HollyRay
2008-07-05, 20:33
Previous Thread: http://forums.spybot.info/showthread.php?t=29880
Many thanks for previous help- i've carried out all of the above without hitch.
Combofix Log
ComboFix 08-07-04.6 - Holly Chapman 2008-07-05 18:40:36.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1198 [GMT 1:00]
Running from: C:\Users\Holly Chapman\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
2008-07-04 21:51 . 2008-07-04 21:51 <DIR> d-------- C:\Users\Holly Chapman\AppData\Roaming\Malwarebytes
2008-07-04 21:51 . 2008-07-04 21:51 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-04 21:51 . 2008-07-04 21:51 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-04 21:51 . 2008-06-28 14:16 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-07-04 21:51 . 2008-06-28 14:16 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-22 19:34 . 2008-06-22 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 14:12 . 2008-04-23 05:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 14:12 . 2008-04-23 05:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 14:12 . 2008-04-23 05:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 14:12 . 2008-04-23 05:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-13 20:32 . 2008-06-13 20:32 <DIR> d-------- C:\Users\Holly Chapman\AppData\Roaming\Uniblue
2008-06-13 20:32 . 2008-06-13 20:32 <DIR> d-------- C:\Program Files\Uniblue
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 17:27 --------- d-----w C:\Program Files\Steam
2008-07-05 17:09 --------- d-----w C:\Users\Holly Chapman\AppData\Roaming\AVG7
2008-06-22 14:05 --------- d-----w C:\Users\Holly Chapman\AppData\Roaming\Azureus
2008-06-12 07:54 --------- d-----w C:\Program Files\Windows Mail
2008-06-11 13:03 --------- d-----w C:\Program Files\Common Files\Steam
2008-06-04 15:14 --------- d-----w C:\ProgramData\CheckPoint
2008-05-27 17:16 --------- d-----w C:\Program Files\Google
2008-05-27 16:46 --------- d-----w C:\Program Files\Xvid
2008-05-27 16:43 --------- d-----w C:\Program Files\ffdshow
2008-05-27 16:31 --------- d-----w C:\Program Files\Real
2008-05-27 16:31 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-27 16:31 --------- d-----w C:\Program Files\Common Files\Real
2008-05-26 20:33 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-05-26 20:33 60,273 ----a-w C:\Windows\System32\pthreadGC2.dll
2008-05-16 21:58 --------- d-----w C:\Users\Holly Chapman\AppData\Roaming\Winamp
2008-05-16 21:58 --------- d-----w C:\ProgramData\avg7
2008-05-10 01:33 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-06 22:48 112 ----a-w C:\Users\Holly Chapman\AppData\Roaming\wklnhst.dat
2008-04-29 03:54 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-03-31 19:15 174 --sha-w C:\Program Files\desktop.ini
2008-01-16 22:37 76 --sh--r C:\Windows\CT4CET.bin
2008-02-06 17:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-06 17:29 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-02-06 17:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 23:33 125952]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 21:02 495616]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-29 06:24 1271032]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-16 23:45 68856]
"Uniblue RegistryBooster 2"="c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe" [2008-06-03 10:01 99608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 07:03 17920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 01:35 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-08-29 06:54 36864]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-26 11:47 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-26 11:47 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-26 11:47 129560]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2008-01-16 23:31 77824]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 17:43 118784]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 12:22 221184]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-11-01 16:39 189736]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 15:09 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 23:54 37376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 17:31 185896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 16:23 219136]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
C:\Users\Holly Chapman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [3/11/2008 5:31:45 PM 546816]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [11/3/2006 6:55:50 PM 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [1/16/2008 11:32:56 PM 50688]
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [1/16/2008 11:35:21 PM 45056]
Sound Station.lnk - C:\Program Files\Sound Station\SNXUACP.exe [4/1/2008 7:31:33 PM 643072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-01-21 16:23 9216 C:\Windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BF41693D-4805-4B9A-BFD6-E647E63DC980}"= C:\Program Files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{921CEA54-DDD6-4AAB-9D94-47DF643CE583}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{D55C49A6-732A-4F18-AE90-ED962AAFAE3A}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{5CCE1B1B-D601-4B39-A519-725FBFB13CC6}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{E07220C3-E1F9-41CE-80E8-F5E9F49ACE35}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7D08E2B6-F622-49C4-B13B-F01B0D2D8687}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{C1F377EE-4EDA-45BF-81D3-3BFC61CA01C4}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{5B678F9D-8B73-4DA9-9A70-C9EDE10F7AEE}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D08161DD-0F72-412E-A4AC-E9A46680B0A4}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{28FCC404-A81F-40F7-96DC-3430A682FD95}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{A254E5E6-120A-46F9-986E-B89DEA41923E}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{5A5EE3C7-D864-46B7-A121-94842944446D}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{C49AB4C7-6C08-4DB3-B522-46E1A50BFB37}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{F369D018-F43A-4024-87BC-4282013D3B59}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{66E96F78-6ECD-47CF-BC83-82BBF1CDF3B3}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{D9EB8EA1-01C5-4B6A-BE43-A49EE6BC9CCE}"= UDP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{4052F8A4-6697-463D-8C27-95BE4C5DFBF2}"= TCP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{2EFB641A-7D40-4FE9-87E8-BEE2B89BA3CC}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{29ABA03F-F879-4C29-8997-B56753AE8AC4}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"TCP