
Infected With Trojan-downloader.win32.agent.bq


  • This topic is locked
13 replies to this topic

#1 blue97

blue97

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 28 August 2008 - 01:39 PM

Symptoms:

Background replaced with spyware notification.
"Windows Security Alert" pops up periodically saying that a windows firewall has detected activity of harmful software
"Enable protection link" to spyware removal program.
Bit Defender (housecall had problems with download)
McAfee Stinger

Also known as Trojan-Spy.HTML.Bankfraud.dq

I have run:

Adaware
Spybot
Cleaned temp files

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:06 AM, on 8/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\ProgramData\WebCmd\hutqnups.exe
C:\ProgramData\tofixwjs\rivalkbk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Vongo\Tray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\ProgramData\MntWebSys\fyjcjafw.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe
O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe
O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcHlpApl] C:\ProgramData\ProcHlpApl\psxepmvu.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.cnn.com
O15 - Trusted Zone: http://www.ringfactory.net
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9733 bytes
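As an added example (not code from this thread, from HijackThis or from BleepingComputer), the following Python script applies, to lines copied from the log above, the checks a helper performs by eye: autostart entries and running processes launched from the ProgramData folder, orphaned BHOs, Trusted Zone additions, and generated-looking Run value names. The folder list, the name pattern and the severities are this example's own assumptions.

```python
"""Triage a HijackThis v2 log for the indicators this thread turns on.

Added example; not code from the BleepingComputer thread or from HijackThis.
The rules below are this example's own heuristics, not HijackThis logic:
  * O4 autostart entries, and running processes, whose executable sits under
    the ProgramData / All Users data folders (vendors keep executables under
    Program Files), with each such process matched back to an O4 entry;
  * O2 BHO entries with "(no file)", i.e. orphaned CLSIDs left behind;
  * O15 Trusted Zone additions, which relax IE security for that site;
  * O4 value names that look machine-generated: all lowercase with a digit
    embedded mid-name and equal to the file's basename (lphca5tj0etst).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section detail")

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Windows Defender\MSASCui.exe
C:\ProgramData\WebCmd\hutqnups.exe
C:\ProgramData\MntWebSys\fyjcjafw.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe
O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe
O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe
O15 - Trusted Zone: http://www.ringfactory.net
"""

# First drive-letter (or %VAR%) path ending in .exe/.dll inside a Run command,
# ignoring surrounding quotes and trailing arguments such as "/autoRun".
PATH_RE = re.compile(r'((?:[A-Za-z]:|%[A-Za-z]+%)\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<site>\S+)$')
# Assumed list of data folders that should not host autostarted executables.
DATA_DIRS = ("c:\\programdata\\", "c:\\users\\all users\\", "%programdata%\\")
# Assumed pattern: lowercase letters with at least one digit embedded mid-name.
GENERATED_NAME_RE = re.compile(r"[a-z]+\d[a-z0-9]*[a-z]")


def command_path(cmd):
    m = PATH_RE.search(cmd)
    return m.group(1) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1]


def in_data_dir(path):
    return path.lower().startswith(DATA_DIRS)


def triage(log_text):
    """Return a list of Finding tuples for the suspicious lines in a HJT log."""
    findings = []
    autostart_paths = set()
    running = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            running.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            if path is None:          # e.g. rundll32.exe with a bare DLL name
                continue
            autostart_paths.add(path.lower())
            stem = basename(path).rsplit(".", 1)[0]
            if in_data_dir(path):
                findings.append(Finding("high", "O4", f"autostart from data folder: [{m.group('name')}] {path}"))
            elif GENERATED_NAME_RE.fullmatch(stem) and m.group("name") == stem:
                findings.append(Finding("high", "O4", f"generated-looking autostart name: [{m.group('name')}] {path}"))
            continue
        m = O2_RE.match(line)
        if m and m.group("file") == "(no file)":
            findings.append(Finding("low", "O2", f"orphaned BHO {m.group('clsid')}"))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(Finding("medium", "O15", f"trusted zone entry: {m.group('site')}"))
    # A data-folder process with no O4 entry is persisting some other way
    # (service, scheduled task, ...), which is worth knowing before cleanup.
    for proc in running:
        if in_data_dir(proc):
            note = "matches an O4 entry" if proc.lower() in autostart_paths else "no O4 entry; check services/other autostarts"
            findings.append(Finding("high", "process", f"running from data folder: {proc} ({note})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:8} {f.detail}")
```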



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:47 PM

Posted 30 August 2008 - 02:58 AM

Hello Blue97 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, and you're notified a more current version is available, please download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#3 blue97

blue97
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 30 August 2008 - 08:21 AM

Thank you, Thunder.

Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:06 AM, on 8/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\ProgramData\WebCmd\hutqnups.exe
C:\ProgramData\tofixwjs\rivalkbk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Vongo\Tray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\ProgramData\MntWebSys\fyjcjafw.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe
O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe
O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcHlpApl] C:\ProgramData\ProcHlpApl\psxepmvu.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.cnn.com
O15 - Trusted Zone: http://www.ringfactory.net
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9733 bytes

Here is the Combofix log

ComboFix 08-08-29.02 - mwilk 2008-08-30 7:50:39.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.340 [GMT -5:00]
Running from: C:\Users\mwilk\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3RXBHV6N\bin.clearspring.com
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3RXBHV6N\bin.clearspring.com\clearspring.sol
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3RXBHV6N\interclick.com
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3RXBHV6N\interclick.com\ud.sol
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\mwilk\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-30 07:43 . 2008-08-30 07:43 <DIR> d-------- C:\Users\All Users\webenmsg
2008-08-30 07:43 . 2008-08-30 07:43 <DIR> d-------- C:\Users\All Users\GenInfo
2008-08-30 07:43 . 2008-08-30 07:43 <DIR> d-------- C:\ProgramData\webenmsg
2008-08-30 07:43 . 2008-08-30 07:43 <DIR> d-------- C:\ProgramData\GenInfo
2008-08-28 23:51 . 2008-08-28 23:51 <DIR> d-------- C:\Users\All Users\smartdb
2008-08-28 23:51 . 2008-08-28 23:51 <DIR> d-------- C:\Users\All Users\ProcAplUtil
2008-08-28 23:51 . 2008-08-28 23:51 <DIR> d-------- C:\ProgramData\smartdb
2008-08-28 23:51 . 2008-08-28 23:51 <DIR> d-------- C:\ProgramData\ProcAplUtil
2008-08-28 12:21 . 2008-08-28 12:21 <DIR> d-------- C:\Windows\BDOSCAN8
2008-08-28 11:50 . 2008-08-28 11:50 <DIR> d-------- C:\Users\All Users\enchk
2008-08-28 11:50 . 2008-08-28 11:50 <DIR> d-------- C:\Users\All Users\apien
2008-08-28 11:50 . 2008-08-28 11:50 <DIR> d-------- C:\ProgramData\enchk
2008-08-28 11:50 . 2008-08-28 11:50 <DIR> d-------- C:\ProgramData\apien
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\ProgramData\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-28 07:45 . 2008-08-28 07:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 20:49 . 2008-08-26 20:49 <DIR> d-------- C:\Users\All Users\ShStr
2008-08-26 20:49 . 2008-08-26 20:49 <DIR> d-------- C:\Users\All Users\apiact
2008-08-26 20:49 . 2008-08-26 20:49 <DIR> d-------- C:\ProgramData\ShStr
2008-08-26 20:49 . 2008-08-26 20:49 <DIR> d-------- C:\ProgramData\apiact
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-26 19:20 . 2008-08-30 07:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-26 19:20 . 2008-08-17 15:01 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-26 19:20 . 2008-08-17 15:01 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-25 06:53 . 2008-08-25 06:53 <DIR> d-------- C:\Users\All Users\MonProcCom
2008-08-25 06:53 . 2008-08-25 06:53 <DIR> d-------- C:\Users\All Users\HlpProc
2008-08-25 06:53 . 2008-08-25 06:53 <DIR> d-------- C:\ProgramData\MonProcCom
2008-08-25 06:53 . 2008-08-25 06:53 <DIR> d-------- C:\ProgramData\HlpProc
2008-08-24 18:37 . 2008-08-24 18:37 <DIR> d-------- C:\Users\All Users\hlpgenchk
2008-08-24 18:37 . 2008-08-24 18:37 <DIR> d-------- C:\Users\All Users\HlpCmdSet
2008-08-24 18:37 . 2008-08-24 18:37 <DIR> d-------- C:\ProgramData\hlpgenchk
2008-08-24 18:37 . 2008-08-24 18:37 <DIR> d-------- C:\ProgramData\HlpCmdSet
2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\Users\All Users\Grisoft
2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\ProgramData\Grisoft
2008-08-24 13:41 . 2008-08-24 05:08 <DIR> d-------- C:\SDFix
2008-08-24 11:46 . 2008-08-24 11:46 <DIR> d-------- C:\Users\All Users\ProcSetMsg
2008-08-24 11:46 . 2008-08-24 11:46 <DIR> d-------- C:\Users\All Users\ActMntCfg
2008-08-24 11:46 . 2008-08-24 11:46 <DIR> d-------- C:\ProgramData\ProcSetMsg
2008-08-24 11:46 . 2008-08-24 11:46 <DIR> d-------- C:\ProgramData\ActMntCfg
2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\Users\All Users\TEMP
2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\ProgramData\TEMP
2008-08-24 08:03 . 2008-08-24 08:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-24 07:47 . 2008-08-24 07:47 <DIR> d-------- C:\Users\All Users\ProcHlpApl
2008-08-24 07:47 . 2008-08-24 07:47 <DIR> d-------- C:\Users\All Users\MntWebSys
2008-08-24 07:47 . 2008-08-24 07:47 <DIR> d-------- C:\ProgramData\ProcHlpApl
2008-08-24 07:47 . 2008-08-24 07:47 <DIR> d-------- C:\ProgramData\MntWebSys
2008-08-24 07:17 . 2008-08-24 11:46 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-24 07:17 . 2008-08-24 11:46 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-24 07:17 . 2008-08-24 10:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\Users\All Users\WebCmd
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\Users\All Users\tofixwjs
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\Users\All Users\SmartUtil
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\ProgramData\WebCmd
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\ProgramData\tofixwjs
2008-08-24 07:04 . 2008-08-24 07:04 <DIR> d-------- C:\ProgramData\SmartUtil
2008-08-18 14:18 . 2008-08-18 14:18 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Template
2008-08-18 14:18 . 2008-08-18 14:18 0 --a------ C:\Users\mwilk\AppData\Roaming\wklnhst.dat
2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d-------- C:\Program Files\Windows Live
2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\ProgramData\WLInstaller
2008-08-14 07:02 . 2008-07-15 20:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 06:57 . 2008-08-14 06:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-13 18:23 . 2008-06-26 20:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 18:23 . 2008-06-26 23:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 18:23 . 2008-04-10 00:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-13 18:23 . 2008-06-18 22:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 18:23 . 2008-04-18 00:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-02 22:31 . 2008-08-02 22:31 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-02 03:11 . 2008-08-02 03:11 <DIR> d-------- C:\PerfLogs
2008-08-01 13:52 . 2008-01-19 02:38 4,595,712 --a------ C:\Windows\System32\AuthFWSnapin.dll
2008-08-01 13:51 . 2008-01-19 02:33 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
2008-08-01 13:50 . 2008-01-19 02:32 5,714,432 --a------ C:\Windows\System32\logon.scr
2008-08-01 13:49 . 2008-01-19 01:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-08-01 13:48 . 2008-01-19 02:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-08-01 13:48 . 2008-01-19 02:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-08-01 13:48 . 2008-01-19 02:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-08-01 13:48 . 2008-01-19 02:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-08-01 13:48 . 2008-01-19 02:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-08-01 13:48 . 2008-01-19 02:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-08-01 13:48 . 2008-01-19 02:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-08-01 13:48 . 2008-01-19 02:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-07-31 22:01 . 2008-07-31 22:01 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-07-31 19:24 . 2008-08-02 09:19 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-07-31 19:24 . 2008-08-02 09:19 <DIR> d-------- C:\ProgramData\NVIDIA
2008-07-31 19:11 . 2007-01-03 11:20 1,732 --a------ C:\Windows\System32\drivers\nvphy.bin
2008-07-31 19:08 . 2008-07-31 19:08 838,094 --a------ C:\Windows\System32\oem24.inf
2008-07-31 19:07 . 2008-08-20 03:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-07-31 17:59 . 2008-07-31 17:59 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\InstallShield
2008-07-28 12:49 . 2008-07-28 12:49 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-23 09:11 . 2008-06-25 20:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-14 12:11 . 2008-07-14 12:11 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 12:46 --------- d-----w C:\Users\mwilk\AppData\Roaming\Orbit
2008-08-24 06:20 --------- d-----w C:\Users\mwilk\AppData\Roaming\LimeWire
2008-08-18 14:58 --------- d-----w C:\Program Files\Orbitdownloader
2008-08-15 12:02 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-14 15:02 41,662 ----a-w C:\Users\mwilk\AppData\Roaming\nvModes.dat
2008-08-14 14:59 --------- d-----w C:\Program Files\Windows Mail
2008-08-05 22:56 --------- d-----w C:\Users\mwilk\AppData\Roaming\Move Networks
2008-08-02 08:22 174 --sha-w C:\Program Files\desktop.ini
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Journal
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Collaboration
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Calendar
2008-08-02 08:12 --------- d-----w C:\Program Files\Windows Defender
2008-08-01 19:13 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-08-01 19:13 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-08-01 04:26 --------- d-----w C:\Users\mwilk\AppData\Roaming\Hewlett-Packard
2008-08-01 03:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-01 03:33 --------- d-----w C:\ProgramData\CyberLink
2008-08-01 03:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 03:31 --------- d-----w C:\Program Files\Hp
2008-08-01 02:54 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-01 02:46 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-08-01 00:06 --------- d-----w C:\Program Files\CONEXANT
2008-06-29 21:07 --------- d-----w C:\Program Files\LimeWire
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-11 20:41 21,248 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-05-16 16:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-05-08 21:59 90,112 ----a-w C:\Windows\System32\wshext.dll
2008-05-08 21:59 430,080 ----a-w C:\Windows\System32\vbscript.dll
2008-05-08 21:59 180,224 ----a-w C:\Windows\System32\scrobj.dll
2008-05-08 21:59 172,032 ----a-w C:\Windows\System32\scrrun.dll
2008-05-08 21:59 155,648 ----a-w C:\Windows\System32\wscript.exe
2008-05-08 21:58 135,168 ----a-w C:\Windows\System32\cscript.exe
2008-05-07 14:37 21,760 ----a-w C:\Windows\Help\OEM\scripts\HPHS_Launcher.exe
2008-04-23 14:56 56,912 ----a-w C:\Users\mwilk\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((( snapshot@2008-08-26_18.46.29.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-09 20:01:48 118,784 ----a-w C:\Windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w C:\Windows\BDOSCAN8\ipsupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w C:\Windows\bdoscandel.exe
+ 2008-01-09 20:01:48 118,784 ----a-w C:\Windows\Downloaded Program Files\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w C:\Windows\Downloaded Program Files\ipsupd.dll
- 2008-08-26 13:41:33 602,680 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-08-30 12:40:49 602,680 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-08-26 13:47:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-30 12:41:56 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-26 13:47:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-08-30 12:41:56 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-26 13:48:16 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-30 12:42:55 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-02 08:22:41 2,641,057 -c--a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
+ 2008-08-27 12:15:43 2,641,057 -c--a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
- 2008-08-26 13:48:41 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-30 12:42:57 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-26 13:47:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-30 12:40:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-26 13:47:49 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-30 12:40:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-26 13:47:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-30 12:40:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-26 23:40:36 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-08-30 12:50:32 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-04-29 16:19:50 12,960 ----a-w C:\Windows\System32\drivers\Awrtpd.sys
+ 2008-04-29 16:19:54 15,648 ----a-w C:\Windows\System32\drivers\Awrtrd.sys
+ 2008-04-29 16:20:00 15,648 ----a-w C:\Windows\System32\drivers\NSDriver.sys
- 2008-01-19 07:34:49 35,328 ----a-w C:\Windows\System32\mimefilt.dll
+ 2008-05-27 05:18:32 40,448 ----a-w C:\Windows\System32\mimefilt.dll
- 2008-01-19 07:35:13 248,832 ----a-w C:\Windows\System32\msshsq.dll
+ 2008-05-27 05:18:32 231,936 ----a-w C:\Windows\System32\msshsq.dll
- 2008-01-19 07:35:13 333,824 ----a-w C:\Windows\System32\mssph.dll
+ 2008-05-27 05:18:25 350,208 ----a-w C:\Windows\System32\mssph.dll
- 2008-01-19 07:35:13 167,936 ----a-w C:\Windows\System32\mssphtb.dll
+ 2008-05-27 05:18:55 203,776 ----a-w C:\Windows\System32\mssphtb.dll
- 2008-01-19 07:35:13 52,224 ----a-w C:\Windows\System32\msstrc.dll
+ 2008-05-27 05:18:40 44,032 ----a-w C:\Windows\System32\msstrc.dll
- 2008-01-19 07:35:13 1,696,768 ----a-w C:\Windows\System32\mssvp.dll
+ 2008-05-27 05:18:56 670,208 ----a-w C:\Windows\System32\mssvp.dll
- 2008-01-19 07:35:38 122,368 ----a-w C:\Windows\System32\nlhtml.dll
+ 2008-05-27 05:18:30 136,704 ----a-w C:\Windows\System32\nlhtml.dll
- 2008-08-26 13:52:26 101,350 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-30 12:46:33 101,350 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-26 13:52:26 595,684 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-30 12:46:33 595,684 ----a-w C:\Windows\System32\perfh009.dat
- 2008-01-19 07:36:11 65,536 ----a-w C:\Windows\System32\propdefs.dll
+ 2008-05-27 05:18:06 71,680 ----a-w C:\Windows\System32\propdefs.dll
- 2008-01-19 07:36:17 26,624 ----a-w C:\Windows\System32\rtffilt.dll
+ 2008-05-27 05:18:30 38,400 ----a-w C:\Windows\System32\rtffilt.dll
- 2008-01-19 07:33:28 302,080 ----a-w C:\Windows\System32\SearchIndexer.exe
+ 2008-05-27 05:18:43 439,808 ----a-w C:\Windows\System32\SearchIndexer.exe
- 2008-01-19 07:33:28 179,200 ----a-w C:\Windows\System32\SearchProtocolHost.exe
+ 2008-05-27 05:18:16 184,832 ----a-w C:\Windows\System32\SearchProtocolHost.exe
- 2008-08-15 07:22:32 6,553,600 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-08-30 02:31:32 6,553,600 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-08-26 13:49:33 10,192 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2115636563-2388709207-2260462170-1000_UserData.bin
+ 2008-08-30 12:44:25 10,578 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2115636563-2388709207-2260462170-1000_UserData.bin
- 2008-08-26 13:49:32 53,012 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-30 12:44:25 53,356 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-26 13:49:30 40,502 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-30 12:44:24 41,836 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-08-26 16:09:29 179,628 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-08-28 21:58:06 181,518 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2008-01-19 07:37:11 27,136 ----a-w C:\Windows\System32\wsepno.dll
+ 2008-05-27 05:18:35 29,184 ----a-w C:\Windows\System32\wsepno.dll
- 2008-01-19 07:37:12 110,592 ----a-w C:\Windows\System32\xmlfilter.dll
+ 2008-05-27 05:18:32 56,320 ----a-w C:\Windows\System32\xmlfilter.dll
- 2008-08-14 12:03:04 135,794,146 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-08-28 18:09:22 138,173,288 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-05-27 05:17:28 301,568 ----a-w C:\Windows\winsxs\x86_desktop_shell-search-srchadmin_31bf3856ad364e35_7.0.6001.16503_none_13fcab3737a334c2\srchadmin.dll
+ 2008-05-27 05:18:30 136,704 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-html_31bf3856ad364e35_7.0.6001.16503_none_13ff1de93d266b97\nlhtml.dll
+ 2008-05-27 05:18:32 56,320 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-html_31bf3856ad364e35_7.0.6001.16503_none_13ff1de93d266b97\xmlfilter.dll
+ 2008-05-27 05:18:32 40,448 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-mime_31bf3856ad364e35_7.0.6001.16503_none_10a358dd3f57c0de\mimefilt.dll
+ 2008-05-27 05:17:23 194,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-office_31bf3856ad364e35_7.0.6001.16503_none_fab3f42bbfadf408\offfilt.dll
+ 2008-05-27 05:18:30 38,400 ----a-w C:\Windows\winsxs\x86_microsoft-windows-content-filter-rtf_31bf3856ad364e35_7.0.6001.16503_none_485964bf76e0570a\rtffilt.dll
+ 2008-05-27 05:17:46 754,176 ----a-w C:\Windows\winsxs\x86_microsoft-windows-propsys_31bf3856ad364e35_7.0.6001.16503_none_f3d11aeeb9526bbb\propsys.dll
+ 2008-05-27 05:18:35 29,184 ----a-w C:\Windows\winsxs\x86_microsoft-windows-search-profilenotify_31bf3856ad364e35_7.0.6001.16503_none_d86cd72c8d3c237e\wsepno.dll
+ 2008-05-27 05:17:16 6,103,040 ----a-w C:\Windows\winsxs\x86_microsoft-windows-w..-chinesetraditional_31bf3856ad364e35_7.0.6001.16503_none_df2000cce0d8c017\chtbrkr.dll
+ 2008-05-27 05:17:16 313,344 ----a-w C:\Windows\winsxs\x86_microsoft-windows-w..breakerstemmer-thai_31bf3856ad364e35_7.0.6001.16503_none_d40428cfc6b6fdf9\thawbrkr.dll
+ 2008-05-27 05:17:16 143,872 ----a-w C:\Windows\winsxs\x86_microsoft-windows-w..eakerstemmer-korean_31bf3856ad364e35_7.0.6001.16503_none_14072d09797cf93d\korwbrkr.dll
+ 2008-05-27 05:17:13 1,671,680 ----a-w C:\Windows\winsxs\x86_microsoft-windows-w..r-chinesesimplified_31bf3856ad364e35_7.0.6001.16503_none_4cbdb704b61543d2\chsbrkr.dll
+ 2008-05-27 05:18:43 13,824 ----a-w C:\Windows\winsxs\x86_windowssearch-wtrservicingsupport_31bf3856ad364e35_7.0.6001.16503_none_163fe74a2171e12e\WSWTRSvc.exe
+ 2008-05-27 05:18:32 231,936 ----a-w C:\Windows\winsxs\x86_windowssearchengine-structuredquery_31bf3856ad364e35_7.0.6001.16503_none_98586419f9103903\msshsq.dll
+ 2008-05-27 04:59:39 106,605 ----a-w C:\Windows\winsxs\x86_windowssearchengine..uredqueryschema.bin_31bf3856ad364e35_7.0.6001.16503_none_88f88929e3c77aa3\StructuredQuerySchema.bin
+ 2008-05-27 04:59:40 18,904 ----a-w C:\Windows\winsxs\x86_windowssearchengine..uredqueryschema.bin_31bf3856ad364e35_7.0.6001.16503_none_88f88929e3c77aa3\StructuredQuerySchemaTrivial.bin
+ 2008-05-27 05:17:42 34,816 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\msscb.dll
+ 2008-05-27 05:17:25 60,416 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\msscntrs.dll
+ 2008-05-27 05:17:36 11,776 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\msshooks.dll
+ 2008-05-27 05:17:25 87,552 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssitlb.dll
+ 2008-05-27 05:18:25 350,208 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssph.dll
+ 2008-05-27 05:18:55 203,776 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssphtb.dll
+ 2008-05-27 05:17:26 32,768 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssprxy.dll
+ 2008-05-27 05:21:24 1,418,240 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssrch.dll
+ 2008-05-27 05:18:40 44,032 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\msstrc.dll
+ 2008-05-27 05:18:56 670,208 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\mssvp.dll
+ 2008-05-27 05:18:06 71,680 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\propdefs.dll
+ 2008-05-27 05:17:55 87,552 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\SearchFilterHost.exe
+ 2008-05-27 05:18:43 439,808 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\SearchIndexer.exe
+ 2008-05-27 05:18:16 184,832 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\SearchProtocolHost.exe
+ 2008-05-27 05:21:07 1,582,592 ----a-w C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\tquery.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 17:23 1773568]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 18:43 4670704]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 02:33 202240]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 15:27 455968]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"WebCmd"="C:\ProgramData\WebCmd\hutqnups.exe" [2008-08-24 07:04 94208]
"GurV0KPIm7"="C:\ProgramData\tofixwjs\rivalkbk.exe" [2008-08-24 07:04 69632]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ProcHlpApl"="C:\ProgramData\ProcHlpApl\psxepmvu.exe" [2008-08-24 07:47 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 02:05 1045800]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 13:28 180224]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 13:42 70912]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-04-30 02:06 77824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 15:15 480560]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-12-19 19:27 468264]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-07 02:35 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-07 02:35 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-07 02:35 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-07 19:39 44128]

C:\Users\mwilk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-04-30 01:44:01 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"C:\\Program Files\\Vongo\\VongoService.exe"= C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8B1EFD3F-0865-45BE-ADA7-CCCC619B71D8}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2EB80D87-88A9-4C82-90C4-9AEF4D208859}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8EA3AED1-C1B5-4A18-AB62-8AE628E1498A}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6A3B5310-9011-4130-A7F0-4C3C4AC56CFC}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9BD6E2B5-F7BE-491E-ADE1-21667DCE93D9}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4F0200F0-E972-4675-9D7D-F12481964368}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{ADE15D3D-D0CC-41D3-A211-07F709F240BF}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A9251460-71C1-4F7D-B46F-8D2B3391E92E}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{50957FA8-2931-4B49-9EB5-6FE2558893C3}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{AC07E3DD-1A18-43E7-9D40-C4F392A5524F}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{074E7DB8-23E8-494C-BA1C-E0AEF4539AE4}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7BE784DA-9E52-492A-AE51-7440BA56F492}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7F0714ED-9C25-467B-B66B-887733CB65EF}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{78CB8100-768D-45EF-AEC9-1189192C12A2}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6AAEA570-47CB-4269-A6EE-C32B116D458F}"= UDP:C:\Program Files\Ring Factory\RingFactory.exe:Ring Factory 3.0
"{6EA1E709-D3F2-4D0C-9E54-84A6CAAFFC76}"= TCP:C:\Program Files\Ring Factory\RingFactory.exe:Ring Factory 3.0
"{6651B302-0BB9-4E08-8A93-908687588710}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{B17B46A7-639C-4A84-8A8A-8915B2FC4FD2}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{7D1AE115-C847-4734-B817-D78723116222}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{120EE7A5-79A0-4347-8B67-66F74478AFDD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{B7FE613C-4D6F-4E05-B768-2275A578E95F}C:\\program files\\orbitdownloader\\orbitnet.exe"= UDP:C:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{1BA1068B-1119-441D-9A81-DE0ED4519829}C:\\program files\\orbitdownloader\\orbitnet.exe"= TCP:C:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"{BA9A2661-6DF5-4D1C-8A4F-13D8C784E5E2}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{A626C42D-47F8-485F-85E7-128C72E3F716}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{1D8D24E8-E623-4A45-BDE5-19A4C5CE4DE7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{06DEB4EA-938F-485E-8D0F-72C1F485E4EC}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"= C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"= C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit

R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-03 05:10]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-08-30 C:\Windows\Tasks\HPCeeScheduleFormwilk.job
- C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-03-23 16:23]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.cnn.com/
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
O8 -: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 -: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 -: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 -: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 07:55:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-30 7:57:08
ComboFix-quarantined-files.txt 2008-08-30 12:57:05
ComboFix2.txt 2008-08-27 00:38:11
ComboFix3.txt 2008-08-26 23:47:23

Pre-Run: 33,598,521,344 bytes free
Post-Run: 33,777,446,912 bytes free

400 --- E O F --- 2008-08-29 05:46:21

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:10:47 PM

Posted 30 August 2008 - 12:09 PM

Hello Blue97,

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

Folder::
C:\Users\All Users\webenmsg
C:\Users\All Users\GenInfo
C:\ProgramData\webenmsg
C:\ProgramData\GenInfo
C:\Users\All Users\smartdb
C:\Users\All Users\ProcAplUtil
C:\ProgramData\smartdb
C:\ProgramData\ProcAplUtil
C:\Users\All Users\enchk
C:\Users\All Users\apien
C:\ProgramData\enchk
C:\ProgramData\apien
C:\Users\All Users\ShStr
C:\Users\All Users\apiact
C:\ProgramData\ShStr
C:\ProgramData\apiact
C:\Users\All Users\MonProcCom
C:\Users\All Users\HlpProc
C:\ProgramData\MonProcCom
C:\ProgramData\HlpProc
C:\Users\All Users\hlpgenchk
C:\Users\All Users\HlpCmdSet
C:\ProgramData\hlpgenchk
C:\ProgramData\HlpCmdSet
C:\Users\All Users\ProcSetMsg
C:\Users\All Users\ActMntCfg
C:\ProgramData\ProcSetMsg
C:\ProgramData\ActMntCfg
C:\Users\All Users\ProcHlpApl
C:\Users\All Users\MntWebSys
C:\ProgramData\ProcHlpApl
C:\ProgramData\MntWebSys
C:\Users\All Users\WebCmd
C:\Users\All Users\tofixwjs
C:\Users\All Users\SmartUtil
C:\ProgramData\WebCmd
C:\ProgramData\tofixwjs
C:\ProgramData\SmartUtil
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCmd"=-
"GurV0KPIm7"=-
"ProcHlpApl"=-

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
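The CFScript above is written by hand from the log: each suspicious Run value is matched to the folder its executable lives in, and both the C:\ProgramData path and its C:\Users\All Users alias are listed for removal. The following Python is an added example (not Thunder's script and not part of ComboFix) that automates exactly that triage step: it parses the "Reg Loading Points" Run sections of a ComboFix log, flags autostart values by a heuristic, and emits the Folder:: and Registry:: sections in the format shown in the post. The sample input is constructed by copying Run entries from the log earlier in this thread; the flagging rule (executable in a one-level folder under ProgramData with an 8-letter lowercase name) is an assumption fitted to the files seen here, not a general malware signature.

```python
import re
from collections import OrderedDict
from typing import List, Tuple

# Constructed sample input: Run sections copied from the ComboFix log above.
SAMPLE_RUN_SECTION = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"WebCmd"="C:\ProgramData\WebCmd\hutqnups.exe" [2008-08-24 07:04 94208]
"GurV0KPIm7"="C:\ProgramData\tofixwjs\rivalkbk.exe" [2008-08-24 07:04 69632]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ProcHlpApl"="C:\ProgramData\ProcHlpApl\psxepmvu.exe" [2008-08-24 07:47 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 02:05 1045800]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-07 02:35 8534560]
'''

# A registry key header line, e.g. [HKEY_CURRENT_USER\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A ComboFix value line: "name"="path" [timestamp size]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[[^\]]*\]$')
# Heuristic (an assumption for this example): executable sits one folder deep
# under ProgramData or its "All Users" alias and has an 8-letter lowercase name,
# matching the dropped files listed in this thread.
SUSPECT_RE = re.compile(
    r'^C:\\(?:ProgramData|Users\\All Users)\\(?P<folder>[^\\]+)\\[a-z]{8}\.exe$')

RunEntry = Tuple[str, str, str]  # (registry key, value name, executable path)


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Collect every value under every [key] section of the given log text."""
    entries: List[RunEntry] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            entries.append((current_key, value_match.group('name'),
                            value_match.group('path')))
    return entries


def flag_suspicious(entries: List[RunEntry]) -> List[RunEntry]:
    """Keep only the entries whose executable path matches SUSPECT_RE."""
    return [entry for entry in entries if SUSPECT_RE.match(entry[2])]


def build_cfscript(flagged: List[RunEntry]) -> str:
    """Render Folder:: and Registry:: sections in the layout used in the post."""
    folders = OrderedDict()   # folder name -> None; dedupes, keeps first-seen order
    by_key = OrderedDict()    # registry key -> list of value names to delete
    for key, name, path in flagged:
        folder = SUSPECT_RE.match(path).group('folder')
        folders.setdefault(folder, None)
        by_key.setdefault(key, []).append(name)
    lines = ['Folder::']
    for folder in folders:
        # Vista keeps both spellings of the same directory; list both, as the post does.
        lines.append(r'C:\Users\All Users' + '\\' + folder)
        lines.append(r'C:\ProgramData' + '\\' + folder)
    lines.append('Registry::')
    for key, names in by_key.items():
        lines.append('[%s]' % key)
        for name in names:
            lines.append('"%s"=-' % name)   # "=-" tells ComboFix to delete the value
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    flagged_entries = flag_suspicious(parse_run_entries(SAMPLE_RUN_SECTION))
    for _, value_name, exe_path in flagged_entries:
        print('suspicious autostart: %s -> %s' % (value_name, exe_path))
    print(build_cfscript(flagged_entries))
```

Run on the sample, the script flags WebCmd, GurV0KPIm7 and ProcHlpApl and prints the same three folder pairs and three Registry:: deletions that the post lists for them. Because Folder:: removes directories outright, the generated text is a starting point for a person to review against the full log, not something to drop onto ComboFix unread; the random-name rule would also miss an entry that kept a legitimate-looking file name.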

#5 blue97 (Topic Starter)

  • Members
  • 7 posts
  • Local time:03:47 PM

Posted 01 September 2008 - 05:41 PM
Thank you, Thunder. My latest logs.

ComboFix log:

ComboFix 08-09-01.01 - mwilk 2008-09-01 17:30:57.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.336 [GMT -5:00]
Running from: C:\Users\mwilk\Desktop\ComboFix.exe
Command switches used :: C:\Users\mwilk\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\ActMntCfg
C:\ProgramData\ActMntCfg\onedslkl.exe
C:\ProgramData\apiact
C:\ProgramData\apiact\ehmvifop.exe
C:\ProgramData\apien
C:\ProgramData\apien\jargjgng.exe
C:\ProgramData\enchk
C:\ProgramData\enchk\jsrcfedy.exe
C:\ProgramData\GenInfo
C:\ProgramData\GenInfo\qlefovun.exe
C:\ProgramData\HlpCmdSet
C:\ProgramData\HlpCmdSet\ebejshyh.exe
C:\ProgramData\hlpgenchk
C:\ProgramData\hlpgenchk\irirujqn.exe
C:\ProgramData\HlpProc
C:\ProgramData\HlpProc\ahkbgzsr.exe
C:\ProgramData\MntWebSys
C:\ProgramData\MntWebSys\fyjcjafw.exe
C:\ProgramData\MonProcCom
C:\ProgramData\MonProcCom\qvypipkh.exe
C:\ProgramData\ProcAplUtil
C:\ProgramData\ProcAplUtil\xunqneje.exe
C:\ProgramData\ProcHlpApl
C:\ProgramData\ProcSetMsg
C:\ProgramData\ProcSetMsg\wnmpsrch.exe
C:\ProgramData\ShStr
C:\ProgramData\ShStr\oludajul.exe
C:\ProgramData\smartdb
C:\ProgramData\smartdb\pgfwhafi.exe
C:\ProgramData\SmartUtil
C:\ProgramData\SmartUtil\pujcboxw.exe
C:\ProgramData\tofixwjs
C:\ProgramData\tofixwjs\rivalkbk.exe
C:\ProgramData\WebCmd
C:\ProgramData\webenmsg
C:\ProgramData\webenmsg\avirshyt.exe
C:\Users\All Users\ActMntCfg\onedslkl.exe
C:\Users\All Users\apiact\ehmvifop.exe
C:\Users\All Users\apien\jargjgng.exe
C:\Users\All Users\enchk\jsrcfedy.exe
C:\Users\All Users\GenInfo\qlefovun.exe
C:\Users\All Users\HlpCmdSet\ebejshyh.exe
C:\Users\All Users\hlpgenchk\irirujqn.exe
C:\Users\All Users\HlpProc\ahkbgzsr.exe
C:\Users\All Users\MntWebSys\fyjcjafw.exe
C:\Users\All Users\MonProcCom\qvypipkh.exe
C:\Users\All Users\ProcAplUtil\xunqneje.exe
C:\Users\All Users\ProcSetMsg\wnmpsrch.exe
C:\Users\All Users\ShStr\oludajul.exe
C:\Users\All Users\smartdb\pgfwhafi.exe
C:\Users\All Users\SmartUtil\pujcboxw.exe
C:\Users\All Users\tofixwjs\rivalkbk.exe
C:\Users\All Users\webenmsg\avirshyt.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-09-01 17:26 . 2008-09-01 17:26 <DIR> d-------- C:\Users\All Users\procwebstr
2008-09-01 17:26 . 2008-09-01 17:26 <DIR> d-------- C:\Users\All Users\cmdadm
2008-09-01 17:26 . 2008-09-01 17:26 <DIR> d-------- C:\ProgramData\procwebstr
2008-09-01 17:26 . 2008-09-01 17:26 <DIR> d-------- C:\ProgramData\cmdadm
2008-09-01 17:12 . 2008-09-01 17:12 <DIR> d-------- C:\Users\All Users\strwebsmart
2008-09-01 17:12 . 2008-09-01 17:12 <DIR> d-------- C:\Users\All Users\ShAdm
2008-09-01 17:12 . 2008-09-01 17:12 <DIR> d-------- C:\ProgramData\strwebsmart
2008-09-01 17:12 . 2008-09-01 17:12 <DIR> d-------- C:\ProgramData\ShAdm
2008-08-31 06:58 . 2008-08-31 06:58 <DIR> d-------- C:\Users\All Users\smartdsc
2008-08-31 06:58 . 2008-08-31 06:58 <DIR> d-------- C:\Users\All Users\CmdWebMnt
2008-08-31 06:58 . 2008-08-31 06:58 <DIR> d-------- C:\ProgramData\smartdsc
2008-08-31 06:58 . 2008-08-31 06:58 <DIR> d-------- C:\ProgramData\CmdWebMnt
2008-08-28 12:21 . 2008-08-28 12:21 <DIR> d-------- C:\Windows\BDOSCAN8
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\ProgramData\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-28 07:45 . 2008-08-28 07:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-26 19:20 . 2008-08-30 07:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-26 19:20 . 2008-08-17 15:01 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-26 19:20 . 2008-08-17 15:01 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\Users\All Users\Grisoft
2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\ProgramData\Grisoft
2008-08-24 13:41 . 2008-08-24 05:08 <DIR> d-------- C:\SDFix
2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\Users\All Users\TEMP
2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\ProgramData\TEMP
2008-08-24 08:03 . 2008-08-24 08:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-24 07:17 . 2008-08-24 11:46 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-24 07:17 . 2008-08-24 11:46 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-24 07:17 . 2008-08-24 10:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 14:18 . 2008-08-18 14:18 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Template
2008-08-18 14:18 . 2008-08-18 14:18 0 --a------ C:\Users\mwilk\AppData\Roaming\wklnhst.dat
2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d-------- C:\Program Files\Windows Live
2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\ProgramData\WLInstaller
2008-08-14 07:02 . 2008-07-15 20:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 06:57 . 2008-08-14 06:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-13 18:23 . 2008-06-26 20:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 18:23 . 2008-06-26 23:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 18:23 . 2008-04-10 00:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-13 18:23 . 2008-06-18 22:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 18:23 . 2008-04-18 00:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-02 22:31 . 2008-08-02 22:31 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-02 03:11 . 2008-08-02 03:11 <DIR> d-------- C:\PerfLogs
2008-08-01 13:52 . 2008-01-19 02:38 4,595,712 --a------ C:\Windows\System32\AuthFWSnapin.dll
2008-08-01 13:51 . 2008-01-19 02:33 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
2008-08-01 13:50 . 2008-01-19 02:32 5,714,432 --a------ C:\Windows\System32\logon.scr
2008-08-01 13:49 . 2008-01-19 01:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-08-01 13:48 . 2008-01-19 02:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-08-01 13:48 . 2008-01-19 02:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-08-01 13:48 . 2008-01-19 02:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-08-01 13:48 . 2008-01-19 02:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-08-01 13:48 . 2008-01-19 02:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-08-01 13:48 . 2008-01-19 02:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-08-01 13:48 . 2008-01-19 02:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-08-01 13:48 . 2008-01-19 02:35 35,328 --a------ C:\Windows\System32\mspatcha.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 20:34 --------- d-----w C:\Users\mwilk\AppData\Roaming\Orbit
2008-08-24 06:20 --------- d-----w C:\Users\mwilk\AppData\Roaming\LimeWire
2008-08-20 08:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-18 14:58 --------- d-----w C:\Program Files\Orbitdownloader
2008-08-15 12:02 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-14 15:02 41,662 ----a-w C:\Users\mwilk\AppData\Roaming\nvModes.dat
2008-08-14 14:59 --------- d-----w C:\Program Files\Windows Mail
2008-08-05 22:56 --------- d-----w C:\Users\mwilk\AppData\Roaming\Move Networks
2008-08-02 14:19 --------- d-----w C:\ProgramData\NVIDIA
2008-08-02 08:22 174 --sha-w C:\Program Files\desktop.ini
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Journal
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Collaboration
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Calendar
2008-08-02 08:12 --------- d-----w C:\Program Files\Windows Defender
2008-08-01 19:13 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-08-01 19:13 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-08-01 04:26 --------- d-----w C:\Users\mwilk\AppData\Roaming\Hewlett-Packard
2008-08-01 03:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-01 03:33 --------- d-----w C:\ProgramData\CyberLink
2008-08-01 03:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 03:31 --------- d-----w C:\Program Files\Hp
2008-08-01 03:01 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-08-01 02:54 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-01 02:46 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-08-01 00:06 --------- d-----w C:\Program Files\CONEXANT
2008-07-31 22:59 --------- d-----w C:\Users\mwilk\AppData\Roaming\InstallShield
2008-07-28 17:49 --------- d-----w C:\Program Files\Apple Software Update
2008-07-14 17:11 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-11 20:41 21,248 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2008-04-23 14:56 56,912 ----a-w C:\Users\mwilk\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((( snapshot_2008-08-30_ 7.56.15.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-30 12:40:49 602,680 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-09-01 22:10:14 602,680 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-08-30 12:41:56 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-01 22:11:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-30 12:41:56 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-09-01 22:11:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-30 12:42:55 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-01 22:11:37 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-30 12:42:57 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-01 22:12:27 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-30 12:40:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-01 22:28:08 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-30 12:40:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-01 22:28:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-30 12:40:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-01 22:28:08 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-30 12:50:32 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-01 22:15:15 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-08-30 12:46:33 101,350 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-01 22:17:46 101,350 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-30 12:46:33 595,684 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-01 22:17:46 595,684 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-30 12:44:25 10,578 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2115636563-2388709207-2260462170-1000_UserData.bin
+ 2008-09-01 22:13:11 10,626 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2115636563-2388709207-2260462170-1000_UserData.bin
- 2008-08-30 12:44:25 53,356 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-01 22:13:11 53,356 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-30 12:44:24 41,836 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-01 22:13:10 42,224 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-08-28 21:58:06 181,518 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-09-01 22:25:03 181,758 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 17:23 1773568]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 18:43 4670704]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 02:33 202240]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 15:27 455968]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"procwebstr"="C:\ProgramData\procwebstr\zajsxgre.exe" [2008-09-01 17:26 98304]
"lphca5tj0etst"="C:\Windows\system32\lphca5tj0etst.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 02:05 1045800]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 13:28 180224]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 13:42 70912]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-04-30 02:06 77824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 15:15 480560]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-12-19 19:27 468264]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-07 02:35 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-07 02:35 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-07 02:35 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-07 19:39 44128]

C:\Users\mwilk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-04-30 01:44:01 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"C:\\Program Files\\Vongo\\VongoService.exe"= C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8B1EFD3F-0865-45BE-ADA7-CCCC619B71D8}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2EB80D87-88A9-4C82-90C4-9AEF4D208859}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8EA3AED1-C1B5-4A18-AB62-8AE628E1498A}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6A3B5310-9011-4130-A7F0-4C3C4AC56CFC}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9BD6E2B5-F7BE-491E-ADE1-21667DCE93D9}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4F0200F0-E972-4675-9D7D-F12481964368}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{ADE15D3D-D0CC-41D3-A211-07F709F240BF}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A9251460-71C1-4F7D-B46F-8D2B3391E92E}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{50957FA8-2931-4B49-9EB5-6FE2558893C3}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{AC07E3DD-1A18-43E7-9D40-C4F392A5524F}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{074E7DB8-23E8-494C-BA1C-E0AEF4539AE4}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7BE784DA-9E52-492A-AE51-7440BA56F492}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7F0714ED-9C25-467B-B66B-887733CB65EF}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{78CB8100-768D-45EF-AEC9-1189192C12A2}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6AAEA570-47CB-4269-A6EE-C32B116D458F}"= UDP:C:\Program Files\Ring Factory\RingFactory.exe:Ring Factory 3.0
"{6EA1E709-D3F2-4D0C-9E54-84A6CAAFFC76}"= TCP:C:\Program Files\Ring Factory\RingFactory.exe:Ring Factory 3.0
"{6651B302-0BB9-4E08-8A93-908687588710}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{B17B46A7-639C-4A84-8A8A-8915B2FC4FD2}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{7D1AE115-C847-4734-B817-D78723116222}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{120EE7A5-79A0-4347-8B67-66F74478AFDD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{B7FE613C-4D6F-4E05-B768-2275A578E95F}C:\\program files\\orbitdownloader\\orbitnet.exe"= UDP:C:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{1BA1068B-1119-441D-9A81-DE0ED4519829}C:\\program files\\orbitdownloader\\orbitnet.exe"= TCP:C:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"{BA9A2661-6DF5-4D1C-8A4F-13D8C784E5E2}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{A626C42D-47F8-485F-85E7-128C72E3F716}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{1D8D24E8-E623-4A45-BDE5-19A4C5CE4DE7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{06DEB4EA-938F-485E-8D0F-72C1F485E4EC}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"= C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"= C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit

R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-03 05:10]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 17:33:46
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-01 17:35:45
ComboFix-quarantined-files.txt 2008-09-01 22:35:41
ComboFix2.txt 2008-09-01 22:21:59
ComboFix3.txt 2008-08-30 12:57:09
ComboFix4.txt 2008-08-27 00:38:11
ComboFix5.txt 2008-09-01 22:30:15

Pre-Run: 29,905,678,336 bytes free
Post-Run: 29,770,739,712 bytes free

307 --- E O F --- 2008-08-29 05:46:21




HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:06 AM, on 8/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\ProgramData\WebCmd\hutqnups.exe
C:\ProgramData\tofixwjs\rivalkbk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Vongo\Tray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\ProgramData\MntWebSys\fyjcjafw.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe
O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe
O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcHlpApl] C:\ProgramData\ProcHlpApl\psxepmvu.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.cnn.com
O15 - Trusted Zone: http://www.ringfactory.net
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9733 bytes

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:47 PM

Posted 02 September 2008 - 03:57 AM

Hello Blue97,

We're not there yet :thumbsup:

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Copy the entire content of the page, open Notepad and paste the content in it,
then save this as ResetTeaTimer.bat (choose to save as "all files") and place it on your Desktop.
Double click on ResetTeaTimer.bat to remove all entries set by TeaTimer.

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the text below into an empty Notepad window:

Folder::
C:\Users\All Users\procwebstr
C:\Users\All Users\cmdadm
C:\ProgramData\procwebstr
C:\ProgramData\cmdadm
C:\Users\All Users\strwebsmart
C:\Users\All Users\ShAdm
C:\ProgramData\strwebsmart
C:\ProgramData\ShAdm
C:\Users\All Users\smartdsc
C:\Users\All Users\CmdWebMnt
C:\ProgramData\smartdsc
C:\ProgramData\CmdWebMnt
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"procwebstr"=-
"lphca5tj0etst"=-

Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe (the original post showed this step in a screenshot).

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh HijackThislog.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
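An added example, not part of the thread and not code from ComboFix or HijackThis: a small Python triage script that reads the kind of HijackThis O4 lines and ComboFix "Reg Loading Points" shown in the logs above and flags the pattern the helper is removing by hand. The rogue Run values in these logs share two traits: an executable whose name is eight random lowercase letters, sitting in a similarly named folder under ProgramData (on Vista, C:\Users\All Users is a junction to C:\ProgramData, which is why every folder is listed twice), or a long random alphanumeric name dropped into system32. The script also lists Security Center subkeys where DisableMonitoring=1 is set, since legitimate security products set that under their own subkey and a value at the root key, or for a product that is not installed, deserves a look. The eight-letter and twelve-character thresholds are heuristics chosen for this example, and the sample log is constructed from lines in the thread.

```python
import re
from typing import List, Tuple

# Constructed sample input: lines in the shape of the HijackThis O4 section
# and the ComboFix "Reg Loading Points" section posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe
O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe
O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcHlpApl] C:\ProgramData\ProcHlpApl\psxepmvu.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"procwebstr"="C:\ProgramData\procwebstr\zajsxgre.exe" [2008-09-01 17:26 98304]
"lphca5tj0etst"="C:\Windows\system32\lphca5tj0etst.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{50957FA8-2931-4B49-9EB5-6FE2558893C3}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"""

# Line shapes understood by the parser.
HJT_O4 = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
CF_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
CF_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]+)"')
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr))', re.IGNORECASE)

# Heuristics (assumptions for this example, not rules taken from the thread).
SHARED_DATA = re.compile(r"\\(ProgramData|Users\\All Users)\\", re.IGNORECASE)
SYSTEM32 = re.compile(r"\\Windows\\system32\\", re.IGNORECASE)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")                       # e.g. zajsxgre
MIXED_STEM = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{12,}$")  # e.g. lphca5tj0etst
SC_KEY = re.compile(r"^\[HK[^\]]*security center\\Monitoring(?P<sub>\\[^\]]+)?\]$",
                    re.IGNORECASE)


def parse_run_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """(key, value_name, executable_path) for every Run/RunOnce entry found in
    HijackThis O4 lines or ComboFix REGEDIT4-style dumps. Commands without a
    drive-letter path (e.g. %ProgramFiles%\...) are skipped."""
    entries, current_key = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        key_match = CF_KEY.match(line)
        if key_match:                      # ComboFix: remember the enclosing key
            current_key = key_match.group("key")
            continue
        hjt = HJT_O4.match(line)
        if hjt:
            key, name, cmd = hjt.group("key"), hjt.group("name"), hjt.group("cmd")
        else:
            cf = CF_VALUE.match(line)
            if not cf or "currentversion\\run" not in current_key.lower():
                continue                   # value outside a Run/RunOnce key
            key, name, cmd = current_key, cf.group("name"), cf.group("cmd")
        path = EXE_PATH.search(cmd)
        if path:
            entries.append((key, name, path.group(1)))
    return entries


def file_stem(path: str) -> str:
    """'C:\\dir\\zajsxgre.exe' -> 'zajsxgre'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def suspicious_reason(path: str) -> str:
    """Short reason if the path matches one of the loader patterns, else ''."""
    stem = file_stem(path)
    if SHARED_DATA.search(path) and RANDOM_STEM.match(stem):
        return "random 8-letter executable under ProgramData / All Users"
    if SYSTEM32.search(path) and MIXED_STEM.match(stem):
        return "random alphanumeric executable dropped into system32"
    return ""


def triage(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Run entries worth removing, each with the reason it was flagged."""
    flagged = []
    for key, name, path in parse_run_entries(log_text):
        reason = suspicious_reason(path)
        if reason:
            flagged.append((key, name, path, reason))
    return flagged


def security_center_overrides(log_text: str) -> List[str]:
    """Security Center Monitoring subkeys carrying DisableMonitoring=1; '<root>'
    marks the Monitoring key itself rather than a product subkey."""
    found, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        sc = SC_KEY.match(line)
        if sc:
            current = sc.group("sub").lstrip("\\") if sc.group("sub") else "<root>"
            continue
        if line.startswith("["):           # any other key ends the section
            current = None
            continue
        if current and line.lower() == '"disablemonitoring"=dword:00000001':
            found.append(current)
    return found


if __name__ == "__main__":
    for key, name, path, reason in triage(SAMPLE_LOG):
        print(f"{key:45} {name:16} {path}  <- {reason}")
    print("Security Center overrides:", security_center_overrides(SAMPLE_LOG))
```

Run against the sample, the script flags the same six values the CFScript and the earlier O4 lines point at (WebCmd, lphca5tj0etst twice, GurV0KPIm7, ProcHlpApl, procwebstr) and leaves the vendor entries alone; a real log is pasted in place of SAMPLE_LOG. The name heuristics are deliberately narrow, so treat a clean result as "nothing of this family found", not as a clean machine.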

#7 blue97

blue97
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 02 September 2008 - 07:00 AM

Quick question: When you say

Copy the entire content of the page, open Notepad and paste the content in it,

What page are you referring to?

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:47 PM

Posted 02 September 2008 - 08:58 AM

Hello Blue97,

When you click the ResetTeaTimer.bat link, you'll notice it will open a text page.
The entire content of this page should be copied into a Notepad file and saved as ResetTeaTimer.bat. :thumbsup:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#9 blue97

blue97
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 02 September 2008 - 10:36 AM

When I download the .bat file, it downloads as a .bat file to the desktop. When I double-click it, this message comes up in a window with the command prompt title C:\Windows\system32\cmd.exe.

The only thing it says is:

Unsupported Document
Press any key to exit...
Press any key to continue...

It will not allow me to copy and paste this text into a Notepad file, or post any other text.

I'm really sorry for my confusion, and thank you for your help.

Attached Files

  • Attached File  mal1.jpg   7.33KB   10 downloads


#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 02 September 2008 - 10:43 AM

Hello Blue97,

You're right, my mistake :thumbsup:
That batch file is not suited for Vista users.

Never mind about that,
you can continue with the CFScript :)

Greetings,
Thunder

#11 blue97

blue97
  • Topic Starter

  • Members
  • 7 posts

Posted 02 September 2008 - 12:35 PM

Thunder,

The wallpaper infection did not appear, neither has the pop-up (so far). Here are the latest logs:

Combofix

ComboFix 08-09-01.03 - mwilk 2008-09-02 12:02:40.8 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.336 [GMT -5:00]
Running from: C:\Users\mwilk\Desktop\ComboFix.exe
Command switches used :: C:\Users\mwilk\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\cmdadm
C:\ProgramData\cmdadm\twdkhuvy.exe
C:\ProgramData\CmdWebMnt
C:\ProgramData\CmdWebMnt\velktqdc.exe
C:\ProgramData\procwebstr
C:\ProgramData\procwebstr\zajsxgre.exe
C:\ProgramData\ShAdm
C:\ProgramData\ShAdm\sjanejyt.exe
C:\ProgramData\smartdsc
C:\ProgramData\smartdsc\nmderyto.exe
C:\ProgramData\strwebsmart
C:\ProgramData\strwebsmart\gtapqret.exe
C:\Users\All Users\cmdadm\twdkhuvy.exe
C:\Users\All Users\CmdWebMnt\velktqdc.exe
C:\Users\All Users\procwebstr\zajsxgre.exe
C:\Users\All Users\ShAdm\sjanejyt.exe
C:\Users\All Users\smartdsc\nmderyto.exe
C:\Users\All Users\strwebsmart\gtapqret.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-08-28 12:21 . 2008-08-28 12:21 <DIR> d-------- C:\Windows\BDOSCAN8
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:48 <DIR> d-------- C:\ProgramData\Lavasoft
2008-08-28 07:46 . 2008-08-28 07:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-28 07:45 . 2008-08-28 07:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-26 19:20 . 2008-08-26 19:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-26 19:20 . 2008-09-02 10:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-26 19:20 . 2008-09-02 00:16 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-26 19:20 . 2008-09-02 00:16 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\Users\All Users\Grisoft
2008-08-24 17:20 . 2008-08-24 17:20 <DIR> d-------- C:\ProgramData\Grisoft
2008-08-24 13:41 . 2008-08-24 05:08 <DIR> d-------- C:\SDFix
2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\Users\All Users\TEMP
2008-08-24 11:12 . 2008-08-24 13:23 <DIR> d-a------ C:\ProgramData\TEMP
2008-08-24 08:03 . 2008-08-24 08:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-24 07:17 . 2008-09-02 11:01 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-24 07:17 . 2008-09-02 11:01 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-24 07:17 . 2008-09-02 11:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 14:18 . 2008-08-18 14:18 <DIR> d-------- C:\Users\mwilk\AppData\Roaming\Template
2008-08-18 14:18 . 2008-08-18 14:18 0 --a------ C:\Users\mwilk\AppData\Roaming\wklnhst.dat
2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d-------- C:\Program Files\Windows Live
2008-08-14 09:52 . 2008-08-14 09:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-08-14 09:48 . 2008-08-14 09:52 <DIR> d-------- C:\ProgramData\WLInstaller
2008-08-14 07:02 . 2008-07-15 20:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 06:57 . 2008-08-14 06:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-13 18:23 . 2008-06-26 20:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 18:23 . 2008-06-26 23:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 18:23 . 2008-04-10 00:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-13 18:23 . 2008-06-18 22:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 18:23 . 2008-04-18 00:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-02 22:31 . 2008-08-02 22:31 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-02 03:11 . 2008-08-02 03:11 <DIR> d-------- C:\PerfLogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 17:00 --------- d-----w C:\Users\mwilk\AppData\Roaming\Orbit
2008-09-02 12:44 --------- d-----w C:\Program Files\Orbitdownloader
2008-08-24 06:20 --------- d-----w C:\Users\mwilk\AppData\Roaming\LimeWire
2008-08-20 08:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-15 12:02 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-14 15:02 41,662 ----a-w C:\Users\mwilk\AppData\Roaming\nvModes.dat
2008-08-14 14:59 --------- d-----w C:\Program Files\Windows Mail
2008-08-05 22:56 --------- d-----w C:\Users\mwilk\AppData\Roaming\Move Networks
2008-08-02 14:19 --------- d-----w C:\ProgramData\NVIDIA
2008-08-02 08:22 174 --sha-w C:\Program Files\desktop.ini
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Journal
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Collaboration
2008-08-02 08:13 --------- d-----w C:\Program Files\Windows Calendar
2008-08-02 08:12 --------- d-----w C:\Program Files\Windows Defender
2008-08-01 19:13 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-08-01 19:13 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-08-01 04:26 --------- d-----w C:\Users\mwilk\AppData\Roaming\Hewlett-Packard
2008-08-01 03:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-01 03:33 --------- d-----w C:\ProgramData\CyberLink
2008-08-01 03:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 03:31 --------- d-----w C:\Program Files\Hp
2008-08-01 03:01 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-08-01 02:54 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-01 02:46 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-08-01 00:06 --------- d-----w C:\Program Files\CONEXANT
2008-07-31 22:59 --------- d-----w C:\Users\mwilk\AppData\Roaming\InstallShield
2008-07-28 17:49 --------- d-----w C:\Program Files\Apple Software Update
2008-07-14 17:11 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-11 20:41 21,248 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2008-04-23 14:56 56,912 ----a-w C:\Users\mwilk\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((( snapshot_2008-09-02_11.39.53.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-02 16:03:34 602,680 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-09-02 16:55:37 602,680 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-09-02 16:05:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-02 16:56:35 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-09-02 16:05:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-09-02 16:56:35 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-02 16:05:25 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-02 16:57:01 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-09-02 16:05:33 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-02 16:57:03 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-09-02 16:09:36 101,350 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-02 17:02:14 101,350 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-02 16:09:36 595,684 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-02 17:02:14 595,684 ----a-w C:\Windows\System32\perfh009.dat
- 2008-09-02 16:06:59 10,682 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2115636563-2388709207-2260462170-1000_UserData.bin
+ 2008-09-02 16:58:29 10,698 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2115636563-2388709207-2260462170-1000_UserData.bin
- 2008-09-02 16:06:59 53,364 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-02 16:58:29 53,364 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-02 16:06:57 42,766 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-02 16:58:28 42,908 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 1773568]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 455968]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 180224]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-04-30 77824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-12-19 468264]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-07 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-07 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-07 44128]

C:\Users\mwilk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-04-30 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"C:\\Program Files\\Vongo\\VongoService.exe"= C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8B1EFD3F-0865-45BE-ADA7-CCCC619B71D8}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2EB80D87-88A9-4C82-90C4-9AEF4D208859}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8EA3AED1-C1B5-4A18-AB62-8AE628E1498A}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6A3B5310-9011-4130-A7F0-4C3C4AC56CFC}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9BD6E2B5-F7BE-491E-ADE1-21667DCE93D9}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4F0200F0-E972-4675-9D7D-F12481964368}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{ADE15D3D-D0CC-41D3-A211-07F709F240BF}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A9251460-71C1-4F7D-B46F-8D2B3391E92E}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{50957FA8-2931-4B49-9EB5-6FE2558893C3}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{AC07E3DD-1A18-43E7-9D40-C4F392A5524F}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{074E7DB8-23E8-494C-BA1C-E0AEF4539AE4}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7BE784DA-9E52-492A-AE51-7440BA56F492}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7F0714ED-9C25-467B-B66B-887733CB65EF}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{78CB8100-768D-45EF-AEC9-1189192C12A2}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6AAEA570-47CB-4269-A6EE-C32B116D458F}"= UDP:C:\Program Files\Ring Factory\RingFactory.exe:Ring Factory 3.0
"{6EA1E709-D3F2-4D0C-9E54-84A6CAAFFC76}"= TCP:C:\Program Files\Ring Factory\RingFactory.exe:Ring Factory 3.0
"{6651B302-0BB9-4E08-8A93-908687588710}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{B17B46A7-639C-4A84-8A8A-8915B2FC4FD2}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{7D1AE115-C847-4734-B817-D78723116222}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{120EE7A5-79A0-4347-8B67-66F74478AFDD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{B7FE613C-4D6F-4E05-B768-2275A578E95F}C:\\program files\\orbitdownloader\\orbitnet.exe"= UDP:C:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{1BA1068B-1119-441D-9A81-DE0ED4519829}C:\\program files\\orbitdownloader\\orbitnet.exe"= TCP:C:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"{BA9A2661-6DF5-4D1C-8A4F-13D8C784E5E2}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{A626C42D-47F8-485F-85E7-128C72E3F716}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{1D8D24E8-E623-4A45-BDE5-19A4C5CE4DE7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{06DEB4EA-938F-485E-8D0F-72C1F485E4EC}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"= C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"= C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit

R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-03 182272]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 12:07:00
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-02 12:08:53
ComboFix-quarantined-files.txt 2008-09-02 17:08:49
ComboFix2.txt 2008-09-02 16:40:53
ComboFix3.txt 2008-09-02 16:26:27
ComboFix4.txt 2008-09-01 22:35:46
ComboFix5.txt 2008-09-02 17:00:35

Pre-Run: 29,913,653,248 bytes free
Post-Run: 29,896,581,120 bytes free

234 --- E O F --- 2008-08-29 05:46:21

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:06 AM, on 8/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\ProgramData\WebCmd\hutqnups.exe
C:\ProgramData\tofixwjs\rivalkbk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Vongo\Tray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\ProgramData\MntWebSys\fyjcjafw.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe
O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe
O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcHlpApl] C:\ProgramData\ProcHlpApl\psxepmvu.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.cnn.com
O15 - Trusted Zone: http://www.ringfactory.net
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9733 bytes
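
Added example, not a tool from this thread: a small Python triage script that picks out the two kinds of HijackThis entries dealt with in this thread, O2 BHO lines that point at "(no file)" and O4 autostart entries launched from ProgramData or under random-looking names. The sample lines are a constructed subset of the log posted above; the random-name heuristic is an assumption of this example, so its hits are leads for review, not verdicts.

```python
"""Triage a HijackThis v2 log for orphaned BHOs and suspicious O4 autostarts."""
import re
from dataclasses import dataclass
from typing import List, Optional

# O2 line: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 line: "O4 - <hive>\..\Run*: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# First filesystem path in the command line, quoted or not, drive letter or %VAR% prefix.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%\w+%)\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
# Heuristic (assumed for this example): one alphanumeric token of 8+ chars mixing
# letters and digits, like "GurV0KPIm7" or "lphca5tj0etst".
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}$")


@dataclass
class Finding:
    line: str
    category: str   # orphan_bho | programdata_autostart | random_name
    detail: str


def _exe_path(cmd: str) -> Optional[str]:
    m = PATH_RE.search(cmd)
    return m.group(1) if m else None


def _looks_random(token: str) -> bool:
    return bool(RANDOM_NAME_RE.match(token))


def triage_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious O2/O4 line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            # A CLSID that is still registered but has no file behind it: the
            # kind of leftover the helper asks to fix in HijackThis.
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(line, "orphan_bho",
                                        f"BHO {m.group('clsid')} registered but no file on disk"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        value, cmd = m.group("value"), m.group("cmd")
        path = _exe_path(cmd)
        lowered = (path or "").lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0] if path else ""
        # Autostart executables living directly under ProgramData (or its Vista
        # junction C:\Users\All Users) match the pattern ComboFix deleted above.
        if lowered.startswith("c:\\programdata\\") or "\\users\\all users\\" in lowered:
            findings.append(Finding(line, "programdata_autostart",
                                    f"[{value}] runs {path} from ProgramData"))
        elif _looks_random(value) or _looks_random(stem):
            findings.append(Finding(line, "random_name",
                                    f"[{value}] -> {path or cmd}: random-looking name"))
    return findings


# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WebCmd] C:\ProgramData\WebCmd\hutqnups.exe
O4 - HKCU\..\Run: [lphca5tj0etst] C:\Windows\system32\lphca5tj0etst.exe
O4 - HKCU\..\Run: [GurV0KPIm7] C:\ProgramData\tofixwjs\rivalkbk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcHlpApl] C:\ProgramData\ProcHlpApl\psxepmvu.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.category:22} {f.detail}")
```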

#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 02 September 2008 - 05:07 PM

Hello Blue97,

That looks quite good. :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if still present:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Greetings,
Thunder

#13 blue97

blue97
  • Topic Starter

  • Members
  • 7 posts

Posted 02 September 2008 - 11:28 PM

Thank you again, Thunder. I have completed your last recommendations, and if you wish to close the thread, please be my guest.

I am very, very thankful for your help in this matter. I will be more careful in the future, but your help has been amazing.

Thank you, thank you, thank you.

Blue97

#14 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 03 September 2008 - 03:21 AM

Glad we could help, Blue97 :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.