
Possible trojan (muldrop?) and/or malware


  • This topic is locked
17 replies to this topic

#1 C47FSN

C47FSN

  • Members
  • 74 posts
  • OFFLINE
  • Local time:01:13 PM

Posted 01 April 2009 - 01:16 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/214397/foreign-picschanges-to-website/ ~ OB

Hello. I have been directed here after help from someone else. Originally I posted about some small changes to Firefox (specifically one website - GameSpot), and also some keyboard problems that only occurred in the web browser. There were strange pictures and other elements on the web page that I knew didn't belong. Then I realized the foreign pictures were from other web sites I had been to. Any text typed in the browser was not quite right. Certain keys were producing incorrect characters.

Before I looked for help, I scanned with Avast, and then Spybot. The problems persisted so I came here.
Following the instructions I:

downloaded ATF Cleaner and ran it
downloaded SUPERAntiSpyware and scanned - posted the results:

Adware.Tracking Cookie
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Cookies\Low\chris@revsci[1].txt
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Cookies\Low\chris@richmedia.yahoo[2].txt
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Cookies\Low\chris@tacoda[2].txt

downloaded Malwarebytes' Anti-Malware and scanned - posted the results
downloaded Dr.Web CureIt and scanned - posted the results:

RegUBP2b-Chris.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
SpellForce_Patch_v152a.exe\data025;C:\Documents and Settings\Chris\Downloads\SpellForce_Patch_v152a.exe;Adware.PeerNet.2;;
SpellForce_Patch_v152a.exe\data027;C:\Documents and Settings\Chris\Downloads\SpellForce_Patch_v152a.exe;Adware.PeerNet.2;;
SpellForce_Patch_v152a.exe;C:\Documents and Settings\Chris\Downloads;Archive contains infected objects;Moved.;
Setup.exe\data053;C:\Program Files\Online Services\Netscape_ca\Setup.exe;Trojan.MulDrop.origin;;
Setup.exe;C:\Program Files\Online Services\Netscape_ca;Archive contains infected objects;Moved.;

At this point in the process, I was directed here.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Chris at 13:39:42.53 on 01/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_03
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2047.822 [GMT -4:00]

AV: avast! antivirus 4.8.1201 [VPS 081112-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\jureg.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Chris\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: []
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SiteAdvisor] "c:\program files\siteadvisor\6261\SiteAdv.exe"
mRun: [SSI] c:\progra~1\trisna~1\ssi\ssi /s
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\chris\appdata\roaming\micros~1\windows\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: {6D04C7BD-9F59-4677-A71B-A2EBCD759451} = 64.71.255.198
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\h1yrtpg1.default\
FF - prefs.js: browser.search.selectedEngine - qtl
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-8 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-8 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-1-8 51792]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-11 1153368]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]

=============== Created Last 30 ================

2009-03-30 08:57 --d----- c:\users\chris\DoctorWeb
2009-03-28 01:51 --d----- c:\users\chris\appdata\roaming\IObit
2009-03-28 01:51 --d----- c:\program files\IObit
2009-03-27 20:43 --d----- c:\programdata\SUPERAntiSpyware.com
2009-03-27 20:43 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-03-27 20:42 --d----- c:\users\chris\appdata\roaming\SUPERAntiSpyware.com
2009-03-27 20:42 --d----- c:\program files\SUPERAntiSpyware
2009-03-27 20:42 --d----- c:\program files\common files\Wise Installation Wizard
2009-03-27 01:56 --d----- c:\users\chris\appdata\roaming\Malwarebytes
2009-03-27 01:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 01:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 01:56 --d----- c:\programdata\Malwarebytes
2009-03-27 01:56 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 01:56 --d----- c:\progra~2\Malwarebytes
2009-03-24 23:02 --d----- c:\programdata\Age of Empires 3
2009-03-24 23:02 --d----- c:\progra~2\Age of Empires 3
2009-03-24 22:48 --d----- c:\program files\common files\Microsoft Games
2009-03-24 22:35 --d----- c:\program files\Age of Empires III
2009-03-24 22:30 --d----- c:\users\chris\appdata\roaming\DAEMON Tools Pro
2009-03-24 22:29 --d----- c:\programdata\DAEMON Tools Lite
2009-03-24 22:29 --d----- c:\progra~2\DAEMON Tools Lite
2009-03-24 22:29 --d----- c:\program files\DAEMON Tools Lite
2009-03-24 22:06 --d----- c:\users\chris\appdata\roaming\DAEMON Tools Lite
2009-03-24 14:14 --d----- c:\users\chris\Veoh
2009-03-24 14:14 --d----- c:\program files\Veoh Networks
2009-03-11 00:59 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 00:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 00:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 00:59 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 00:59 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 00:59 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-03-24 22:07 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-02-05 16:06 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-01-15 15:23 12,800 a------- c:\windows\help\oem\scripts\HCDownloadApp.exe
2009-01-15 02:11 827,392 a------- c:\windows\system32\wininet.dll
2008-11-11 18:38 174 a--sh--- c:\program files\desktop.ini
2008-11-11 18:34 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-11 18:34 86,016 a------- c:\windows\inf\infstor.dat
2008-11-11 18:34 51,200 a------- c:\windows\inf\infpub.dat
2008-11-11 18:22 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-11 22:36 0 a------- c:\users\chris\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-01-08 19:20 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 13:40:21.22 ===============

I think that's as informative as I can be. Thank you,

Chris

Edited by Orange Blossom, 01 April 2009 - 04:16 PM.
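The Dr.Web CureIt results quoted in the first post are semicolon-separated records of the form `object;location;verdict;action;`, where an archive member is written as `archive.exe\dataNNN` with the archive's full path in the second field, while the archive itself appears as a separate top-level record carrying the action (`Moved.`, `Deleted.`). The following parser is an added example, not part of the thread or of Dr.Web's own tooling: it reads those lines into records, folds archive members back onto their container, and lists files that received a threat verdict but no recorded action, which is what a helper triaging such a log wants to know first. The class and function names (`Detection`, `parse_cureit`, `triage_summary`, `unresolved`) are this example's own, and the last sample line is constructed to show the unresolved case.

```python
"""Parse Dr.Web CureIt result lines into a per-file triage summary.

Added example, not part of the forum thread and not Dr.Web's own code. The
field layout object;location;verdict;action; is read off the lines quoted in
the post; all identifiers below are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Six lines are the ones quoted in the post; the last line is CONSTRUCTED to
# exercise the "verdict but no action" case and is not from the log.
SAMPLE = r"""
RegUBP2b-Chris.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
SpellForce_Patch_v152a.exe\data025;C:\Documents and Settings\Chris\Downloads\SpellForce_Patch_v152a.exe;Adware.PeerNet.2;;
SpellForce_Patch_v152a.exe\data027;C:\Documents and Settings\Chris\Downloads\SpellForce_Patch_v152a.exe;Adware.PeerNet.2;;
SpellForce_Patch_v152a.exe;C:\Documents and Settings\Chris\Downloads;Archive contains infected objects;Moved.;
Setup.exe\data053;C:\Program Files\Online Services\Netscape_ca\Setup.exe;Trojan.MulDrop.origin;;
Setup.exe;C:\Program Files\Online Services\Netscape_ca;Archive contains infected objects;Moved.;
example-only.tmp;C:\Users\Chris\AppData\Local\Temp;Constructed.Test.Verdict;;
"""


@dataclass
class Detection:
    obj: str        # object name; "Setup.exe\data053" denotes a member of Setup.exe
    location: str   # directory for a top-level file, archive path for a member
    verdict: str    # scanner verdict, e.g. "Trojan.MulDrop.origin"
    action: str     # "Moved.", "Deleted." or "" when nothing was done

    @property
    def container(self) -> Optional[str]:
        """Name of the archive holding this object, or None for a top-level file."""
        top, sep, _ = self.obj.partition("\\")
        return top if sep else None

    @property
    def path(self) -> str:
        """Full path of the on-disk file this record belongs to."""
        if self.container is None:
            return self.location.rstrip("\\") + "\\" + self.obj
        return self.location  # for members the second field is already the archive path


@dataclass
class FileSummary:
    verdicts: set[str] = field(default_factory=set)  # threat names attached to the file
    action: str = ""                                 # action recorded on the file itself


def parse_cureit(text: str) -> list[Detection]:
    """Split each non-empty line into its first four semicolon-separated fields."""
    records: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4:
            raise ValueError(f"unexpected Dr.Web line: {raw!r}")
        records.append(Detection(*fields[:4]))
    return records


def triage_summary(records: list[Detection]) -> dict[str, FileSummary]:
    """Group detections by on-disk file.

    Archive members carry the verdict but no action; the action sits on the
    archive's own record, whose verdict is only the generic "Archive contains
    infected objects". Folding members onto the container gives one entry per
    file with the real threat names and the action actually taken.
    """
    summary: dict[str, FileSummary] = {}
    for d in records:
        entry = summary.setdefault(d.path, FileSummary())
        if d.container is None:
            entry.action = d.action
            if not d.verdict.startswith("Archive contains"):
                entry.verdicts.add(d.verdict)
        else:
            entry.verdicts.add(d.verdict)
    return summary


def unresolved(summary: dict[str, FileSummary]) -> list[str]:
    """Files that were given a threat verdict but have no recorded action."""
    return sorted(p for p, e in summary.items() if e.verdicts and not e.action)


if __name__ == "__main__":
    for path, entry in triage_summary(parse_cureit(SAMPLE)).items():
        print(f"{path}\n    verdicts={sorted(entry.verdicts)} action={entry.action or 'none'}")
    print("unresolved:", unresolved(triage_summary(parse_cureit(SAMPLE))))
```

Run as a script it prints one entry per file; the `unresolved` list is the part worth acting on, since a file that CureIt named but did not move or delete is still where the scanner found it.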



#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:01:13 PM

Posted 08 April 2009 - 06:06 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 C47FSN

C47FSN
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:01:13 PM

Posted 09 April 2009 - 05:38 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Chris at 18:27:23.98 on 09/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_03
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2047.909 [GMT -4:00]

AV: avast! antivirus 4.8.1201 [VPS 081112-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\jureg.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Chris\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SiteAdvisor] "c:\program files\siteadvisor\6261\SiteAdv.exe"
mRun: [SSI] c:\progra~1\trisna~1\ssi\ssi /s
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\chris\appdata\roaming\micros~1\windows\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: {6D04C7BD-9F59-4677-A71B-A2EBCD759451} = 64.71.255.198
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\h1yrtpg1.default\
FF - prefs.js: browser.search.selectedEngine - qtl
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-8 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-8 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-1-8 51792]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-11 1153368]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]

=============== Created Last 30 ================

2009-03-30 08:57 <DIR> --d----- c:\users\chris\DoctorWeb
2009-03-28 01:51 <DIR> --d----- c:\users\chris\appdata\roaming\IObit
2009-03-28 01:51 <DIR> --d----- c:\program files\IObit
2009-03-27 20:43 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-03-27 20:43 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-03-27 20:42 <DIR> --d----- c:\users\chris\appdata\roaming\SUPERAntiSpyware.com
2009-03-27 20:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-27 20:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-27 01:56 <DIR> --d----- c:\users\chris\appdata\roaming\Malwarebytes
2009-03-27 01:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 01:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 01:56 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-27 01:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 01:56 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-24 23:02 <DIR> --d----- c:\programdata\Age of Empires 3
2009-03-24 23:02 <DIR> --d----- c:\progra~2\Age of Empires 3
2009-03-24 22:48 <DIR> --d----- c:\program files\common files\Microsoft Games
2009-03-24 22:35 <DIR> --d----- c:\program files\Age of Empires III
2009-03-24 22:30 <DIR> --d----- c:\users\chris\appdata\roaming\DAEMON Tools Pro
2009-03-24 22:29 <DIR> --d----- c:\programdata\DAEMON Tools Lite
2009-03-24 22:29 <DIR> --d----- c:\progra~2\DAEMON Tools Lite
2009-03-24 22:29 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-03-24 22:06 <DIR> --d----- c:\users\chris\appdata\roaming\DAEMON Tools Lite
2009-03-24 14:14 <DIR> --d----- c:\users\chris\Veoh
2009-03-24 14:14 <DIR> --d----- c:\program files\Veoh Networks
2009-03-11 00:59 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 00:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 00:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 00:59 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 00:59 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 00:59 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-03-24 22:07 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-15 15:23 12,800 a------- c:\windows\help\oem\scripts\HCDownloadApp.exe
2009-01-15 02:11 827,392 a------- c:\windows\system32\wininet.dll
2008-11-11 18:38 174 a--sh--- c:\program files\desktop.ini
2008-11-11 18:34 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-11 18:34 86,016 a------- c:\windows\inf\infstor.dat
2008-11-11 18:34 51,200 a------- c:\windows\inf\infpub.dat
2008-11-11 18:22 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-11 22:36 0 a------- c:\users\chris\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-01-08 19:20 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 18:27:53.48 ===============

Since the last time I ran DDS, the only difference in the computer is the mouse cursor has started to get stuck, and delay a bit. Sometimes it's for a split second, while other times it can be a second or two or three. Not sure if this matters, but it wasn't happening until a day or two ago.

Thanks,

Chris.




#4 Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:13 PM

Posted 10 April 2009 - 01:53 PM

Hi C47FSN,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

The second log is broken and not easy to read. Please use Notepad to post the logs, and make sure Wordwrap under the File menu is not selected. Also use the ADDREPLY button instead of FASTREPLY.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. We are not here to pass judgment on file-sharing as a concept. But file-sharing is used to infect users, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p download folders. They might contain infected files. Please avoid using these p2p applications or uninstall them. Using these applications at this stage might lead to reinfection or infecting other users.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start => Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. To do that:
      • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
      • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
      • Repeat as many times as necessary to remove each Java version.
      • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    Note 1. If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    Note 2. The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • You may want to keep this small application and use it to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Open CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Close all open windows, including Internet Explorer, and click Run Cleaner.
    • Close CCleaner.
  • Please download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Set the list of files/folders created to 3 Months and click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
      • log.txt (<<will be maximized)
      • info.txt (<<will be minimized).
    • Please copy and paste the content of just log.txt to your reply. No need for info.txt

      Note 1: If you have difficulty finding the log, it is in this folder: C:\rsit

      Note 2: The tool takes no more than one minute to scan the system.
You might want to save this page to your favorites, so you can find it again when you return.

Please include in your next reply:
  • The RSIT log.
  • Any comment or feedback about the current condition of your computer.


#5 C47FSN

  • Topic Starter

  • Members
  • 74 posts
  • Local time:01:13 PM

Posted 10 April 2009 - 03:41 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Chris at 18:27:23.98 on 09/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_03
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2047.909 [GMT -4:00]

AV: avast! antivirus 4.8.1201 [VPS 081112-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\jureg.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Chris\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SiteAdvisor] "c:\program files\siteadvisor\6261\SiteAdv.exe"
mRun: [SSI] c:\progra~1\trisna~1\ssi\ssi /s
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\chris\appdata\roaming\micros~1\windows\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: {6D04C7BD-9F59-4677-A71B-A2EBCD759451} = 64.71.255.198
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\h1yrtpg1.default\
FF - prefs.js: browser.search.selectedEngine - qtl
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-8 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-8 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-1-8 51792]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-11 1153368]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]

=============== Created Last 30 ================

2009-03-30 08:57 <DIR> --d----- c:\users\chris\DoctorWeb
2009-03-28 01:51 <DIR> --d----- c:\users\chris\appdata\roaming\IObit
2009-03-28 01:51 <DIR> --d----- c:\program files\IObit
2009-03-27 20:43 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-03-27 20:43 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-03-27 20:42 <DIR> --d----- c:\users\chris\appdata\roaming\SUPERAntiSpyware.com
2009-03-27 20:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-27 20:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-27 01:56 <DIR> --d----- c:\users\chris\appdata\roaming\Malwarebytes
2009-03-27 01:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 01:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 01:56 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-27 01:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 01:56 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-24 23:02 <DIR> --d----- c:\programdata\Age of Empires 3
2009-03-24 23:02 <DIR> --d----- c:\progra~2\Age of Empires 3
2009-03-24 22:48 <DIR> --d----- c:\program files\common files\Microsoft Games
2009-03-24 22:35 <DIR> --d----- c:\program files\Age of Empires III
2009-03-24 22:30 <DIR> --d----- c:\users\chris\appdata\roaming\DAEMON Tools Pro
2009-03-24 22:29 <DIR> --d----- c:\programdata\DAEMON Tools Lite
2009-03-24 22:29 <DIR> --d----- c:\progra~2\DAEMON Tools Lite
2009-03-24 22:29 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-03-24 22:06 <DIR> --d----- c:\users\chris\appdata\roaming\DAEMON Tools Lite
2009-03-24 14:14 <DIR> --d----- c:\users\chris\Veoh
2009-03-24 14:14 <DIR> --d----- c:\program files\Veoh Networks
2009-03-11 00:59 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 00:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 00:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 00:59 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 00:59 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 00:59 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-03-24 22:07 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-15 15:23 12,800 a------- c:\windows\help\oem\scripts\HCDownloadApp.exe
2009-01-15 02:11 827,392 a------- c:\windows\system32\wininet.dll
2008-11-11 18:38 174 a--sh--- c:\program files\desktop.ini
2008-11-11 18:34 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-11 18:34 86,016 a------- c:\windows\inf\infstor.dat
2008-11-11 18:34 51,200 a------- c:\windows\inf\infpub.dat
2008-11-11 18:22 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-11 22:36 0 a------- c:\users\chris\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-01-08 19:20 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 18:27:53.48 ===============

Logfile of random's system information tool 1.06 (written by random/random)
Run by Chris at 2009-04-10 16:11:41
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 42 GB (14%) free of 299 GB
Total RAM: 2047 MB (43% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:06 PM, on 10/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Chris\Desktop\RSIT.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\trend micro\Chris.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe" -delete
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [SSI] C:\PROGRA~1\TRISNA~1\SSI\ssi /s
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D04C7BD-9F59-4677-A71B-A2EBCD759451}: NameServer = 64.71.255.198
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10230 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
C:\Windows\tasks\SmartDefrag.job
C:\Windows\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\Windows\tasks\User_Feed_Synchronization-{9A91E911-F701-4ED5-8BC3-A88F56291779}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-10 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]
{0BF43445-2F28-4351-9252-17FE6E806AA0} - McAfee SiteAdvisor - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]
{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - Veoh Web Player Video Finder - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll [2009-03-06 429816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"hpsysdrv"=c:\hp\support\hpsysdrv.exe [2007-04-18 65536]
"KBD"=C:\HP\KBD\KbdStub.EXE [2006-12-08 65536]
"OsdMaestro"=C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe [2007-02-15 118784]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-10-25 4702208]
"CCUTRAYICON"=FactoryMode []
"HP Health Check Scheduler"=c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2008-06-16 75008]
"SunJavaUpdateReg"=C:\Windows\system32\jureg.exe [2007-09-25 54672]
""= []
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-08-24 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-08-24 154136]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-08-24 129560]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6261\SiteAdv.exe [2007-12-04 36640]
"SSI"=C:\PROGRA~1\TRISNA~1\SSI\ssi /s []
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-01 61440]
"ATICustomerCare"=C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe [2008-05-02 307200]
"itype"=C:\Program Files\Microsoft IntelliType Pro\itype.exe [2008-06-10 1442888]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 1406024]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-10 148888]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"=C:\Windows\SMINST\launcher.exe [2007-04-03 44168]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"VeohPlugin"=C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [2009-03-06 3558136]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-03-23 1830128]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-08-24 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDesktopCleanupWizard"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe:*:Enabled:Logitech Harmony Remote Software V5"
"C:\Program Files\Logitech\Harmony Remote\HarmonyClient"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software V5"
"C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe"="C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe:*:Enabled:Logitech Harmony Remote Software V5"
"C:\Program Files\Logitech\Harmony Remote\HarmonyClient"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software V5"
"C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe"="C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
shell\AutoRun\command - M:\install.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c7a5a41-18e3-11de-8ec0-001d60ac0e06}]
shell\AutoRun\command - N:\install.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec16ba4-c132-11dc-a117-001d60ac0e06}]
shell\AutoRun\command - J:\
shell\open\command - J:\D0B11539.exe


======List of files/folders created in the last 3 months======

2009-04-10 16:11:41 ----D---- C:\rsit
2009-04-10 16:11:41 ----D---- C:\Program Files\trend micro
2009-04-10 16:04:54 ----D---- C:\Program Files\CCleaner
2009-04-10 15:58:48 ----A---- C:\Windows\system32\javaws.exe
2009-04-10 15:58:48 ----A---- C:\Windows\system32\javaw.exe
2009-04-10 15:58:48 ----A---- C:\Windows\system32\java.exe
2009-04-10 15:58:48 ----A---- C:\Windows\system32\deploytk.dll
2009-03-29 09:42:24 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-03-29 09:41:04 ----D---- C:\Program Files\Adobe
2009-03-28 01:51:12 ----D---- C:\Users\Chris\AppData\Roaming\IObit
2009-03-28 01:51:11 ----D---- C:\Program Files\IObit
2009-03-27 20:57:56 ----A---- C:\Windows\ntbtlog.txt
2009-03-27 20:43:34 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-03-27 20:42:59 ----D---- C:\Users\Chris\AppData\Roaming\SUPERAntiSpyware.com
2009-03-27 20:42:59 ----D---- C:\Program Files\SUPERAntiSpyware
2009-03-27 20:42:01 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-03-27 01:56:47 ----D---- C:\Users\Chris\AppData\Roaming\Malwarebytes
2009-03-27 01:56:40 ----D---- C:\ProgramData\Malwarebytes
2009-03-27 01:56:40 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-24 23:02:09 ----D---- C:\ProgramData\Age of Empires 3
2009-03-24 22:48:04 ----D---- C:\Program Files\Common Files\Microsoft Games
2009-03-24 22:35:53 ----D---- C:\Program Files\Age of Empires III
2009-03-24 22:30:31 ----D---- C:\Users\Chris\AppData\Roaming\DAEMON Tools Pro
2009-03-24 22:29:50 ----D---- C:\ProgramData\DAEMON Tools Lite
2009-03-24 22:29:38 ----D---- C:\Program Files\DAEMON Tools Lite
2009-03-24 22:06:44 ----D---- C:\Users\Chris\AppData\Roaming\DAEMON Tools Lite
2009-03-24 14:14:25 ----D---- C:\Program Files\Veoh Networks
2009-03-11 00:59:53 ----A---- C:\Windows\system32\wmp.dll
2009-03-11 00:59:52 ----A---- C:\Windows\system32\spwmp.dll
2009-03-11 00:59:52 ----A---- C:\Windows\system32\dxmasf.dll
2009-03-11 00:59:51 ----A---- C:\Windows\system32\wmploc.DLL
2009-03-11 00:59:46 ----A---- C:\Windows\system32\schannel.dll
2009-03-01 00:16:48 ----D---- C:\ProgramData\GameHouse
2009-03-01 00:15:57 ----D---- C:\ProgramData\Trymedia
2009-03-01 00:15:21 ----D---- C:\Program Files\Yahoo! Games
2009-02-14 19:59:38 ----A---- C:\Windows\system32\EncDec.dll
2009-02-14 19:59:35 ----A---- C:\Windows\system32\psisdecd.dll
2009-02-11 16:14:48 ----A---- C:\Windows\system32\mshtml.dll
2009-02-11 16:14:47 ----A---- C:\Windows\system32\ieframe.dll
2009-02-11 16:14:46 ----A---- C:\Windows\system32\urlmon.dll
2009-02-11 16:14:45 ----A---- C:\Windows\system32\wininet.dll
2009-02-11 16:14:45 ----A---- C:\Windows\system32\msfeeds.dll
2009-02-11 16:14:44 ----A---- C:\Windows\system32\mstime.dll
2009-02-11 16:14:44 ----A---- C:\Windows\system32\iertutil.dll
2009-02-11 16:14:43 ----A---- C:\Windows\system32\jsproxy.dll

======List of files/folders modified in the last 3 months======

2009-04-10 16:11:53 ----D---- C:\Windows\Prefetch
2009-04-10 16:11:45 ----D---- C:\Windows\Temp
2009-04-10 16:11:41 ----RD---- C:\Program Files
2009-04-10 16:07:03 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-04-10 16:01:26 ----D---- C:\Windows\System32
2009-04-10 16:01:26 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-04-10 16:01:25 ----D---- C:\Windows\inf
2009-04-10 15:58:51 ----SHD---- C:\Windows\Installer
2009-04-10 15:58:51 ----HD---- C:\Config.Msi
2009-04-10 15:58:23 ----D---- C:\Program Files\Java
2009-04-10 15:58:17 ----SHD---- C:\System Volume Information
2009-04-10 15:55:05 ----D---- C:\Windows\SMINST
2009-04-10 15:51:32 ----D---- C:\Program Files\Common Files
2009-04-06 15:23:52 ----D---- C:\Users\Chris\AppData\Roaming\uTorrent
2009-04-01 00:05:51 ----D---- C:\Windows\system32\catroot2
2009-03-31 19:23:25 ----D---- C:\Windows
2009-03-31 09:35:45 ----D---- C:\Program Files\Mozilla Firefox
2009-03-29 09:42:26 ----D---- C:\Users\Chris\AppData\Roaming\Adobe
2009-03-29 09:42:26 ----D---- C:\ProgramData\Adobe
2009-03-29 09:41:37 ----D---- C:\Program Files\Common Files\Adobe
2009-03-28 01:51:16 ----D---- C:\Windows\Tasks
2009-03-28 01:51:16 ----D---- C:\Windows\system32\Tasks
2009-03-27 20:43:34 ----HD---- C:\ProgramData
2009-03-27 01:56:43 ----D---- C:\Windows\system32\drivers
2009-03-26 17:32:55 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-24 22:53:30 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-24 22:42:51 ----RSD---- C:\Windows\assembly
2009-03-24 22:30:31 ----D---- C:\Users\Chris\AppData\Roaming\DAEMON Tools
2009-03-20 11:59:07 ----RSD---- C:\Windows\Fonts
2009-03-20 11:58:46 ----D---- C:\Program Files\Microsoft Games
2009-03-11 03:20:33 ----D---- C:\Windows\winsxs
2009-03-11 03:10:27 ----D---- C:\Windows\system32\catroot
2009-03-11 03:06:55 ----D---- C:\Program Files\Windows Media Player
2009-03-11 03:06:55 ----D---- C:\Program Files\Windows Mail
2009-02-25 12:55:00 ----A---- C:\Windows\system32\mrt.exe
2009-02-15 04:03:58 ----D---- C:\Windows\Microsoft.NET
2009-02-15 04:01:11 ----D---- C:\Windows\ehome
2009-02-05 16:11:35 ----A---- C:\Windows\system32\aswBoot.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2009-02-05 23152]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 NCPro;NCPro; C:\Windows\system32\drivers\MTictwl.sys [2006-11-24 12288]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 8704]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-09-23 3976192]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2007-08-30 217728]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 HSF_DP;HSF_DP; C:\Windows\system32\DRIVERS\HSX_DP.sys [2008-05-08 980992]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2008-05-08 266752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-10-25 2015192]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\Windows\system32\DRIVERS\point32k.sys [2008-06-10 33352]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-19 73088]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2008-05-08 661504]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 a03mawr9;a03mawr9; C:\Windows\system32\drivers\a03mawr9.sys []
S3 ATIXPGAA;ATIXPGAA; \??\C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []
S3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-19 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-19 16384]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-19 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HidBatt;HID UPS Battery Driver; C:\Windows\system32\DRIVERS\HidBatt.sys [2008-01-06 21504]
S3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 1899008]
S3 MagicTune;MagicTune; C:\Windows\system32\drivers\MTiCtwl.sys [2006-11-24 12288]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 PcdrNdisuio;PCDRNDISUIO Usermode I/O Protocol; C:\Windows\system32\DRIVERS\pcdrndisuio.sys []
S3 Ps2;PS2; C:\Windows\system32\DRIVERS\PS2.sys [2005-12-12 19072]
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Sandra.sys [2007-11-17 21920]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 APC UPS Service;APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [2005-12-12 176193]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-09-23 704512]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 DQLWinService;DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2008-06-16 94208]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-07-25 79136]
R2 MagicTuneEngine;MagicTuneEngine; C:\Program Files\MagicTune Premium\MagicTuneEngine.exe [2007-04-24 32768]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-10-18 386560]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S2 IntelDHSvcConf;Intel DH Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-05-10 29696]
S2 SysEnforce;SysEnforce; C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE []
S3 AlertService;Intel® Alert Service; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [2006-09-11 188416]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ISSM;Intel® Software Services Manager; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [2006-09-11 75264]
S3 M1 Server;Intel® Viiv™ Media Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [2006-09-01 26624]
S3 MCLServiceATL;Intel® Application Tracker; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [2006-09-11 167936]
S3 Remote UI Service;Intel® Remoting Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [2006-09-11 544256]
S3 RoxMediaDB9;RoxMediaDB9; c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-05-11 887544]
S3 SandraDataSrv;SiSoftware Database Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe [2007-12-12 213176]
S3 SandraTheSrv;SiSoftware Sandra Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe [2007-12-12 1253568]
S3 stllssvr;stllssvr; c:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-05-03 74656]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------



Hi farbar, thanks for your help. Before I empty any P2P folders, what are my options? If any of these files contain something malicious and are burnt to disc, what happens? Is there any point in using anti-virus, anti-malware, etc. programs to check these files individually, or would the total system scans have already detected any problems?

Including the PC hard drive, I also have an external one (with 3 partitions, but used all together anyway), and am looking at roughly 375 GB of P2P stuff. Approximately 96% are video files...

Must they all go? If that's the case then so be it, but I was hoping there was some way to deal with them.



Thanks again for your help,

Chris.

#6 Farbar
  • Security Developer
  • Location:The Netherlands

Posted 10 April 2009 - 04:27 PM

Hi again,

To answer your question, the download folder needs to be emptied anyway. That is where the current active or incomplete downloads are kept or shared with other users. The rest can be kept in a folder to be scanned later on; I'll tell you when the time comes. There should be no problems with those movie files.
If something is infected and then burned to a CD, it can't be cleaned anymore. However, the content of the CD can be kept in a folder and scanned, eventually cleaned, and then burned to CD again. If the scanners detect nothing, the CD is clean.
The video files could not be scanned because of their size, as usually they are big. They should be judged on face value. You can't throw away anything because of mere suspicion.
To sum up, keep those files in a folder; they do no harm as long as you don't open them. We will check them later on.

Your computer is infected with a flash drive infection. This type of infection is usually carried over through removable storage devices (flash drive/USB drive/thumb drive/iPod/memory stick/memory card/photo camera memory card/external hard drive, etc.) and networks. Please make sure you have your removable devices ready to disinfect. Don't connect them yet.
  • We need to scan a file. Click on this link--> virustotal
    • Copy and paste the following bold line in the Browse... area:

      C:\Windows\SMINST\launcher.exe

    • Click Send File.
    • If the file has been analysed before, click the Reanalyse File Now button.
    • Please copy and paste the results of the scan in your next post.
  • Please read this carefully: http://www.zyxware.com/articles/2007/08/14...virus-infection

    Note: It is important to have the autoplay feature turned off and not to open thumb drives by double-clicking. Instead, right-click the drive and select Explore.

  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Turn off the auto-protect or resident-shield of your antivirus.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning which takes only a few seconds and then exit the program.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please include in your next reply:
  • The scan result of virustotal.
  • The Combofix log.
  • Any comment or feedback about how it went.

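The removable-media mechanism described in the post above, as an added example that is not part of the original thread or of any of the tools it names. The Python script does three things a practitioner would want at this step: it pulls the per-drive shell\AutoRun\command and shell\open\command entries out of an RSIT MountPoints2 dump (the three commands embedded are the ones quoted in the RSIT log earlier in this thread); it parses an autorun.inf and lists every directive that makes Explorer launch a program (the embedded autorun.inf is a constructed sample, and its directive values are assumptions); and it reproduces the Flash_Disinfector idea of placing a directory named autorun.inf on the drive root, then shows that a file of that name can no longer be dropped there. Caveat: the directory guard only defeats a worm that creates files; one that removes the directory first walks past it, and this script does not set the hidden/system attributes Flash_Disinfector sets.

```python
"""Added example, not from the thread: triage and harden against the
autorun.inf removable-media infection pattern described above."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# MountPoints2 lines in the layout RSIT prints; the commands are the ones
# quoted in the RSIT log earlier in this thread.
SAMPLE_RSIT_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
shell\AutoRun\command - M:\install.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec16ba4-c132-11dc-a117-001d60ac0e06}]
shell\AutoRun\command - J:\
shell\open\command - J:\D0B11539.exe
"""
# Constructed autorun.inf; directive values are assumptions, not from the page.
SAMPLE_AUTORUN_INF = """\
[autorun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=install.bat
shellexecute=install.bat
shell\\open\\command=install.bat
shell\\explore\\command=install.bat
"""
_KEY_RE = re.compile(r"^\[.+\\mountpoints2\\([^\]]+)\]$", re.IGNORECASE)
_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command\s+-\s+(.*)$", re.IGNORECASE)

def parse_mountpoints(dump: str) -> Dict[str, List[Tuple[str, str]]]:
    """{mountpoint: [(verb, command), ...]} for each MountPoints2 key with a
    shell\\<verb>\\command value. Explorer caches these from the autorun.inf it
    saw on the volume, so they outlive the file itself."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in dump.splitlines():
        line = line.strip()
        if key := _KEY_RE.match(line):
            current = key.group(1)
        elif (cmd := _CMD_RE.match(line)) and current is not None:
            result.setdefault(current, []).append((cmd.group(1), cmd.group(2)))
    return result

def parse_autorun_inf(text: str) -> Dict[str, str]:
    """[autorun] keys, lower-cased, later duplicates win. Hand-rolled because
    droppers pad the file with junk lines that make configparser raise."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line and not line.startswith((";", "#")):
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def launch_directives(directives: Dict[str, str]) -> List[Tuple[str, str]]:
    """Directives that make Explorer run a program: open, shellexecute and any
    shell\\<verb>\\command. Overriding shell\\open\\command turns a double-click
    on the drive icon into code execution, hence "right-click > Explore"."""
    return [(k, v) for k, v in directives.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]

def install_autorun_guard(drive_root: Path) -> Path:
    """Directory named autorun.inf on the drive root, as Flash_Disinfector does
    (minus the hidden/system attributes). A file cannot share the name, so a
    worm that only creates files fails; one that rmdirs first is not stopped."""
    guard = drive_root / "autorun.inf"
    guard.mkdir(exist_ok=True)
    return guard

def guard_blocks_drop(drive_root: Path) -> bool:
    """Simulate the dropper writing autorun.inf; True if refused by the guard."""
    target = drive_root / "autorun.inf"
    try:
        with open(target, "w") as fh:
            fh.write("[autorun]\nopen=install.bat\n")
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return target.is_dir()
    return False

def guard_demo() -> bool:
    """Install the guard on a throw-away 'drive root' and attack it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        install_autorun_guard(root)
        return guard_blocks_drop(root)

if __name__ == "__main__":
    for mp, cmds in parse_mountpoints(SAMPLE_RSIT_DUMP).items():
        for verb, cmd in cmds:
            print(f"MountPoints2 {mp}: shell\\{verb}\\command -> {cmd}")
    for key, val in launch_directives(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print(f"autorun.inf launches via {key} = {val}")
    print("guard blocks autorun.inf drop:", guard_demo())
```

Run it with no arguments to see the three checks against the embedded samples; point parse_mountpoints at a real RSIT log and parse_autorun_inf at the contents of a suspect drive's autorun.inf to triage a machine. A shell\open\command that points at a file on the drive root (as the J: entry above does) is the signature to look for: it means the volume once carried an autorun.inf that hijacked the drive's default action.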

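As a second added example (not from the thread, and not VirusTotal's own code), the values VirusTotal prints under "Additional information" can be recomputed locally from the file you are about to submit. That is how to confirm that a pasted report really describes the file in question (compare MD5/SHA1/SHA256) and how to read the PE fields without a web service. The script hashes a file, walks its PE headers for the machine type, compile timestamp, entry point and per-section entropy, and flags high-entropy sections and an entry point that falls outside every section. Because a real executable cannot be embedded here, build_demo_pe constructs a minimal, hypothetical PE32 image in memory whose timestamp, entry point and section addresses mirror the report quoted later in this thread; its section bytes are synthetic and contain no code.

```python
"""Added example, not from the thread: recompute the VirusTotal
"Additional information" fields for a file you are about to submit."""
import hashlib
import math
import struct
import time
from typing import Dict, List

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0, the 'ntrpy' column of the VT report."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 as VT lists them; compare before trusting a pasted report."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def parse_pe(data: bytes) -> Dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section
    table. Only the fields shown in the VT 'PEInfo' block are extracted."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint (RVA)
    sections: List[Dict] = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "machinetype": machine,                    # 0x14c = I386, 0x8664 = x64
        "timedatestamp": timestamp,
        "compiled": time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(timestamp)),
        "entrypointaddress": entry,
        "pe32plus": magic == 0x20B,
        "sections": sections,
    }

def triage_notes(info: Dict) -> List[str]:
    """Cheap static flags: packed/encrypted sections and an entry point that
    does not fall inside any section (a common packer or injection sign)."""
    notes = []
    for s in info["sections"]:
        if s["ntrpy"] > 7.0:
            notes.append(f"{s['name']}: entropy {s['ntrpy']} suggests packed or encrypted data")
    ep = info["entrypointaddress"]
    if not any(s["viradd"] <= ep < s["viradd"] + max(s["virsiz"], s["rawdsiz"]) for s in info["sections"]):
        notes.append(f"entry point {ep:#x} lies outside every section")
    return notes

def build_demo_pe() -> bytes:
    """Constructed, hypothetical PE32 image (no real code). Timestamp, entry
    point and section addresses mirror the report quoted in this thread; the
    section bytes are synthetic: one flat high-entropy blob, one constant fill."""
    nsections, opt_size, raw_ptr = 2, 224, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0x454F2771, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x4858)                 # AddressOfEntryPoint
    text = bytes((i * 97 + 13) % 256 for i in range(512))   # every byte value twice -> 8.0 bits
    data = b"A" * 512                                       # single value -> 0.0 bits
    hdr = "<8sIIIIIIHHI"
    s1 = struct.pack(hdr, b".text", 0x41C9, 0x1000, 512, raw_ptr, 0, 0, 0, 0, 0x60000020)
    s2 = struct.pack(hdr, b".data", 0xB30, 0x8000, 512, raw_ptr + 512, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(dos + b"PE\0\0" + coff + opt + s1 + s2)
    image += b"\0" * (raw_ptr - len(image))
    return bytes(image + text + data)

if __name__ == "__main__":
    img = build_demo_pe()
    print(file_hashes(img))
    info = parse_pe(img)
    print(info["compiled"], hex(info["machinetype"]), hex(info["entrypointaddress"]))
    for s in info["sections"]:
        print(s)
    print(triage_notes(info))
```

For a real file, read it with open(path, "rb").read() and pass the bytes to file_hashes and parse_pe. The compile timestamp is worth a second look on its own: it is attacker-controlled and often back-dated, so a date years before the file first appeared on a machine is a hint, not proof, either way.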
#7 C47FSN
  • Topic Starter
  • Members

Posted 10 April 2009 - 06:28 PM

Hi, I just wanted to clarify what "To answer your question, it is needed to empty the download folder anyway" means before I did anything. This means delete everything in the download folder?

Also you mention active and incomplete downloads. In the past 3 months or more, all downloads have gone to a folder on C:, but many of the files are active not only on C: but J:, K:, and L: (these three are the external HD). They are just sitting there seeding; to the best of my memory nothing has actually been downloaded there for some time.

Sorry, I hope I'm not irritating you.

Thanks,

C.

#8 Farbar
  • Security Developer
  • Location:The Netherlands

Posted 10 April 2009 - 07:22 PM

Hi C,

You are not irritating me at all and I like clarification. :)


They are just sitting there seeding


This is exactly what I mean. As long as we are not sure, I would like to avoid that kind of traffic. If one of those seeding files is infected, other users get infected too. Moreover, we don't want any interference of that kind at this moment. We need to be invisible for some time to make sure everything is alright. We don't need a P2P program running at the moment, as we are not able to check the system and the extra traffic it makes at the same time. We want to rule out that factor.

I would be irritated however if we clean the computer and you get infected in the course of disinfection because of p2p traffic. :thumbup2:

Let me tell you something I usually keep for the last post: you don't have a firewall other than the Windows one. If you are behind a router you are safer against the outside threat, but still, without a firewall controlling the inbound threats (trojan downloaders) that make contact with the outside, you don't really know what is going out of and coming into your computer.

I hope it is clear now.

#9 C47FSN
  • Topic Starter
  • Members

Posted 10 April 2009 - 10:24 PM

Uh oh, now I am confused!

To be clear, no P2P programs have been running since I started getting help here. March 27.

Did you mean delete everything in the P2P download folder on C: ?

And for the files sitting on the external hd that are (were) seeding, was I to remove them as well? Or did you just not want P2P traffic to be occurring?

I am behind a router; would a firewall have prevented this? After reading some of the info from the links above, I was beginning to think I could see the reason for all of this, which was something I actively did with program installation. The timing is pretty convenient, but I really don't know anything.

Thanks again for your help, and patience,

C.

#10 Farbar
  • Security Developer
  • Location:The Netherlands

Posted 11 April 2009 - 03:49 AM

To be clear, no P2P programs have been running since I started getting help here. March 27.


That is good enough. I just want to avoid P2P traffic at this stage. Please proceed with the other steps.

#11 C47FSN
  • Topic Starter
  • Members

Posted 11 April 2009 - 10:09 AM

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.11 -
AhnLab-V3 5.0.0.2 2009.04.11 -
AntiVir 7.9.0.138 2009.04.10 -
Antiy-AVL 2.0.3.1 2009.04.11 -
Authentium 5.1.2.4 2009.04.10 -
Avast 4.8.1335.0 2009.04.10 -
AVG 8.5.0.285 2009.04.11 -
BitDefender 7.2 2009.04.11 -
CAT-QuickHeal 10.00 2009.04.10 -
ClamAV 0.94.1 2009.04.10 -
Comodo 1110 2009.04.11 -
DrWeb 4.44.0.09170 2009.04.11 -
eSafe 7.0.17.0 2009.04.07 -
eTrust-Vet 31.6.6450 2009.04.11 -
F-Prot 4.4.4.56 2009.04.10 -
F-Secure 8.0.14470.0 2009.04.11 -
Fortinet 3.117.0.0 2009.04.11 -
GData 19 2009.04.11 -
Ikarus T3.1.1.49.0 2009.04.11 -
K7AntiVirus 7.10.700 2009.04.11 -
Kaspersky 7.0.0.125 2009.04.11 -
McAfee 5580 2009.04.10 -
McAfee+Artemis 5580 2009.04.10 -
McAfee-GW-Edition 6.7.6 2009.04.10 -
Microsoft 1.4502 2009.04.11 -
NOD32 4001 2009.04.11 -
Norman 6.00.06 2009.04.09 -
nProtect 2009.1.8.0 2009.04.11 Trojan/W32.Agent.44168
Panda 10.0.0.14 2009.04.11 -
PCTools 4.4.2.0 2009.04.08 -
Prevx1 V2 2009.04.11 -
Rising 21.24.52.00 2009.04.11 -
Sophos 4.40.0 2009.04.11 -
Sunbelt 3.2.1858.2 2009.04.11 -
Symantec 1.4.4.12 2009.04.11 -
TheHacker 6.3.4.0.305 2009.04.11 -
TrendMicro 8.700.0.1004 2009.04.10 -
ViRobot 2009.4.10.1688 2009.04.10 Trojan.Win32.Agent.44168
VirusBuster 4.6.5.0 2009.04.11 -
Additional information
File size: 44168 bytes
MD5...: 31539595f006dae39f719735f30c3570
SHA1..: f883a7708d7d0427450a85b1802a1325eaf04b0e
SHA256: 9484ff4ae6d74caee4aa0003d4e5aa58bd29473635712fa63e0be90d83bb88ae
SHA512: f287011591792244288b5c2b394c57e0aa0274f005d9e1882951553a3651dcc279cce2b07c94ab839c63f112d7a13948692dea1ba707304a978f123e65815f63
ssdeep: 768:uqkjP6maLVgM5/7a8misGa86TUBqtI3FTvcTb3:uZjSmaLVgePLsD86ltItvcv3
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4858
timedatestamp.....: 0x454f2771 (Mon Nov 06 12:15:45 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x41c9 0x5000 5.38 5c5a7f6e4e9784110db25bddcc6dee3c
.rdata 0x6000 0x1458 0x2000 3.03 ae638035d8f027226689b7c38288aca2
.data 0x8000 0xb30 0x1000 2.60 90612eb9fcc7c59a48e1552b7ea3bb65
.rsrc 0x9000 0x3b0 0x1000 0.96 3b4d5d544aab5d57e8e6f20740ea399c

( 7 imports )
> MFC42u.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> msvcrt.dll: __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, __p__fmode, __1type_info@@UAE@XZ, _onexit, __dllonexit, __set_app_type, _ltow, __CxxFrameHandler, wcscmp, wcslen, _terminate@@YAXXZ, _controlfp, _c_exit, _except_handler3, _wgetenv, _wcsicmp
> KERNEL32.dll: CreateFileW, DeleteFileW, SetFileAttributesW, SetLastError, FormatMessageW, GetLastError, GlobalFree, GlobalUnlock, GetPrivateProfileStringW, GlobalAlloc, GetModuleFileNameW, GetVersionExW, GetModuleHandleA, GetStartupInfoA, GetPrivateProfileIntW, GetCurrentDirectoryW, GlobalLock, GetExitCodeProcess, CloseHandle, WaitForSingleObject, CreateProcessW
> USER32.dll: wvsprintfW
> ADVAPI32.dll: RegSetValueExW, RegCloseKey, RegOpenKeyW
> VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
> SHLWAPI.dll: PathStripPathW

( 0 exports )
RDS...: NSRL Reference Data Set
-



ComboFix 09-04-04.01 - Chris 2009-04-11 10:24:57.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1291 [GMT -4:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1201 [VPS 081112-0] *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\x64
J:\Autorun.inf
K:\Autorun.inf
L:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-10 16:11 . 2009-04-10 16:12 <DIR> d-------- C:\rsit
2009-04-10 16:11 . 2009-04-10 16:12 <DIR> d-------- c:\program files\trend micro
2009-04-10 16:04 . 2009-04-10 16:04 <DIR> d-------- c:\program files\CCleaner
2009-04-10 15:58 . 2009-04-10 15:58 410,984 --a------ c:\windows\System32\deploytk.dll
2009-03-30 08:57 . 2009-03-30 11:14 <DIR> d-------- c:\users\Chris\DoctorWeb
2009-03-29 09:42 . 2009-03-29 09:42 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-28 01:51 . 2009-03-28 01:51 <DIR> d-------- c:\users\Chris\AppData\Roaming\IObit
2009-03-28 01:51 . 2009-03-28 01:51 <DIR> d-------- c:\program files\IObit
2009-03-27 20:43 . 2009-03-27 20:43 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-03-27 20:43 . 2009-03-27 20:43 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-03-27 20:42 . 2009-03-27 20:42 <DIR> d-------- c:\users\Chris\AppData\Roaming\SUPERAntiSpyware.com
2009-03-27 20:42 . 2009-03-27 20:43 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-27 20:42 . 2009-03-27 20:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-27 01:56 . 2009-03-27 01:56 <DIR> d-------- c:\users\Chris\AppData\Roaming\Malwarebytes
2009-03-27 01:56 . 2009-03-27 01:56 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-27 01:56 . 2009-03-27 01:56 <DIR> d-------- c:\programdata\Malwarebytes
2009-03-27 01:56 . 2009-03-27 01:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 01:56 . 2009-03-26 16:49 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-27 01:56 . 2009-03-26 16:49 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-24 23:02 . 2009-03-24 23:02 <DIR> d-------- c:\users\All Users\Age of Empires 3
2009-03-24 23:02 . 2009-03-24 23:02 <DIR> d-------- c:\programdata\Age of Empires 3
2009-03-24 22:48 . 2009-03-24 22:53 <DIR> d-------- c:\program files\Common Files\Microsoft Games
2009-03-24 22:35 . 2009-03-24 22:57 <DIR> d-------- c:\program files\Age of Empires III
2009-03-24 22:34 . 2009-03-24 22:34 <DIR> dr------- c:\windows\System32\config\systemprofile\Videos
2009-03-24 22:34 . 2009-03-24 22:34 <DIR> dr------- c:\windows\System32\config\systemprofile\Searches
2009-03-24 22:34 . 2009-03-24 22:34 <DIR> dr------- c:\windows\System32\config\systemprofile\Saved Games
2009-03-24 22:34 . 2009-03-24 22:34 <DIR> dr------- c:\windows\System32\config\systemprofile\Pictures
2009-03-24 22:34 . 2009-03-24 22:34 <DIR> dr------- c:\windows\System32\config\systemprofile\Links
2009-03-24 22:34 . 2009-03-24 22:34 <DIR> dr------- c:\windows\System32\config\systemprofile\Downloads
2009-03-24 22:34 . 2009-03-24 22:34 <DIR> dr------- c:\windows\System32\config\systemprofile\Documents
2009-03-24 22:30 . 2009-03-27 09:11 <DIR> d-------- c:\users\Chris\AppData\Roaming\DAEMON Tools Pro
2009-03-24 22:29 . 2009-03-24 22:29 <DIR> d-------- c:\users\All Users\DAEMON Tools Lite
2009-03-24 22:29 . 2009-03-24 22:29 <DIR> d-------- c:\programdata\DAEMON Tools Lite
2009-03-24 22:29 . 2009-03-24 22:29 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-03-24 22:06 . 2009-03-24 22:30 <DIR> d-------- c:\users\Chris\AppData\Roaming\DAEMON Tools Lite
2009-03-24 14:14 . 2009-04-11 10:26 <DIR> d-------- c:\users\Chris\Veoh
2009-03-24 14:14 . 2009-03-24 14:14 <DIR> d-------- c:\program files\Veoh Networks
2009-03-11 00:59 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-11 00:59 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-11 00:59 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-11 00:59 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-11 00:59 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-11 00:59 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 14:18 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-04-10 19:58 --------- d-----w c:\program files\Java
2009-04-06 19:23 --------- d-----w c:\users\Chris\AppData\Roaming\uTorrent
2009-03-29 13:41 --------- d-----w c:\program files\Common Files\Adobe
2009-03-26 21:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-25 02:53 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 02:30 --------- d-----w c:\users\Chris\AppData\Roaming\DAEMON Tools
2009-03-25 02:07 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-20 15:58 --------- d-----w c:\program files\Microsoft Games
2009-03-11 07:06 --------- d-----w c:\program files\Windows Mail
2009-03-01 04:16 --------- d-----w c:\programdata\GameHouse
2009-03-01 04:15 --------- d-----w c:\programdata\Trymedia
2009-03-01 04:15 --------- d-----w c:\program files\Yahoo! Games
2009-01-15 19:23 12,800 ----a-w c:\windows\Help\OEM\scripts\HCDownloadApp.exe
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-11-11 22:38 174 --sha-w c:\program files\desktop.ini
2008-01-12 02:36 0 ----a-w c:\users\Chris\AppData\Roaming\wklnhst.dat
2008-01-08 23:20 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-03-06 3558136]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"SSI"="c:\progra~1\TRISNA~1\SSI\ssi" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-09-25 54672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-24 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-24 129560]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SiteAdvisor"="c:\program files\SiteAdvisor\6261\SiteAdv.exe" [2007-12-04 36640]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2008-05-02 307200]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-10 148888]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2008-08-19 3562496]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-06-12 221247]
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2007-12-31 36864]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-12-31 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"= c:\program files\Logitech\Harmony Remote\HarmonyClient.exe:*:Enabled:Logitech Harmony Remote Software V5
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient"= c:\program files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software V5
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"= c:\program files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2299F01F-C91A-457C-B72E-0365A38E1687}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{BC96A6C0-9CBB-4BE5-9033-56696B4F6D36}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{A74E5317-1196-452F-96BF-F03DA7892753}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{4A4BA856-3E92-47BF-9D44-5E4C91294BEC}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{89D13081-7054-4D4F-929C-2AA827F2D024}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{447D9DA3-690F-4F81-BD7F-C7225870C9DE}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{C449C751-CC0C-4F27-AF83-0AA4DF41EEA6}"= TCP:9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{5E7CD85A-1E84-4572-B30E-334F82E13D57}"= TCP:1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{5C32179F-54B8-49A1-9920-7D9C3C0D4EC3}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{45BEEF07-5D7F-4AC4-B370-59AA55B5CC62}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2D42B8C3-48C3-4F93-906B-A887994DDE3D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0EAD738F-0CB3-4359-8E87-FDDBCE76158A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{934C80B0-EDDF-4ED8-AD06-2D0927175F05}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{76A5270C-3B3B-45CE-B248-7B6F3F7BF370}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05442A76-7886-495C-A99C-EBB2D2FB7E96}"= UDP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Civilization4.exe:Sid Meier's Civilization 4 Gold
"{D95A01DA-6A5F-49DC-84F9-496E55CD85CF}"= TCP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Civilization4.exe:Sid Meier's Civilization 4 Gold
"{61FB6536-2FF1-48AE-BB86-22CEAB9FF799}"= UDP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4: Warlords
"{4897B56F-C709-4EBB-9BCA-DDE7EB50EA50}"= TCP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4: Warlords
"{D97C4A78-6682-4F48-B7D6-B5E2D935BA1F}"= UDP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{7BF5E8A5-54B0-4A43-9E0A-148AA9356871}"= TCP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{85439C31-0FFA-4E1A-9BFC-1FD8744B47D4}"= UDP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{B4AC4D5F-8B6A-4B01-9562-70DCE6B630A5}"= TCP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{F7C9596C-D997-4D16-A046-BCA00A7186D2}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{95185AB1-A1E6-4901-A30B-C2FD4DD1E835}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{88DA27D0-3FFB-4A0A-BF83-32BC8E373AD1}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{CC2DA86A-A80F-4D14-BF8A-6BC73B2E4105}c:\\program files\\trisnap technologies\\ssi\\ssi.exe"= UDP:c:\program files\trisnap technologies\ssi\ssi.exe:System Spyware InterrigatorTech Edition
"UDP Query User{FCA30EAB-2E95-4E04-A000-191D8C0AEF4F}c:\\program files\\trisnap technologies\\ssi\\ssi.exe"= TCP:c:\program files\trisnap technologies\ssi\ssi.exe:System Spyware InterrigatorTech Edition
"TCP Query User{0D79DFF4-65B7-480E-88B2-D30E9D43D65E}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{3A4148EB-B7E9-49F6-BAF7-BCD50F2C8908}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{186A5CD6-5054-4241-B763-77437281EADC}"= UDP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Civilization4.exe:Sid Meier's Civilization 4 Gold
"{3DB19C84-6EFA-4416-B5F7-ACF9359F7400}"= TCP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Civilization4.exe:Sid Meier's Civilization 4 Gold
"{67BFBFAA-A9FE-49EC-9C76-0E47429E14FE}"= UDP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4: Warlords
"{A1436780-3792-4741-87C4-FDC082C38C57}"= TCP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4: Warlords
"{B1B00FCD-2B92-4011-9267-4ECABCDA4985}"= UDP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{4F365F42-BB7B-43B2-ACE8-DB5E942ED8D3}"= TCP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{9513F548-5D5C-4C90-980C-5A5D3B3EC678}"= UDP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{F97601E7-881A-4D7C-9695-2B28D16924CB}"= TCP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{E8662F9B-1247-48FD-B72C-EBECD65A2286}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{13037A92-980A-467B-AAF0-91D0CA51ECFD}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{0AF74E59-0934-4AE1-AD9E-899D157DAC1F}"= UDP:c:\program files\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{F2A7FFB6-F199-41E4-B6E9-CD938143D9A5}"= TCP:c:\program files\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{6C61F1A3-AEA4-48FA-989C-E277C93D1306}"= UDP:c:\program files\Age of Empires III\age3y.exe:Age of Empires III - The Asian Dynasties
"{AAED0A49-F6F6-4645-A66C-27FA8E545DE4}"= TCP:c:\program files\Age of Empires III\age3y.exe:Age of Empires III - The Asian Dynasties
"TCP Query User{B47B4287-9945-4269-A413-0060A21214BF}c:\\program files\\veoh networks\\veohwebplayer\\veohwebplayer.exe"= UDP:c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe:Veoh Web Player Beta
"UDP Query User{ECA62F4D-D08F-4882-BC6B-C73D20A272CF}c:\\program files\\veoh networks\\veohwebplayer\\veohwebplayer.exe"= TCP:c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe:Veoh Web Player Beta

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"= c:\program files\Logitech\Harmony Remote\HarmonyClient.exe:*:Enabled:Logitech Harmony Remote Software V5
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient"= c:\program files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software V5
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"= c:\program files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2008-04-08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2008-04-08 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2008-01-08 51792]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-02-11 1153368]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [2006-05-10 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\shell\AutoRun\command - M:\install.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c7a5a41-18e3-11de-8ec0-001d60ac0e06}]
\shell\AutoRun\command - N:\install.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec16ba4-c132-11dc-a117-001d60ac0e06}]
\shell\AutoRun\command - J:\
\shell\open\Command - J:\D0B11539.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2009-03-30 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 18:15]

2009-03-30 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-03-28 01:51]

2008-02-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]

2009-04-11 c:\windows\Tasks\User_Feed_Synchronization-{9A91E911-F701-4ED5-8BC3-A88F56291779}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 03:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
TCP: {6D04C7BD-9F59-4677-A71B-A2EBCD759451} = 64.71.255.198
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\h1yrtpg1.default\
FF - prefs.js: browser.search.selectedEngine - qtl
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\SiteAdvisor\6261\FF\components\FFHook.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 10:26:46
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-11 10:28:36
ComboFix-quarantined-files.txt 2009-04-11 14:28:34

Pre-Run: 44,217,765,888 bytes free
Post-Run: 44,182,781,952 bytes free

254 --- E O F --- 2009-04-06 16:31:11
A few things occurred during this process. When the virustotal scan was finished, near the top of the screen was something like Result: 3/40.
I didn't save these results, and lost them after rebooting from the next steps.

The Flash Disinfector process went fine, although there was no autorun.inf created in the usb drive. There was one in each partition of the external HD though.

Combofix asked me to disable antivirus etc, and although I did, it repeatedly told me that avast was still active. I continued anyway. While watching the progress I noticed that it deleted the three autorun.inf files in the partitions. I saved the report this time.

After rebooting, my internet connection did not work. I tried unplugging the router, tried resetting the connection, but nothing worked. After another reboot, still no connection. I had set up a static IP for P2P, and by returning that setting to dynamic the problem was gone.

So, since I hadn't saved the virustotal results I did it again, and this time I got Result: 2/40.

Also, when starting firefox I was prompted to choose whether or not to make firefox my default browser (which it was).


Thanks farbar,

C.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:13 PM

Posted 12 April 2009 - 04:21 AM

Sorry for the delay and thanks for the detailed feedback.

ComboFix resets Internet Explorer and that is why you had to reset Firefox as your default browser after running ComboFix.

This time we are going to check the whole system for old and eventually inactive malware.
  • Open Notepad (Start > Run and type in Notepad) and make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    REGEDIT4 
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c7a5a41-18e3-11de-8ec0-001d60ac0e06}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec16ba4-c132-11dc-a117-001d60ac0e06}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take place.

  • It is kind of strange Flash_Disinfector did not create an empty (hidden) folder on the flash drive. To make sure there is nothing left on the flash drive:
    Set Windows to show hidden files and folders: How to see hidden files in Windows
    Insert the flash drive, right-click its drive and select Explore.
    Search for any file named D0B11539.exe or install.bat
    Tell me if you can find any before removing it.

  • Please use Internet Explorer to perform a BitDefender Online Virus and Malware Scan
    • Click on I Agree.
    • If an ActiveX warning box appears, click on Install.
      Note: If you get the message "Could not load the Online Scanner! Click here for other possible fixes", it means Internet Explorer has blocked the ActiveX control from being installed. Just above the page, under the Internet Explorer toolbar, you see this message:
      "This website wants to install the following add-on: 'Bitdefender OnlineScanner v8' from 'BITDEFENDER LLC'. If you trust the website and the add-on and want to install it, click here..."
      Click on that and select: Install ActiveX.
    • Now Click On Start Scan. Please wait as it might take some time.
    • If it found anything when it finished, on the BitDefender page click Click here to export the scan report
    • Give the report a name and save it. The file will be a .HTML file.
    • Please attach the file to your reply.
    • To attach the file press ADDREPLY, under the reply window press Browse... and show the path to the file on your computer.
    • Highlight the file and click Open then press the green UPLOAD button.
    Note: "Click here to export the scan report" appears on the BitDefender page when the scan is finished. However when the computer is clean it might not appear.

  • Please run RSIT, set the list of Files/Folders created to 1 Month and copy/paste the content of log.txt to your reply for a final review, and tell me how the computer is running.


#13 C47FSN

C47FSN
  • Topic Starter

  • Members
  • 74 posts
  • Local time:01:13 PM

Posted 12 April 2009 - 02:15 PM

Hi farbar.

After checking the hidden folders settings, 'Hide protected operating system files' was still checked, so I unchecked it. When I looked at the USB again, there was a folder at the top named autorun.inf. The folder icon was somewhat transparent, unlike any other icons. The autorun.inf icon on the three partitions showed up at the bottom of the files listed and had an icon that was something like a little paper page with a gear on it, if I remember correctly (combofix removed them). It's absolutely possible I didn't see the autorun.inf folder on the USB the first time I looked, or the folder setting changed it. I don't know which one is responsible.


Logfile of random's system information tool 1.06 (written by random/random)
Run by Chris at 2009-04-12 14:45:25
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 39 GB (13%) free of 299 GB
Total RAM: 2047 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:40 PM, on 12/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Chris\Desktop\RSIT.exe
C:\Program Files\trend micro\Chris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe" -delete
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [SSI] C:\PROGRA~1\TRISNA~1\SSI\ssi /s
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9814 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
C:\Windows\tasks\SmartDefrag.job
C:\Windows\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\Windows\tasks\User_Feed_Synchronization-{9A91E911-F701-4ED5-8BC3-A88F56291779}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-10 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]
{0BF43445-2F28-4351-9252-17FE6E806AA0} - McAfee SiteAdvisor - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]
{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - Veoh Web Player Video Finder - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll [2009-03-06 429816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\hp\support\hpsysdrv.exe [2007-04-18 65536]
"KBD"=C:\HP\KBD\KbdStub.EXE [2006-12-08 65536]
"OsdMaestro"=C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe [2007-02-15 118784]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-10-25 4702208]
"CCUTRAYICON"=FactoryMode []
"HP Health Check Scheduler"=c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2008-06-16 75008]
"SunJavaUpdateReg"=C:\Windows\system32\jureg.exe [2007-09-25 54672]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-08-24 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-08-24 154136]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-08-24 129560]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6261\SiteAdv.exe [2007-12-04 36640]
"SSI"=C:\PROGRA~1\TRISNA~1\SSI\ssi /s []
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-01 61440]
"ATICustomerCare"=C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe [2008-05-02 307200]
"itype"=C:\Program Files\Microsoft IntelliType Pro\itype.exe [2008-06-10 1442888]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 1406024]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-10 148888]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"=C:\Windows\SMINST\launcher.exe [2007-04-03 44168]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"VeohPlugin"=C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [2009-03-06 3558136]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-03-23 1830128]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-08-24 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDesktopCleanupWizard"=1
"NoDriveAutoRun"=FFFFFFFF
"NoDriveTypeAutoRun"=36
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe:*:Enabled:Logitech Harmony Remote Software V5"
"C:\Program Files\Logitech\Harmony Remote\HarmonyClient"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software V5"
"C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe"="C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe:*:Enabled:Logitech Harmony Remote Software V5"
"C:\Program Files\Logitech\Harmony Remote\HarmonyClient"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software V5"
"C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe"="C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper"

======List of files/folders created in the last 1 months======

2009-04-12 11:03:14 ----D---- C:\Windows\BDOSCAN8
2009-04-11 10:28:37 ----A---- C:\ComboFix.txt
2009-04-11 10:21:49 ----A---- C:\Windows\zip.exe
2009-04-11 10:21:49 ----A---- C:\Windows\VFIND.exe
2009-04-11 10:21:49 ----A---- C:\Windows\SWXCACLS.exe
2009-04-11 10:21:49 ----A---- C:\Windows\SWSC.exe
2009-04-11 10:21:49 ----A---- C:\Windows\SWREG.exe
2009-04-11 10:21:49 ----A---- C:\Windows\sed.exe
2009-04-11 10:21:49 ----A---- C:\Windows\NIRCMD.exe
2009-04-11 10:21:49 ----A---- C:\Windows\grep.exe
2009-04-11 10:21:49 ----A---- C:\Windows\fdsv.exe
2009-04-11 10:21:45 ----D---- C:\Windows\ERDNT
2009-04-11 10:21:45 ----D---- C:\ComboFix
2009-04-11 10:19:59 ----AD---- C:\Qoobox
2009-04-11 09:31:38 ----RASHD---- C:\autorun.inf
2009-04-10 16:11:41 ----D---- C:\rsit
2009-04-10 16:11:41 ----D---- C:\Program Files\trend micro
2009-04-10 16:04:54 ----D---- C:\Program Files\CCleaner
2009-04-10 15:58:48 ----A---- C:\Windows\system32\javaws.exe
2009-04-10 15:58:48 ----A---- C:\Windows\system32\javaw.exe
2009-04-10 15:58:48 ----A---- C:\Windows\system32\java.exe
2009-04-10 15:58:48 ----A---- C:\Windows\system32\deploytk.dll
2009-03-29 09:42:24 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-03-29 09:41:04 ----D---- C:\Program Files\Adobe
2009-03-28 01:51:12 ----D---- C:\Users\Chris\AppData\Roaming\IObit
2009-03-28 01:51:11 ----D---- C:\Program Files\IObit
2009-03-27 20:57:56 ----A---- C:\Windows\ntbtlog.txt
2009-03-27 20:43:34 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-03-27 20:42:59 ----D---- C:\Users\Chris\AppData\Roaming\SUPERAntiSpyware.com
2009-03-27 20:42:59 ----D---- C:\Program Files\SUPERAntiSpyware
2009-03-27 20:42:01 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-03-27 01:56:47 ----D---- C:\Users\Chris\AppData\Roaming\Malwarebytes
2009-03-27 01:56:40 ----D---- C:\ProgramData\Malwarebytes
2009-03-27 01:56:40 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-24 23:02:09 ----D---- C:\ProgramData\Age of Empires 3
2009-03-24 22:48:04 ----D---- C:\Program Files\Common Files\Microsoft Games
2009-03-24 22:35:53 ----D---- C:\Program Files\Age of Empires III
2009-03-24 22:30:31 ----D---- C:\Users\Chris\AppData\Roaming\DAEMON Tools Pro
2009-03-24 22:29:50 ----D---- C:\ProgramData\DAEMON Tools Lite
2009-03-24 22:29:38 ----D---- C:\Program Files\DAEMON Tools Lite
2009-03-24 22:06:44 ----D---- C:\Users\Chris\AppData\Roaming\DAEMON Tools Lite
2009-03-24 14:14:25 ----D---- C:\Program Files\Veoh Networks

======List of files/folders modified in the last 1 months======

2009-04-12 14:45:37 ----D---- C:\Windows\Prefetch
2009-04-12 14:45:28 ----D---- C:\Windows\Temp
2009-04-12 12:09:02 ----D---- C:\Windows\System32
2009-04-12 11:04:13 ----SD---- C:\Windows\Downloaded Program Files
2009-04-12 11:03:14 ----D---- C:\Windows
2009-04-12 10:58:43 ----D---- C:\Windows\inf
2009-04-12 10:58:43 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-04-12 09:35:11 ----D---- C:\Windows\SMINST
2009-04-11 23:03:02 ----SHD---- C:\System Volume Information
2009-04-11 10:28:38 ----D---- C:\Windows\system32\en-US
2009-04-11 10:26:48 ----A---- C:\Windows\system.ini
2009-04-11 10:26:05 ----D---- C:\Windows\system32\drivers
2009-04-11 10:26:05 ----D---- C:\Windows\AppPatch
2009-04-11 10:26:05 ----D---- C:\Program Files\Common Files
2009-04-11 10:18:59 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-04-11 09:33:47 ----D---- C:\Windows\system32\Tasks
2009-04-10 16:11:41 ----RD---- C:\Program Files
2009-04-10 15:58:51 ----SHD---- C:\Windows\Installer
2009-04-10 15:58:51 ----HD---- C:\Config.Msi
2009-04-10 15:58:23 ----D---- C:\Program Files\Java
2009-04-06 15:23:52 ----D---- C:\Users\Chris\AppData\Roaming\uTorrent
2009-04-01 00:05:51 ----D---- C:\Windows\system32\catroot2
2009-03-31 09:35:45 ----D---- C:\Program Files\Mozilla Firefox
2009-03-29 09:42:26 ----D---- C:\Users\Chris\AppData\Roaming\Adobe
2009-03-29 09:42:26 ----D---- C:\ProgramData\Adobe
2009-03-29 09:41:37 ----D---- C:\Program Files\Common Files\Adobe
2009-03-28 01:51:16 ----D---- C:\Windows\Tasks
2009-03-27 20:43:34 ----HD---- C:\ProgramData
2009-03-26 17:32:55 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-24 22:53:30 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-24 22:42:51 ----RSD---- C:\Windows\assembly
2009-03-24 22:30:31 ----D---- C:\Users\Chris\AppData\Roaming\DAEMON Tools
2009-03-20 11:59:07 ----RSD---- C:\Windows\Fonts
2009-03-20 11:58:46 ----D---- C:\Program Files\Microsoft Games

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2009-02-05 23152]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 NCPro;NCPro; C:\Windows\system32\drivers\MTictwl.sys [2006-11-24 12288]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 8704]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-09-23 3976192]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2007-08-30 217728]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 HSF_DP;HSF_DP; C:\Windows\system32\DRIVERS\HSX_DP.sys [2008-05-08 980992]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2008-05-08 266752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-10-25 2015192]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\Windows\system32\DRIVERS\point32k.sys [2008-06-10 33352]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-19 73088]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2008-05-08 661504]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 as7w2gfv;as7w2gfv; C:\Windows\system32\drivers\as7w2gfv.sys []
S3 ATIXPGAA;ATIXPGAA; \??\C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []
S3 catchme;catchme; \??\C:\Users\Chris\AppData\Local\Temp\catchme.sys []
S3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-19 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-19 16384]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-19 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HidBatt;HID UPS Battery Driver; C:\Windows\system32\DRIVERS\HidBatt.sys [2008-01-06 21504]
S3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 1899008]
S3 MagicTune;MagicTune; C:\Windows\system32\drivers\MTiCtwl.sys [2006-11-24 12288]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 PcdrNdisuio;PCDRNDISUIO Usermode I/O Protocol; C:\Windows\system32\DRIVERS\pcdrndisuio.sys []
S3 Ps2;PS2; C:\Windows\system32\DRIVERS\PS2.sys [2005-12-12 19072]
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Sandra.sys [2007-11-17 21920]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 APC UPS Service;APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [2005-12-12 176193]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-09-23 704512]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 DQLWinService;DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2008-06-16 94208]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-07-25 79136]
R2 MagicTuneEngine;MagicTuneEngine; C:\Program Files\MagicTune Premium\MagicTuneEngine.exe [2007-04-24 32768]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-10-18 386560]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S2 IntelDHSvcConf;Intel DH Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-05-10 29696]
S2 SysEnforce;SysEnforce; C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE []
S3 AlertService;Intel® Alert Service; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [2006-09-11 188416]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ISSM;Intel® Software Services Manager; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [2006-09-11 75264]
S3 M1 Server;Intel® Viiv™ Media Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [2006-09-01 26624]
S3 MCLServiceATL;Intel® Application Tracker; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [2006-09-11 167936]
S3 Remote UI Service;Intel® Remoting Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [2006-09-11 544256]
S3 RoxMediaDB9;RoxMediaDB9; c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-05-11 887544]
S3 SandraDataSrv;SiSoftware Database Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe [2007-12-12 213176]
S3 SandraTheSrv;SiSoftware Sandra Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe [2007-12-12 1253568]
S3 stllssvr;stllssvr; c:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-05-03 74656]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------


I could have sworn that those keygen files in those screensaver folders were dealt with a long time ago. I specifically remember avast flagging them, and they were completely unnecessary, so I thought I would have removed them. Maybe not, but I can't imagine why I would leave them.

As far as I can tell the computer is running well. The irritating mouse cursor hanging and skipping and so on also seems to have disappeared (happened once but hardly the same thing as before). From reading some of the sites you directed me to, and some of the other links within them, one thing in particular that stood out was the section about web browsers being slower than usual. That was something I had definitely noticed in the past so I've been thinking about it, and after the last few steps taken it seems that Firefox is more responsive than it has been in the past. It has been so far, anyway.

Thanks a lot,

C.

Edited by C47FSN, 12 April 2009 - 02:43 PM.


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 April 2009 - 03:02 PM

Hi C.,

The autorun.inf was created but you couldn't see it because Windows was not set to show all hidden and system files.

Everything looks good. Just a few things:
  • BitDefender could not remove some of the flagged infections: in the first case the file was in a compressed folder and in the second case it was part of igLoader_setup.exe (in the Downloads folder). Please delete them manually.

    C:\Users\Chris\Documents\Chris\Torrents\SCREENSAVERS\Solar\Planet.Neptune.3D.Screensaver.v1.0-s0m_crk.rar=>Planet.Neptune.3D.Screensaver.v1.0-s0m_crk\Neptune Keygen.exe
    C:\Users\Chris\Downloads\igLoader_setup.exe

  • Just a couple of bits of clutter from legit programs. If you want, you may delete them. Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Go to Start > Run and copy and paste or type the next command in the field, then hit Enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore.

    The first reboot might be a little slow, the next one will be faster.
Optional Recommendations:
  • I advise you to install a firewall. The Windows firewall is not good enough. The Windows firewall provides protection from outside threats as long as the malware is not on your system; once the malware gets onto your computer, the Windows firewall is no longer effective. You'll find more information on firewalls below.
    Click for more information on: Understanding and Using Firewalls

    There are several good free programs available like:

    Sunbelt-Kerio
    (Note: You install the Sunbelt trial version but after the trial period it will revert back to free version.)

    Online Armor Free edition

  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. Update it manually (if you use the free version) once every 2-3 weeks and enable the restriction.
Please let me know whether ComboFix uninstalled properly.

Happy surfing!
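
A small triage script, added here as an example and not code from this thread or from HijackThis/RSIT, that reproduces the check in the post above over the log format used in this thread: it pairs O2 lines reported as "(no file)" with BHO registry keys in the RSIT dump that list no DLL, and separately lists O23 services with an unknown owner as items to verify by hand (the log in this thread has several legitimate ones). The sample log is constructed from a few lines in the same format, not the poster's full log.

```python
"""Triage helper for HijackThis / RSIT style logs (added example, not tool code).

Flags entries whose target file the scanner reported as missing, then confirms
orphaned BHO CLSIDs against the RSIT registry dump, which shows such keys with
no DLL line beneath the key header.  Format assumptions follow the output
quoted in this thread.
"""
import re
from typing import List

# Constructed sample in the thread's log format (not the poster's complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]
"""

O_LINE_RE = re.compile(r"^O\d+ - ")                      # any HijackThis "Onn - " entry
MISSING_MARKERS = ("(no file)", "(file missing)")        # HijackThis wording for an absent target
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BHO_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Browser Helper Objects\\(\{[^}]+\})\]$")
UNKNOWN_OWNER_RE = re.compile(r"^O23 - Service: (.+?) - Unknown owner - ")


def find_missing_file_entries(log: str) -> List[str]:
    """Return the O-lines whose target file HijackThis reported as absent."""
    return [s for s in (line.strip() for line in log.splitlines())
            if O_LINE_RE.match(s) and any(m in s for m in MISSING_MARKERS)]


def find_empty_bho_keys(log: str) -> List[str]:
    """Return CLSIDs of BHO keys in the RSIT registry dump that list no DLL.

    In the dump an installed BHO key is followed by its DLL path line; an
    orphaned key is followed directly by a blank line or the next key header.
    """
    lines = [line.strip() for line in log.splitlines()]
    empty = []
    for i, line in enumerate(lines):
        m = BHO_KEY_RE.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt == "" or nxt.startswith("["):
            empty.append(m.group(1))
    return empty


def orphaned_bho_clsids(log: str) -> List[str]:
    """CLSIDs flagged '(no file)' on an O2 line AND shown as an empty key in the dump.

    Agreement between both views is what makes these safe to 'Fix Checked'.
    """
    from_o2 = {c for entry in find_missing_file_entries(log)
               if entry.startswith("O2 - BHO") for c in CLSID_RE.findall(entry)}
    return sorted(from_o2 & set(find_empty_bho_keys(log)))


def unknown_owner_services(log: str) -> List[str]:
    """Names of O23 services with no vendor string: leads to verify by hand, not verdicts."""
    return [m.group(1) for m in (UNKNOWN_OWNER_RE.match(line.strip())
                                 for line in log.splitlines()) if m]


if __name__ == "__main__":
    for clsid in orphaned_bho_clsids(SAMPLE_LOG):
        print("orphaned BHO key (clutter, safe to fix):", clsid)
    for name in unknown_owner_services(SAMPLE_LOG):
        print("service with unknown owner, verify manually:", name)
```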

#15 C47FSN

C47FSN
  • Topic Starter

  • Members
  • 74 posts

Posted 12 April 2009 - 06:46 PM

Hi farbar.

I removed those files manually, and combofix uninstalled fine as far as I could tell. I didn't use Hijackthis because I don't think I actually have it. I went through all of these posts to see where it came from, but I never did find it. And I also thought at this point I'll ask you where to get it rather than do so myself.

I opted for the Sunbelt-Kerio firewall. It installed ok. When I rebooted I was swamped with access/deny windows for all sorts of things, a lot of which I didn't even recognize. For those I kept pressing 'deny' but I think it was just looping. It took me a while to get past all of them, and even now every so often another pops up and it takes five or more clicks of the same decision before it goes away. What were all of those things? The worst ones won't let you check the box to make that choice by default. Obviously I recognize some of them, but not all. Through the help file I realized it's set to advanced. Should I just put it to simple? Can you just put it to simple, or does it need to be reinstalled? I was looking for that answer, I thought it said something about switching.


Should I attempt to scan all of the existing movie files I mentioned previously?

If I attempt to reestablish a static IP, can I just use the setup I had before or do I need to go through the process from the beginning?

I was wrong, the mouse cursor is still getting stuck.


Thanks for the help,

C.

Edited by C47FSN, 12 April 2009 - 11:15 PM.