Query User{283B9E91-0A10-4AFA-870D-373E76FE5090}C:\\program files\\ares\\ares.exe"= UDP:C:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{1301E5F4-DE7A-4DF4-B068-8C2DEB13BFAF}C:\\program files\\ares\\ares.exe"= TCP:C:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{C1701AFB-0441-4F19-9BCA-25B52818F095}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{D05EC6C1-668F-455E-9469-DE5FFF08D85B}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"TCP Query User{AEF69CE1-6510-4616-A2E4-B8C97A2664DC}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{05E8816F-2E92-4428-8489-02182D39A040}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{23B62CAD-9F1A-498E-977D-581C438E4887}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{26BB249F-B1C2-4CC7-964F-A1D31E2CC4B4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7678EEB6-5681-4431-9A32-63216C64C0F1}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-08-29 22:25]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 13:27]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-07 02:37]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-11-07 00:13]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-07 00:13]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 18:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 06:55]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-06-11 13:05]
S3 uafilter;uafilter;C:\Windows\system32\DRIVERS\uafilter.sys [2003-09-18 09:21]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 11:49:48 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 18:44:34
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-05 18:46:12
ComboFix-quarantined-files.txt 2008-07-05 17:46:05
Pre-Run: 22,598,021,120 bytes free
Post-Run: 22,367,666,176 bytes free
160 --- E O F --- 2008-07-05 17:13:12
Fresh Hijack this Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:06, on 29/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Web Technologies\iebtmm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Sound Station\SNXUACP.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Web Technologies\iebtm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A49E097A-D6EF-4B2F-8B0F-1230E998587F} - C:\Program Files\Web Technologies\iebt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: 441465 helper - {D311C486-7D5F-4D73-B791-EE56C47D3B2E} - C:\Windows\system32\441465\441465.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Web Technologies\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Web Technologies\iebtm.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O4 - Global Startup: Sound Station.lnk = C:\Program Files\Sound Station\SNXUACP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorergate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorergate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12604 bytes
Many thanks for previous help- i've carried out all of the above without hitch.
Combofix Log
ComboFix 08-07-04.6 - Holly Chapman 2008-07-05 18:40:36.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1198 [GMT 1:00]
Running from: C:\Users\Holly Chapman\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
2008-07-04 21:51 . 2008-07-04 21:51 <DIR> d-------- C:\Users\Holly Chapman\AppData\Roaming\Malwarebytes
2008-07-04 21:51 . 2008-07-04 21:51 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-04 21:51 . 2008-07-04 21:51 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-04 21:51 . 2008-06-28 14:16 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-07-04 21:51 . 2008-06-28 14:16 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-22 19:34 . 2008-06-22 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 14:12 . 2008-04-23 05:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 14:12 . 2008-04-23 05:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 14:12 . 2008-04-23 05:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 14:12 . 2008-04-23 05:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-13 20:32 . 2008-06-13 20:32 <DIR> d-------- C:\Users\Holly Chapman\AppData\Roaming\Uniblue
2008-06-13 20:32 . 2008-06-13 20:32 <DIR> d-------- C:\Program Files\Uniblue
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 17:27 --------- d-----w C:\Program Files\Steam
2008-07-05 17:09 --------- d-----w C:\Users\Holly Chapman\AppData\Roaming\AVG7
2008-06-22 14:05 --------- d-----w C:\Users\Holly Chapman\AppData\Roaming\Azureus
2008-06-12 07:54 --------- d-----w C:\Program Files\Windows Mail
2008-06-11 13:03 --------- d-----w C:\Program Files\Common Files\Steam
2008-06-04 15:14 --------- d-----w C:\ProgramData\CheckPoint
2008-05-27 17:16 --------- d-----w C:\Program Files\Google
2008-05-27 16:46 --------- d-----w C:\Program Files\Xvid
2008-05-27 16:43 --------- d-----w C:\Program Files\ffdshow
2008-05-27 16:31 --------- d-----w C:\Program Files\Real
2008-05-27 16:31 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-27 16:31 --------- d-----w C:\Program Files\Common Files\Real
2008-05-26 20:33 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-05-26 20:33 60,273 ----a-w C:\Windows\System32\pthreadGC2.dll
2008-05-16 21:58 --------- d-----w C:\Users\Holly Chapman\AppData\Roaming\Winamp
2008-05-16 21:58 --------- d-----w C:\ProgramData\avg7
2008-05-10 01:33 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-06 22:48 112 ----a-w C:\Users\Holly Chapman\AppData\Roaming\wklnhst.dat
2008-04-29 03:54 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-03-31 19:15 174 --sha-w C:\Program Files\desktop.ini
2008-01-16 22:37 76 --sh--r C:\Windows\CT4CET.bin
2008-02-06 17:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-06 17:29 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-02-06 17:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 23:33 125952]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 21:02 495616]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-29 06:24 1271032]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-16 23:45 68856]
