Virtumonde, Browser Popups, Redirecting Pages


  • This topic is locked
40 replies to this topic

#1 gash
  • Members
  • Location: UK

Posted 11 June 2008 - 03:11 AM

Hi,
I've been getting popups for antivirus program adverts, and sometimes IE hangs with some Chinese stuff overlaying the whole page. First I tried using SmitFraudFix to fix this; it seemed to work, then it just started all over again. Then I moved to the Malwarebytes' Anti-Malware quick scan; it seemed to do the trick, but when I ran it again for the full scan the blue page came up and the system rebooted, and it found one more trojan. I ran it immediately again in safe mode and it removed the trojan, and just for good measure I ran Deckard's System Scanner, ComboFix and Ad-Aware (which still found tracking cookies and removed MRUs). I have the Malwarebytes' logs (1st and 2nd) and the DSS log below. I'm sure I'm missing something, so please help me out...

Malwarebytes' Anti-Malware 1.16
Database version: 845

22:02:55 10/06/2008
mbam-log-6-10-2008 (22-02-55).txt

Scan type: Quick Scan
Objects scanned: 36614
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\127eb1f0 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM114d826c (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Goblar\AppData\Local\Temp\cbXRhEWq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\mlJDVPGx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Goblar\AppData\Local\Temp\byXPFwVL.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Goblar\AppData\Local\Temp\qoMCUMDV.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Goblar\AppData\Local\Temp\qoMgfEUK.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Goblar\AppData\Local\Temp\tmp000343a4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Goblar\AppData\Local\Temp\tmp001719f6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Goblar\AppData\Local\Temp\tmp001bfcd5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Goblar\AppData\Local\Temp\wvUlijiJ.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\Goblar\AppData\Local\Temp\wneofcnj.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Goblar\AppData\Local\Temp\hhjabmdd.dll (Trojan.Agent) -> Delete on reboot.




2nd scan

Malwarebytes' Anti-Malware 1.16
Database version: 845

22:54:06 10/06/2008
mbam-log-6-10-2008 (22-54-06).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 165408
Time elapsed: 23 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM114d826c (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Deckard\System Scanner\20080610180000\backup\Users\Goblar\AppData\Local\Temp\nNETMGab.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


DSS / HijackThis log

Deckard's System Scanner v20071014.68
Run by Goblar on 2008-06-10 23:11:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 1014 MiB (1024 MiB recommended).


-- HijackThis (run as Goblar.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:12:12, on 10/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Novatel Wireless\Mobilink\Lite.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Novatel Wireless\Mobilink\Phoenix.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Users\Goblar\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Goblar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - HKCU\..\Run: [MobiLink Lite] C:\Program Files\Novatel Wireless\MobiLink\Lite.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10166 bytes

-- Files created between 2008-05-10 and 2008-06-10 -----------------------------

2008-06-10 21:45:14 0 d-------- C:\Users\All Users\LightScribe
2008-06-10 20:22:06 0 d-------- C:\Users\Goblar\.SunDownloadManager
2008-06-10 19:21:00 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-06-10 19:12:52 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-10 19:12:51 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-10 10:59:01 6198 --a------ C:\Windows\system32\tmp.reg
2008-06-10 08:15:45 0 d-------- C:\Program Files\Trend Micro
2008-06-09 17:03:27 2560 --a------ C:\Windows\_MSRSTRT.EXE
2008-06-09 14:35:12 0 d-------- C:\Program Files\Novatel Wireless
2008-06-08 15:49:23 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-08 15:24:38 0 d-------- C:\Program Files\uTorrent
2008-06-08 13:51:39 0 d-------- C:\Program Files\MSXML 4.0
2008-06-08 13:41:13 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-08 09:45:13 0 d-------- C:\Program Files\iPod
2008-06-08 09:45:03 0 d-------- C:\Program Files\iTunes
2008-06-08 09:44:12 0 d-------- C:\Program Files\Bonjour
2008-06-08 09:43:35 0 d-------- C:\Program Files\QuickTime
2008-06-08 09:43:34 0 d-------- C:\Users\All Users\Apple Computer
2008-06-08 09:42:53 0 d-------- C:\Program Files\Apple Software Update
2008-06-08 09:42:03 0 d-------- C:\Program Files\Common Files\Apple
2008-06-08 09:42:02 0 d-------- C:\Users\All Users\Apple
2008-06-08 09:40:53 0 d-------- C:\Users\All Users\Yahoo! Companion
2008-06-08 09:40:15 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-08 09:40:07 0 d-------- C:\Program Files\DivX
2008-06-08 09:40:02 0 d-------- C:\Program Files\Yahoo!
2008-06-08 09:38:59 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-06-08 09:29:22 0 d-------- C:\Program Files\NeroInstall.bak
2008-06-08 09:07:50 0 d-------- C:\Users\All Users\Nero
2008-06-08 09:07:50 0 d-------- C:\Program Files\Nero
2008-06-08 09:07:50 0 d-------- C:\Program Files\Common Files\Nero
2008-06-08 08:46:10 0 d--hs---- C:\System Volume Information
2008-06-08 08:40:14 0 d-------- C:\Program Files\Intuwave
2008-06-08 08:40:08 0 d-------- C:\Program Files\Symbian
2008-06-08 08:39:41 0 d-------- C:\Users\All Users\Sony Ericsson
2008-06-08 08:39:41 0 d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2008-06-08 08:39:34 0 d-------- C:\Program Files\Common Files\Teleca Shared
2008-06-08 08:39:33 0 d-------- C:\Users\All Users\Teleca
2008-06-08 08:39:33 0 d-------- C:\Program Files\Sony Ericsson
2008-06-08 02:01:27 0 d-------- C:\Program Files\Lavasoft
2008-06-08 02:01:26 0 d-------- C:\Users\All Users\Lavasoft
2008-06-08 01:55:02 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-06-08 01:55:01 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-06-08 01:55:01 0 d-------- C:\Program Files\Xvid
2008-06-08 01:50:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 01:34:36 0 d-------- C:\Users\All Users\Novatel Wireless
2008-06-08 01:28:29 0 d-------- C:\Users\Goblar\Bluetooth Software
2008-06-08 01:27:47 0 dr------- C:\Users\Goblar\Searches
2008-06-08 01:27:34 0 dr------- C:\Users\Goblar\Contacts
2008-06-08 01:23:06 229376 --a------ C:\Windows\system32\BtwRSupport.dll <Not Verified; Broadcom Corporation.; Bluetooth Software 6.0.1.3700>
2008-06-08 01:22:48 0 d-------- C:\Windows\system32\es-MX
2008-06-08 01:22:48 0 d-------- C:\Windows\system32\es-AR
2008-06-08 01:22:46 0 d-------- C:\Program Files\WIDCOMM
2008-06-08 01:21:12 44 --a------ C:\Windows\system\hpsysdrv.dat
2008-06-08 01:14:45 81 --a------ C:\Windows\system32\LOG
2008-06-08 01:14:11 0 dr------- C:\Users\Goblar\Videos
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\Templates
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\Start Menu
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\SendTo
2008-06-08 01:14:11 0 dr------- C:\Users\Goblar\Saved Games
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\Recent
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\PrintHood
2008-06-08 01:14:11 0 dr------- C:\Users\Goblar\Pictures
2008-06-08 01:14:11 1048576 --ahs---- C:\Users\Goblar\NTUSER.DAT
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\NetHood
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\My Documents
2008-06-08 01:14:11 0 dr------- C:\Users\Goblar\Music
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\Local Settings
2008-06-08 01:14:11 0 dr------- C:\Users\Goblar\Links
2008-06-08 01:14:11 0 dr------- C:\Users\Goblar\Favorites
2008-06-08 01:14:11 0 dr------- C:\Users\Goblar\Downloads
2008-06-08 01:14:11 0 dr------- C:\Users\Goblar\Documents
2008-06-08 01:14:11 0 dr------- C:\Users\Goblar\Desktop
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\Cookies
2008-06-08 01:14:11 0 d--hs---- C:\Users\Goblar\Application Data
2008-06-08 01:14:11 0 d--h----- C:\Users\Goblar\AppData
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\Templates
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\Start Menu
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\SendTo
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\Recent
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\PrintHood
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\NetHood
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\My Documents
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\Local Settings
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\Cookies
2008-06-08 00:46:46 0 d--hs---- C:\Users\Default\Application Data
2008-06-08 00:46:46 0 d--hs---- C:\Users\All Users\Templates
2008-06-08 00:46:46 0 d--hs---- C:\Users\All Users\Start Menu
2008-06-08 00:46:46 0 d--hs---- C:\Users\All Users\Favorites
2008-06-08 00:46:46 0 d--hs---- C:\Users\All Users\Documents
2008-06-08 00:46:46 0 d--hs---- C:\Users\All Users\Desktop
2008-06-08 00:46:46 0 d--hs---- C:\Users\All Users\Application Data
2008-06-08 00:46:46 0 d--hs---- C:\Documents and Settings


-- Find3M Report ---------------------------------------------------------------

2008-06-10 22:56:30 710 --a------ C:\Users\Goblar\AppData\Roaming\wklnhst.dat
2008-06-10 22:04:10 12 --a------ C:\Windows\bthservsdp.dat
2008-06-10 20:54:27 0 d-------- C:\Program Files\Windows Mail
2008-06-10 20:50:08 0 d-------- C:\Program Files\Java
2008-06-10 19:13:01 0 d-------- C:\Users\Goblar\AppData\Roaming\Malwarebytes
2008-06-10 15:51:32 35 --a------ C:\Users\Goblar\AppData\Roaming\SetValue.bat
2008-06-10 15:51:32 691 --a------ C:\Users\Goblar\AppData\Roaming\GetValue.vbs
2008-06-10 13:18:20 0 d-------- C:\Users\Goblar\AppData\Roaming\uTorrent
2008-06-09 19:31:29 0 d-------- C:\Users\Goblar\AppData\Roaming\Template
2008-06-09 08:22:16 0 d-------- C:\Users\Goblar\AppData\Roaming\Teleca
2008-06-08 23:56:34 0 d-------- C:\Users\Goblar\AppData\Roaming\DivX
2008-06-08 15:05:09 174 --ahs---- C:\Program Files\desktop.ini
2008-06-08 15:01:05 0 d-------- C:\Program Files\Windows Calendar
2008-06-08 15:01:03 0 d-------- C:\Program Files\Windows Defender
2008-06-08 14:36:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-08 14:09:16 0 d-------- C:\Program Files\Windows Sidebar
2008-06-08 11:31:43 0 d-------- C:\Program Files\Norton Internet Security
2008-06-08 10:27:33 0 d-------- C:\Program Files\Symantec
2008-06-08 10:26:56 0 d-------- C:\Program Files\Common Files
2008-06-08 09:45:40 0 d-------- C:\Users\Goblar\AppData\Roaming\Apple Computer
2008-06-08 09:40:04 0 d-------- C:\Users\Goblar\AppData\Roaming\Yahoo!
2008-06-08 09:11:56 0 d-------- C:\Users\Goblar\AppData\Roaming\Nero
2008-06-08 08:40:16 0 d-------- C:\Users\Goblar\AppData\Roaming\Sony Ericsson
2008-06-08 08:40:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-08 01:57:11 0 d-------- C:\Users\Goblar\AppData\Roaming\WinRAR
2008-06-08 01:30:16 0 d-------- C:\Users\Goblar\AppData\Roaming\Adobe
2008-06-08 01:27:38 0 d-------- C:\Users\Goblar\AppData\Roaming\Identities
2008-06-08 01:16:51 0 d-------- C:\Users\Goblar\AppData\Roaming\Macromedia
2008-06-08 01:16:20 0 d-------- C:\Users\Goblar\AppData\Roaming\Hewlett-Packard


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
10/06/2008 20:50 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
10/06/2008 20:50 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [08/06/2008 14:32]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [09/10/2006 21:43]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [18/01/2008 19:31]
"RtHDVCpl"="RtHDVCpl.exe" [09/03/2007 18:50 C:\WINDOWS\RtHDVCpl.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [12/02/2007 15:37]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 12:59]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [24/04/2007 02:11]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [13/02/2007 19:38]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [12/03/2007 19:54]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [01/03/2007 21:18]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [11/01/2007 00:12]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [17/02/2005 07:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [10/06/2008 20:50]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/03/2008 00:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 11:36]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [29/01/2008 17:38]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [11/02/2008 20:13]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11/02/2008 20:13]
"Persistence"="C:\Windows\system32\igfxpers.exe" [11/02/2008 20:13]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [09/06/2008 20:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [08/06/2008 13:56]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [02/03/2006 12:54]
"MobiLink Lite"="C:\Program Files\Novatel Wireless\MobiLink\Lite.exe" [11/01/2008 16:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [23/10/2006 09:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [23/10/2006 08:01:50]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [20/12/2006 12:27:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88abd10b-352e-11dd-9430-001e3760c51e}]
AutoRun\command- F:\LiteAuto.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-10 23:12:47 ------------



Thanks a lot
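The two Malwarebytes logs above are worth reading mechanically rather than by eye: the same CLSID appears both as a registered class and as a ShellExecuteHooks value, the Run values carry random eight-character names, and several items are marked "Delete on reboot", which means the scanner could not remove them while they were loaded. The Python below is an added example, not code from this thread or from Malwarebytes. It parses a constructed subset of the first log in the MBAM 1.x layout, summarises detections by family and outcome, lists the items that still need confirming after the reboot, and flags entries by a few heuristics (autostart location, DLL under the user's Temp directory, random-looking name). `SAMPLE_LOG`, the `AUTOSTART_MARKERS` list and the `looks_random_name` heuristic are assumptions made for illustration, not Malwarebytes' own logic.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log.

Added example, not part of the forum post or of Malwarebytes. The sample
below is a constructed subset of the thread's first log, same layout.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.16
Database version: 845

Scan type: Quick Scan
Objects scanned: 36614

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\127eb1f0 (Trojan.Vundo) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Goblar\AppData\Local\Temp\cbXRhEWq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\mlJDVPGx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Goblar\AppData\Local\Temp\wneofcnj.dll (Trojan.Vundo) -> Delete on reboot.
"""

# One detection line: "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers such as "Registry Values Infected:" (the summary block
# at the top of a real log ends with a count, so it does not match).
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")

# Autostart locations seen in the thread's log. Assumption: an
# illustrative list, not an exhaustive catalogue of Windows autostarts.
AUTOSTART_MARKERS = (
    "\\CurrentVersion\\Run\\",
    "\\CurrentVersion\\RunOnce\\",
    "\\Explorer\\ShellExecuteHooks\\",
    "\\Explorer\\Browser Helper Objects\\",
)


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, family, action."""
    section = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return detections


def summarize(detections):
    """Counts by malware family and by what the scanner managed to do."""
    return {
        "by_family": dict(Counter(d["family"] for d in detections)),
        "by_action": dict(Counter(d["action"] for d in detections)),
    }


def pending_after_reboot(detections):
    """Items MBAM could not remove live (locked DLL, Run value of a running
    process). These are the ones a second scan after the reboot must confirm."""
    return [d["item"] for d in detections if d["action"] == "Delete on reboot"]


def looks_random_name(stem):
    """Heuristic for the random 8-character names in this log: eight hex
    digits (127eb1f0) or eight letters of mixed case (cbXRhEWq).
    Assumption: a heuristic; it misses all-lowercase names such as wneofcnj."""
    if len(stem) != 8 or not stem.isalnum():
        return False
    if all(c in "0123456789abcdefABCDEF" for c in stem):
        return True
    return stem.isalpha() and not stem.islower() and not stem.isupper()


def triage(detections):
    """Attach reasons to each detection worth a second look, as (item, reasons)."""
    flagged = []
    for d in detections:
        item = d["item"]
        lower = item.lower()
        reasons = []
        if any(marker.lower() in lower for marker in AUTOSTART_MARKERS):
            reasons.append("autostart location")
        if "\\appdata\\local\\temp\\" in lower and lower.endswith(".dll"):
            reasons.append("DLL in user Temp")
        stem = item.rsplit("\\", 1)[-1].split(".", 1)[0]
        if looks_random_name(stem):
            reasons.append("random-looking name")
        if d["action"] == "Delete on reboot":
            reasons.append("not removed live")
        if reasons:
            flagged.append((item, reasons))
    return flagged


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found))
    for item, why in triage(found):
        print(f"{item}\n    -> {', '.join(why)}")
    print("re-check after reboot:", pending_after_reboot(found))
```

Run it as a script to print the summary, or pass the text of a real mbam-log-*.txt to `parse_mbam_log`. The point of `pending_after_reboot` is visible in the thread itself: the Run value `cmds` was "Delete on reboot" in the first log and only shows as removed in the second, which is exactly why a follow-up scan after the reboot was the right move.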


#2 gash
  • Topic Starter
  • Members

Posted 16 June 2008 - 10:47 AM

I know a queue system is being employed here, but I have things to add to my problem. My system does not show popups anymore; now I sometimes get the blue screen with a system reboot, and my Norton Internet Security 2008 does not respond when I want to start it, not to mention my QuickPlay screen coming on for no reason while I'm typing on the system. There is a blue screen that lasts forever whenever I restart my system, and my desktop background has been changed to a blue screen, I guess the same one that I see when I start the system. Obviously there is still a problem with my system; someone please help me out.

#3 suebaby41
    W.A.M. (Women Against Malware)
  • Malware Response Team

Posted 04 July 2008 - 03:41 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new HijackThis log. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 suebaby41
    W.A.M. (Women Against Malware)
  • Malware Response Team

Posted 13 July 2008 - 09:55 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

#5 gash (Topic Starter)

Posted 22 July 2008 - 07:00 AM

Title was: Trojandropper:win32/delfdru.gen!a, Windows One Care keeps finding this and fails to remove it ~ OB

My 'Windows One Care' keeps coming up with this popup that says it has found this malware and it can't remove it. I have tried running Malwarebytes' Anti-Malware but it doesn't find it, and I still have issues from my last topic that are yet to be resolved. I would appreciate any help or suggestions I get. Thanks.

Edited by Orange Blossom, 22 July 2008 - 04:25 PM.
Merged topics. ~ OB


#6 Orange Blossom, OBleepin Investigator (Moderator, 36,911 posts, Bloomington, IN)

Posted 22 July 2008 - 04:29 PM

I still have issues from my last topic that are yet to be resolved.


Hello gash,

Given the above statement, I have merged your latest topic with your previously existing topic. Please keep all posts regarding this issue to this topic by using the Add Reply button at the bottom of the topic. Starting new topics confuses things and delays the assistance you receive.

As suebaby requested in her initial response, please post a brand-new HiJack This log so she can begin assisting you. Please be sure that you are subscribed to this topic so you get notifications when you receive replies. If you know you will be unable to reply for a few days, please inform your helper.

Back to you suebaby,

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 suebaby41, W.A.M. (Women Against Malware) (Malware Response Team)

Posted 22 July 2008 - 06:42 PM

Thanks, Orange Blossom

#8 gash (Topic Starter)

Posted 24 July 2008 - 01:52 AM

Thanks Orange Blossom and suebaby, will get back to you with the log ASAP. Quite sorry about the new post; I must have missed the email notification amongst all the spam and deleted it by mistake. BRB.

Edited by gash, 24 July 2008 - 12:37 PM.


#9 gash (Topic Starter)

Posted 24 July 2008 - 05:00 AM

Here is the HijackThis file you requested:

Deckard's System Scanner v20071014.68
Run by Goblar on 2008-07-24 10:43:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 1014 MiB (1024 MiB recommended).


-- HijackThis (run as Goblar.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:43, on 24/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Novatel Wireless\Mobilink\Lite.exe
C:\Program Files\Vista Start Menu\VistaStartMenu.exe
C:\Program Files\Novatel Wireless\Mobilink\Phoenix.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Users\Goblar\AppData\Local\Yahoo!\Messenger for Vista\Yahoo.Messenger.YmApp.exe
C:\Users\Goblar\Downloads\dss.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Goblar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MobiLink Lite] C:\Program Files\Novatel Wireless\MobiLink\Lite.exe
O4 - HKCU\..\Run: [Yahoo!MessengerForVista] "C:\Users\Goblar\AppData\Local\Yahoo!\Messenger for Vista\Yahoo.Messenger.YmApp.exe" -startup
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E08A7D2-F516-41EE-BEE0-E0C53D8F55D1}: NameServer = 212.100.67.195 212.100.67.196
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7918 bytes

-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-18 00:12:17 0 d-------- C:\Program Files\Mobile Partner
2008-07-17 04:00:16 0 d-------- C:\Program Files\Apple Software Update
2008-07-12 06:39:54 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-07-12 06:38:37 0 d-------- C:\Program Files\Microsoft.NET
2008-07-12 06:36:38 0 d-------- C:\Users\All Users\Microsoft Help
2008-07-12 06:35:41 0 dr-h----- C:\MSOCache
2008-07-09 15:52:58 0 d-------- C:\Program Files\Vista Start Menu
2008-06-30 14:34:34 0 d------c- C:\Windows\system32\DRVSTORE
2008-06-30 13:18:30 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-06-28 03:36:13 0 d-------- C:\Windows\TweakVI
2008-06-27 11:08:23 0 d-------- C:\Users\All Users\VistaCodecs
2008-06-24 01:23:34 0 d-a------ C:\Users\All Users\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-07-24 10:45:09 0 d-------- C:\Users\Goblar\AppData\Roaming\uTorrent
2008-07-24 10:42:56 0 d-------- C:\Users\Goblar\AppData\Roaming\Vista Start Menu
2008-07-23 10:32:08 836 --a------ C:\Windows\bthservsdp.dat
2008-07-22 13:55:35 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 06:39:58 0 d-------- C:\Program Files\Microsoft Works
2008-07-12 06:39:19 0 d-------- C:\Program Files\Common Files
2008-07-10 13:27:00 1048 --a------ C:\Users\Goblar\AppData\Roaming\wklnhst.dat
2008-07-09 13:04:38 0 d-------- C:\Users\Goblar\AppData\Roaming\Adobe
2008-07-09 12:28:45 0 d-------- C:\Program Files\Windows Mail
2008-07-01 00:05:05 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-30 14:48:08 0 d-------- C:\Program Files\Symantec
2008-06-30 14:35:01 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-16 16:28:34 0 --a------ C:\wsljmpsv
2008-06-15 17:52:39 35 --a------ C:\Users\Goblar\AppData\Roaming\SetValue.bat
2008-06-15 17:52:39 691 --a------ C:\Users\Goblar\AppData\Roaming\GetValue.vbs
2008-06-15 17:52:38 4904 --a------ C:\Windows\system32\tmp.reg
2008-06-15 14:43:36 0 d-------- C:\Users\Goblar\AppData\Roaming\CyberLink
2008-06-15 10:42:27 0 d-------- C:\Users\Goblar\AppData\Roaming\Symantec
2008-06-15 07:49:46 0 d-------- C:\Users\Goblar\AppData\Roaming\Google
2008-06-14 20:53:44 0 d-------- C:\Program Files\Matroska Pack
2008-06-14 18:45:00 0 d-------- C:\Users\Goblar\AppData\Roaming\Real
2008-06-14 18:37:07 0 d-------- C:\Program Files\Common Files\xing shared
2008-06-14 18:37:00 0 d-------- C:\Program Files\Common Files\Real
2008-06-14 18:36:41 0 d-------- C:\Program Files\Real
2008-06-14 18:34:55 0 d-------- C:\Program Files\Google
2008-06-14 03:49:42 0 d-------- C:\Users\Goblar\AppData\Roaming\Apple Computer
2008-06-13 16:44:33 283136 --a------ C:\Windows\Voyager.scr
2008-06-13 12:36:41 0 -rahs---- C:\MSDOS.SYS
2008-06-13 12:36:41 0 -rahs---- C:\IO.SYS
2008-06-11 16:10:06 0 d-------- C:\Users\Goblar\AppData\Roaming\HP
2008-06-11 10:56:05 174 --ahs---- C:\Program Files\desktop.ini
2008-06-11 10:43:41 0 d-------- C:\Program Files\Windows Calendar
2008-06-11 10:43:40 0 d-------- C:\Program Files\Windows Sidebar
2008-06-11 10:43:40 0 d-------- C:\Program Files\Movie Maker
2008-06-11 10:43:37 0 d-------- C:\Program Files\Windows Collaboration
2008-06-11 10:43:36 0 d-------- C:\Program Files\Windows Journal
2008-06-11 10:43:35 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-11 10:43:29 0 d-------- C:\Program Files\Windows Defender
2008-06-10 20:50:08 0 d-------- C:\Program Files\Java
2008-06-10 19:21:03 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-06-10 19:13:01 0 d-------- C:\Users\Goblar\AppData\Roaming\Malwarebytes
2008-06-10 18:27:35 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-06-10 08:15:45 0 d-------- C:\Program Files\Trend Micro
2008-06-09 19:31:29 0 d-------- C:\Users\Goblar\AppData\Roaming\Template
2008-06-09 17:03:28 2560 --a------ C:\Windows\_MSRSTRT.EXE
2008-06-09 14:35:13 0 d-------- C:\Program Files\Novatel Wireless
2008-06-09 08:22:16 0 d-------- C:\Users\Goblar\AppData\Roaming\Teleca
2008-06-08 23:56:34 0 d-------- C:\Users\Goblar\AppData\Roaming\DivX
2008-06-08 15:49:28 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-08 15:24:38 0 d-------- C:\Program Files\uTorrent
2008-06-08 13:51:39 0 d-------- C:\Program Files\MSXML 4.0
2008-06-08 09:45:21 0 d-------- C:\Program Files\iTunes
2008-06-08 09:45:13 0 d-------- C:\Program Files\iPod
2008-06-08 09:44:12 0 d-------- C:\Program Files\Bonjour
2008-06-08 09:44:01 0 d-------- C:\Program Files\QuickTime
2008-06-08 09:42:03 0 d-------- C:\Program Files\Common Files\Apple
2008-06-08 09:40:29 0 d-------- C:\Program Files\DivX
2008-06-08 09:40:06 0 d-------- C:\Program Files\Yahoo!
2008-06-08 09:40:04 0 d-------- C:\Users\Goblar\AppData\Roaming\Yahoo!
2008-06-08 09:29:22 0 d-------- C:\Program Files\NeroInstall.bak
2008-06-08 09:11:56 0 d-------- C:\Users\Goblar\AppData\Roaming\Nero
2008-06-08 09:10:20 0 d-------- C:\Program Files\Common Files\Nero
2008-06-08 09:07:50 0 d-------- C:\Program Files\Nero
2008-06-08 08:40:51 0 d-------- C:\Program Files\Sony Ericsson
2008-06-08 08:40:16 0 d-------- C:\Users\Goblar\AppData\Roaming\Sony Ericsson
2008-06-08 08:40:14 0 d-------- C:\Program Files\Intuwave
2008-06-08 08:40:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-08 08:40:08 0 d-------- C:\Program Files\Symbian
2008-06-08 08:39:49 0 d-------- C:\Program Files\Common Files\Teleca Shared
2008-06-08 08:39:47 0 d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2008-06-08 01:57:11 0 d-------- C:\Users\Goblar\AppData\Roaming\WinRAR
2008-06-08 01:55:02 0 d-------- C:\Program Files\Xvid
2008-06-08 01:27:38 0 d-------- C:\Users\Goblar\AppData\Roaming\Identities
2008-06-08 01:22:46 0 d-------- C:\Program Files\WIDCOMM
2008-06-08 01:16:51 0 d-------- C:\Users\Goblar\AppData\Roaming\Macromedia
2008-06-08 01:16:20 0 d-------- C:\Users\Goblar\AppData\Roaming\Hewlett-Packard
2008-06-08 01:14:45 81 --a------ C:\Windows\system32\LOG
2008-05-29 09:35:36 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-27 10:35:28 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-04-27 10:33:36 765952 --a------ C:\Windows\system32\xvidcore.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
10/06/2008 20:50 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
10/06/2008 20:50 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [28/03/2008 02:05]
"RtHDVCpl"="RtHDVCpl.exe" [09/03/2007 18:50 C:\WINDOWS\RtHDVCpl.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [12/02/2007 15:37]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [13/02/2007 19:38]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [12/03/2007 19:54]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [01/03/2007 21:18]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [11/01/2007 00:12]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [17/02/2005 07:11]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [11/02/2008 20:13]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11/02/2008 20:13]
"Persistence"="C:\Windows\system32\igfxpers.exe" [11/02/2008 20:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [10/06/2008 20:50]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [25/06/2008 06:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"MobiLink Lite"="C:\Program Files\Novatel Wireless\MobiLink\Lite.exe" [11/01/2008 16:05]
"Yahoo!MessengerForVista"="C:\Users\Goblar\AppData\Local\Yahoo!\Messenger for Vista\Yahoo.Messenger.YmApp.exe" [29/04/2008 20:39]
"VistaStartMenu"="C:\Program Files\Vista Start Menu\VistaStartMenu.exe" [09/07/2008 12:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a1e0c70-3ac9-11dd-89f7-001b24d52067}]
AutoRun\command- I:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74daf182-52c4-11dd-b1cc-001b24d52067}]
AutoRun\command- H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88abd10b-352e-11dd-9430-001e3760c51e}]
AutoRun\command- F:\LiteAuto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4964c11-5515-11dd-b322-001b24d52067}]
AutoRun\command- H:\AutoRun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-24 10:48:04 ------------
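The helpers in this thread read a fresh HijackThis log against the previous one and go straight to a few sections (O17 name servers, O23 services with no vendor, anything that appeared since the last scan). As an added example for this thread, not code from any post, from BleepingComputer or from HijackThis itself, here is a small Python triage helper that does exactly that: it parses the R/F/O entries of a HijackThis 2.0 log, diffs two logs, and pulls out those review lists. The two sample logs are constructed from a handful of lines taken from gash's 24 July log above and the 28 July log later in the thread (which adds the Ask Toolbar BHO and toolbar); the function names `parse_log`, `diff_logs`, `nameservers`, `unknown_owner_services` and `counts_by_kind` are this example's own.

```python
"""HijackThis 2.0 log triage: parse entries, diff two scans, and pull out
the sections a helper checks first.  Added example for this thread, not
code from any post or from HijackThis itself."""
import re
from dataclasses import dataclass

# A HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ..." or
# "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass(frozen=True)  # frozen -> hashable, so entries can go in sets for diffing
class Entry:
    kind: str  # section code such as "O2", "O4", "O17", "O23"
    body: str  # everything after "<kind> - "


def parse_log(text):
    """Return the R/F/O entries of a HijackThis log in file order.
    The process list, headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def diff_logs(old, new):
    """Entries only in `new` and only in `old`, each in file order.
    Anything that appeared since the last scan is the first thing to explain."""
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


def nameservers(entries):
    """DNS servers configured per interface (O17).  A resolver the user did
    not set up is a classic hijack, so these are checked against the ISP's
    published servers rather than trusted on sight."""
    found = []
    for e in entries:
        if e.kind != "O17":
            continue
        m = NAMESERVER_RE.search(e.body)
        if m:
            found.extend(m.group("servers").split())
    return found


def unknown_owner_services(entries):
    """O23 services whose binary carries no vendor HijackThis could read.
    Plenty of legitimate OEM services look like this: a review list, not a verdict."""
    return [e for e in entries if e.kind == "O23" and " - Unknown owner - " in e.body]


def counts_by_kind(entries):
    """How many entries each section has; a quick sanity check on a parse."""
    counts = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


# Constructed samples: a few lines from the 24 July log, and the same lines
# plus the two Ask Toolbar entries that show up in the 28 July log.
LOG_24_JULY = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

O1 - Hosts: ::1 localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E08A7D2-F516-41EE-BEE0-E0C53D8F55D1}: NameServer = 212.100.67.195 212.100.67.196
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
"""

LOG_28_JULY = r"""
Logfile of Trend Micro HijackThis v2.0.2

O1 - Hosts: ::1 localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E08A7D2-F516-41EE-BEE0-E0C53D8F55D1}: NameServer = 212.100.67.195 212.100.67.196
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
"""


if __name__ == "__main__":
    old, new = parse_log(LOG_24_JULY), parse_log(LOG_28_JULY)
    added, removed = diff_logs(old, new)
    print("new since last scan:")
    for e in added:
        print(f"  {e.kind} - {e.body}")
    print("gone since last scan:", [e.body for e in removed] or "none")
    print("O17 name servers:", nameservers(new))
    print("O23 services without a vendor:", [e.body for e in unknown_owner_services(new)])
```

Run on the two samples, the diff reports the Ask Toolbar BHO and toolbar as the only entries that appeared between scans, the O17 list shows the two name servers to verify against the ISP, and the CyberLink capture service is the one O23 entry without a vendor string. The diff keys on the whole line, so a path or CLSID that changed for an entry with the same name is reported as one removal and one addition, which is what a helper wants to see.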

#10 suebaby41, W.A.M. (Women Against Malware) (Malware Response Team)

Posted 26 July 2008 - 09:08 PM

Step 1

An antivirus program is an essential part of computer security and you do not appear to have one running on your system. There are a few available for free that have excellent reputations.

AVG 8 Anti-Virus Free Edition

Avast! 4 Home Edition
If needed, see How to Install, Configure, and Use Avast Antivirus

AntiVir Personal

Step 2

A Firewall is an essential part of computer security and you do not appear to have one running on your system. If you have one, and I missed it, please ignore this. If you are relying on the firewall that comes with Vista, then you need to install a third party software firewall. Although Microsoft has improved the Windows Firewall, the Vista Firewall is not much different from Windows Firewall included with Microsoft Windows XP Service Pack 2 except the ability to block outgoing traffic which does not exist in Windows XP. Most of the new features are not available through the firewall's user interface; they are only accessible through the Group Policy Editor. Follow these steps to turn off/disable the Windows Firewall before installing a new firewall.
  • Download the new firewall to your desktop.
  • Disconnect from the Internet.
  • Click Start > Control Panel.
  • Switch to Classic View if you have not already done so.
  • Double click on the Windows Firewall icon.
  • Click Off (Not recommended).
  • Install the new Firewall.
Do not attempt to run two software firewalls since like running two antivirus programs, they will possibly cause problems and conflict with each other.
There are a few firewalls available for free that appear to be good and easy to use:
For more information about firewalls, and why a two-way firewall is better than the Windows XP one-way firewall, please read Understanding and Using Firewalls.

Step 3

A word of caution: I noticed that you have the P2P program uTorrent.

Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple: file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

Here are some links for you to take a look at to see some of the ramifications of P2P's:

http://www.pcworld.com/article/id,126230-p...le.html?RSS=RSS

http://www.eweek.com/article2/0,1895,1980963,00.asp

http://www.techpowerup.com/index.php?41354

Step 4

Please post a new HijackThis log.

#11 gash (Topic Starter)

Posted 27 July 2008 - 04:05 AM

In other words, the 'Windows Live OneCare' security package is not sufficient, because I was under the impression it provides live protection against viruses, spyware and malware with the Windows firewall and Windows Defender. On installing it (Windows Live OneCare), it requested that I uninstall the NIS2008 and Ad-Aware 2007 I had running on the system. I will install a third-party firewall and get a new anti-virus program, to see what happens.

Edited by gash, 27 July 2008 - 04:30 AM.


#12 suebaby41, W.A.M. (Women Against Malware) (Malware Response Team)

Posted 27 July 2008 - 02:50 PM

Please post a new HijackThis log.

#13 gash (Topic Starter)

Posted 28 July 2008 - 04:10 AM

Here is the new log.
Windows Live OneCare has its own firewall, different from Windows Firewall, and an antivirus program as well.

Deckard's System Scanner v20071014.68
Run by Goblar on 2008-07-28 09:30:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 1014 MiB (1024 MiB recommended).


-- HijackThis (run as Goblar.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:32:13, on 28/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Novatel Wireless\Mobilink\Lite.exe
C:\Users\Goblar\AppData\Local\Yahoo!\Messenger for Vista\Yahoo.Messenger.YmApp.exe
C:\Program Files\Vista Start Menu\VistaStartMenu.exe
C:\Program Files\Novatel Wireless\Mobilink\Phoenix.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSNotifyE.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\system32\rundll32.exe
C:\Users\Goblar\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Goblar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MobiLink Lite] C:\Program Files\Novatel Wireless\MobiLink\Lite.exe
O4 - HKCU\..\Run: [Yahoo!MessengerForVista] "C:\Users\Goblar\AppData\Local\Yahoo!\Messenger for Vista\Yahoo.Messenger.YmApp.exe" -startup
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E08A7D2-F516-41EE-BEE0-E0C53D8F55D1}: NameServer = 212.100.67.195 212.100.67.196
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll C:\Windows\system32\cssdll32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9519 bytes

-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-28 03:47:11 0 d-------- C:\Program Files\Alwil Software
2008-07-28 02:54:13 0 d-------- C:\Program Files\AskSBar
2008-07-28 02:53:35 0 d-------- C:\Windows\LastGood.Tmp
2008-07-28 02:50:59 0 d-------- C:\Users\All Users\comodo
2008-07-28 02:50:55 0 d-------- C:\Program Files\COMODO
2008-07-25 04:23:39 0 d-------- C:\Program Files\iPod
2008-07-25 04:23:30 0 d-------- C:\Program Files\iTunes
2008-07-25 04:21:48 0 d-------- C:\Program Files\QuickTime
2008-07-25 02:24:05 0 d-------- C:\Program Files\Safari
2008-07-24 22:49:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 18:51:19 0 d-------- C:\Program Files\Any Video Converter
2008-07-18 00:12:17 0 d-------- C:\Program Files\Mobile Partner
2008-07-17 04:00:16 0 d-------- C:\Program Files\Apple Software Update
2008-07-12 06:39:54 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-07-12 06:38:37 0 d-------- C:\Program Files\Microsoft.NET
2008-07-12 06:36:38 0 d-------- C:\Users\All Users\Microsoft Help
2008-07-12 06:35:41 0 dr-h----- C:\MSOCache
2008-07-09 15:52:58 0 d-------- C:\Program Files\Vista Start Menu
2008-06-30 14:34:34 0 d------c- C:\Windows\system32\DRVSTORE
2008-06-30 13:18:30 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-06-28 03:36:13 0 d-------- C:\Windows\TweakVI


-- Find3M Report ---------------------------------------------------------------

2008-07-28 03:48:40 836 --a------ C:\Windows\bthservsdp.dat
2008-07-28 02:51:00 0 d-------- C:\Users\Goblar\AppData\Roaming\Comodo
2008-07-28 00:25:24 0 d-------- C:\Users\Goblar\AppData\Roaming\Vista Start Menu
2008-07-27 17:48:46 0 d-------- C:\Users\Goblar\AppData\Roaming\uTorrent
2008-07-25 08:37:41 0 d-------- C:\Users\Goblar\AppData\Roaming\Apple Computer
2008-07-24 22:49:30 0 d-------- C:\Program Files\Common Files
2008-07-24 18:53:17 0 d-------- C:\Users\Goblar\AppData\Roaming\Any Video Converter
2008-07-24 17:43:45 0 d-------- C:\Users\Goblar\AppData\Roaming\NeroDigital™
2008-07-22 13:55:35 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 06:39:58 0 d-------- C:\Program Files\Microsoft Works
2008-07-10 13:27:00 1048 --a------ C:\Users\Goblar\AppData\Roaming\wklnhst.dat
2008-07-09 13:04:38 0 d-------- C:\Users\Goblar\AppData\Roaming\Adobe
2008-07-09 12:28:45 0 d-------- C:\Program Files\Windows Mail
2008-07-01 00:05:05 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-30 14:48:08 0 d-------- C:\Program Files\Symantec
2008-06-30 14:35:01 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-16 16:28:34 0 --a------ C:\wsljmpsv
2008-06-15 17:52:39 35 --a------ C:\Users\Goblar\AppData\Roaming\SetValue.bat
2008-06-15 17:52:39 691 --a------ C:\Users\Goblar\AppData\Roaming\GetValue.vbs
2008-06-15 17:52:38 4904 --a------ C:\Windows\system32\tmp.reg
2008-06-15 14:43:36 0 d-------- C:\Users\Goblar\AppData\Roaming\CyberLink
2008-06-15 10:42:27 0 d-------- C:\Users\Goblar\AppData\Roaming\Symantec
2008-06-15 07:49:46 0 d-------- C:\Users\Goblar\AppData\Roaming\Google
2008-06-14 20:53:44 0 d-------- C:\Program Files\Matroska Pack
2008-06-14 18:45:00 0 d-------- C:\Users\Goblar\AppData\Roaming\Real
2008-06-14 18:37:07 0 d-------- C:\Program Files\Common Files\xing shared
2008-06-14 18:37:00 0 d-------- C:\Program Files\Common Files\Real
2008-06-14 18:36:41 0 d-------- C:\Program Files\Real
2008-06-14 18:34:55 0 d-------- C:\Program Files\Google
2008-06-13 16:44:33 283136 --a------ C:\Windows\Voyager.scr
2008-06-13 12:36:41 0 -rahs---- C:\MSDOS.SYS
2008-06-13 12:36:41 0 -rahs---- C:\IO.SYS
2008-06-11 16:10:06 0 d-------- C:\Users\Goblar\AppData\Roaming\HP
2008-06-11 10:56:05 174 --ahs---- C:\Program Files\desktop.ini
2008-06-11 10:43:41 0 d-------- C:\Program Files\Windows Calendar
2008-06-11 10:43:40 0 d-------- C:\Program Files\Windows Sidebar
2008-06-11 10:43:40 0 d-------- C:\Program Files\Movie Maker
2008-06-11 10:43:37 0 d-------- C:\Program Files\Windows Collaboration
2008-06-11 10:43:36 0 d-------- C:\Program Files\Windows Journal
2008-06-11 10:43:35 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-11 10:43:29 0 d-------- C:\Program Files\Windows Defender
2008-06-10 20:50:08 0 d-------- C:\Program Files\Java
2008-06-10 19:21:03 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-06-10 19:13:01 0 d-------- C:\Users\Goblar\AppData\Roaming\Malwarebytes
2008-06-10 18:27:35 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-06-10 08:15:45 0 d-------- C:\Program Files\Trend Micro
2008-06-09 19:31:29 0 d-------- C:\Users\Goblar\AppData\Roaming\Template
2008-06-09 17:03:28 2560 --a------ C:\Windows\_MSRSTRT.EXE
2008-06-09 14:35:13 0 d-------- C:\Program Files\Novatel Wireless
2008-06-09 08:22:16 0 d-------- C:\Users\Goblar\AppData\Roaming\Teleca
2008-06-08 23:56:34 0 d-------- C:\Users\Goblar\AppData\Roaming\DivX
2008-06-08 15:49:28 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-08 15:24:38 0 d-------- C:\Program Files\uTorrent
2008-06-08 13:51:39 0 d-------- C:\Program Files\MSXML 4.0
2008-06-08 09:44:12 0 d-------- C:\Program Files\Bonjour
2008-06-08 09:42:03 0 d-------- C:\Program Files\Common Files\Apple
2008-06-08 09:40:29 0 d-------- C:\Program Files\DivX
2008-06-08 09:40:06 0 d-------- C:\Program Files\Yahoo!
2008-06-08 09:40:04 0 d-------- C:\Users\Goblar\AppData\Roaming\Yahoo!
2008-06-08 09:29:22 0 d-------- C:\Program Files\NeroInstall.bak
2008-06-08 09:11:56 0 d-------- C:\Users\Goblar\AppData\Roaming\Nero
2008-06-08 09:10:20 0 d-------- C:\Program Files\Common Files\Nero
2008-06-08 09:07:50 0 d-------- C:\Program Files\Nero
2008-06-08 08:40:51 0 d-------- C:\Program Files\Sony Ericsson
2008-06-08 08:40:16 0 d-------- C:\Users\Goblar\AppData\Roaming\Sony Ericsson
2008-06-08 08:40:14 0 d-------- C:\Program Files\Intuwave
2008-06-08 08:40:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-08 08:40:08 0 d-------- C:\Program Files\Symbian
2008-06-08 08:39:49 0 d-------- C:\Program Files\Common Files\Teleca Shared
2008-06-08 08:39:47 0 d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2008-06-08 01:57:11 0 d-------- C:\Users\Goblar\AppData\Roaming\WinRAR
2008-06-08 01:55:02 0 d-------- C:\Program Files\Xvid
2008-06-08 01:27:38 0 d-------- C:\Users\Goblar\AppData\Roaming\Identities
2008-06-08 01:22:46 0 d-------- C:\Program Files\WIDCOMM
2008-06-08 01:16:51 0 d-------- C:\Users\Goblar\AppData\Roaming\Macromedia
2008-06-08 01:16:20 0 d-------- C:\Users\Goblar\AppData\Roaming\Hewlett-Packard
2008-06-08 01:14:45 81 --a------ C:\Windows\system32\LOG
2008-05-29 09:35:36 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [28/03/2008 02:05]
"RtHDVCpl"="RtHDVCpl.exe" [09/03/2007 18:50 C:\WINDOWS\RtHDVCpl.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [12/02/2007 15:37]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [13/02/2007 19:38]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [12/03/2007 19:54]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [01/03/2007 21:18]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [11/01/2007 00:12]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [17/02/2005 07:11]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [11/02/2008 20:13]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11/02/2008 20:13]
"Persistence"="C:\Windows\system32\igfxpers.exe" [11/02/2008 20:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [10/06/2008 20:50]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [25/06/2008 06:48]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [10/07/2008 09:47]
"COMODO SafeSurf"="C:\Program Files\COMODO\SafeSurf\cssurf.exe" [28/07/2008 02:54]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [28/07/2008 02:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19/07/2008 15:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"MobiLink Lite"="C:\Program Files\Novatel Wireless\MobiLink\Lite.exe" [11/01/2008 16:05]
"Yahoo!MessengerForVista"="C:\Users\Goblar\AppData\Local\Yahoo!\Messenger for Vista\Yahoo.Messenger.YmApp.exe" [29/04/2008 20:39]
"VistaStartMenu"="C:\Program Files\Vista Start Menu\VistaStartMenu.exe" [09/07/2008 12:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\Windows\system32\guard32.dll C:\Windows\system32\cssdll32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a1e0c70-3ac9-11dd-89f7-001b24d52067}]
AutoRun\command- I:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74daf182-52c4-11dd-b1cc-001b24d52067}]
AutoRun\command- H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88abd10b-352e-11dd-9430-001e3760c51e}]
AutoRun\command- F:\LiteAuto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4964c11-5515-11dd-b322-001b24d52067}]
AutoRun\command- H:\AutoRun.exe

*Newly Created Service* - ASWFSBLK
*Newly Created Service* - ASWMONFLT
*Newly Created Service* - ASWRDR
*Newly Created Service* - ASWSP
*Newly Created Service* - ASWTDI
*Newly Created Service* - CMDGUARD
*Newly Created Service* - CMDHLP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-28 09:41:41 ------------

#14 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:04:47 AM

Posted 28 July 2008 - 12:06 PM

I goofed. Please uninstall either Avast4 and Comodo Firewall Pro or Windows Live Care. Windows Live Care has an antivirus and a firewall program. Did you purchase Windows Live Care or are you using an evaluation copy? If you are using an evaluation copy, uninstalling Windows Live Care would be your best option.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#15 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:04:47 AM

Posted 28 July 2008 - 02:02 PM

I did not see any obvious signs of malware in your HijackThis log. I do have some suggestions.

At some time when you were doing your own cleaning, you must have removed the Trojandropper:win32/delfdru.gen!.a. If you want to be sure, you may run the A-Squared Free program which targets trojans.

Please download a-squared Free 3.5.
  • Follow all the instructions given by the installer.
  • Once installed, the a-squared Updater will automatically start. Downloading updates will take some time.
  • Please go to Start > Programs > a-squared Free and click a-squared StartCenter.
  • Click Scan your computer for malware infections.
  • Make sure all three setting options are checked. Click Scan selected folders. The scan will start.
  • Click Save HTML-Report. Save the report to somewhere convenient for you to remember the location such as your desktop.
  • If malware is found, click the button Remove Selected Malware.
  • Please post the log from a-squared Free 3.5 in your next reply.
To continue to use a-squared Free 3.5, you will need to use the a-squared Updater to manually update the program. Click Security Status > Update Now. The a-squared Free 3.5 program contains only the basic scanner. Background Guard, Automatic Updates, Scheduled Scans and HiJackFree are only available with the a-squared Anti-Malware 3.5 ("pay for use") software.

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

I noticed that you have some programs that need to be updated.

Step 2

The latest version is Java Runtime Environment (JRE) 6 Update 7

Your Java Runtime Environment is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older versions of Java Runtime Environment.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer after all Java components are removed.
Please download the latest Java Runtime Environment.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 7. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right. When a new window opens, you will see
    NOTE: This page offers files for different platforms - please be sure to download the proper file(s) for your platform.
    Required: You must accept the license agreement to download the product.
  • Click to place a check mark by Accept License Agreement.
  • Make the selection corresponding to your computer platform. For Windows, click on the Windows Offline Installation, Multi-language link to download. Save it to your desktop.
  • On your desktop, double-click on jre-6u7-windows-i586-p.exe to install the newest version.
After you have installed the Java software on your computer, you must restart your browser. You can verify that Java Runtime Environment (RTE) has been installed correctly by clicking on the Verify Installation button on the Welcome To Java and Verify Installation page.

Step 3

Make sure you have the latest version of "Adobe Reader".
You may want to download the latest version, Adobe® Reader® 8.

Step 4

In normal mode, run an online antivirus check from at least two and preferably three of the following sites:
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require ActiveX to run.
  • Detects and removes malware ( viruses, worms, trojans, etc. )
  • Detects and removes grayware and spyware
  • Restores damage caused by malware to your system.
  • Notifies about vulnerabilities in installed programs and connected network services.
  • Multi-platform support for: Windows, Linux, Solaris.
  • Easy to use with Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 5

Please download Spybot-S&D.
Please check this link, Using Spybot- Search and Destroy To Remove Spyware From Your Computer, for instructions on how to download, install and use Spybot-S&D. Run this program as soon as possible.

Step 6

I recommend using Spyware Blaster.
Please download SpywareBlaster. SpywareBlaster helps to:
  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
Please see Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware for instructions on how to download, install, and use SpywareBlaster.

Step 7

CCleaner is a tool for cleaning temporary files stored on your computer which may help improve performance.
  • Please download CCleaner
  • Starting with v1.27.260, "CCleaner" installs the "Yahoo Toolbar" as an option which IS checked by default during the installation. IF you do NOT want it, REMOVE the check when provided with the option OR download the toolbar free Basic version instead of the Standard Build.
  • Unzip the file to install.
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours.
  • Select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies.
      • Clean all the entries in the Windows Explorer section.
      • Clean all entries in the System section.
      • Clean all entries in the Advanced section.
      • Clean any others that you choose.
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it.
      • Clean all in the Opera section if you use it.
      • Clean Sun Java in the Internet Section.
      • Clean any others that you choose.
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK. CCleaner will scan and clean your system.
  • Click Exit when done.
Do not run it yet.
CAUTION: Please use the "Issues" button ONLY if you know how to use it. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

Step 8

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 9

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if they apply to your computer problem with being slow to respond.
Slow Computer: Check here first, it may not be malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 10

Let’s run CCleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 11

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the list of file names and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.

Edited by suebaby41, 28 July 2008 - 02:06 PM.

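As an added example (not code from this thread, from HijackThis, or from BleepingComputer), the Python script below parses the O4, O20 and O23 lines of a HijackThis log like the one posted above and sorts each startup entry by where its binary lives, which is the question both the HijackThis fixes and the Optional Fixes discussion turn on. The sample lines are copied from the log posted in this thread, except the [example] Run entry, which is a hypothetical line added to show what a flagged result looks like; the location heuristics are my own and say nothing about a file's reputation, only that an entry deserves a second look.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis 2.0.2 log format. Every line except the
# [example] entry is copied from the log posted earlier in this thread; the
# [example] Run entry is hypothetical and exists only to show a flagged result.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Yahoo!MessengerForVista] "C:\Users\Goblar\AppData\Local\Yahoo!\Messenger for Vista\Yahoo.Messenger.YmApp.exe" -startup
O4 - HKCU\..\Run: [example] C:\Users\Goblar\AppData\Local\Temp\example.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll C:\Windows\system32\cssdll32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
"""

# O4 lines look like: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First executable or script path inside a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|bat|cmd|scr|vbs))',
                    re.IGNORECASE)


@dataclass
class Entry:
    section: str   # HijackThis section: O4, O20 or O23
    location: str  # hive\key for O4, "AppInit_DLLs" for O20, "Service" for O23
    name: str
    path: str
    verdict: str   # "normal: ...", "review: ..." or "high: ..."

    @property
    def flagged(self) -> bool:
        return not self.verdict.startswith('normal')


def classify_path(path: str) -> str:
    """Rank a startup binary by where it lives (location only, not reputation)."""
    p = path.lower()
    if '\\' not in p:
        return 'review: bare executable name, resolved through the PATH search order'
    if '\\temp\\' in p or '\\tmp\\' in p:
        return 'high: runs from a temporary directory'
    if '\\appdata\\' in p or '\\users\\' in p or '\\documents and settings\\' in p:
        return 'review: runs from a user profile directory'
    if (p.startswith('%programfiles%') or '\\program files' in p
            or p.startswith('%windir%') or '\\windows\\' in p or '\\winnt\\' in p):
        return 'normal: program files or windows directory'
    return 'review: unusual location'


def executable_of(cmd: str) -> str:
    m = EXE_RE.match(cmd)
    return m.group('path') if m else cmd.split()[0]


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = executable_of(m.group('cmd'))
            entries.append(Entry('O4', f"{m.group('hive')}\\{m.group('key')}",
                                 m.group('name'), path, classify_path(path)))
        elif line.startswith('O20 - AppInit_DLLs: '):
            # Each DLL listed here is loaded into every process that loads
            # user32.dll, so every entry gets a look. (Split on spaces: a path
            # containing spaces in this field would need a smarter split.)
            for dll in line[len('O20 - AppInit_DLLs: '):].split():
                entries.append(Entry('O20', 'AppInit_DLLs', dll.rsplit('\\', 1)[-1],
                                     dll, 'review: AppInit_DLLs entry loaded into user32 processes'))
        elif line.startswith('O23 - Service: '):
            parts = line[len('O23 - Service: '):].rsplit(' - ', 2)
            if len(parts) == 3:
                display, company, path = parts
                verdict = ('review: service binary has no known publisher (Unknown owner)'
                           if company.lower() == 'unknown owner' else classify_path(path))
                entries.append(Entry('O23', 'Service', display, path, verdict))
    return entries


def flagged_names(text: str) -> List[str]:
    """Names of the entries worth a second look, in log order."""
    return [e.name for e in parse_hjt(text) if e.flagged]


if __name__ == '__main__':
    for e in parse_hjt(SAMPLE_LOG):
        print(f"{e.section:<4}{e.location:<18}{e.name:<48}{e.verdict}")
```

Run it against a saved hijackthis.log by reading the file into parse_hjt in place of SAMPLE_LOG. A "review" verdict is a prompt to check the publisher and install date, as the log above does for Yahoo! Messenger (a per-user install under AppData that is perfectly ordinary); "high" marks binaries started from a temp directory, which legitimate installers rarely leave behind.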
