Trojan DNS.Changer/Vimax ads/google links redirect/can't connect to liveupdate


This topic is locked
11 replies to this topic

#1 bourn3

  • Members
  • 6 posts

Posted 06 December 2008 - 02:26 AM

Hi everyone. I am in desperate need of help. Yesterday I got infected with malware. I am on a Vista HP laptop. Internet connection is wireless and I'm using Norton Internet Security 2009 + recently downloaded Malwarebytes, Ad-Aware, SUPERAntiSpyware to try to fix my problem. I searched Google for hours and I decided to finally post here.

My title explains it. I ran Malwarebytes several times (in safe mode too) and Trojan DNS.Changer doesn't seem to go away; I have 18 files infected with it. I think they are what you call registries (I'm not a computer expert). The problems I have are that I have Vimax (bleep enlargement pills lol) on every site I go to. Google links redirect to stupid advertising sites. I can't run LiveUpdate in Norton or any update in other anti-spyware programs. Norton says there is a problem with my connection... Also a small detail I noticed is that clicked links in Google don't turn purple, but sometimes they do (when I'm not redirected). Also my router is a D-Link 624 if that could help. I saw another thread with someone with the same problem and maybe my router might be infected.

Norton Internet Security did a good job but that was before I updated to 2009 and screwed up by going on bad mean sites and downloading evil stuff lol. So it's entirely my fault and not Norton's. I don't think I need all those programs with NIS 09 but one thing I noticed is that my new update of Norton does not scan all the files, only like 5k~, and it doesn't detect the Trojan DNSChanger.

Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:21 AM, on 06/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Jugaari\Jaadu Connect\JaaduConnect.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Etienne\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [JaaduConnect] "C:\Program Files\Jugaari\Jaadu Connect\JaaduConnect.exe" -autostart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03E9824E-DE16-4197-A257-03A5F6A60649}: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{B15EB333-55F1-48CA-9780-D8940540FA41}: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCC1FFC1-AD8F-4914-8A90-A42E753ABA0E}: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CS1\Services\Tcpip\..\{03E9824E-DE16-4197-A257-03A5F6A60649}: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.93;85.255.112.122
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10412 bytes

Edited by bourn3, 06 December 2008 - 02:35 AM.



#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 08 December 2008 - 07:18 AM

Hello Bourn3 and welcome to BleepingComputer,

Print these instructions or save them to your Desktop as a text file,
since you'll need to reboot in safe mode (without networking support), so you'll be unable to connect here.

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Download SDFix and save it to your Desktop.
DO NOT run it yet !!

Boot your computer in Safe Mode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows window appears, tap the F8 key continually;
  • Instead of loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode (without networking support), then press Enter.
  • Choose your usual account.
Now run SDFix.exe
  • In Safe Mode, double click the SDFix.exe file. Click Install.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to start SDFix.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and may remove files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply.
3. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 bourn3

  • Topic Starter
  • Members
  • 6 posts

Posted 08 December 2008 - 02:34 PM

Thanks but since my last post I followed someone else's reply to someone who had the same problem as me. I used HijackThis to fix:

"O17 - HKLM\System\CCS\Services\Tcpip\..\{03E9824E-DE16-4197-A257-03A5F6A60649}: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{B15EB333-55F1-48CA-9780-D8940540FA41}: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCC1FFC1-AD8F-4914-8A90-A42E753ABA0E}: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CS1\Services\Tcpip\..\{03E9824E-DE16-4197-A257-03A5F6A60649}: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.93;85.255.112.122"

And I reset my router and put a password on it and ran Malwarebytes a couple of times and the problems were fixed; Malwarebytes only detects "trojan.agent" now. But I still do need help. How can I be 100% sure my computer is completely clean? Should I post a HijackThis log or ComboFix log? Or follow all the steps you posted to make sure? I'm asking because during Norton's scan I saw something like "hacktool.unreal", dunno what it was but it wasn't detected as a threat. Sorry Thunder if I acted before you replied.

Edited by bourn3, 08 December 2008 - 02:40 PM.
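The O17 lines quoted in this post are the part of the HijackThis log that matters for a DNS changer: each one is a per-interface or per-control-set NameServer value handing the machine the same two public resolvers instead of the router. The script below is an added example, not code from this thread or from HijackThis: it parses O17 entries out of a log and flags every resolver that is not on an allow-list, grouped by resolver so all the registry keys carrying the override are listed together. The two 85.255.x.x addresses come from the posted log; the allow-list (a router at 192.168.0.1), the all-zero interface GUID in the sample, and the function names are assumptions.

```python
"""Flag rogue DNS resolvers in HijackThis O17 entries (added example)."""
import ipaddress
import re

# Constructed sample in the shape HijackThis prints O17 lines. The two
# 85.255.x.x resolvers are the ones from the posted log; the 192.168.0.1
# line and its all-zero interface GUID are made up to show a benign entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O17 - HKLM\System\CCS\Services\Tcpip\..\{03E9824E-DE16-4197-A257-03A5F6A60649}: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.93;85.255.112.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.0.1
"""

# Assumption: the only resolver this machine should ever be handed is its router.
TRUSTED_RESOLVERS = frozenset({ipaddress.ip_address("192.168.0.1")})

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return a list of (registry_key, [IPv4Address, ...]) for each O17 line.

    NameServer values may hold several addresses separated by ';' (as in
    the posted log) or by ',' or whitespace; tokens that are not valid IP
    addresses are dropped so a garbled line cannot abort the scan.
    """
    entries = []
    for raw in log_text.splitlines():
        match = O17_RE.match(raw.strip())
        if not match:
            continue
        servers = []
        for token in re.split(r"[;,\s]+", match.group("servers")):
            try:
                servers.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # empty or garbled token
        entries.append((match.group("key"), servers))
    return entries


def find_rogue_dns(log_text, trusted=TRUSTED_RESOLVERS):
    """Return (registry_key, ip_string) pairs whose resolver is off the allow-list.

    A statically configured public resolver on a home machine that should
    get DNS from its router is the footprint of a DNS changer, whether or
    not the address is already on a known-bad list.
    """
    return [
        (key, str(ip))
        for key, servers in parse_o17(log_text)
        for ip in servers
        if ip not in trusted
    ]


def rogue_by_server(log_text, trusted=TRUSTED_RESOLVERS):
    """Group rogue entries by resolver so every key that carries the
    override is listed together; in the posted log that is both the CCS
    (CurrentControlSet) and CS1 (ControlSet001) branches."""
    grouped = {}
    for key, ip in find_rogue_dns(log_text, trusted):
        grouped.setdefault(ip, []).append(key)
    return grouped


if __name__ == "__main__":
    for ip, keys in sorted(rogue_by_server(SAMPLE_LOG).items()):
        print(f"rogue resolver {ip} set in {len(keys)} key(s):")
        for key in keys:
            print(f"    {key}")
```

Run against the full log from the first post, this lists all six O17 entries under the two resolvers, which makes the point of the HijackThis fix in this post visible: the override sits in several interface GUIDs and in both control sets, so fixing only the CurrentControlSet entries would leave it to come back. The registry being clean is also only half the check; since the same malware family targets router DNS settings, the router reset and password mentioned in this post cover the other half.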


#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 08 December 2008 - 04:32 PM

No problem, Bourn3 :thumbsup:

And yes, to make sure, I'd like you to follow all steps described above and post the logs.

Make sure Norton is temporarily disabled, because it may falsely indicate some components of those tools as malware,
and subsequently interfere with proper malware removal procedures.

Greetings,
Thunder

#5 bourn3

  • Topic Starter
  • Members
  • 6 posts

Posted 08 December 2008 - 06:02 PM

In safe mode after I installed SDFix I go in the folder c:/sdfix and when I click on runthis.bat nothing happens; all I see is a blue window popping up for a fraction of a second.

#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 08 December 2008 - 06:09 PM

Hello Bourn3,

That's probably because Norton already destroyed the SDFix installer while you downloaded it.
Better try downloading it again, once Norton is disabled.

Greetings,
Thunder

#7 bourn3

  • Topic Starter
  • Members
  • 6 posts

Posted 08 December 2008 - 06:31 PM

Still doesn't work even after I disabled auto protect and disabled Norton in services.

I read about SmitfraudFix; would this work instead of SDFix?

Edit 2: I did some research and apparently SDFix isn't compatible with Vista? Is that true?

Edited by bourn3, 09 December 2008 - 12:37 AM.


#8 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 09 December 2008 - 04:07 AM

Hello Bourn3,

Never mind about SDFix, just continue running ComboFix,
and we'll take it from there. :thumbsup:

Greetings,
Thunder

#9 bourn3

  • Topic Starter
  • Members
  • 6 posts

Posted 09 December 2008 - 10:42 AM

Here is my Combofix log:

ComboFix 08-12-07.01 - Etienne 2008-12-09 10:33:55.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1848 [GMT -5:00]
Running from: c:\users\Etienne\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\KBL.LOG
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-08 18:30 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-12-05 12:56 . 2008-12-05 12:56 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2008-12-05 12:56 . 2008-12-05 12:56 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2008-12-05 12:55 . 2008-12-06 20:22 <DIR> d-------- c:\users\Etienne\AppData\Roaming\SUPERAntiSpyware.com
2008-12-05 12:40 . 2008-12-06 18:54 <DIR> d-------- c:\program files\Norton Support
2008-12-05 00:47 . 2008-12-06 20:21 <DIR> d-------- c:\users\All Users\Lavasoft
2008-12-05 00:47 . 2008-12-06 20:21 <DIR> d-------- c:\programdata\Lavasoft
2008-12-04 18:43 . 2008-12-04 18:43 <DIR> d-------- c:\users\Etienne\AppData\Roaming\Malwarebytes
2008-12-04 18:43 . 2008-12-04 18:43 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-04 18:43 . 2008-12-04 18:43 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-04 18:43 . 2008-12-04 18:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 18:43 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-04 18:43 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-04 17:26 . 2008-12-04 17:26 29,184 --a------ c:\windows\System32\drivers\Ndisprot.sys
2008-12-04 13:46 . 2008-12-04 13:46 <DIR> d-------- c:\program files\Symantec
2008-12-04 13:46 . 2008-12-04 13:46 124,464 --a------ c:\windows\System32\drivers\SYMEVENT.SYS
2008-12-04 13:46 . 2008-12-04 13:45 25,136 -ra------ c:\windows\System32\drivers\SymIMV.sys
2008-12-04 13:46 . 2008-12-04 13:46 10,635 --a------ c:\windows\System32\drivers\SYMEVENT.CAT
2008-12-04 13:46 . 2008-12-04 13:46 806 --a------ c:\windows\System32\drivers\SYMEVENT.INF
2008-12-04 13:44 . 2008-12-04 13:44 <DIR> d-------- c:\windows\System32\drivers\NIS
2008-12-04 13:44 . 2008-12-04 13:44 <DIR> d-------- c:\program files\Norton Internet Security
2008-12-04 13:35 . 2008-12-04 13:35 <DIR> d-------- c:\users\All Users\PCSettings
2008-12-04 13:35 . 2008-12-04 13:46 <DIR> d-------- c:\users\All Users\Norton
2008-12-04 13:35 . 2008-12-04 13:35 <DIR> d-------- c:\programdata\PCSettings
2008-12-04 13:35 . 2008-12-04 13:46 <DIR> d-------- c:\programdata\Norton
2008-12-04 13:32 . 2008-12-04 13:32 <DIR> d-------- c:\users\All Users\NortonInstaller
2008-12-04 13:32 . 2008-12-04 13:32 <DIR> d-------- c:\programdata\NortonInstaller
2008-12-04 13:32 . 2008-12-04 13:32 <DIR> d-------- c:\program files\NortonInstaller
2008-12-04 13:30 . 2008-12-04 13:30 <DIR> d-------- c:\users\All Users\Symantec Temporary Files
2008-12-04 13:30 . 2008-12-04 13:30 <DIR> d-------- c:\programdata\Symantec Temporary Files
2008-11-28 13:41 . 2008-11-28 13:41 <DIR> d-------- c:\users\Etienne\AppData\Roaming\SystemRequirementsLab
2008-11-26 00:34 . 2008-10-21 00:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 00:34 . 2008-08-27 22:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 00:34 . 2008-08-27 22:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 00:34 . 2008-08-27 22:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 00:34 . 2008-10-21 22:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 23:56 . 2008-11-25 23:56 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 23:56 . 2008-11-25 23:56 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 23:56 . 2008-11-25 23:56 <DIR> d-------- c:\program files\iTunes
2008-11-25 23:56 . 2008-11-25 23:56 <DIR> d-------- c:\program files\iPod
2008-11-25 23:54 . 2008-11-25 23:54 <DIR> d-------- c:\program files\QuickTime
2008-11-25 01:00 . 2008-12-04 17:34 297,260,972 --a------ c:\windows\MEMORY.DMP
2008-11-23 15:32 . 2008-11-23 15:32 0 --ah----- c:\windows\System32\drivers\Msft_Kernel_xusb21_01005.Wdf
2008-11-23 15:31 . 2008-11-23 15:31 873,310 --a------ c:\windows\System32\oem34.inf
2008-11-23 15:29 . 2008-11-23 15:29 <DIR> d-------- c:\program files\Jugaari
2008-11-22 18:09 . 2008-12-02 17:22 <DIR> d-------- c:\users\Etienne\Roms
2008-11-22 18:08 . 2008-11-22 18:08 <DIR> d-------- c:\program files\Project64 1.6
2008-11-22 18:04 . 2007-02-26 20:15 1,421,216 --a------ c:\windows\System32\WdfCoInstaller01001.dll
2008-11-22 18:04 . 2008-11-22 18:04 0 --ah----- c:\windows\System32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-11-22 01:15 . 2008-10-05 17:31 <DIR> d-------- C:\driver
2008-11-22 01:15 . 2008-10-05 17:30 23,488 --a------ c:\windows\System32\mv2.dll
2008-11-22 01:15 . 2008-10-05 17:30 11,712 --a------ c:\windows\System32\drivers\mv2.sys
2008-11-22 00:32 . 2008-11-22 00:45 <DIR> d-------- c:\program files\UltraVNC
2008-11-21 19:55 . 2008-11-21 19:55 <DIR> d-------- c:\program files\GameSpy Arcade
2008-11-21 19:36 . 2008-11-21 23:16 <DIR> d-------- c:\program files\SystemRequirementsLab
2008-11-20 17:26 . 2008-11-20 17:26 <DIR> d-------- c:\program files\DemoForge
2008-11-20 00:59 . 2008-11-20 00:59 873,152 --a------ c:\windows\System32\oem28.inf
2008-11-20 00:51 . 2008-11-20 00:51 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-20 00:39 . 2008-11-20 00:39 <DIR> d-------- c:\users\Etienne\AppData\Roaming\SlySoft
2008-11-20 00:31 . 2008-11-20 00:31 <DIR> d-------- c:\users\Etienne\AppData\Roaming\DivX
2008-11-20 00:30 . 2008-11-20 00:30 <DIR> d-------- c:\users\Public\CyberLink
2008-11-20 00:30 . 2008-11-20 00:31 <DIR> d-------- c:\users\Etienne\AppData\Roaming\CyberLink
2008-11-19 23:51 . 2008-11-20 00:16 24 ---hs---- c:\windows\SCE58722A.tmp
2008-11-19 23:49 . 2008-11-19 23:49 <DIR> d-------- c:\program files\SlySoft
2008-11-19 23:45 . 2008-11-19 23:45 <DIR> d-------- c:\program files\PowerISO
2008-11-19 20:41 . 2008-07-15 20:32 2,048 --a------ c:\windows\System32\tzres.dll
2008-11-19 19:08 . 2008-11-19 19:08 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-19 18:42 . 2008-12-07 18:22 <DIR> d-------- c:\users\Etienne\iPhone Apps
2008-11-19 18:25 . 2008-11-19 18:25 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-19 17:57 . 2008-11-19 18:00 <DIR> d-------- c:\users\All Users\OrbNetworks
2008-11-19 17:57 . 2008-11-19 18:00 <DIR> d-------- c:\programdata\OrbNetworks
2008-11-19 17:57 . 2008-11-19 17:57 <DIR> d-------- c:\program files\Orb Networks
2008-11-19 17:28 . 2008-12-03 00:40 28,029 --a------ c:\users\Etienne\AppData\Roaming\nvModes.dat
2008-11-19 17:21 . 2008-11-19 17:21 <DIR> d-------- c:\users\All Users\AOL
2008-11-19 17:21 . 2008-11-19 17:21 <DIR> d-------- c:\programdata\AOL
2008-11-19 17:18 . 2008-11-19 17:18 <DIR> d-------- c:\users\Etienne\Bluetooth Software
2008-11-19 17:18 . 2008-11-19 17:18 <DIR> d-------- c:\users\Etienne\AppData\Roaming\Symantec
2008-11-19 17:17 . 2008-11-19 17:17 <DIR> dr------- c:\users\Etienne\Searches
2008-11-19 17:17 . 2008-12-07 18:44 <DIR> dr------- c:\users\Etienne\Contacts
2008-11-19 17:17 . 2008-11-19 17:17 81 --a------ c:\windows\System32\LOG
2008-11-19 17:17 . 2008-11-19 17:17 44 --a------ c:\windows\system\hpsysdrv.dat
2008-11-19 17:13 . 2008-11-26 18:17 <DIR> d-------- c:\users\Etienne\AppData\Roaming\Hewlett-Packard
2008-11-19 17:10 . 2006-10-26 22:56 32,592 --a------ c:\windows\System32\msonpmon.dll
2008-11-19 17:09 . 2008-11-19 17:09 <DIR> d-------- c:\windows\PCHEALTH
2008-11-19 17:09 . 2008-11-19 17:09 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-19 17:08 . 2008-11-19 17:08 <DIR> d-------- c:\users\All Users\Viewpoint
2008-11-19 17:08 . 2008-11-24 23:20 <DIR> d-------- c:\users\All Users\Microsoft Help
2008-11-19 17:08 . 2008-11-19 17:08 <DIR> d-------- c:\programdata\Viewpoint
2008-11-19 17:08 . 2008-11-24 23:20 <DIR> d-------- c:\programdata\Microsoft Help
2008-11-19 17:08 . 2008-11-19 17:08 <DIR> d-------- c:\program files\Viewpoint
2008-11-19 17:08 . 2008-11-19 17:08 <DIR> dr-h----- C:\MSOCache
2008-11-19 17:07 . 2008-11-19 17:08 377 --ah----- C:\IPH.PH
2008-11-19 17:06 . 2008-11-19 17:07 <DIR> d-------- c:\program files\Microsoft Works
2008-11-19 16:59 . 2008-11-19 16:59 <DIR> d-------- c:\users\All Users\HP
2008-11-19 16:59 . 2008-11-19 16:59 <DIR> d-------- c:\programdata\HP
2008-11-19 16:59 . 2008-11-19 16:59 <DIR> d-------- c:\program files\Common Files\HP
2008-11-19 16:59 . 2008-11-19 17:00 101,605 --a------ c:\windows\hpqins13.dat
2008-11-19 16:58 . 2008-11-19 16:58 <DIR> d-------- c:\users\Etienne\AppData\Roaming\GTek
2008-11-19 16:58 . 2008-11-20 03:01 <DIR> d-------- c:\users\All Users\Adobe
2008-11-19 16:58 . 2008-11-20 03:01 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-19 16:57 . 2008-11-19 16:57 <DIR> d-------- c:\program files\Common Files\LightScribe
2008-11-19 16:56 . 2008-11-19 16:56 838,094 --a------ c:\windows\System32\oem23.inf
2008-11-19 16:55 . 2008-11-25 01:05 <DIR> dr------- c:\users\Etienne\Videos
2008-11-19 16:55 . 2008-11-19 17:17 <DIR> dr------- c:\users\Etienne\Saved Games
2008-11-19 16:55 . 2008-12-03 20:59 <DIR> dr------- c:\users\Etienne\Pictures
2008-11-19 16:55 . 2008-11-28 00:42 <DIR> d-------- c:\users\Etienne\Music
2008-11-19 16:55 . 2008-11-19 17:17 <DIR> dr------- c:\users\Etienne\Links
2008-11-19 16:55 . 2008-12-09 00:21 <DIR> d-------- c:\users\Etienne\Downloads
2008-11-19 16:55 . 2008-12-04 15:37 <DIR> dr------- c:\users\Etienne\Documents
2008-11-19 16:55 . 2006-11-02 07:37 <DIR> d-------- c:\users\Etienne\AppData\Roaming\Media Center Programs
2008-11-19 16:55 . 2008-11-19 16:55 <DIR> d-------- c:\users\Etienne\AppData\Roaming\InstallShield
2008-11-19 16:55 . 2008-11-19 16:55 <DIR> d--h----- c:\users\Etienne\AppData
2008-11-19 16:55 . 2008-12-04 13:46 <DIR> d-------- c:\users\Etienne
2008-11-19 16:55 . 2008-11-19 16:55 <DIR> d-------- c:\program files\Broadcom
2008-11-19 16:55 . 2008-11-19 16:55 0 -rahs---- c:\windows\System32\drivers\103C_HP_cNB_Pavilion dv9700 Notebook PC_Y5335KV_0U_QCNF81733KR_E480576-122_4A_I30D1_SQuanta_V85.26_F.2F_T080423_WV3-1_L409_M3007_J250_7AMD_8F82_92.00_#081119_N14E44328;10DE054C_(KN871UA#ABC)_XMOBILE_CN10_Z.MRK
2008-11-19 16:51 . 2004-06-26 13:22 6,016 --a------ c:\windows\System32\drivers\vnccom.SYS
2008-11-19 16:51 . 2008-11-19 16:51 31 --a------ c:\windows\System32\'
2008-11-19 16:50 . 2005-06-10 22:02 12,800 --a------ c:\windows\System32\vncdrv.dll
2008-11-19 16:50 . 2004-06-26 13:21 5,760 --a------ c:\windows\System32\vnchelp.dll
2008-11-19 16:50 . 2004-06-26 13:22 4,736 --a------ c:\windows\System32\drivers\vncdrv.sys
2008-11-19 16:38 . 2008-11-28 00:42 <DIR> d-------- c:\users\Etienne\Incomplete
2008-11-19 16:36 . 2008-11-28 01:11 <DIR> d-------- c:\users\Etienne\AppData\Roaming\LimeWire
2008-11-19 16:36 . 2008-11-19 16:36 <DIR> d-------- c:\program files\LimeWire
2008-11-19 16:05 . 2008-12-09 10:27 <DIR> d-------- c:\users\Etienne\AppData\Roaming\uTorrent
2008-11-19 16:05 . 2008-11-19 16:05 <DIR> d-------- c:\program files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 19:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-04 18:41 --------- d-----w c:\programdata\Symantec
2008-11-29 03:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 23:19 --------- d-----w c:\program files\Hewlett-Packard
2008-11-26 23:14 --------- d-----w c:\program files\HP
2008-11-22 00:54 --------- d-----w c:\program files\Microsoft Games
2008-11-20 06:01 --------- d-----w c:\programdata\NVIDIA
2008-11-20 05:55 --------- d-----w c:\program files\CONEXANT
2008-11-20 05:40 --------- d-----w c:\program files\CyberLink
2008-11-20 02:42 --------- d-----w c:\programdata\CyberLink
2008-11-20 01:51 --------- d-----w c:\program files\Windows Mail
2008-11-19 22:33 --------- d-----w c:\programdata\WildTangent
2008-11-19 22:18 --------- d-----w c:\programdata\Hewlett-Packard
2008-11-19 21:57 --------- d-----w c:\program files\HPQ
2008-11-02 08:44 56,572 ----a-w c:\windows\system32\drivers\scdemu.sys
2008-10-28 22:36 823,296 ----a-w c:\windows\System32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\System32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\System32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\System32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\System32\DivX.dll
2008-10-23 07:16 87,280 ----a-w c:\windows\System32\bcmwlcoi.dll
2008-10-23 07:16 3,809,280 ----a-w c:\windows\System32\bcmihvsrv.dll
2008-10-23 07:16 3,502,080 ----a-w c:\windows\System32\bcmihvui.dll
2008-10-23 07:16 1,331,192 ----a-w c:\windows\system32\drivers\BCMWL6.SYS
2008-09-30 21:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\System32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\System32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\System32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\System32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\System32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\System32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\System32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\System32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\System32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\System32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\System32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\System32\DivXWMPExtType.dll
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"JaaduConnect"="c:\program files\Jugaari\Jaadu Connect\JaaduConnect.exe" [2008-10-30 598016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-19 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-09-05 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 14:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-11-02 03:38 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-20 21:23 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B55B35B5-1C7E-4CA2-A73D-C2B051346BBD}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{20418A82-B72F-4305-9359-87E3D524734C}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{7A98F3B5-875C-4280-8F53-6DFD16912E9A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{C067A2B7-29D1-4339-B46B-DEAEEDA61101}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A1BE7846-FB41-41D1-B90E-5ABA7ECD0414}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C2B03AAB-1D9A-48FC-9F33-DD42CC800D1B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{53B468CF-F552-4B8C-B26F-E213AEEDFCB3}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7BC4FC4F-0301-4F84-AED3-5BA05F25BA98}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{15499433-9637-447A-9829-C5079885B078}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{6694659B-1C0B-4765-9839-82F2C517EEAB}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{6C503954-992F-49C9-9FE5-EEF5F05F4591}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{BAE2420A-6233-403C-A7FF-BDD6B9D36799}"= UDP:c:\program files\Orb Networks\Orb\bin\Orb.exe:Orb
"{8448AF53-8520-402E-9300-90379334F12C}"= TCP:c:\program files\Orb Networks\Orb\bin\Orb.exe:Orb
"{E676D509-32B3-4815-9D99-EFBA495B84B2}"= UDP:c:\program files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{A5CA7C87-6F92-4A0F-A01D-E390940B1421}"= TCP:c:\program files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{61CD3F0B-D586-4CE3-9FC6-07AAAE244E40}"= UDP:c:\program files\Orb Networks\Orb\bin\OrbIR.exe:OrbIR
"{D011A40B-05FA-4C65-813E-8BD0D8C64591}"= TCP:c:\program files\Orb Networks\Orb\bin\OrbIR.exe:OrbIR
"{B8D809D5-5BA7-4B56-AB54-14D10D15D493}"= UDP:c:\program files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{CF3CADF3-7734-4969-B4BD-567215F69DC6}"= TCP:c:\program files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{7FCBBB5E-BA96-456B-82E1-D57D23437A5B}"= UDP:c:\program files\Orb Networks\Orb\bin\xmltv.exe:OrbTVGuide
"{2C291D48-8D7C-476A-AF0A-7B6EAB8135D2}"= TCP:c:\program files\Orb Networks\Orb\bin\xmltv.exe:OrbTVGuide
"{FDDA0311-171B-46BD-9299-36035EAE2DD7}"= UDP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{D09D1CD8-CF92-43DA-8A0D-C34D6219263C}"= TCP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{E4BC4FAC-2641-4D5B-A4AC-E32ACF4A55BB}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{1399B683-1AE0-4FE3-ADC2-6E2A67D355AD}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1001000.021\SYMEFA.SYS [2008-12-04 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NIS\1001000.021\BHDrvx86.sys [2008-12-04 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NIS\1001000.021\ccHPx86.sys [2008-12-04 362544]
R1 IDSVix86;IDSVix86;\??\c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081205.001\IDSvix86.sys [2008-12-08 289840]
R2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 uvnc_service;uvnc_service;"c:\program files\UltraVNC\WinVNC.exe" -service [2008-11-22 1519168]
R3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys [2005-11-25 31896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-04 99376]
R3 mv2;mv2;c:\windows\system32\DRIVERS\mv2.sys [2008-11-22 11712]
R3 SYMNDISV;SYMNDISV;\??\c:\windows\system32\drivers\NIS\1001000.021\SYMNDISV.SYS [2008-12-04 40496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinVNC - c:\program files\TightVNC\WinVNC.exe
MSConfigStartUp-Auto LogOff - c:\program files\Turn Off Monitor\AutoLogOff.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSConfigStartUp-Turn Off Monitor - c:\program files\Turn Off Monitor\TurnOffMon.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

c:\windows\Downloaded Program Files\sysreqlab_srl.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
c:\windows\Downloaded Program Files\sysreqlab.osd
FireFox -: Profile - c:\users\Etienne\AppData\Roaming\Mozilla\Firefox\Profiles\hhs0dfcy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 10:35:27
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-09 10:36:18
ComboFix-quarantined-files.txt 2008-12-09 15:36:15

Pre-Run: 164,236,931,072 bytes free
Post-Run: 164,252,581,888 bytes free

318 --- E O F --- 2008-11-27 23:28:29
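The ComboFix block above is the kind of listing that gets read by hand in these threads. As an added example for this thread (not code from the original posts and not from ComboFix itself), the Python script below parses the "Reg Loading Points" section and pulls out the items an analyst checks first: the autostart entries with their binaries, the per-profile Windows Firewall state, the Security Center monitoring flags and any service whose image is a remote-control tool. The sample input is a constructed excerpt of the log above; the key names are the ones ComboFix printed, the function names and the VNC heuristic are this example's own. Note that a disabled Windows Firewall on all three profiles and DisableMonitoring=1 are also what a third-party suite such as Norton Internet Security sets when it supplies its own firewall, so the script reports them as items to verify, not as proof of infection.

```python
"""Triage the "Reg Loading Points" block of a ComboFix log.

Added example for this thread, not part of the original posts and not
code from ComboFix. Key names follow the log above; the helper names and
the remote-control heuristic are this example's own assumptions.
"""
import re

# Sample input (constructed for this example): an excerpt of the log posted
# in this thread, reduced to the keys the triage looks at.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"JaaduConnect"="c:\program files\Jugaari\Jaadu Connect\JaaduConnect.exe" [2008-10-30 598016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 uvnc_service;uvnc_service;"c:\program files\UltraVNC\WinVNC.exe" -service [2008-11-22 1519168]
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')
# ComboFix service lines: "<start type> <name>;<display name>;<image> [<date> <size>]"
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
                        r'(?P<image>.+?)(?:\s+\[[^\]]*\])?$')
TRAILING_STAMP_RE = re.compile(r'\s*\[[^\]]*\]\s*$')   # the " [2008-01-20 125952]" suffix


def parse_reg_points(text):
    """Return ({key: {value name: data}}, [service dicts]) for one log block."""
    keys, services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({'start': m.group('start'), 'name': m.group('name'),
                             'image': m.group('image')})
            current = None          # service lines are not inside a registry key
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group('name')] = m.group('data')
    return keys, services


def autostart_entries(keys):
    """(key, value name, binary path) for every value under a ...\\Run key."""
    out = []
    for key, values in keys.items():
        if not key.lower().endswith('\\run'):
            continue
        for name, data in values.items():
            path = TRAILING_STAMP_RE.sub('', data).strip().strip('"')
            out.append((key, name, path))
    return out


def firewall_state(keys):
    """Profile name -> True when EnableFirewall is non-zero for that profile."""
    state = {}
    for key, values in keys.items():
        m = re.search(r'firewallpolicy\\(\w+Profile)$', key, re.IGNORECASE)
        if m and 'EnableFirewall' in values:
            state[m.group(1)] = int(values['EnableFirewall'].split()[0]) != 0
    return state


def monitoring_disabled(keys):
    """Security Center components (last key component) with DisableMonitoring=1."""
    return [key.rsplit('\\', 1)[-1]
            for key, values in keys.items()
            if 'security center\\monitoring' in key.lower()
            and values.get('DisableMonitoring', '').lower().endswith('00000001')]


def triage(text):
    """Human-readable review items; each is a flag for the analyst, not a verdict."""
    keys, services = parse_reg_points(text)
    findings = []
    for profile, enabled in sorted(firewall_state(keys).items()):
        if not enabled:
            findings.append('Windows Firewall off for %s' % profile)
    for component in monitoring_disabled(keys):
        findings.append('Security Center monitoring off: %s' % component)
    for svc in services:
        if 'vnc' in svc['image'].lower():   # remote-control tool running as a service
            findings.append('review remote-access service %s -> %s' % (svc['name'], svc['image']))
    for key, name, path in autostart_entries(keys):
        findings.append('autostart %s = %s' % (name, path))
    return findings


if __name__ == '__main__':
    for item in triage(SAMPLE_LOG):
        print(item)
```

Run it as-is to triage the embedded excerpt, or replace SAMPLE_LOG with the text of a real ComboFix.txt from "Reg Loading Points" down to the service list; the autostart entries are printed with their resolved paths so each binary can be checked against what is actually installed, as the HKLM-Run-WinVNC orphan in the log above was.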

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:35 PM

Posted 09 December 2008 - 10:54 AM

Hello Bourn3,

Your logs look quite good :thumbsup:

Are you still having problems?

If not, you can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your JavaVM is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the Download button to the right of Java SE Runtime Environment (JRE) 6 Update 11 (first option).
  • Select your Platform (Windows version) and check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click "Continue" and the page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted and make a difference

#11 bourn3

bourn3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 09 December 2008 - 11:29 AM

Everything seems fine. Thanks a lot for your time. With Norton Internet Security 2009, unless I download something bad and/or execute it, I shouldn't get infected right? I'll be more careful next time. Thanks again.

#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:35 PM

Posted 09 December 2008 - 01:22 PM

Glad we could help, Bourn3 :thumbsup:

With Norton Internet Security 2009, unless I download something bad and/or execute it, I shouldn't get infected right?

As a matter of fact, no security pack offers 100 % protection!
To avoid getting infected, especially by brand new, unknown malware, your best bet is your own common sense. :)

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