"Uniblue RegistryBooster 2"="c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe" [2008-06-03 10:01 99608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 07:03 17920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 01:35 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-08-29 06:54 36864]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-26 11:47 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-26 11:47 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-26 11:47 129560]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2008-01-16 23:31 77824]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 17:43 118784]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 12:22 221184]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-11-01 16:39 189736]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 15:09 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 23:54 37376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 17:31 185896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 16:23 219136]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
C:\Users\Holly Chapman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [3/11/2008 5:31:45 PM 546816]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [11/3/2006 6:55:50 PM 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [1/16/2008 11:32:56 PM 50688]
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [1/16/2008 11:35:21 PM 45056]
Sound Station.lnk - C:\Program Files\Sound Station\SNXUACP.exe [4/1/2008 7:31:33 PM 643072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-01-21 16:23 9216 C:\Windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BF41693D-4805-4B9A-BFD6-E647E63DC980}"= C:\Program Files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{921CEA54-DDD6-4AAB-9D94-47DF643CE583}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{D55C49A6-732A-4F18-AE90-ED962AAFAE3A}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{5CCE1B1B-D601-4B39-A519-725FBFB13CC6}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{E07220C3-E1F9-41CE-80E8-F5E9F49ACE35}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7D08E2B6-F622-49C4-B13B-F01B0D2D8687}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{C1F377EE-4EDA-45BF-81D3-3BFC61CA01C4}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{5B678F9D-8B73-4DA9-9A70-C9EDE10F7AEE}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D08161DD-0F72-412E-A4AC-E9A46680B0A4}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{28FCC404-A81F-40F7-96DC-3430A682FD95}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{A254E5E6-120A-46F9-986E-B89DEA41923E}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{5A5EE3C7-D864-46B7-A121-94842944446D}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{C49AB4C7-6C08-4DB3-B522-46E1A50BFB37}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{F369D018-F43A-4024-87BC-4282013D3B59}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{66E96F78-6ECD-47CF-BC83-82BBF1CDF3B3}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{D9EB8EA1-01C5-4B6A-BE43-A49EE6BC9CCE}"= UDP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{4052F8A4-6697-463D-8C27-95BE4C5DFBF2}"= TCP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{2EFB641A-7D40-4FE9-87E8-BEE2B89BA3CC}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{29ABA03F-F879-4C29-8997-B56753AE8AC4}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"TCP Query User{283B9E91-0A10-4AFA-870D-373E76FE5090}C:\\program files\\ares\\ares.exe"= UDP:C:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{1301E5F4-DE7A-4DF4-B068-8C2DEB13BFAF}C:\\program files\\ares\\ares.exe"= TCP:C:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{C1701AFB-0441-4F19-9BCA-25B52818F095}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{D05EC6C1-668F-455E-9469-DE5FFF08D85B}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"TCP Query User{AEF69CE1-6510-4616-A2E4-B8C97A2664DC}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{05E8816F-2E92-4428-8489-02182D39A040}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{23B62CAD-9F1A-498E-977D-581C438E4887}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{26BB249F-B1C2-4CC7-964F-A1D31E2CC4B4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7678EEB6-5681-4431-9A32-63216C64C0F1}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-08-29 22:25]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 13:27]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-07 02:37]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-11-07 00:13]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-07 00:13]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 18:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 06:55]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-06-11 13:05]
S3 uafilter;uafilter;C:\Windows\system32\DRIVERS\uafilter.sys [2003-09-18 09:21]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 11:49:48 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 18:44:34
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-05 18:46:12
ComboFix-quarantined-files.txt 2008-07-05 17:46:05
Pre-Run: 22,598,021,120 bytes free
Post-Run: 22,367,666,176 bytes free
160 --- E O F --- 2008-07-05 17:13:12
Fresh Hijack this Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:06, on 29/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Web Technologies\iebtmm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Sound Station\SNXUACP.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Web Technologies\iebtm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A49E097A-D6EF-4B2F-8B0F-1230E998587F} - C:\Program Files\Web Technologies\iebt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: 441465 helper - {D311C486-7D5F-4D73-B791-EE56C47D3B2E} - C:\Windows\system32\441465\441465.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Web Technologies\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Web Technologies\iebtm.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O4 - Global Startup: Sound Station.lnk = C:\Program Files\Sound Station\SNXUACP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorergate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorergate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12604 bytes