\Program Files\Synaptics
2008-05-01 23:26:44 0 d-------- C:\Program Files\WIDCOMM
2008-05-01 23:20:00 0 d-------- C:\Program Files\PowerISO
2008-05-01 23:17:01 0 d-------- C:\Users\laptop\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [05/03/2008 11:09 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [03/15/2008 05:20 AM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [11/06/2006 10:58 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/15/2006 03:32 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [11/17/2006 06:37 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [11/17/2006 06:37 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [11/17/2006 06:37 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [05/01/2008 11:52 PM]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [12/04/2006 12:39 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/25/2006 08:38 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [10/27/2006 10:48 AM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [12/02/2006 04:32 PM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [10/18/2006 09:56 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [10/18/2006 09:32 AM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/04/2008 12:31 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [09/20/2007 08:51 AM]
"PluginCamera"="C:\Program Files\Intel\Createshare\program\starter.exe" [08/14/2001 11:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [05/03/2008 10:44 AM]
"wben"="C:\Program Files\Starfield\Desktop Notifier\wben.exe" [11/06/2007 02:12 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [10/23/2007 02:18 PM]
"MSServer"="C:\Users\laptop\AppData\Local\Temp\vtUomkjh.dll,#1" []
"cmds"="C:\Users\laptop\AppData\Local\Temp\mlJDSmNF.dll,c" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"1e59a1ea"="C:\Users\laptop\AppData\Local\Temp\faunpfpo.dll,b" []
"BM1d6a9276"="C:\Users\laptop\AppData\Local\Temp\trxxbrnh.dll,s" []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [11/3/2006 5:55:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\HPUpgrade.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caa8d6fc-2811-11dd-833a-001641c61b2e}]
AutoRun\command- H:\setupSNK.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-07 09:36:48 ------------




EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2050 @ 1.60GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 1021.5 MiB / 274.97 MiB
Pagefile Memory (total/avail): 2295.38 MiB / 1207.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.63 MiB

C: is Fixed (NTFS) - 34.18 GiB total, 16.59 GiB free.
D: is Fixed (NTFS) - 24.41 GiB total, 15.12 GiB free.
E: is Fixed (NTFS) - 34.56 GiB total, 14.98 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST9100824AS ATA Device - 93.16 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 34.18 GiB - C:
\PARTITION1 - Installable File System - 24.41 GiB - D:
\PARTITION2 - Installable File System - 34.56 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: Norton Internet Security v2007 (Symantec Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\laptop\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHITRANK
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\laptop
LOCALAPPDATA=C:\Users\laptop\AppData\Local
LOGONSERVER=\\CHITRANK
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND=Pavilion
PLATFORM=MCD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\laptop\AppData\Local\Temp
TMP=C:\Users\laptop\AppData\Local\Temp
USERDOMAIN=chitrank
USERNAME=laptop
USERPROFILE=C:\Users\laptop
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

laptop


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Common Files\Intel Shared\IP Video Telephony\Setup.exe" uninstall webclient clientid="CS5" clientpath="C:\Program Files\Intel\Createshare\VideoPhone\" inf="VSDKWSetup.inf"
--> "C:\Program Files\Intel\Createshare\Inetcam\uninstall.exe" /s
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25B20E43-4CE3-11D4-AF89-00A0C9E05BC5}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C9DDCE0-66CF-11D4-9100-0090274FBE9A}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68DC5968-0278-11D5-8EAA-00062973342B}\setup.exe" maintflag
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll<UNINSTALL_CMD>
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ASL_HS_Installer32 --> MsiExec.exe /I{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Broadcom 802.11 Wireless LAN Adapter --> "C:\Program Files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Broadcom\Broadcom 802.11\Driver"
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\UIU32a.exe -U -Iwis30B2a.inf
Desktop Notifier --> MsiExec.exe /I{51592ABE-532F-4E96-8AE3-97A5AA0FB5D2}
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
FLV SPLITTER --> "C:\Program Files\GNU\FLVSPLITTER\Uninstall.exe"
Four Houses --> "C:\Program Files\Oberon Media\Four Houses\Uninstall.exe" "C:\Program Files\Oberon Media\Four Houses\install.log"
GOM Player --> "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Hewlett-Packard Active Check --> MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent --> MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Active Support Library --> C:\Program Files\InstallShield Installation Information\{21E62565-8639-457C-B64C-A3FF0A8B4D80}\setup.exe -runfromtemp -l0x0409
HP Customer Experience Enhancements --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Easy Setup - Core --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}\setup.exe" -l0x9
HP Easy Setup - Frontend --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40F7AED3-0C7D-4582-99F6-484A515C73F2}\setup.exe" -l0x9 -removeonly
HP Help and Support --> MsiExec.exe /I{E4DDBA93-769B-49D8-BA33-8814E45ED0C1}
HP Integrated Module with Bluetooth wireless technology 6.0.1.3100 --> MsiExec.exe /X{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}
HP Pavilion Webcam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\setup.exe" -l0x9 -removeonly -u
HP Quick Launch Buttons 6.10 B9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe" -l0x9 uninst
HP QuickPlay 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
HP Wireless Assistant --> MsiExec.exe /I{355FADAF-55C4-4E08-88D4-A86C4CA6930C}
Intel® Create & Share® Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9496E9E4-F20A-11D4-8EAA-00062973342B}\setup.exe" -l0009 maintflag
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LimeWire PRO 4.17.3 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Mahjong Match --> "C:\Program Files\Oberon Media\Mahjong Match\Uninstall.exe" "C:\Program Files\Oberon Media\Mahjong Match\install.log"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
muvee autoProducer 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99C5770C-1C90-42E7-9B74-D47CFAF14621}\setup.exe" -l0x9
Nero 8 --> MsiExec.exe /X{9EDBB857-8028-49CD-B9C9-0B4D10CD1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{3672B097-EA69-4bfe-B92F-29AE6D9D2B34}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_1_0_26\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> C:\Windows\unvise32qt.exe C:\Windows\system32\QuickTime\Uninstall.log
Real Alternative 1.7.5 Lite --> "C:\Program Files\Real Alternative\unins000.exe"
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator Basic v9 --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator EasyArchive --> MsiExec.exe /I{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3 --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD Basic v9 --> MsiExec.exe /I{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}
Scrubbles --> "C:\Program Files\Oberon Media\Scrubbles\Uninstall.exe" "C:\Program Files\Oberon Media\Scrubbles\install.log"
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Treasures of the Deep --> "C:\Program Files\Oberon Media\Treasures of the Deep\Uninstall.exe" "C:\Program Files\Oberon Media\Treasures of the Deep\install.log"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type7125 / Error
Event Submitted/Written: 06/07/2008 09:07:50 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.6000.16549, time stamp 0x46d230c5, faulting module faunpfpo.dll, version 0.0.0.0, time stamp 0x4847fdbe, exception code 0xc0000005, fault offset 0x00010d6b,
process id 0x14dc, application start time 0xexplorer.exe0.

Event Record #/Type7111 / Success
Event Submitted/Written: 06/07/2008 08:50:29 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type7108 / Success
Event Submitted/Written: 06/07/2008 08:50:27 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type7101 / Success
Event Submitted/Written: 06/07/2008 08:50:03 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type7080 / Warning
Event Submitted/Written: 06/07/2008 02:03:59 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3538397710-3839424303-610890729-1000_Classes:
Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3538397710-3839424303-610890729-1000_CLASSES



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27288 / Warning
Event Submitted/Written: 06/07/2008 09:35:14 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%chitrank27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %chitrank27 can't undo changes that you allow.

For more information please see the following:
%chitrank275

Scan ID: {EDFC900C-035C-42DD-9757-900B4CE7EF3C}

User: chitrank\laptop

Name: %chitrank271

ID: %chitrank272

Severity ID: %chitrank273

Category ID: %chitrank274

Path Found: %chitrank276

Alert Type: %chitrank278

Detection Type: 1.1.1505.02

Event Record #/Type27287 / Warning
Event Submitted/Written: 06/07/2008 09:35:15 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%chitrank27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %chitrank27 can't undo changes that you allow.

For more information please see the following:
%chitrank275

Scan ID: {4FA9B672-9C61-4D2C-BE73-0DDADA8ACF6A}

User: chitrank\laptop

Name: %chitrank271

ID: %chitrank272

Severity ID: %chitrank273

Category ID: %chitrank274

Path Found: %chitrank276

Alert Type: %chitrank278

Detection Type: 1.1.1505.02

Event Record #/Type27274 / Warning
Event Submitted/Written: 06/07/2008 08:51:47 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%chitrank27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %chitrank27 can't undo changes that you allow.

For more information please see the following:
%chitrank275

Scan ID: {C404FCD9-823B-4098-A664-E71BF31581F0}

User: chitrank\laptop

Name: %chitrank271

ID: %chitrank272

Severity ID: %chitrank273

Category ID: %chitrank274

Path Found: %chitrank276

Alert Type: %chitrank278

Detection Type: 1.1.1505.02

Event Record #/Type27272 / Warning
Event Submitted/Written: 06/07/2008 08:51:39 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%chitrank27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %chitrank27 can't undo changes that you allow.

For more information please see the following:
%chitrank275

Scan ID: {EBB3706F-FEB8-4DF9-8130-9BCA5EC637FF}

User: chitrank\laptop

Name: %chitrank271

ID: %chitrank272

Severity ID: %chitrank273

Category ID: %chitrank274

Path Found: %chitrank276

Alert Type: %chitrank278

Detection Type: 1.1.1505.02

Event Record #/Type27257 / Warning
Event Submitted/Written: 06/07/2008 08:49:17 AM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down



-- End of Deckard's System Scanner: finished at 2008-06-07 09:36:48 ------------


#2 Thunder


Posted 09 June 2008 - 09:54 AM

Hello Chitrank and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to Start > Run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 Chitrank


Posted 10 June 2008 - 02:11 AM

I followed every step you told me and here is the ComboFix log. There is just one problem I am having: the Phishing Filter of Norton has been damaged, but no problem, it was a 60-day trial. Would you suggest an antivirus for me?




ComboFix 08-06-09.7 - laptop 2008-06-10 11:43:33.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.752 [GMT 5.5:30]
Running from: C:\COMMAND\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\MabryObj.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 06:10 13,072 ----a-w C:\Users\laptop\AppData\Roaming\nvModes.dat
2008-06-10 05:16 --------- d-----w C:\Users\laptop\AppData\Roaming\Malwarebytes
2008-06-10 05:16 --------- d-----w C:\PROGRA~2\Malwarebytes
2008-06-10 05:16 --------- d-----w C:\PROGRA~1\Malwarebytes' Anti-Malware
2008-06-09 14:43 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-06-09 14:43 15,864 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-06-07 16:34 --------- d-----w C:\PROGRA~2\Symantec
2008-06-07 16:34 --------- d-----w C:\PROGRA~1\COMMON~1\Symantec Shared
2008-06-07 06:59 --------- d-----w C:\PROGRA~1\Norton Internet Security
2008-06-07 06:56 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-07 06:56 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-06-07 06:56 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-07 06:56 --------- d-----w C:\PROGRA~1\Symantec
2008-06-07 06:54 --------- d-----w C:\PROGRA~1\Common Files
2008-06-07 03:42 --------- d-----w C:\PROGRA~1\Trend Micro
2008-06-06 17:39 --------- d-----w C:\PROGRA~1\Yahoo!
2008-06-06 06:54 --------- d-----w C:\Users\laptop\AppData\Roaming\LimeWire
2008-05-25 13:51 --------- d--h--w C:\PROGRA~1\InstallShield Installation Information
2008-05-25 13:51 --------- d-----w C:\PROGRA~1\Intel
2008-05-25 13:48 --------- d-----w C:\PROGRA~1\COMMON~1\Intel Shared
2008-05-25 06:02 --------- d-----w C:\Users\laptop\AppData\Roaming\Beep Industries
2008-05-23 12:02 --------- d-----w C:\Users\laptop\AppData\Roaming\Nero
2008-05-23 12:01 --------- d-----w C:\PROGRA~1\COMMON~1\Nero
2008-05-23 11:58 --------- d-----w C:\PROGRA~2\Nero
2008-05-23 11:58 --------- d-----w C:\PROGRA~1\Nero
2008-05-20 14:38 --------- d-----w C:\PROGRA~1\Starfield
2008-05-19 15:25 --------- d-----w C:\PROGRA~1\LimeWire
2008-05-15 02:29 --------- d-----w C:\PROGRA~1\Windows Mail
2008-05-08 10:49 --------- d-----w C:\PROGRA~1\GNU
2008-05-08 10:46 --------- d-----w C:\PROGRA~1\Real Alternative
2008-05-08 03:30 --------- d-----w C:\Users\laptop\AppData\Roaming\CyberLink
2008-05-06 14:36 --------- d-----w C:\PROGRA~2\GRETECH
2008-05-06 14:35 --------- d-----w C:\Users\laptop\AppData\Roaming\GRETECH
2008-05-06 14:35 --------- d-----w C:\PROGRA~1\GRETECH
2008-05-03 19:03 --------- d-----w C:\PROGRA~1\QuickTime
2008-05-03 19:01 --------- d-----w C:\PROGRA~2\QuickTime
2008-05-03 10:13 174 --sha-w C:\PROGRA~1\desktop.ini
2008-05-03 05:51 --------- d-----w C:\PROGRA~1\Windows Calendar
2008-05-03 05:50 --------- d-----w C:\PROGRA~1\Windows Sidebar
2008-05-03 05:50 --------- d-----w C:\PROGRA~1\Windows Defender
2008-05-03 05:45 8,192 ----a-w C:\Windows\System32\riched32.dll
2008-05-03 05:43 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-05-03 05:42 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-05-03 05:42 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-05-03 05:40 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-05-03 05:40 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-05-03 05:38 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-05-03 05:38 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-05-03 05:37 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-05-03 05:37 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-05-03 05:36 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-05-03 05:36 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-05-03 05:36 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-05-03 05:36 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-05-03 05:35 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-05-03 05:35 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-05-03 05:35 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-05-03 05:35 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-05-03 05:35 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-05-03 05:35 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-05-03 05:35 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-05-03 05:35 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-05-03 05:35 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-05-03 05:34 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-05-03 05:34 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-05-03 05:34 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-05-03 05:34 25,656 ----a-w C:\Windows\system32\drivers\msahci.sys
2008-05-03 05:34 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-05-03 05:34 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-05-03 05:34 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-05-03 05:34 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-05-03 05:34 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-05-03 05:33 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-05-03 05:33 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-05-03 05:33 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-05-03 05:32 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2008-05-03 05:32 8,704 ----a-w C:\Windows\System32\hccoin.dll
2008-05-03 05:32 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
2008-05-03 05:32 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
2008-05-03 05:32 23,040 ----a-w C:\Windows\system32\drivers\usbuhci.sys
2008-05-03 05:32 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
2008-05-03 05:32 192,000 ----a-w C:\Windows\system32\drivers\usbhub.sys
2008-05-03 05:31 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-05-03 05:31 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-05-03 05:31 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-05-03 05:31 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-05-03 05:31 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-05-03 05:31 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-05-03 05:29 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
2008-05-03 05:29 13,312 ----a-w C:\Windows\system32\drivers\sffdisk.sys
2008-05-03 05:29 12,800 ----a-w C:\Windows\system32\drivers\sffp_sd.sys
2008-05-03 05:28 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-05-03 05:28 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-05-03 05:28 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-05-03 05:28 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-05-03 05:27 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2008-05-03 05:27 351,232 ----a-w C:\Windows\System32\SLUI.exe
2008-05-03 05:27 33,280 ----a-w C:\Windows\System32\slwmi.dll
2008-05-03 05:27 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-05-03 05:27 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
.
----a-w		   325,204 2006-12-21 15:26:28  C:\swsetup\Camera\WCAMC\FW_210_Silence Install .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-05-03 10:44 1232896]
"wben"="C:\Program Files\Starfield\Desktop Notifier\wben.exe" [2007-11-06 14:12 312024]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 14:18 202024]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-15 05:20 233472]
"QlbCtrl"="C:\PROGRA~1\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 10:58 159744]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 03:32 815104]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-11-17 18:37 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-11-17 18:37 7753728]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-11-17 18:37 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2008-05-01 23:52 77824]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 12:39 46704]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-25 08:38 107112]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-10-27 10:48 22696]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-12-02 16:32 167936]
"WAWifiMessage"="C:\PROGRA~1\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 09:56 317152]
"hpWirelessAssistant"="C:\PROGRA~1\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 09:32 472800]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-04 00:31 77824]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51 1836328]
"PluginCamera"="C:\Program Files\Intel\Createshare\program\starter.exe" [2001-08-14 23:56 49152]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i263_32.drv
"msacm.divxa32"= msaud32_divx.acm
"MSACM.G723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\option]
UseAlternateShell REG_DWORD 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"= cmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CB5391C2-12FA-4388-81EB-EDFAFEB62145}"= UDP:C:\Program Files\Hp\QuickPlay\QP.exe:QP
"{07DDF064-2528-4C26-BA89-D9C958014413}"= TCP:C:\Program Files\Hp\QuickPlay\QP.exe:QP
"{5A349DAD-FD00-4B86-BE68-CCD4FC32B13B}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4246B31F-5C4F-4878-8E44-C52009491196}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{86E9F522-B4D4-403A-A29F-20D236CEEF2C}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{30520BC3-2650-4A3E-ADA9-F1799E5DD10D}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6C3088BB-4761-4774-B2D0-F3925ACFC521}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A03A8E3D-C682-4C89-8D4A-942BD36709A2}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{986F4FD5-7522-4324-82CF-78E9BC81C1CF}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{BAD8C6D4-928F-4B79-96E0-181C9D042553}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

S1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080606.003\IDSvix86.sys [2008-04-04 17:47]
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-21 10:24]
S3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-11-21 10:24]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-21 10:24]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2006-10-25 00:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\HPUpgrade.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caa8d6fc-2811-11dd-833a-001641c61b2e}]
\shell\AutoRun\command - H:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - ECACHE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 11:46:08
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-10 11:46:37
ComboFix-quarantined-files.txt 2008-06-10 06:16:35

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

218 --- E O F --- 2008-06-05 16:42:11
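The "Reg Loading Points" section of the ComboFix log above records several settings a responder would want to check before closing the case: Security Center notifications and monitoring switched off, "EnableFirewall"= 0 in every firewall profile, and AutoRun commands registered for removable volumes. As an added example (not part of this thread, of ComboFix, or of the helper's instructions), here is a small Python triage that parses that section's two value styles and lists those findings; the sample input is constructed from lines quoted in the log above.

```python
"""Triage the security-relevant settings in a ComboFix "Reg Loading Points" section.

Added example, not part of the forum thread or of ComboFix itself.  The sample
text below is constructed from lines quoted in the log in this thread.
"""
import re

# Constructed sample: a subset of the Reg Loading Points section from the log.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\HPUpgrade.exe
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# ComboFix prints values either REGEDIT4-style ("Name"=dword:00000001)
# or decoded ("Name"= 0 (0x0)); accept both and normalise to an int.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*'
    r'(?:dword:(?P<hexval>[0-9a-fA-F]{8})|(?P<decval>\d+)\s*\(0x[0-9a-fA-F]+\))'
)
# AutoRun handlers ComboFix lists under explorer\mountpoints2 subkeys.
AUTORUN_RE = re.compile(r'^\\shell\\AutoRun\\command - (?P<cmd>.+)$')


def parse_reg_points(text):
    """Return ({key: {value_name: int}}, [(key, autorun_command), ...])."""
    values, autoruns = {}, []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group('key')
            values.setdefault(key, {})
            continue
        if key is None or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            if m.group('hexval') is not None:
                val = int(m.group('hexval'), 16)
            else:
                val = int(m.group('decval'))
            values[key][m.group('name')] = val
            continue
        m = AUTORUN_RE.match(line)
        if m:
            autoruns.append((key, m.group('cmd')))
    return values, autoruns


# (key suffix, value name) -> the value that leaves the host less protected.
# Note: a third-party suite may legitimately set some of these; the list is a
# prompt to verify who set them, not a verdict.
WEAK_SETTINGS = {
    ('security center', 'UacDisableNotify'): 1,
    ('security center', 'InternetSettingsDisableNotify'): 1,
    ('security center', 'AutoUpdateDisableNotify'): 1,
    (r'security center\Monitoring', 'DisableMonitoring'): 1,
    (r'firewallpolicy\DomainProfile', 'EnableFirewall'): 0,
    (r'firewallpolicy\StandardProfile', 'EnableFirewall'): 0,
    (r'firewallpolicy\PublicProfile', 'EnableFirewall'): 0,
}


def triage(text):
    """List the weak settings and AutoRun handlers present in a log section."""
    values, autoruns = parse_reg_points(text)
    findings = []
    for key, names in values.items():
        for (suffix, name), weak in WEAK_SETTINGS.items():
            if key.lower().endswith(suffix.lower()) and names.get(name) == weak:
                findings.append(f'{key}: {name}={weak}')
    for key, cmd in autoruns:
        findings.append(f'{key}: AutoRun -> {cmd}')
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```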

#4 Thunder


Posted 10 June 2008 - 03:16 AM

Hello Chitrank,

Aah, Limewire, one of the major infestation sources.
Looks like you got off easy, this time... :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Any problems left?

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:35 AM

Posted 09 July 2008 - 04:46 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
