
Thread: Virtumonde problem?

  1. #1
    Member
    Join Date
    Feb 2008
    Posts
    33

    Virtumonde problem?

    Hi, I had a malware problem a few months ago and you guys helped me out then, so I was hoping someone could help me out again.

    I recently got infected with something. I noticed this when my computer started opening internet browsers slower and its CPU usage on my CPU meter (in my Vista sidebar) was almost always above 90%. So then I scanned with Spybot and it found two entries of Virtumonde, which I deleted with Spybot, and it seemed to work; however, EVERY SECOND my computer was on, a TeaTimer message came up saying that something called msserver was trying to add two or three files to my registry. I wasn't sure what it was and it KEPT on coming up, so when I clicked 'agree' to allow it, the Virtumonde came back (leading me to believe this is the cause of it). Scanning with Spybot seemed to be only a temporary solution, because whenever I restarted, the TeaTimer message kept coming back asking if I wanted to add it to the registry. The files were iifddbaB.dll, jkkttwQgF.dll, and novnhetr.dll (these were in my temp files, btw, and could not be deleted by pressing 'delete').

    So then I tried VundoFix and it found an infection in PowerISO (which is a virtual drive program), and when I clicked remove vundo it didn't work; then it gave me a message saying it would restart the computer and VundoFix would come up again at reboot so it could delete it before, but that didn't work because when I restarted, VundoFix didn't even come up at startup.

    Then I tried VirtumondeBeGone, but that didn't even find anything.

    Then I even tried Malwarebytes Anti-Malware and that found something like 12 infections; it quarantined and deleted most of them and got two of them on reboot.

    The problem is that every time on startup a rundll message comes up saying that the file iifddbaB.dll, jkkttwQgF.dll, or novnhetr.dll could not be found or whatever, so that should mean there are still some traces of the Vundo on my computer. So can someone please help me get rid of it?

    Here's my HJT log:
    ---------------------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:14:58 PM, on 22/05/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\WINDOWS\RtHDVCpl.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Users\Computer\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\hp\kbd\kbd.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
    O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Computer\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Computer\AppData\Local\Temp\iifddbaB.dll,#1
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) -
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} -
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\Windows\system32\libusbd-nt.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 10762 bytes

    ---------------------------------------------------------
    Thanks, compprogram
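As an added illustration (not from this thread or from any of the tools it mentions), here is a short Python triage script that parses O4 lines in HijackThis format and flags the pattern the poster describes: a Run value that has rundll32 load a DLL from the user's Temp folder, with an ordinal entry point (`,#1`) instead of a named export. The sample lines are constructed to match the log above; the heuristics and names are mine.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the shape of the O4 lines of the HijackThis log posted above.
# The MSServer value is the one the poster's TeaTimer kept warning about.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Computer\AppData\Local\Temp\iifddbaB.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"; Global Startup lines have no [name] and are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Program path followed by optional arguments. The lazy match stops at the first .exe/.dll/... token,
# so an unquoted path containing spaces ("C:\Program Files\...") is kept whole.
PROGRAM_RE = re.compile(r"^(\S.*?\.(?:exe|dll|com|bat|cmd))(?:\s+(.*))?$", re.I)
ORDINAL_RE = re.compile(r"#\d+")


class O4Entry(NamedTuple):
    hive: str
    key: str
    name: str
    cmd: str


class Finding(NamedTuple):
    name: str
    hive: str
    module: str
    reasons: tuple


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one registry-backed O4 line; return None for anything else."""
    m = O4_RE.match(line.strip())
    return O4Entry(m["hive"], m["key"], m["name"], m["cmd"].strip()) if m else None


def split_command(cmd: str):
    """Return (program, arguments) for a Run value, handling quoted and unquoted program paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = PROGRAM_RE.match(cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def loaded_module(cmd: str):
    """Return (module path, export name, via_rundll32).

    For rundll32 the code that actually runs is the DLL named in its first argument,
    given as <dll>,<entry point>; the entry point may be a name or an ordinal like #1.
    """
    program, args = split_command(cmd)
    base = re.split(r"[\\/]", program)[-1].lower()
    if base not in ("rundll32", "rundll32.exe"):
        return program, "", False
    dll_part, _, rest = args.partition(",")
    export = rest.split()[0] if rest.split() else ""
    return dll_part.strip().strip('"'), export, True


def assess(entry: O4Entry):
    """Heuristics for what the thread shows: code started from a temp directory, and
    rundll32 calling an ordinal entry point on a DLL outside the Windows directory."""
    module, export, via_rundll32 = loaded_module(entry.cmd)
    low = module.lower().replace("/", "\\")
    reasons = []
    if "\\temp\\" in low or "\\tmp\\" in low:
        reasons.append("loads code from a temp directory")
    if via_rundll32 and ORDINAL_RE.fullmatch(export) and not re.match(r"^[a-z]:\\windows\\", low):
        reasons.append("rundll32 ordinal entry point on a DLL outside the Windows directory")
    return module, reasons


def scan(log_text: str):
    """Return a Finding for every O4 entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        module, reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry.name, entry.hive, module, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_O4_LINES):
        print(f"[{f.hive}] {f.name}: {f.module}")
        for r in f.reasons:
            print("   -", r)
```

On the sample above only the MSServer value is reported, which matches the poster's own observation; the "could not be found" rundll message at startup is what this same Run value produces once the DLL has been removed but the value has not.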

  2. #2
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,624


    Hello

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    Please visit this web page for instructions on downloading and running ComboFix:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    This includes installing the Windows XP Recovery Console in case you have not installed it yet.

    For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

    Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  3. #3
    Member
    Join Date
    Feb 2008
    Posts
    33


    Thank you for the quick reply.

    I already had ATF Cleaner on my computer because I use it regularly, but do you want me to delete this and reinstall, or is it OK? (BTW, I have VISTA and ATF Cleaner works for it, but it does not delete anything in the prefetch.)

    Also, for ComboFix, is there a way to install a Vista Recovery Console? I only quickly looked through it and it had something to do with the command prompt.

    Also, to note, I rescanned with Malwarebytes, this time with a full scan, and it found one more infection, which I deleted. And apparently the file that VundoFix thought was malware I think is not, because it thought a file of PowerISO's was infected; however, I uninstalled it, scanned to double-check and it showed no malware, then installed a newer version straight off the website, scanned, and it thought that same file is malware. So I think that specifically from VundoFix is wrong, but Malwarebytes still found some, so I'm sure I'm still infected.

    Finally, I will carry on with this but I can't right now, so I will be back in a few hours (like less than 4). Thanks.

  4. #4
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,624


    No need to re-download ATF Cleaner.

    You can leave the Recovery Console.

  5. #5
    Member
    Join Date
    Feb 2008
    Posts
    33


    OK, so here is the ComboFix log. There is one thing I should note: at first I tried running ComboFix but I realized I would not have enough time to do it before I left, so I closed it (the only change I noticed was that my system clock was 24h now). Then recently I opened it again and it seemed to pick up where it left off, but then it lagged for a while, so I closed it and then ran it again, and I think it picked up from there again and created the log. So hopefully all is well; if not, I can redo the ComboFix thing and post another log.
    -----------------------------------------------
    ComboFix 08-05-21.3 - Computer 2008-05-22 23:04:49.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1851 [GMT -4:00]
    Running from: C:\Users\Computer\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_navapsvc


    ((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
    .

    2008-05-22 18:06 . 2008-05-22 18:06 <DIR> d-------- C:\Program Files\PowerISO
    2008-05-22 10:07 . 2008-05-22 10:07 <DIR> d-------- C:\Users\Computer\AppData\Roaming\Malwarebytes
    2008-05-22 10:07 . 2008-05-22 10:07 <DIR> d-------- C:\Users\All Users\Malwarebytes
    2008-05-22 10:07 . 2008-05-22 10:07 <DIR> d-------- C:\ProgramData\Malwarebytes
    2008-05-22 10:07 . 2008-05-22 10:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-22 10:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\System32\drivers\mbamcatchme.sys
    2008-05-22 10:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\System32\drivers\mbam.sys
    2008-05-21 23:18 . 2008-05-22 18:21 <DIR> d-------- C:\VundoFix Backups
    2008-05-14 20:27 . 2008-05-14 20:28 <DIR> d-------- C:\WINDOWS\System32\Adobe
    2008-05-09 21:09 . 2008-05-11 02:02 <DIR> d-------- C:\Users\Computer\AppData\Roaming\MiniDm
    2008-05-09 21:06 . 2008-05-09 21:07 <DIR> d-------- C:\Program Files\IEPro
    2008-05-02 18:12 . 2008-05-02 18:12 <DIR> d-------- C:\Users\Computer\AppData\Roaming\Talkback
    2008-05-02 17:38 . 2008-05-02 17:38 0 --a------ C:\WINDOWS\nsreg.dat
    2008-04-28 17:07 . 2008-04-28 17:10 <DIR> d-------- C:\Program Files\Counter-Strike 1.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-23 03:04 --------- d-----w C:\Users\Computer\AppData\Roaming\DNA
    2008-05-22 21:49 --------- d-----w C:\Users\Computer\AppData\Roaming\BitTorrent
    2008-05-20 22:32 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-17 16:20 --------- d---a-w C:\ProgramData\TEMP
    2008-05-17 16:20 --------- d-----w C:\Program Files\SpywareBlaster
    2008-05-15 02:26 --------- d-----w C:\Users\Computer\AppData\Roaming\Image Zone Express
    2008-05-14 02:39 --------- d-----w C:\ProgramData\Microsoft Help
    2008-05-14 02:39 --------- d-----w C:\Program Files\Windows Mail
    2008-05-10 01:07 --------- d-----w C:\ProgramData\Symantec
    2008-05-04 04:48 --------- d-----w C:\Program Files\Steam
    2008-05-03 02:38 --------- d-----w C:\Program Files\Common Files\Steam
    2008-04-19 00:05 --------- d-----w C:\Users\Computer\AppData\Roaming\PrevxCSI
    2008-04-17 00:20 --------- d-----w C:\Program Files\DNA
    2008-04-16 23:17 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-04-16 23:17 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-16 18:25 29,952 ----a-w C:\Windows\Help\OEM\Scripts\HPScript.exe
    2008-04-15 21:32 --------- d-----w C:\Program Files\CCleaner
    2008-04-13 21:35 --------- d-----w C:\ProgramData\WildTangent
    2008-04-12 01:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-12 00:41 --------- d-----w C:\Program Files\Lavasoft
    2008-04-11 20:41 --------- d-----w C:\Program Files\Valve
    2008-04-10 00:09 21,840 ----atw C:\Windows\System32\SIntfNT.dll
    2008-04-10 00:09 17,212 ----atw C:\Windows\System32\SIntf32.dll
    2008-04-10 00:09 12,067 ----atw C:\Windows\System32\SIntf16.dll
    2008-04-08 01:02 --------- d-----w C:\Program Files\Total Video Converter
    2008-04-06 04:23 --------- d-----w C:\Users\Computer\AppData\Roaming\Uniblue
    2008-04-06 04:16 --------- d-----w C:\Program Files\Uniblue
    2008-04-06 02:52 --------- d-----w C:\Program Files\HP
    2008-04-04 21:52 43,520 ----a-w C:\Windows\System32\CmdLineExt03.dll
    2008-03-27 19:02 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2008-03-26 01:28 174 --sha-w C:\Program Files\desktop.ini
    2008-03-26 01:19 --------- d-----w C:\Program Files\Windows Sidebar
    2008-03-26 01:19 --------- d-----w C:\Program Files\Windows Photo Gallery
    2008-03-26 01:19 --------- d-----w C:\Program Files\Windows Journal
    2008-03-26 01:19 --------- d-----w C:\Program Files\Windows Defender
    2008-03-26 01:19 --------- d-----w C:\Program Files\Windows Collaboration
    2008-03-26 01:19 --------- d-----w C:\Program Files\Windows Calendar
    2008-03-26 00:53 82,432 ----a-w C:\Windows\System32\axaltocm.dll
    2008-03-26 00:53 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
    2008-03-23 23:31 --------- d-----w C:\Program Files\NetConeal
    2008-03-23 23:27 --------- d-----w C:\Users\Computer\AppData\Roaming\FreeCap
    2008-03-08 20:16 319,456 ----a-w C:\Windows\DIFxAPI.dll
    2008-03-06 23:18 4,502 ----a-w C:\Windows\System32\tmp.reg
    2008-03-06 03:29 82,432 ----a-w C:\Windows\System32\IEDFix.exe
    2008-03-02 04:12 86,016 ----a-w C:\Windows\System32\VACFix.exe
    2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
    2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
    2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
    2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
    2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
    2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
    2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
    2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
    2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
    2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
    2007-11-04 14:16 440 ----a-w C:\Users\Computer\AppData\Roaming\wklnhst.dat
    2007-09-04 23:36 22 --sha-w C:\Windows\SMINST\HPCD.sys
    .

    ------- Sigcheck -------

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 03:33 1233920]
    "WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 03:36 2153472 C:\WINDOWS\System32\oobefldr.dll]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
    "Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2008-04-02 09:50 1424648]
    "BitTorrent DNA"="C:\Users\Computer\Program Files\DNA\btdna.exe" [2008-05-08 11:47 289088]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 09:42 65536]
    "KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 12:16 65536]
    "OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 06:59 118784]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 12:26 4874240 C:\WINDOWS\RtHDVCpl.exe]
    "HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-06-05 09:12 71176]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 22:05 116328]
    "SnapfishMediaDetector"="C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 17:55 1441792]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "MSConfig"="C:\Windows\system32\msconfig.exe" [2008-01-19 03:33 227840]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 20:15 86016]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 20:15 8466432]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 20:15 81920]
    "Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-24 09:22 2476408]
    "Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-05-05 20:46 1179256]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 19:50 233472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Snapfish Media Detector.lnk - C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe [3/2/2007 5:55:02 PM 1441792]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^Computer^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
    path=C:\Users\Computer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
    backup=C:\Windows\pss\Microsoft Office Groove.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^Computer^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UacDisableNotify"=dword:00000001
    "InternetSettingsDisableNotify"=dword:00000001
    "AutoUpdateDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2354960861-141067943-2326317658-1000]
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{54977830-5DAA-452E-89C5-D41D88273689}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{41FBDAB9-34F2-42E0-9E2D-E393373FC67D}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{929CD735-7BBD-47E5-9806-CE8885D84057}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{8AAC98F5-E5E7-4ACC-93AF-71A04BF4D1CA}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{44CDF252-411B-4121-8647-FC6CF3748606}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{D403D48C-2C68-403C-9DB3-621454BE35E3}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{7AB53790-ADF7-4001-AF26-866F69621ED1}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{02125C7D-3B27-4F08-9EFB-0BEEED35D227}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{147A54C4-B07A-4EDD-AA51-45A4B71741DE}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{5DDB0D55-AA17-455A-B0DE-3FB1DAC3B2EA}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{C9C9205A-0A1D-4453-A0EE-82C9E2F82F0C}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{7912511B-F37A-4ACE-889F-89E03B6711AB}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{46D8B631-7DFA-4597-B9A6-AA4B5C6C8FED}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "TCP Query User{4E4EBBE6-BB02-4604-AFEA-57FD3C4E8F76}C:\\program files\\microsoft office\\office12\\groove.exe"= UDP:C:\program files\microsoft office\office12\groove.exe:Microsoft Office Groove
    "UDP Query User{4E333A80-66FD-4156-8BBA-6439C084849A}C:\\program files\\microsoft office\\office12\\groove.exe"= TCP:C:\program files\microsoft office\office12\groove.exe:Microsoft Office Groove
    "{6F8E648A-E75E-4233-BCD2-B5AEE92DD6DD}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
    "{D31D44C4-6592-4AA8-8C35-A2CD7BAC29F7}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
    "{9692C3E6-330D-4243-A271-80C2D0922E15}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
    "{D2C9746E-967D-4AA4-A97F-12B88FBCB6F4}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
    "{3AEF1CA1-7B2C-4E74-BC00-90ADD66BD187}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
    "C:\\Program Files\\IEPro\\MiniDM.exe"= C:\Program Files\IEPro\MiniDM.exe:*:Enabled:MiniDM

    R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080521.001\IDSvix86.sys [2008-02-13 12:18]
    R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 07:36]
    R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\Windows\system32\drivers\hcw18bda.sys [2007-04-18 16:30]
    R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\Windows\system32\drivers\libusb0.sys [2005-03-09 21:50]
    R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2008-02-15 15:22]
    R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
    S3 GameConsoleService;GameConsoleService;"C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [2007-11-27 17:38]
    S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-05-01 18:05]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \shell\AutoRun\command - J:\Setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
    \shell\AutoRun\command - K:\SETUP.EXE

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-18 00:54:55 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Computer.job"
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
    "2008-05-12 00:17:57 C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-03-22 16:36:37 C:\Windows\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-05-17 23:00:01 C:\Windows\Tasks\Uniblue SpyEraser.job"
    - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    "2008-05-22 23:18:33 C:\Windows\Tasks\User_Feed_Synchronization-{62E94CC9-2D78-43E7-84C0-454D26D2160C}.job"
    - C:\Windows\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-22 23:07:02
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-05-22 23:08:25
    ComboFix-quarantined-files.txt 2008-05-23 03:07:58

    Pre-Run: 257,440,481,280 bytes free
    Post-Run: 257,405,255,680 bytes free

    232 --- E O F --- 2008-05-20 22:32:16
    ----------------------------------------------------
    and the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:16:24 PM, on 22/05/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\WINDOWS\RtHDVCpl.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Users\Computer\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\conime.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
    O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Computer\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) -
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} -
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\Windows\system32\libusbd-nt.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 10659 bytes

  6. #6
    Retired Security Volunteer (Join Date: Sep 2007, Location: Ireland, Posts: 1,624)

    Hello

    1. Close any open browsers.

    2. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    K:\SETUP.EXE
    J:\Setup.exe

    Folder::

    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]

    Driver::

    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner and click Accept

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Also tell me how your PC is running.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
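The ComboFix dump in the log above carries two findings a responder checks before anything else: Windows Firewall is off for both the Public and Standard profiles (EnableFirewall = 0), and the MountPoints2 keys for drives J: and K: carry AutoRun commands pointing at Setup.exe on the drive root, which is exactly what the CFScript in the reply above deletes. The HJT log also lists O4 Run entries that start through rundll32 with a DLL name, the same shape Vundo's startup stubs take. The Python below is an added example, not code from the thread, ComboFix or HijackThis: it pulls those three findings out of a log excerpt (SAMPLE_LOG is constructed from the lines posted above) and drafts a CFScript in the File::/Registry:: layout the volunteer used. The draft is there to show how a finding maps onto a script line; the rundll32 entries it lists in this sample resolve to NVIDIA and Windows components and are reported for review, not flagged as malicious.

```python
"""Triage the ComboFix/HijackThis findings above and draft the matching CFScript.

Added example for this thread; it is not code from the forum, ComboFix or
HijackThis. SAMPLE_LOG is constructed from the log lines posted above.
"""
import re

# Constructed excerpt: the registry-dump and O4 lines of interest, copied from
# the ComboFix and HJT logs posted earlier in the thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\shell\AutoRun\command - K:\SETUP.EXE

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+)$')
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")
# O4 Run entries whose command is rundll32 loading a DLL: "<dll>,<export>".
O4_RUNDLL_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s+"
    r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+),(?P<export>\S+)",
    re.IGNORECASE,
)


def parse_combofix(text):
    """Walk the registry dump key by key.

    Returns (disabled_profiles, autorun): firewall profile names whose
    EnableFirewall value is 0, and {MountPoints2 key: AutoRun command}.
    """
    disabled, autorun, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group("key")
            continue
        if current is None:
            continue
        if (m := VALUE_RE.match(line)) and "firewallpolicy" in current.lower():
            if m.group("name") == "EnableFirewall" and m.group("value").split()[0] == "0":
                disabled.append(current.rsplit("\\", 1)[-1])
        elif (m := AUTORUN_RE.match(line)) and "mountpoints2" in current.lower():
            autorun[current] = m.group("cmd").strip()
    return disabled, autorun


def parse_hjt_rundll32(text):
    """Return [(run_name, dll, export)] for O4 Run entries started via rundll32.

    Vundo commonly autostarts this way (rundll32 plus a DLL under a temp or
    system path), so every such entry is listed for review of the DLL path;
    the hits in SAMPLE_LOG are NVIDIA and Windows components.
    """
    hits = []
    for raw in text.splitlines():
        if m := O4_RUNDLL_RE.match(raw.strip()):
            hits.append((m.group("name"), m.group("dll").strip().strip('"'), m.group("export")))
    return hits


def build_cfscript(file_paths, keys_to_delete):
    """Render a CFScript in the layout posted in the reply: File::, Folder::,
    Registry:: (a leading '-' inside the brackets deletes the whole key), Driver::.
    """
    lines = ["File::", *file_paths, "", "Folder::", "", "Registry::",
             *(f"[-{key}]" for key in keys_to_delete), "", "Driver::"]
    return "\n".join(lines) + "\n"


def triage(text):
    """Collect the three findings and the draft CFScript for a log excerpt."""
    disabled, autorun = parse_combofix(text)
    keys = sorted(autorun)
    return {
        "firewall_disabled": disabled,
        "autorun": autorun,
        "rundll32_runs": parse_hjt_rundll32(text),
        "cfscript": build_cfscript([autorun[k] for k in keys], keys),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Firewall disabled on:", ", ".join(report["firewall_disabled"]) or "none")
    for key, cmd in report["autorun"].items():
        print("AutoRun on drive", key.rsplit("\\", 1)[-1] + ":", cmd)
    for name, dll, export in report["rundll32_runs"]:
        print(f"rundll32 Run entry [{name}] -> {dll} ({export})")
    print("\nDraft CFScript:\n" + report["cfscript"])
```

Run it directly to print the report and the draft script; triage() returns the same data so the findings can be checked programmatically against a fuller log.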

  7. #7
    Member (Join Date: Feb 2008, Posts: 33)

    OK, so here is the scan log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, May 23, 2008 8:35:03 PM
    Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 23/05/2008
    Kaspersky Anti-Virus database records: 799359
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\

    Scan Statistics:
    Total number of scanned objects: 149160
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 02:02:58

    Infected Object Name / Virus Name / Last Action
    C:\Bug.txt Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\Program Files\PC-Doctor 5 for Windows\Configuration\config.xml Object is locked skipped
    C:\ProgramData\Symantec\Common Client\settings.bak Object is locked skipped
    C:\ProgramData\Symantec\Common Client\settings.dat Object is locked skipped
    C:\ProgramData\Symantec\LiveUpdate\2008-05-23_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SubEng\submissions.idx Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDALRT.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDCON.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDDBG.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDFW.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDIDS.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDSYS.log Object is locked skipped
    C:\ProgramData\Lavasoft\Ad-Aware 2007\logs\AWProcessesLog.log Object is locked skipped
    C:\ProgramData\Lavasoft\Ad-Aware 2007\logs\CoreEngineCommunicationLog.log Object is locked skipped
    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\864da5be2adb28c7711b08a95f5dd038_390a2636-5a2e-43c1-9914-129ca03a9f40 Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv01.tmp Object is locked skipped
    C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped
    C:\Users\Computer\AppData\Roaming\microsoft\Windows\Cookies\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Roaming\microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Working\database_F8AE_9DCE_AE9D_85B2\dfsr.db Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Working\database_F8AE_9DCE_AE9D_85B2\fsr.log Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Working\database_F8AE_9DCE_AE9D_85B2\fsrtmp.log Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Working\database_F8AE_9DCE_AE9D_85B2\tmp.edb Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008052320080524\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{2e03b47a-5649-11dc-a105-001bfc51b749}.TM.blf Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{2e03b47a-5649-11dc-a105-001bfc51b749}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{2e03b47a-5649-11dc-a105-001bfc51b749}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows Live Contacts\ibrahim--a@hotmail.com\real\members.stg Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
    C:\Users\Computer\AppData\Local\Temp\~DFD9D5.tmp Object is locked skipped
    C:\Users\Computer\AppData\Local\Temp\~DFDCB4.tmp Object is locked skipped
    C:\Users\Computer\AppData\Local\VirtualStore\ProgramData\muvee Technologies\030625\0103\0399\ProductKey.val Object is locked skipped
    C:\Users\Computer\AppData\Local\VirtualStore\ProgramData\muvee Technologies\030625\0103\0399\template.mmdf Object is locked skipped
    C:\Users\Computer\AppData\Local\VirtualStore\ProgramData\muvee Technologies\030625\0103\0399\values Object is locked skipped
    C:\Users\Computer\NTUSER.DAT Object is locked skipped
    C:\Users\Computer\ntuser.dat.LOG1 Object is locked skipped
    C:\Users\Computer\ntuser.dat.LOG2 Object is locked skipped
    C:\Users\Computer\NTUSER.DAT{c566d2e8-26bc-11dd-a89c-001bfc51b749}.TM.blf Object is locked skipped
    C:\Users\Computer\NTUSER.DAT{c566d2e8-26bc-11dd-a89c-001bfc51b749}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\Computer\NTUSER.DAT{c566d2e8-26bc-11dd-a89c-001bfc51b749}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\MSDVRMM_2929558962_5701632_113546 Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\MSDVRMM_2929558962_7143424_116253 Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\SBE2A79.tmp Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\SBE2CEA.tmp Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\{5359DEC2-47C8-436B-A8AA-569C50C22448}.TmpSBE Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\{BF8B54D4-4982-4DC6-921A-2EC7DCA17B76}.TmpSBE Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Debug\WIA\wiatrace.log Object is locked skipped
    C:\WINDOWS\Logs\CBS\CBS.log Object is locked skipped
    C:\WINDOWS\Logs\CBS\CBS.persist.log Object is locked skipped
    C:\WINDOWS\Logs\DPX\setupact.log Object is locked skipped
    C:\WINDOWS\Logs\DPX\setuperr.log Object is locked skipped
    C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
    C:\WINDOWS\Panther\UnattendGC\diagerr.xml Object is locked skipped
    C:\WINDOWS\Panther\UnattendGC\diagwrn.xml Object is locked skipped
    C:\WINDOWS\Panther\UnattendGC\setupact.log Object is locked skipped
    C:\WINDOWS\Panther\UnattendGC\setuperr.log Object is locked skipped
    C:\WINDOWS\security\database\secedit.sdb Object is locked skipped
    C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\WINDOWS\System32\catroot2\edb.log Object is locked skipped
    C:\WINDOWS\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
    C:\WINDOWS\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
    C:\WINDOWS\System32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
    C:\WINDOWS\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\System32\restore\MachineGuid.txt Object is locked skipped
    C:\WINDOWS\System32\spool\SpoolerETW.etl Object is locked skipped
    C:\WINDOWS\System32\sysprep\Panther\diagerr.xml Object is locked skipped
    C:\WINDOWS\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
    C:\WINDOWS\System32\sysprep\Panther\setupact.log Object is locked skipped
    C:\WINDOWS\System32\sysprep\Panther\setuperr.log Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\040270F850D5C3C91057DDDA2DA294D8.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\0A9DBC92D554324656F61F9862679F27.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\0DF617D6737A7561E732F853792261C3.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\1E2E58C73053C7775EB226DB5E739137.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\2A811E5CCC22CC9D7AE2B04EF0402688.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\2AA23BB86A5EBD8BC2D820944E55B233.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\2CE523184A801AA7361A7039E2D6B41D.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\2D57A7682ACD19214C258D31A06D008F.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\376786241A5443E41378D25CF812FCC1.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\4A01E0F376B5833EBA98F0D1D5F60CD1.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\4B471F64BAF831EC7945C820FD5A16E5.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\4CB32C0A77CD4D9B0C9618F73F786C32.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\5774C77265BE4C55B5C6C9718979E015.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\5B5D21CF62E70BACF9D085E6AA6CE143.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\69554D930FCA40B0304B9A43A8036F2D.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\72F867EF62976CE9F70993FF3E68A4EB.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\7851AF96EA828F912853F32DB0D96138.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\7F417E1A6D819A9B2FEB55DA6858EA0A.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\87AA2A001CE3E89926688B93E4DC2992.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\8C718B5AFD373885B68D2836088CAF9A.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\903E49C444C46FEF5F2C3A189C9CEF71.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\96ABB1671705F680578FE240427CBD4F.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\9A72EE7775E8021F75961342B8AFD1B4.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\9AD3182A2F39A3E091E15109132EC6CC.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\9CD33F0956942860B50AA1B9330DEFAF.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\9E06E4FE97F0CBB8D659894823F805D7.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\A80FF2DC09487ECD60AFB147B262BDD7.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\AA6E0E396C238977CA909EFD82299737.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\AA742824DCADA846BA4B665D686DD5D6.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\BBF206490BAA431B592F9A13534F43F6.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\D1A1B12A7DA3F9675C01397A26DBF4B3.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\D4C4BA54B6A8FA6211E60E2ADFF7426A.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\DE391013DA56ABA39FFF40A9ABDF052F.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\DFB9AD54AC2D3B8122567AAD3BF3EB7F.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\E04DE4CDFEC284A342159BB920976701.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\E9D8A460B2C986DD5FF19F299F4A27EC.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\EC45C70F2A3D9DED718E71631C38E2FE.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\F81E6BEBC3067C406E6C491608474198.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\Logs\WMITracing.log Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\INDEX.BTR Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Application.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Media Center.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Admin.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\ODiag.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\OSession.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Security.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Setup.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\System.evtx Object is locked skipped
    C:\WINDOWS\Tasks\SCHEDLGU.TXT Object is locked skipped
    C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job Object is locked skipped
    C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job Object is locked skipped
    C:\WINDOWS\Tasks\Uniblue SpyEraser.job Object is locked skipped
    C:\WINDOWS\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
    C:\WINDOWS\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18000_none_d12e90ac35ffb753\dnary.xsd Object is locked skipped
    D:\$RECYCLE.BIN\Desktop.ini Object is locked skipped
    D:\$RECYCLE.BIN\Protect.ed Object is locked skipped

    Scan process completed.
    --------------------------------------

    It's returned clean, so I'm sure that's good, and I don't see anything in the HJT that could be bad, and my comp seems to be working fine again.

    But just in case, please don't close this topic, at least for a few days or unless I say I'm sure it's all fine. Thanks a lot for the help.

    One question though: what happened when I created that CFScript file and dragged it to ComboFix? Is it sort of like a custom scan?

  8. #8
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,624

    Default

    It deletes the files we tell it to delete.

    Your logs are clean.

    Follow these steps to uninstall Combofix and tools used in the removal of malware
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

    You now need to update your Java and remove your older versions.

    Please follow these steps to remove older version Java components.

    * Click Start > Control Panel.
    * Click Add/Remove Programs.
    * Check any item with Java Runtime Environment (JRE) in the name.
    * Click the Remove or Change/Remove button.

    Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
    here



    Below I have included a number of recommendations for how to protect your computer against malware infections.

    * Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

    * To reduce the chance of re-infection by malware in the future, I strongly recommend installing these free programs:
    SpywareBlaster protects against bad ActiveX.
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Have a look at this tutorial for IE-Spyad here

    * SpywareGuard offers realtime protection from spyware installation attempts.

    Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.


    * MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

    * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
    Here

    * Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
    Here

    Thank you for your patience, and performing all of the procedures requested.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
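    To show what the MVPS hosts file recommendation above actually does on disk, here is a small parser, added as an example (it is not code from this thread or from the MVPS project) that reads hosts-file text, lists the names sinkholed to 127.0.0.1 or 0.0.0.0, and flags the one kind of entry a blocking list never contains: a name sent to a non-loopback address. The sample hosts content is constructed; the domain names and the 203.0.113.9 address are placeholders, not taken from any real list.

```python
"""Parse a Windows HOSTS file and report what it blocks.

Added example, not from the forum thread or from the MVPS project.
The sample text below is constructed; the real MVPS file is far larger.
"""
import ipaddress
import os
from typing import List, Tuple

# Constructed sample shaped like a hosts file with blocking entries, plus
# one hijack-style line of the kind a defender would want to notice.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost

# Blocking entries (constructed names, not from any real list)
127.0.0.1  ads.example-adserver.test
0.0.0.0    tracker.example-analytics.test  # some lists use 0.0.0.0 instead
127.0.0.1  malware-dropper.example.test

# Hijack-style entry: a name redirected somewhere other than loopback
203.0.113.9  update.example-antivirus.test
"""

# Default location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Addresses a blocking list legitimately maps names to.
LOOPBACK_OR_NULL = ("127.0.0.1", "0.0.0.0", "::1")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text.

    A '#' starts a comment; each entry is one IP followed by one or more
    names.  Lines that do not start with a valid IP are skipped.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts entry; ignore it
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def blocked_names(entries: List[Tuple[str, str]]) -> List[str]:
    """Names sinkholed to loopback/null, which is how the MVPS file blocks sites."""
    return sorted({n for ip, n in entries
                   if ip in LOOPBACK_OR_NULL and n != "localhost"})


def suspicious_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Names mapped to a non-loopback address.

    A blocking list never does this, so such lines deserve a manual look:
    they redirect the name to some other machine instead of blocking it.
    """
    return [(ip, n) for ip, n in entries if ip not in LOOPBACK_OR_NULL]


def is_blocked(entries: List[Tuple[str, str]], hostname: str) -> bool:
    """True if lookups of hostname are answered from the hosts file with loopback/null."""
    return hostname.lower() in blocked_names(entries)


def load_hosts(path: str = WINDOWS_HOSTS_PATH) -> str:
    """Read the real hosts file if present, else fall back to the constructed sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return SAMPLE_HOSTS


if __name__ == "__main__":
    entries = parse_hosts(load_hosts())
    print(f"{len(blocked_names(entries))} names blocked")
    for ip, name in suspicious_entries(entries):
        print(f"CHECK: {name} is redirected to {ip}, not blocked")
```

Run it on a machine with the MVPS file installed and the blocked count is in the thousands; any line reported as CHECK is worth comparing against the list you installed, because nothing in a blocking list should point a name at a real address.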

  9. #9
    Member
    Join Date
    Feb 2008
    Posts
    33

    Default

    OK, thank you so much for helping me. I uninstalled ComboFix, updated Java (though I thought I uninstalled all previous versions when I updated it a few months ago), and my computer is already set to auto update through Windows Update, so I will know when there are updates available through Windows Update.
    I already had SpywareBlaster on my comp, and I have to say it is really useful, but I read in IE-SPYAD that it only works for IE6 or less, but I have IE7. Also, I think I remember trying SpywareGuard a few months ago, but it had some sort of conflict with the other programs on my comp (I think TeaTimer, but I'm not exactly sure).

    Also, I have to say thank you for the link to the hosts files. I already had a list on my comp, but I saw how this was rated #1 and all, so thanks again.

    And as a note, I also use FF; it's just that my comp is Windows and Windows bundles IE with all its PCs, so unfortunately I can't get rid of it (do you know of some way to uninstall IE so I can ONLY use FF? Because I use both equally right now).

    As a final note, I'm not sure if you can help or not, but I have a program called Uniblue SpyEraser on my comp, and I set it up to scan weekly, and every week it seems to find this same spyware on it. SpyEraser labels it as "Malware (General Components)" and it says something like "threat level: moderate", and it's always these 8 infections. They are in things like hkey_current_user\software\wget\
    or entversion\internet settings\zonemap\domains\blazefind.com\

    Is there any way I can permanently delete these? Or any other good scanning programs etc.? I'm just wondering if you may know what this is.


    And FINALLY, I would like to thank you for your patience in helping me and would like to say you have done a good job. Thanks.

  10. #10
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,624

    Default

    I think IE-SPYAD should still work on IE7.

    SpywareGuard will conflict with TeaTimer; make sure you only use one of those.


    You can't uninstall IE as it is needed. It would be dangerous to try to do that.


    I wouldn't worry about SpyEraser detecting that; it is nothing to worry about. That program is not very good at all; I would recommend removing it.


    Is there any way I can permanently delete these? Or any other good scanning programs etc.? I'm just wondering if you may know what this is.
    We can delete it, but there is no need; it is not dangerous at all. MBAM is the best program; if that is giving you a clean bill of health then you are good to go.


    Any other questions?
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
